Ley No. 81: Panama becomes latest jurisdiction in the region to adopt GDPR-like protections

Since the implementation of the European Union’s General Data Protection Regulation (GDPR) in May 2018, the world has become more and more aware of data privacy given the exponentially increasing number of cyberattacks and data breaches. At the time of the GDPR’s implementation, the legislative framework in Latin America and the Caribbean vis a vis data protection and rights was quite nascent, with many jurisdictions recognizing that their citizens had a right to privacy; however, the vast majority of the legislative framework in the region did not contemplate the rights affected individuals have and the obligations data handlers should fulfill in the event of a data breach. Since May 2018, however, a wave of legislative reform has brought GDPR-like protections to the region. Perhaps the most newsworthy of these new laws is Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD) which fully came into effect in August 2021, however since the passage of the GDPR, new laws have also come into effect or have been reformed in Barbados, Colombia, El Salvador, and Jamaica, just to name a few. This summer, Panama has become the latest jurisdiction to join this list.

In March 2021, Panama’s first privacy and data protection law, Law No. 81 on Personal Data Protection (the “Law”), came into full effect. This law is further regulated by Executive Decree No. 285 (the “Decree”) that was issued in May 2021. Given that Panama’s law has now been in force for a few months, we thought it useful to give a review of the Law and its accompanying executive decree through the lens of data privacy.

Article 5 establishes the extraterritoriality, or rather lack thereof, of Law 81. Article 5, and as further clarified in Article 2 of the Decree, states that the Law will be applicable to those databases that are located within Panamanian territory and to those data handlers domiciled in Panama.[1]

Article 2 of the Law establishes the Data Security Principle, which states that those responsible for handling personal data should adopt all technical and organizational measures necessary to guarantee the security of the personal data in their care. When personal data has been leaked without authorization or when there is evidence pointing towards the existence of a security breach, Article 2 of the Law obliges the data handlers to notify the data owner, as soon as possible.[2] At the same time, Article 37 of the Decree also requires that the regulator be notified when the data handler becomes aware of any security breach, defined as any damage, loss, alteration, destruction, access, or in general, any illicit or non-authorized use of personal data, even when this occurs accidently, if said breach represents a risk to the security of the personal data.[3]

To that end, in Article 4, the Law defines personal data as any identifying information related to a physical person.[4] The Law then goes on to further sub-categorize some personal data as sensitive data, which is defined as personal data that belongs to the “intimate sphere” of the data owner, whose unlawful utilization could give rise to discrimination or a grave risk to the data owner. The Law establishes some examples of sensitive data: racial or ethnic origin, religious, philosophical, or moral beliefs and convictions, union affiliation, political opinions, health data, sexual orientation, and genetic or biometric data.        

Turning to the aforementioned notifications, which must be issued to both the regulator and the owner of the affected data, Article 37 of the Decree states that these notifications must be issued “within 72 hours of when the incident was discovered and should contain the following information in clear and simple language:

  1. The nature of the incident;
  2. The compromised data;
  3. The corrective actions taken immediately after the incident;
  4. Recommendations for the data owner to take so as to better protect their interests; and
  5. Where the data owner can go for more information on the incident.”

Speaking of the regulator, the Law establishes, in Article 7 and as further detailed in Article 54 of the Decree, the National Authority of Transparency and Access to Information (ANTAI for its acronym in Spanish) as the governmental body tasked with enforcing the Law. At the same time, Article 34 of the Law creates the Council on Data Protection to act as a consultative body to the ANTAI.

Chapter VI of the Law categorizes noncompliance with the same into three different infractions—minor, grave, and very grave. Depending on the information compromised, we note that the type of security incident normally related to a data leak can fall within any of the three types of infractions. The sanctions that the ANTAI can impose range from appearances before the ANTAI (minor infraction) to fines anywhere between USD 1000.00 to USD 10,000.00 (grave infraction) to the permanent closing or suspension of the activities of the data holder (very grave infraction).       

What This Means for Insurers

We would be happy to delve deeper into the Law at the reader’s request, but it is clear that the new data protection framework in Panama opens up new avenues of liability for cyber (re)insurers—not only in the form of sanctions from the ANTAI, but also from the possibility of actions brought against insured data handlers by affected data owners. As we note at the beginning of this article, Panama is just the latest example in the region of an adoption of GDPR-like protections and we predict that similar evolutions of the legal frameworks throughout the region will soon also be adopted. With more robust protections for data owners, cyber (re)insurers should be aware that  a significant portion of liability may now stem from third-party losses, depending, of course, on the terms and conditions of the policy at issue. With specific regard to regulator-imposed sanctions in particular, we should note that many cyber policies provide cover for these sanctions so long as they are insurable under the applicable law.                 

 

[1] “Las bases de datos que se encuentran en el territorio de la Republica de Panamá, que almacenen o contengan datos personales de nacionales o extranjeros o que el responsable del tratamiento de los datos este domiciliado en el país quedan sujetas a las normas establecidas en esta Ley o su reglamentación.”

[2] “Principia de seguridad de los datos: los responsables del tratamiento de los datos personales deberán adoptar las medidas de índole técnica y organizativa necesarias para garantizar la seguridad de los datos bajo su custodia, principalmente cuando se trate de datos considerados sensibles, e informar al titular, lo más pronto posible, cuando los datos hayan sido sustraídos sin autorización o haya indicios suficientes de que su seguridad ha sido vulnerada.”

[3] “Cuando el responsable del tratamiento tenga conocimiento de una violación de seguridad, entendida ésta como cualquier daño, perdida, alteración, destrucción, acceso, y en general, cualquier uso ilícito o no autorizado de los datos personales, aun cuando ocurra de manera accidental, en cualquier fase del tratamiento y que represente un riesgo para la protección de los datos personales, notificara de inmediato dicho incidente a la autoridad y a los titulares afectados.”

[4] “Dato personal. Cualquier información concerniente a personas naturales, que las identifica o las hace identificables.”