Identifiable trends in LAC data protection legislation

While data protection legislation has existed throughout Latin America and the Caribbean since the early 2000s, the enactment of the European Union’s General Data Protection Regulation (GDPR) in 2018 triggered a wave of legislation in Latin America and the Caribbean, modeled after the protections and obligations enumerated within that landmark European law.

As a result, over the past five years legislation throughout the region has undergone - and is undergoing - massive changes to bring it up to date with modern risks and realities. These new data protection regimes have opened new potential avenues of liability for your insureds that can be mitigated with well-developed insurance programs and robust incident response plans.

In the short note below, we will be delving into the trends pervading most of this new legislation that can and will directly impact businesses and industries, and by extension their (re)insurers, throughout the region.


Chief among the innovations adopted by various pieces of legislation across our region is their extraterritorial effect, which reflects and appreciates the cross-border nature of the global digital economy. Practically, this means that, in some jurisdictions, a company can have no physical presence or operation on the ground. However, if they process the data of nationals of that jurisdiction, they will be subject to the obligations - and sanctions - of that country’s data protection regime.

A common trigger for a law’s extraterritoriality is if the data processing activities are related to the offering of goods or services to data subjects that reside within that particular jurisdiction. For example, Article 3 of Brazil’s Lei Geral de Proteção de Dados (LGPD) establishes that the LGPD applies to processing operations carried out by natural persons or legal entities. This is irrespective of the means, the country in which its headquarters is located, or the country where the data is stored, provided that:

  • The processing operation is carried out in Brazil;
  • The processing activity is aimed at the offering or provision of goods or services or at the processing of data of individuals located in Brazil; or
  • The personal data being processed was collected within Brazil.

However, Colombia is an interesting case where its courts and its data protection regulator are of the position that the mere processing of data subjects domiciled in Colombia, even if it is done from abroad and no matter the purpose, is enough to trigger its data protection regime’s extraterritoriality (Law 1581/2012 and its follow-on legislation).

Finally, it should be noted that many data protection laws in the region have not yet incorporated an extraterritorial effect to their regimes. However, this is something that will slowly start to change as legislation is updated and modernized.

Notification and risk of harm analysis

Another relevant advancement adopted within legislation throughout the region is the requirement for those that have suffered a security incident to notify their national data privacy regulator and/or the affected data subjects themselves of said incident.

While some jurisdictions, like the Cayman Islands and Ecuador, require that this notification be an automatic consequence of suffering a security incident, many legislations require that a risk of harm analysis be undertaken, and should certain criteria be met, then the notification obligation is triggered.

Jurisdictions differ as to whom this risk of harm analysis should be applied to. Some jurisdictions, like Brazil and Mexico, focus this analysis on the data subjects - i.e., the owners of the affected data. For example, in Mexico, the Federal Law on the Protection of Data Held by Private Parties and its follow-on legislation, requires that security breaches that significantly prejudice the pecuniary or nonpecuniary rights of the data holder be notified to the relevant data subjects.

Other jurisdictions, like Panama and Colombia, focus this analysis on the data itself. Colombia’s Law 1581/2012 obliges notifications to the local regulator and the data subjects following security incidents that generate a “risk to the administration of the owner’s data”. A risk to the administration of the owner’s data has further been defined as a “violation of security codes or the loss of and/or unauthorized access to information found in a database.”

Contrast this with the Cayman Islands, where the Data Protection Act of 2021 states that a notification be issued to both the data subject and the regulator following any personal data breach, defined as a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or, access to, personal data transmitted, stored or otherwise processed.”

Outside of creating burdensome obligations to potential insureds that have recently undergone a security incident, these notification requirements also create an additional layer of liability from both the regulators - in the form of sanctions - and the affected data subjects.

As seen in the United States and Europe, companies are increasingly becoming the target of securities actions for the failure to adequately protect their systems and networks. At the same time, these companies are also being subject to class action litigation by the affected data subjects themselves for the damage suffered as a result of the security incident. We believe these types of actions may too arise in our region.

Regulator activity in the region

Many insureds ask how active the data protection regulators in the region are in enforcing these new rules and regulations. The answer is increasingly so.

As mentioned above, a lot of this new legislation in the region was enacted within the last five years, with many having trial periods before the full law comes into effect. Furthermore, a lot of this legislation called for the establishment of new regulators, thus necessitating a ramping up period for these newly formed regulators to find their feet.

However, we have been seeing more and more regulator activity in the region. For example, the Brazilian regulator has recently published a standard form that, as of 1 January 2023, must be used when notifying security incidents.

We also expect sanctions and regulator-initiated investigations to become more and more common. For example, the Colombian regulator has recently initiated an investigation into Avianca for alleged violations of Law 1581/2012 vis-à-vis the way Avianca collected personal data via its mobile application. The Argentinian regulator also recently issued a fine of ARS 160,000.00 (approximately USD 1000.00) Telefónica Móviles Argentina for failure to comply with a data subject’s requests relating to their right of access and right to rectification of their own data.

Final thoughts

As can be seen above, overall, the data protection regime in the region is evolving towards the establishment of stricter standards and obligations.

While this indeed does open up new potential liabilities for insureds, it also requires the same insureds to begin implementing minimum levels of data security. This generates the interesting scenario of creating greater need and capacity for (re)insurance while simultaneously creating more insurable risks. For the bold (re)insurer, the field is ripe for the picking.

For more discussion on cyber (re)insurance in the region, we invite the reader to the 2023 Miami Latin American Claims (Re)Insurance Forum, where we have two panels dedicated solely to cyber issues. The first panel will deal with the First Party cover usually provided under cyber policies; delving into systemic cyber, ransomware, business interruption, mitigation of loss, and effects of the Russian invasion of Ukraine on the cyber market. The second panel will deal with the effects cyber losses may have on other policies; delving into the interplay between cyber events and D&O, BBB & Crime, Professional Liability, and Tech Errors & Omissions policies.