Does Latin America need a GDPR-type regulation?
The General Data Protection Regulation, better known as GDPR, was introduced in May 2018.
It is a set of regulations set by the 28 EU member states for better data protection and controls, replacing older laws that did not consider technological advances. It mandates that companies, EU-based or not (extra-territorial effect), which collect, store, share, or process personal data must get clear consent from the user. Otherwise, significant fines are imposed on violators, including up to 4% of a company’s global annual revenue or €20 million, whichever is greater.
Considering the EU population of 450 million and its geographic spread, this was not an easy task. Nevertheless, GDPR brought about more awareness and accountability, facilitated cross-border data transfers, and gave users some rights and control over their data.
GDPR set a precedent. Mass adoption by international companies is an example of the ‘Brussels effect’ (named for the city where the European Commission is based), wherein EU regulations are used as a model or benchmark, or adopted outright.
Today, 120 countries, including the UK, India, Turkey, Japan, South Korea, South Africa, Kenya, China, and the state of California, have drawn on or emulated the GDPR or a similar framework in some form.
Latin America has seen explosive growth of the internet, smartphones, and digital transformation, with no signs of letting up. There’s a need for GDPR-type regulation that can align the best interests of countries, companies, and citizens. From the four years since GDPR was introduced, what can countries here that have not adopted such a system, or that plan to, learn?
Should Latin America follow suit?
Let’s delve into this. There are 33 countries in Latin America and the Caribbean. Of them, Barbados, Panama, Argentina, Chile, Colombia, Costa Rica, Ecuador, Mexico, Peru, and Uruguay have been the first to adopt such regulation. Brazil recently enacted similar legislation. That’s only a third, while others are evaluating or drafting legislation, or have yet to even consider it.
If the EU overcame language barriers (with 24 official languages) to introduce GDPR, then at least linguistically it should be easier in Latam, where Spanish and Portuguese are the most spoken languages, with 418 million people.
However, the macro-economic factors must be considered. The population of Latam is larger than the EU’s by over 200 million; average per capita income is $8,340, while the EU’s is $38,230, almost 5x higher. The economic costs of implementing and enforcing it effectively matter.
GDPR has also had its challenges. Its complex regulation has been criticized as burdensome for smaller companies and startups. Some have struggled to comply and were fined as a result. It is also difficult to get consent from individuals, which depends on their understanding it and then acting if required.
This can create the risk of a ‘race to the bottom’, as companies could avoid compliance or the associated effort and costs by relocating to countries, outside or within Latin America, where regulation is weaker or non-existent.
GDPR could conflict with existing legal regimes, national security, and privacy laws, which can vary from country to country.
We must also consider each country’s economy, literacy, income levels, legal traditions, and culture. While Latam has some common languages, shared culture, and history, over 250 million speak and read other native Indigenous and regional languages. Making the law inclusive is essential for its success. Hence, applying it across the region in one broad stroke can be a challenge.
What may apply elsewhere must be put in context for Latam. For example, over 80% expected GDPR-related spending to be at least US$100,000 to set up compliance systems, cross-border data transfer requirements, security, breach notification, and data governance.
The cost to implement for EU companies is estimated at €200 billion, while for US companies, it is $41.7 billion. It can be argued that SMEs, which form the majority of the Latam economy, might not have the resources to comply, unlike big tech (such as Facebook, Amazon, and Google), which the regulation was created foremost to rein in. Similar challenges will exist in Latin America.
For users, it’s an inconvenience and extra effort to claim their rights in the event of a breach or misuse.
So far, in four years, the EU has fined a total of $1.7 billion, the majority of it levied on a handful of big tech companies. As a result, much of the data industry has learned to adapt without noticeably changing practices. To them it’s a small ‘cost of doing business’ with negligible impact on their bottom line. These are just a handful of successful cases and don’t include thousands of cases under review. This can burden the legal system.
Despite these challenges, GDPR protects individuals’ data and raises the bar. A GDPR-like regulation would have similar success here if done right.
Therefore, companies and countries must commit the appropriate resources to enforce compliance across multiple jurisdictions.
So, to conclude, does Latin America need it? There is no one-size-fits-all answer. Nor is the GDPR a silver bullet. GDPR’s real value isn’t about fines, curtailing growth, or revenue for governments, but about ensuring that companies manage user data responsibly, that larger companies do not misuse their power and reach, and that citizens are empowered to protect an asset: their digital identity.
Nevertheless, it is a step in the right direction, and it is essential that Latin America use it to fill in the gaps and to reform and unify existing data protection laws to set its own standard.