The OAS Member States had the opportunity to comment on the
project. The Draft of Principles and Recommendations was
prepared with the participation of the Legal Committee and
the Department of Modernization.
The project provides a brief analysis of the differences in
data protection among Europe, the U.S., and Latin America.
The European view of the right to privacy covers every
aspect of the individual’s life. Based on this expansive
view of the right to privacy, privacy legislation in Europe
covers the processing of personal data by both the
government and private organizations. The U.S. system
provides for self-regulation by industry of the personal
data handled by private organizations. As such, industries
in the United States are mostly self-regulated, including
most private corporations, data-mining businesses, personal
data repositories and internet-based social-networking
sites, among others. Finally, some Latin American countries
follow the concept of Habeas Data, which allows people to
access their own personal data and gives them the right to
correct inaccurate information.
The project provides a detailed report on the principles
and recommendations on data protection, summarized
below:
• Processing Requirements: Personal data should be
processed in accordance with the regulations and applicable
law, fairly, and for a “specific purpose, explicit and
legitimate”; processing should be limited to the personal
information needed to accomplish that specific purpose. The
processing of personal data should be transparent.
• Processing Purposes: The processing of an
individual’s personal data is permitted when provided for
by a contractual agreement; when necessary to comply with an
obligation imposed by a governmental authority; or when
carried out by a data processor, such as a public entity, in
the legitimate exercise of its authority.
• Data Processor Responsibilities: The data processor
must ensure that all personal data are confidential, and it
must provide reasonable technical and organizational
measures to ensure the integrity of personal data. The
processor is responsible for taking all necessary measures
to follow the steps of processing personal data imposed by
national legislation and applicable authority.
• Third Party Processors: A person in possession of
personal data may contract a third party to process such
personal data without that engagement being deemed a
disclosure to a third party, as long as the original
processor ensures that the third party offers at least the
same level of protection required by national legislation
and the agreement of the parties.
• Cross-border Transfers: International transfers of
personal data should only be performed if the recipient
offers the same level of protection, assessed using the
following factors: 1) the nature of the data, 2) the country
of origin, 3) the recipient country, 4) the purpose of the
data processing, and 5) the security measures established
for the international processing and transfer. Personal data
can be transferred to a recipient that does not afford the
same level of protection of personal data only when there is
a contractual agreement ensuring that the transfer and
processing meet the level of protection required.
• Habeas Data: People can exercise the rights of
access, rectification, withdrawal and objection to the
processing of personal data. The right of access is the
individual’s right to request and obtain information about
their personal data held by the processor of data. The
individual has the right to request correction or deletion
of data when they are “incomplete, inaccurate, unnecessary
or excessive.” The individual may object to the processing
of personal data when there is a legitimate reason, such as
the processing creating “unwarranted and substantial damage
or distress” to the individual.
• Enforcement: OAS Member States must have a
guarantor body or independent supervisory authority to
ensure enforcement of people’s rights and provide a judicial
remedy for violations and failures by the processor. This
authority should have the technical capacity,
self-sufficiency and adequate resources to carry out
investigations and audits to ensure enforcement.
Finally, the project recommends proactive measures and
cooperation in this area, through which States should
develop training, education and public awareness programs to
foster understanding of the legislation, procedures and
rights for the protection of personal data; establish
standard operating procedures for data controllers to
prevent, detect and contain potential security breaches; and
promote cooperation, nationally and internationally, between
the national authorities responsible for the protection of
personal data.