instituto federal de acceso a la información y protección de datos protection of personal data in...

Instituto Federal de Acceso a la Información y Protección de DatosInstituto Federal de Acceso a la Información y Protección de Datos

Protection of Personal Data in Latin America

Dra. Sigrid Arzt ColungaIFAI Commissioner

January 25, 2013

Instituto Federal de Acceso a la Información y Protección de Datos

PRELIMINAR

DPA in Mexico

THE FEDERAL INSTITUTE OF ACCESS TO INFORMATION AND PERSONAL DATA (IFAI).- Is a body that belongs to the Federal Public Administration, which has operative, budget and decision making autonomy. It is in charge of:

Promoting the use of the right of access to information.Deciding if a request of access to information is accepted or denied.Protecting all personal data at the Federal Public Administration and

private entities.

Hence, two critical mandates are set from the very top legal framework, the Mexican Constitution:

Guarantee access to information.Protect personal data collected by government and entities of the Federal

Public Administration and by the private sector.

2


The PATH of Data Protection

Federal Law of Transparency and Access to

Public Government Information

Constitutional Reform

Federal Law on Protection of Personal Data

Held by Private Parties

2002 2007 2010


Legal Framework for the Public Sector.

On June 11, 2002 the Federal Law of Transparency and Access to Public Government Information (FLTAPGI) was published. It regulates the right of access to information and the protection of personal data held by the departments and entities of the Federal Public Administration, and it is only mandatory at the federal level. Mexico is a federal system, so each of the 32 states of the country has their own regulation, which are close to the federal law.

A number of guidelines have been published for the implementation of the law, such as the Guidelines for the Protection of Personal Data1. Those guidelines establishes the mandate of all departments of the federal government to register their databases of personal information in a system called “Sistema Persona”.

1. These guidelines contain a whole chapter of security measures that should be considered for the protection of personal information contained in those databases.

4


Sistema Persona

The purpose of this system is to control the registry of all the databases of personal information held by the departments and entities of the Federal Public Administration.

The information that should be submitted for registration: name of the database, purpose of the collection of the data, legal basis for processing it, name of the person in charge of such processing and the specification if transfers are carried out. Also modifications or cancellations of the databases should be informed through the system.

Today, a total of 3119 databases has been registered. Around 36% of those databases contain sensitive personal data, such as DNA, fingerprints, health information, ideology, religious believes, racial and ethnic origin, and information related to sex life.

5


Failures in the regulation of Personal Data Protection in the Public sector

• The Federal Law of Transparency and Access to Public Government Information does not include the right of cancellation and opposition.

• The law does not state the principles of protection of personal data, but they are mentioned in The guidelines on the Protection of Personal Data.

• The law does not establish important measures such as the privacy notice.

• The Guidelines on the Protection of Personal Data tried to "fill the gap" in the law, but they are insufficient.

6


Constitutional ReformOn July 20, 2007, the constitutional reform was enacted. The reform sets out the fundamental principles and operational bases to ensure the right of access to information for all levels of government.

• Article 6 establishes the right of data protection, as a limit of the right of access to information:

The information related to privacy and personal data will be protected under the terms and with the exceptions prescribed by the laws.

• Article 16:Every person has the right of protection of his personal data, and the right of access, rectification and cancellation to it, and to express his opposition in the terms fixed by the law, which establishes the hypothesis of exception to the principles that regulate the treatment of data, for reasons of national security, public order dispositions, public security and health or for the protection of third parties’ rights.

The constitutional reform finally recognized and gave content to the right of data protection as an independent right.


Legal Framework for the Private Sector.On July 5, 2010, with the publication of the Federal Law on Protection of Personal Data Held by Private Parties (FLPPDPP), Mexico joined the group of countries that have specific legislation for data protection in hands of private sector. This law is mandatory in all the Mexican territory. It has aspects of international data protection models: European model and APEC privacy framework.

This law seeks a balance between protecting personal data and, at the same time, allowing markets to develop with free flow of information across borders.

The FLPPDPP includes all the principles of data protection and the “ARCO” rights, recognized in the document entitled "International Standards on Protection of Personal Data and Privacy, Madrid Resolution” adopted in November 2009. The law places people at the center of the protection system, recognizing and respecting their dignity. 8


9


10


Different Regulation in Public and Private SectorsAn incomplete system that "falls short" when compared with the private sector.

Different laws for each government level. Public

sector

A comprehensive system of data protection in the European tradition, with one law for the whole country.

Private

sector

The current legal framework is much more modern in the private sector.


Asymmetry in Personal Data Protection in Public and Private Sectors

FLTAPGI (public sector) Exercise of the rights to access and correction of personal data

FLPPDPP (private sector)Exercise of ARCO rights (Access, Rectification, Cancellation, and

Opposition)

12


Access and Correction (Public Sector)

ARCO Rights (Private Sector)

Since January 6, 2012, date of the enactment of the exercise of ARCO Rights, IFAI have received 50 petitions of protection of those rights, and 44 of them derived in Procedures of Protection of ARCO Rights.

13

Number of reviews derived from those petitions: 1,222 from 2003 to 2007, 728 in 2008, 822 in 2009, 845 in 2010, 941 in 2011, and 1298 in 2012. In 2012, IMSS, ISSSTE, PROFEDET and SEP were the entities that received more petitions.


Challenges

In Public Sector:• It is necessary to reform the Federal Law of Transparency and Access to Public

Government Information to ensure data protection in the public and private sectors is at the same level, in order for this right to have the same scope in both sectors.

In Private Sector:• It is difficult to implement the FLPPDPP for the next reasons: • There are several million of companies, distributed in 32 states, with

different "sizes" and "capabilities”. We are still limited to have nationwide representation.

• Companies are in the process of becoming aware of their obligations regarding data protection.

• There is an absence of a culture of personal data protection.

Mexican society is still unaware of the existence and importance of data protection right, so it is IFAI’s duty to awake consciousness.


34%

39%

47%

52%

28%

28%

30%

28%

23%

20%

15%

14%

15%

12%

9%

7%

5. Health Data

6. Medical Treatment

2. Religion

3. Ethnicity

Nothing Little Much Very Much Ns/Nc

Cultural Perspective "I will give some examples of sensitive data and for each of them tell me how much will bother you to disclose it if they were yours. Would you bother very much, much, little or nothing?“2

2 “Encuesta Nacional sobre Protección de Datos Personales a Sujetos Regulados por la LFPDPPP y Población en General”, realizada por Ipsos.


Numbers about internet in Mexico

16

2006 2007 2008 2009 2010 2011

20.223.9

27.630.6

34.9

40.6

Number of internet users in Mexico 2006-2011 (millions)

+14 %

Source: AMIPCI, 2012.

Mexico has a total population of more than 110 million people. According to recent studies, 40.6 million people use internet.


• In 2007, Mexico was in 10th place of the world for its number of internet users. 73% of internet users in Mexico were social network users (facebook, twitter, etc.)

• In 2006, in Mexico there were 537 millions of sales via internet (B2C) and this number raised to 1.6 billions in 2008. Travel agencies were the most important.

• In 2007, about two thirds of internet users had access to internet outside their homes, from: a cyber coffee, work, school or mobile devices. (INEGI)

17


• 82% of internet users are around 12 and 44 years old.

• In 2007, 29.2% of the users had an age between 12 and 17 years old; 23.9% between 18 and 24; 17.1% between25 and 34; and 12% between 35 and 44. (INEGI).

• 78% of that number of users’ main activities were sending e-mails, which was the most popular one. 63% of them searched information. (Study of Milward Brown México).

18


• In 2007, at least 64% of the adult internet users said they used online bank services. 70% of them made transactions in which their credit card number was required. (AMIPCI).

• The Chairman of the Mexican Association of Banks announced that the bank system requires a raise in its security levels due to the concerns for the high percentage of identity theft.

• It is a fact that nowadays communication tools are more accessible for almost all the population, but at the same time we don’t stop to think if our personal data is used, kept and protected properly.

19


• For example: Nowadays, every week 6000 smart devices which contain personal data, get lost at Los Angeles Airport. In consequence, some questions come to our minds, who has this information, what use was given to that data or who are misusing it.

• In 2008, a hacker was caught for stealing credit and debit card numbers of more than 40 million of bank accounts, in companies and shops such as TJX Dave & Busters, Barnes & Noble, sport Authority, Forever 21 y DWS, OfficeMax, Boston Market, BJ´s Wholesale Club.

• Security must become an important element of business’, people’s and government’s daily routine, accordingly to the use of information and communication technologies and to their activities in internet.

20


Internet users in 2012• In 2011, the number of internet users reached 40.6 millions (37% of the

total population), which represents an increase of 14% compared to 2010. The PC´s (64%) and Laptops (61%) are the most used devices for internet connection.

• The use of smartphones to access internet (58%) doubled compared to 2010 (26%), thus the use of PC and Laptop decreased.

• The average time of connection to internet is 4 hours, 9minutes.

• The main online activities in Mexico are: the use of e-mail (80%), social networks (77%) and searching of information (71%).

• The main entertaining activities are: the use of social networks (86%), reading news (61%) and downloading videos and music (37%). The principal social networks in Mexico are Facebook (90%), Youtube (60%) and Twitter (55%).

Source: AMIPCI 2012

21


• In Mexico, social network (79%), online banking (65%) and online shopping (62%) sites are mainly where internet users give personal data.

• 9 out of 10 Internet users have provided identification data (name, photograph, age, address, gender, Federal Taxpayer’s Code (RFC) and Unique Code of Population Registration (CURP) and almost 4 out of 10 have provided sensitive data (ideology, political affiliation, religion, ethnicity and sexual preference).

• 76% of internet users have enabled the privacy settings offered in the social networks, and 61% do not know how will their personal data will be processed in these networks.

• The Mexican internet users who do not access social networks is because they are not interested (62%), they want to protect their personal data (53%), they do not have time (41%), they cancelled their accounts (27%) or they do not know how they work (17%).

Source: AMIPCI 2012.22


• If we focus on internet users’ ages, the majority are children and teenagers, so the responsibility must be shared in the family, public, private and social sectors.

• Family must teach children how to use internet responsibly and securely. Children must be warned about the risk of providing personal data to other people. Parents and tutors must be responsible to avoid that the information their children provide will not affect their privacy or others’ privacy.

• Adults must have a privacy culture and good control of personal data systems, and when someone asks for their personal data, they must ask themselves: for what purpose is it going to be used? Is that data necessary for that purpose?

23


• Concerning enterprises we must understand that privacy is not a factor against commercialization. On the contrary, personal data protection must be considered as a strategy to get well positioned in front of other enterprises, simply for doing safest transactions.

• If enterprises adopt models and systems which guarantee that personal data collection from their clients is necessary, and that they can protect it, that will result in confidence and loyalty of the consumers.

• Enterprises will be more prestigious showing respect for their clients’ right of privacy.

• In this world in which ICTs change, people must know which of their personal data is collected, and the reason of its collection.

• Enterprises and public entities in order to face personal data loss, must know how to report, recover and remedy (3 R’s).

24


• Nowadays we can hardly imagine a world without internet. However, we must be aware that with every technological innovation that is placed in the market, a new risk for privacy is originated.

• It is unavoidable to recognize that ICTs give people the ability to collect and process great amounts of personal data in an easier and efficient manner.

• In this way, the principal commitment we must assume is to make people aware that in order to exercise completely our right of privacy, we must: make people conscious, educate and warn people about the consequences of giving their personal data, and the measures that must be taken.

25


• Our first task is to work preventing, educating and informing about personal data protection.

• Enterprises which have personal information and personal data owners must be responsible for that data, the first must comply with the law and specifically with the principles of personal data protection, and the second ones for taking an informed decision of providing that data.

• A data protection culture must be created. As owners of personal data, we must be sure that the information is being collected, used and transferred accordingly to the principles of purpose, proportionality, consent, responsibility, legality and loyalty.

• Work with enterprises must be done in order to make data protection become a strategy of respect towards the consumer which will guarantee more sales instead of representing a cost for selling their products.

26


The Ibero-American Network of Data Protection (RIPD as its acronym in Spanish)

• It is integrated by 23 countries. IFAI (Mexico) chairs the Presidency, Spain’s DPA, the Permanent Secretary, and the other three members of the Executive Committee are the DPAs from: Costa Rica, Colombia and Uruguay.

• The RIPD was established as a response to the need to foster, maintain and strengthen a close and constant exchange of information, experiences and knowledge among Ibero-American countries, through dialogue and collaboration in issues related to personal data protection. It became a forum for the promotion of the Fundamental Right of Data Protection within this community.

• The RIPD is open to all Ibero-American countries that wish to promote and implement initiatives and projects related to this matter. It intends to create an integrating forum that will allow for the different social actors to get involved, both from the public and from the private sector. 27


The Ibero-American Network of Data Protection (RIPD) role

• It is a key goal for the institutions that comprise the RIPD to boost and implement the Fundamental Right of Personal Data Protection through entities with power and competence to urge national governments to elaborate regulatory laws related to this right.

• Nowadays, the objectives of the RIPD do not consider any enforcement actions. One of the recent projects is the development of a website which main purpose is to compile the jurisdiction of the member States to serve as a reference to share studies and good practices on the subject.

28


Convention 108 “Convention for the Protection of Individuals with Regard to the Automatic Processing or

Personal Data• In 1981, when Convention 108 was adopted, there was agreement to

apply its principles to the public as well as the private sector.

• The purpose of the Convention is to secure respect for the right of privacy for every individual.

• Already in 1981, Convention 108 adopted a deliberately international approach, reaching out beyond Europe. Article 23 provides for accession by non-member States (States which aren´t members of the Council of Europe).

• Several countries such as Argentina, Brazil, Colombia, Peru, Uruguay and Mexico have a constitutional right of data protection. The accession to the Convention by Latin American countries is not difficult due to the similarity between European and Latin American legal traditions. 29


Proposals for the Modernization of Convention 108

• Two main objectives are pursued: to deal with challenges for privacy resulting from the use of new ICTs and to strengthen the Convention’s follow up mechanism.

• Addition of the notions of “human dignity” and “the right to control one’s own data and the use made of such data”.

• There are special categories of data established in article 6, which consist of a list referred to data revealing racial origin, political opinions or religious or other believes, as well as personal data concerning health or sexual life and also data related to criminal convictions. With the modernization, it is proposed to add genetic data, trade-union membership, as well as biometric information.

• The modernization foresee new obligations regarding transparency of processing, impact assessment and privacy by design.

30

Instituto Federal de Acceso a la Información y Protección de DatosInstituto Federal de Acceso a la Información Pública

Thank you

[email protected]

www.ifai.org.mx

(52 55) 500 42400

mailto:[email protected]

http://www.ifai.org.mx/

instituto federal de acceso a la información y protección de datos protection of personal data in...

Documents

instituto federal

right of data protection

federal government

federal system

federal public administration

personal data ifai

sensitive personal data

right of protection