Personal Data, Companies and the Cloud: Are we ready for it?
by Digital Rights LAC on April 6, 2015
Cloud computing technology, so advanced in other parts of the globe, is incipient in Latin America in general and Argentina in particular. Nevertheless, according to recent studies (Usuaria Research, 2013), Argentine businesses expect to see substantial growth in the adoption of cloud technology in 2015, especially in the hiring of public cloud services provided by large multinational companies, including Google, Amazon, Microsoft and Rackspace, amongst others.
By Valeria Milanés, Asociación por los Derechos Civiles
The greatest concerns raised over the adoption of cloud computing relate to privacy and to data and information security, not only for the company's own data but especially for client and user data.
What is the situation like in Argentina? The dominant legal framework is Law N° 25.326 on Personal Data dated 30th October 2000 (based nearly word for word on the Spanish legislation), modified by Law 26.343 dated 12th December 2007, and the regulation deriving from it, including Regulatory Decree N° 1558/2001 of the same Law and all the Provisions issued by the enforcement authority, the National Personal Data Protection Department (DNPDP, as it is known in Spanish).
Also noteworthy are art. 43 of the National Constitution, as well as the international conventions that are constitutional in nature and applicable in accordance with art. 75 subparagraph 22 of the same body of law.
Argentine Personal Data Protection law is viewed as being among the most advanced data protection legislation. Firstly, it establishes the lawfulness of databases that are duly registered with the D.N.P.D.P., taking “file”, “record”, “database or databank” interchangeably to mean the organised set of personal data being treated or processed, electronically or otherwise, in any shape, form of storage, disposition or access.
The law also determines aspects of data quality, security and confidentiality, data holder consent, applicable conditions for assigning and transferring data internationally (including in both cases shared responsibility between the person responsible for the data and the contracting third party), data holder rights (regarding information, access, rectification, updating, suspension), habeas data, requirements and procedures concerning database registration, and criminal sanctions, amongst other provisions. It also declares chapters I, II, III, IV and art. 32 to be matters of public order, which is not a minor issue: public order legislation cannot be negotiated or waived, which means that any obligation assumed to the contrary goes against the law.
On the other hand, with regard to the cloud, large multinational public cloud service providers are known for using adhesion contracts, which generally do not contain the specifications established by Law 25.326 and in which the applicable law and predetermined jurisdiction are those of the place where these companies are legally domiciled, mainly US cities. Furthermore, the servers that store the information are sometimes not even in Argentina.
Notably, because it does not have Personal Data Protection legislation, the US is viewed as a country with inadequate protection by international and national standards. This is also not a minor issue, because Argentine law requires that special administrative authority be granted in the case of international data transfers (cf. art. 12 Decr. Reglam. 1558/2001).
In addition, application of and compliance with the Personal Data law are limited. For example, in 2012, after twelve years in service, the D.N.P.D.P. had registered 20,000 databases, compared with 1,600,000 databases registered by that date and within the same period with the Spanish Data Protection Agency.
Equally, Argentine businesses are not renowned for their adoption of international data protection standards. Very few local companies have obtained certification under ISO 27001 and other related standards, not to mention the recent ISO/IEC 27018, which specifically concerns cloud security standards and which is only now coming under the scrutiny of specialists in the field.
Thus, we may conclude that Argentina still has a long path to tread in terms of data protection and that, in order to implement cloud technology beneficially, joint and responsible public and private sector growth is necessary, with a view to bringing commercial practices in line with the current legal framework.
This also holds true for the region, which to a lesser or greater extent consists of countries with personal data protection regulations. The issue continues to challenge the State, the business sector and users, who provide their data, with the need for actions towards effective implementation of and compliance with current laws and the adoption of responsible and sound business practices so that, as far as possible, personal data privacy and security guarantees are preserved.
Image credit: (CC: BY) JD Hancock / Flickr