There are two important considerations to take into account when navigating cross-border data flow issues. First, how do private sector entities foster trust and protect individual rights when processing data? Second, how do governments access data for law enforcement and national security purposes?
When determining the legal requirements for how and whether data can be shared and accessed by private sector or government entities, the focus is usually on data protection laws. A growing number of countries are enacting comprehensive privacy legislation, which is certainly a positive development for fostering trust. However, almost all of them contain broad national security and law enforcement exceptions for obtaining data. Thus, as helpful as it may be for a country to have data protection legislation on the books, such legislation is only a piece of the puzzle; it is important to also understand how a country protects privacy when its government seeks access to data for national security or law enforcement purposes. At Privacy Across Borders, we are seeking to enhance awareness and understanding of the legal frameworks governing such access. As a first step, we are highlighting comprehensive laws that have those exceptions. In this blog post, we share our findings on four countries in Latin America: Mexico, Brazil, Argentina, and Uruguay.
While Argentina and Uruguay have both received adequacy decisions, the European Commission has recognized neither Mexico nor Brazil as providing adequate protection to personal data, despite both countries engaging in major cross-border data flows. Uruguay, Argentina, and Brazil are all growing digital markets. They are pairing their economies with dynamic technology, fostering entrepreneurial environments, and becoming leading digital competitors in the twenty-first century. However, Uruguay and Mexico are also major economic players within the South American region, and both countries currently outperform Brazil and Argentina. Therefore, the pivotal questions are: (1) what national security exceptions are specified in each country’s data protection law and (2) how does the national security legal framework of a country affect data protection?
In 2003, Argentina became the first country in Latin America to obtain the European Commission’s “adequacy qualification” and participate in the European Union (EU) data market. But pursuant to national security requirements, Argentina’s Personal Data Protection Act (PDPA) retained several exceptions. Article 10 provides that controllers or processors of personal data may be “relieved” of their confidentiality obligations “by judicial resolution and when there are well-founded reasons related to public safety, national defense or public health.” Article 17 limits individual access to data collected by the government: “Those responsible for or users of public data banks may, through a well-founded decision, deny access, rectification or deletion based on the protection of the defense of the Nation, public order and security, or the protection of the rights and interests of third parties.” Article 23 (para. 2) contains another exception, though it also has limiting text:
The processing of personal data for purposes of national defense or public security by the armed forces, security forces, police agencies or intelligence, without the consent of those affected, is limited to those cases and categories of data that are necessary for strict compliance with the missions legally assigned to those for national defense, public security or for the repression of crimes. The files, in such cases, must be specific and established for this purpose, and must be classified by categories, depending on their degree of reliability.
In an opinion, the European Parliament’s Data Protection Working Party (“Working Party”) observed that “the specific provisions of Article 23 of the Act” are constraints that “re-iterat[e] the purpose limitation principle.” However, note that “purpose limitation” is different terminology from that used in the CJEU’s judgment in Schrems II, where the court “insisted that surveillance programs be… limited to what is ‘strictly necessary’” when data is processed for national security purposes. Argentina also qualified Article 18 oversight of national security access, stating that only identified legislative committees (Argentina’s National Defense Committee; Bicameral Committee for the Oversight of Internal Security and Intelligence Organizations; and the Internal Security Committee of the Chamber of Deputies) “will have access to the [national security] files or data banks . . . for well-founded reasons and in those aspects that constitute a matter of competence of said Committees.”
However, defense laws in Argentina illustrate the complex and integrated manner in which national security legal frameworks impact the data protection of a given country. The adequacy decision for Argentina, for instance, did not specifically examine Argentina’s national security legal framework. Argentina’s National Defense Act contains broad provisions enabling access to data under certain circumstances. Article 34 provides: “The people of the nation and any legal persons settled in the country are compelled to provide information, facilitate assets and render services –according to national defense needs– when so requested by the pertinent authorities.” The European Commission solely stated that “[t]he Member States and the Commission shall inform each other of any indications that interferences by Argentinian public authorities responsible for national security, law enforcement or other public interests with the right of individuals to the protection of their personal data go beyond what is strictly necessary, or that there is no effective legal protection against such interferences” (Article 3a).
Mexico’s General Law on the Protection of Personal Data held by Obliged Subjects governs all entities, organs, and agencies of the Executive, Legislative and Judicial Branches (“obliged subjects”) with respect to personal data protection. As set forth by Article 1, the purpose of the General Law is to guarantee that the nation shall serve to protect the personal data of individuals. There is, however, a national security exception in Article 6:
The State shall guarantee the privacy of individuals and shall ensure that third parties do not engage in conduct that may arbitrarily affect it. The right to the protection of personal data shall only be limited for reasons of national security, in terms of the law on the matter, provisions of public order, public safety and health, or to protect the rights of third parties.
Additionally, Article 70 invokes Mexico’s authority to carry out transfers of personal data without the holder’s consent in nine cases, one of which covers reasons “necessary for national security.”
Moreover, Mexico’s National Security Law defines “intelligence” broadly as “knowledge obtained from the collection, processing, dissemination and exploitation of information for decision making in matters of [n]ational [s]ecurity” (Article 29) and states that information “may only be collected, compiled, processed and disseminated for [n]ational [s]ecurity purposes for authorized instances” (Article 30).
Like Mexico’s General Law, Brazil’s General Data Privacy Law recognizes a national security exception where its data protection law will not apply. The law is Brazil’s first legislative effort to create data protection for individuals. Article 4 issues rules on data processing, stating that it can be “carried out for the exclusive purpose” of (1) public security, (2) national defense, (3) state security, and (4) activities to investigate and prosecute criminal offenses. Brazil’s law provides that the National Data Protection Authority (ANPD), an independent body under Brazil’s Executive Branch, is empowered to issue opinions and recommendations about Article 4 exceptions. It is important to note, however, that such opinions and recommendations are “non-binding.” To date, the ANPD has not issued public guidance on the matter.
Additionally, Public Law 9,883 provides that the Brazilian Intelligence Agency (ABIN) can “obtain [and] analyze” information data for purposes of “external defense, internal security, and foreign relations” (Article 2). Alternatively, Brazil’s Public Law 12,527 provides that access to government information may be denied “for the security of society or the State” (Article 24).
Turning to Uruguay, the European Commission’s adequacy decision arrived in 2012, making it the second country in Latin America to be recognized as providing adequate levels of protection for transfers of personal data. The Protection of Personal Data and the Habeas Data Action 2008 (“PPD”) and Decree No. 414/009 govern the nation’s data protection framework.
Both laws invoke exceptions based on national security. For example, Article 3 of the PPD states that the law “shall not apply to” databases “whose purpose is public security, defense, [and] State security.” Article 2 of the Decree reaffirms that exception: the “legal regime for the protection of personal data,” as applied to collection, registration and processing, will not apply to databases whose purpose is “public security, defense, [and] State security.”
Article 25 of the PPD attempts to narrow the national security exception by specifically designating databases belonging to the armed forces, police, and intelligence agencies. Likewise, the PPD reiterates that
[t]he processing of personal data for the purposes of national defense or public security by the armed forces, police or intelligence agencies, without the prior consent of the owners, is limited to those cases and categories of data that are necessary for the strict fulfillment of the missions legally assigned to them for national defense, public safety or for the repression of crimes.
In its Opinion on the Level of Protection of Personal Data in Uruguay, the Working Party analyzed “the dangers that could arise in [exceptions] relati[ng] to [‘]defence of the State or public safety[’][,]” and found (on page 10) that Uruguay’s law “can be considered similar to those established in Article 13 of the [Data Protection Directive].” Article 13 of the Directive discussed the public safety, defence, and State security activities of European Member States. But the GDPR effectively replaced the Data Protection Directive of 1995. Thus, because Uruguay is not a member state and the CJEU has not issued guidance on national security exceptions, any similarity between national defense exceptions is inexact.
Ultimately, an expanded inquiry into these four countries’ legal frameworks emphasizes the importance of a holistic review of national security exceptions in a post-Schrems II world. Countries generally have national security exceptions to their privacy laws; therefore, understanding how privacy and government access function also requires understanding each country’s national security legal framework. Pointing to broad exceptions in data protection laws is the starting point. A subsequent review must venture into the country’s national security legal framework in greater depth.