Panama’s data privacy law took effect on March 29. The law requires processors of data to obtain their subjects’ prior consent, and they must define the purpose for collection of data. Collectors of data are also required to take actions to keep data secure. What are the most significant parts of the law, and how adequate will it be to keep consumers’ data secure? How do Panama’s data privacy rules compare to such laws in other countries, and should legislators elsewhere use it as a model for their own data privacy efforts? What are the most important ramifications of the law for businesses in Panama?
Raúl Echeberría, executive director of the Latin American Internet Association (ALAI): “Panama’s data protection law closely follows the GDPR model, but it has some key provisions that deviate from it, and that might have an impact on how the law is interpreted and implemented. For instance, the law includes, besides consent, four additional bases of legitimation for the treatment of personal data, following the GDPR expansion of such legal basis. However, legitimate interest, which is indeed included as a legal basis in the GDPR and deemed as a flexible tool that is closely related to accountability, is included in this law as an exception to consent, and not as an autonomous legal basis. With regard to the impact of Act 81 on businesses, this law has the potential to promote innovation and development in the digital economy. This now depends more on its regulation and interpretation. There is an opportunity for the national Data Protection Agency (ANTAI) and for the executive branch to include certain provisions in the secondary norms that can provide certainty to the companies that will act as controllers and processors. In this regard, the accountability provisions included in the law should allow those controllers and processors to choose various means of accrediting the legitimate use and adequate protection of users’ personal data, without being affected by a priori restrictions on legitimate processing activities. It is best that neither the law’s interpretation nor its implementation adopt a restrictive stance toward a certain technology, industry or data-processing activity, especially in this initial implementation phase.
ANTAI’s role will be instrumental to adequately balance the law’s provisions with a practical and forward-looking execution in subjects such as international data transfers (an important pillar for international trade), automated decisions (an essential tool benefiting a wide array of industries), user rights (such as data portability) and differentiated access of minors to digital services and the informative self-management that ensues according to their maturity level, given that youth will be increasingly dependent and interested in the use of a wide array of digital services for their personal and professional development.”
Rodrigo Noriega, columnist on legal analysis at La Prensa in Panama City: “The protection of private data and personal information has improved under Law 81. The basic principle of the legal framework is that private data belongs to each individual citizen. Most transfers of personal data will require prior consent given by the titleholder, in this case the individual. The law exerts full jurisdiction over databases in Panama, excluding those in other jurisdictions. There are some ambiguities regarding freedom of the press, particularly in cases of ‘corrections’ of mistakes, errors, imprecisions or data that the owner believes are false or impertinent. The law sets up an administrative procedure to obtain changes in the personal data managed by third parties. In the final analysis, Law 81 is a step in the right direction. Although it has shortcomings, privacy protection has improved. Major local corporations have changed, but the Panamanian government is still behind the curve. Maybe Covid-19 is liable for the situation. In 2002, Panama enacted Law 6 of transparency and access to information, which followed the U.S. FOIA model. Law 6 became a good starting point for Latin American countries; Law 81 now represents a work in progress. A better model needs to be developed to protect personal data all over the world.”
Irvin A. Halman, president of the National Center for Competitiveness in Panama and former general administrator of Panama’s National Authority for Governmental Innovation: “Panama has made significant inroads in the advancement and use of digital government and e-commerce through digital platforms. Therefore, it also needs norms to assure citizen and consumer confidence in the treatment of their personal data. Although constitutional rights on data protection had already existed (a legal mandate for the Transparency and Access to Information Authority, or ANTAI, for data privacy oversight), Panama lacked a legal framework for data protection, and citizens had increasing concerns about the inappropriate use or sale of their personal data. After ample consultations initiated in 2016, Panama’s executive branch submitted a bill inspired by Europe’s GDPR, and Panama’s Congress approved it in 2019. It took effect last month, two years after its passage, providing sufficient time for business, government and nongovernmental institutions to conform their systems and procedures to the new law, as well as for ANTAI to issue its regulations, which are pending approval by the executive branch. Law 81 establishes overarching general principles for its interpretation and application (loyalty, purpose, proportionality, truthfulness and accuracy, data security, transparency, confidentiality, legality and portability) as well as the ARCO rights, including portability, in Panama and in cross-border data treatment. There are exceptions, including for penal processes, national security and in regulated sectors, as long as minimum technical standards are met. The law requires businesses to communicate with subjects when data breaches occur. ANTAI has the legal capacity for overall supervision, and the sector regulators will establish specific procedures and standards to be met.
The law establishes a public-private sector advisory, the Personal Data Protection Council, which the Ministry of Commerce and Industry oversees. ANTAI can impose fines, considered low when compared to legislation in other countries, that range from $1,000 to $10,000. The amount depends on the severity of the violation, which in very serious cases can lead to sanctions such as closure of a database or the temporary or permanent suspension of an activity.”
Alejandro Valerio, associate practice leader for Latin America at FrontierView: “Panama’s data privacy law used the E.U. General Data Protection Regulation (GDPR) as a benchmark, which governs how personal data of individuals in the European Union may be processed and transferred. Panama’s law is an important step to attract investment after last year’s economic fallout. Good data protection legislation reassures investors about a country’s rule of law, particularly for a global business hub like Panama. The most significant parts of the law are: 1.) the broad list of rights protecting individuals’ and firms’ personal data; 2.) the creation of ANTAI, a centralized authority to enforce the law; and 3.) the exception the law grants to the banking sector to be regulated by the entity that supervises it. By excluding Panama’s financial system, which is arguably the sector most interconnected to the global economy, the new law avoids bureaucratic entanglements that could make the sector less competitive. Panama’s law is perhaps the most updated in Latin America, as countries such as Argentina and Chile enacted legislation in this area two decades ago. Because most Latin American countries are trying to update their data protection laws according to GDPR guidelines, legislators elsewhere should look at Panama’s law aiming to have access to the economic benefits that stem from having a robust data protection framework. The most important ramification of the law for businesses in Panama is that it will force them to be more careful about the use of personal data in order to avoid reputational damage and administrative fines.”
Joaquín Jácome, senior partner at Jácome & Jácome in Panama City and former trade minister of Panama: “Law 81 regulates all matters concerning personal data storage. This law is aimed at individuals, as well as public and private entities, with notable exceptions including law enforcement agencies for preventive and punitive purposes, national security and financial intelligence analysis carried out by government authorities and all specially regulated databases. One crucial element of this law is that while it was approved in March 2019, it came into force two years later, in March 2021. The law also establishes the National Authority of Transparency and Access to Information as the governing body on this matter, which is to be assisted on technological matters by the Governmental Authority of Innovation. One of its predominant aspects is that it requires a person to give prior consent to a data processor before it gathers their personal information. Once their information is stored, said person is entitled to several irrevocable rights, such as the right to access, rectify and delete their data from these databases. Additionally, the law establishes that before transferring data from one database to another, the rightful owner of said data must give their expressly written consent. This law applies to all databases that are currently established in Panama and has a retroactive effect. Even though this overdue legislation is not as comprehensive and specific as its counterparts in the European Union, it constitutes an important step forward that should be emulated by other countries in the region. As for the possible effects of this law on the business community, the stricter data protection requirements mean that corporations must tighten the security of their databases, based on the sensitivity of the data they handle. As always, responsible corporations are mostly compliant with the law’s requirements. 
If correctly implemented, this law could bring great benefits to both consumers and businesses.”
Mariela de la Guardia Oteiza, partner at Icaza, González-Ruiz & Alemán: “Law 81 establishes the principles, rights, obligations and procedures that regulate the protection of personal data in Panama, with exceptions as to the scope of application for data subjects whose personal data is expressly regulated by special laws or by regulations. Law 81 applies to databases located in Panama that store or contain personal data of nationals or foreigners or those data controllers domiciled in the country. Panama’s constitution and laws establish that consent is required for the processing of subjects’ personal data and that they must be duly informed as to the purpose of that data’s use. Additionally, data must be obtained in a way that allows it to be easily traced. The law also establishes that sensitive data cannot be transferred without the data subject’s explicit consent. The National Authority of Transparency and Access to Information, the regulatory entity, is empowered to sanction data controllers and custodians of databases who have infringed the rights of subjects’ personal data. It also shall fix the amounts for the applicable sanctions, without prejudice to the patrimonial or moral damages that the wrongful treatment of the data could cause. An executive decree, which could clarify and develop some of the law’s points, has not yet been approved to regulate this law.”