In Latin America, most countries enacted data protection laws prior to the GDPR, generally modeled after its predecessor, the European Data Protection Directive of 1995. As a result, much like the Directive itself, these laws often no longer address present-day data protection concerns and must be updated—both for the protection of Latin American data subjects and to facilitate cross-border data transfers to and from the EU.
Many countries have already made updates to their legal frameworks. Below is an overview by country:
Mexico
The main data protection legislation in Mexico is the Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP) or Federal Law on Protection of Personal Data Held by Individuals. The law came into force in July 2010 and was followed in December 2011 by secondary regulations clarifying the obligations of personal data controllers under the LFPDPPP.
Additional milestones include:
- April 2013: Guidelines for privacy notices were issued.
- November 2013: Recommendations on personal data security were released.
- May 2014: Parameters for self-regulation regarding personal data were introduced.
A new law regulating data protection for entities receiving public funds—the Ley General de Protección de Datos Personales en Posesión de Sujetos Obligados or General Law for the Protection of Personal Data in Possession of Obligated Subjects—entered into force in January 2017.
While Mexico has not yet aligned its legislation with the GDPR, it has acceded to the European Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention 108) and its Additional Protocol. Countries that ratify Convention 108 are obligated to integrate its principles into domestic data protection laws.
Peru
The protection of personal data is recognized as a fundamental right under the Peruvian Constitution. Based on this principle, Law No. 29733 – Ley de Protección de Datos Personales (Law for Personal Data Protection) was enacted in June 2011 and came into force in March 2013, following the approval of Supreme Decree No. 003-2013-JUS. This regulation outlined the rights of data subjects and the obligations of data processors.
A legislative reform in 2017 introduced new classifications for data breaches and defined penalties for violations of data protection regulations.
Colombia
The right to privacy and data protection is guaranteed under the Colombian Constitution and is regulated through:
- Law 1581/2012 and Decree 1377/2013, which govern the processing of personal data.
- Law 1266/2008, which regulates credit reporting.
- Law 1273/2009, which defines criminal offenses related to personal data, such as its unauthorized disclosure or sale.
The Superintendence of Industry and Commerce (SIC)—Colombia’s Data Protection Authority—recently published a list of countries deemed to have adequate protection levels for cross-border data transfers under Law 1581. Notably, this list includes countries such as South Korea, Australia, and Costa Rica, which have not yet received adequacy decisions from the European Commission.
Chile
Chile was the first South American country to enact comprehensive data protection legislation with Law No. 19.628 on the Protection of Private Life, passed in 1999. In 2018, Chile amended Article 19 of its Constitution to formally recognize the protection of personal data as an individual right.
However, Law No. 19.628:
- Does not adequately regulate the processing of personal data via digital media.
- Lacks robust supervisory and enforcement mechanisms.
Currently, Chile does not have a dedicated data protection authority. A bill to amend Law 19.628, which includes provisions for data protection and the creation of an independent authority, was introduced and approved in general terms by the Senate in April 2018. It is still under discussion in both houses of Congress and has yet to be enacted into law.
