The right to privacy is a fundamental right in a democratic community that embraces article 11 of the American Convention on Human Rights, 12 of the Universal Declaration of Human Rights, and 17 the International Covenant on Civil and Political Rights. At the same time, the right to privacy is governed by a local framework that involves different laws ensuring the protection of personal data [1] as, according to the UN Special Rapporteur for Freedom of Opinion and Information, the protection of personal data constitutes a special kind of safeguard of the right to privacy. [2]

By Emiliano Villa

Trafficking personal data is a constant activity that often involves public and private organizations and, of course, the complex world of the internet. It is, prima facie, an unlawful activity that has gained strength in certain websites and provoked significant public alarm over the past few years. In fact, all you need is a little technical know-how and a few minutes online to access a database containing personal information on a particular individual.

Until recently, the main goal of hacking was to destroy information and penetrate the security systems protecting that information; today, however, the business has shifted to a mercantilist model where personal data -or even entire identities- are offered to the highest bidder, thus generating a market for buying and selling personal data.

There are, then, entire websites dedicated to providing data from public or private archives and databanks, without the knowledge of the person whose information is being shared. We have known for a while of the existence of a new internet site that reveals personal confidential data while, undoubtedly, threatening the privacy and security of citizens. This site is currently running in Argentina, Chile and Paraguay. Although it was also running in Mexico, the Federal Electoral Institute (Instituto Federal Electoral, IFE) filed a claim and managed to have the site taken down.

The site in question is www.buscardatos.com which, by merely entering a person’s name and last name, provides -among other data- the person’s address and area of residence, phone number, date of birth and license plate number. All of this data is private and should not be open and massively available online.

I shall next describe how the process for removing the site began in Mexico, with hopes that it can be imitated in the rest of the countries in the region where the site is currently running (for reasons that are beyond comprehension).

In 2013, the IFE’s Legal Department denounced buscardatos.com before the Mexican General Attorney’s Office (Procuraduría General de la República, PGR), as it deemed the site’s activity to be obviously unlawful for making the personal data of citizens available to the general public.

The Federal Personal Data Protection Law of 2010 prohibits the diffusion of personal data without authorization from the rights holder. This law stipulates three months to three years imprisonment to anyone who threatens the security of a database under their custody; of six months to five years to anyone trafficking personal data by way of deception; and twice those penalties if it involves confidential data. Therefore, the Federal Institute of Access to Information and Data Protection (Instituto Federal de Acceso a la Información y Protección de Datos, IFAI), the applicable law enforcement agency, publically announced that it would file the corresponding claim before the PGR “against those responsible for the unlawful use of personal data.”

In Argentina, the Personal Data Protection Law (Law No. 25,326) provides that use of personal data is unlawful when the rights holder did not freely grant express informed consent for said use. Although authorization is not required when the data involved is limited only to the person’s name, personal identification number, tax or social security ID, occupation, date of birth, or any other data that could easily be obtained from public agencies, the rights holder must still be dully notified of the reasons for using his or her data. This is not the case in sites like the ones we are describing, which disseminate the information of millions of citizens.

These are private websites that provide data from private and public archives and databases without the knowledge of the person whose data is being shared regarding what this information will be used for. This is, without a doubt, unlawful and local personal data protection legislation grant applicable agencies adequate tools for safeguarding this information and ensuring the privacy of citizens who wish to keep their information private. Yielding this privacy and allowing an irresponsible interference with this data on behalf of actors who profit from sharing private data can lead to a dangerous tendency that may be difficult to overturn in the future.