#89: The data protection laws and Open Finance in Latin America
W FINTECHS NEWSLETTER #89: 18/09-24/09
Since the beginning of this year, I have been studying the data privacy market extensively. Open Finance and open data ecosystems are just the beginning of a more open, interoperable, and privacy-focused world. Below is an article on the subject that was originally published in Finsiders.
We are facing a true transformation in the way we handle our finances and our data, amidst the emergence of infrastructures that enable more data to be created and shared among different companies and sectors. If data is the new oil, “we have a barrel of oil inside every company's room”. That's what I heard at an event recently.
In addition to the challenge of extracting value from this data (creating use cases, for example), another challenge that different companies and regulators are facing is preventing this oil from spilling (data leaks) to avoid harming the environment (systemic risks and a loss of trust, for example) and also ensuring it doesn't come into contact with fire (misuse of data) to prevent irreversible damage.
Given this, the world is witnessing the emergence of various data protection laws. A non-exhaustive survey conducted by W Fintechs in partnership with Boyce Data, a privacy management platform, shows that many countries have data protection laws. Furthermore, some countries are implementing a new general law that aligns with the digital economy context – and thus also integrates with Open Finance.
Variations
Laws tend to vary among countries in four aspects. The first of these is focus, with some prioritizing the protection of individuals' privacy and others concentrating their efforts on ensuring the security of the data itself. The second is scope, with some restricting their jurisdiction to companies or organizations that operate exclusively within national borders. Others extend their authority to companies that operate globally, regardless of their physical location.
The third aspect is penalties, with some laws providing for more severe sanctions for violations, while others adopt less punitive approaches. The fourth is exceptions: some laws include specific exceptions for situations such as criminal investigations or emergencies.
For example, GDPR has some unique aspects, such as the right to data portability, which is not present in all other data protection laws. LGPD, on the other hand, also has some distinct features, like the extension of its applicability to foreign companies conducting operations in Brazilian territory and the establishment of the National Data Protection Authority (ANPD).
For instance, CCPA (California) applies only to companies operating in California, USA. It imposes smaller fines for violations, but they can still be significant. Furthermore, CCPA grants California residents rights similar to those in GDPR and LGPD, such as the right to know what personal data is being collected and the right to request data deletion.
Differences among Latin American Laws
In addition to LGPD in Brazil, other countries in Latin America have also been dedicated to data protection. In Mexico, the Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP) establishes crucial rules for the protection of personal data, including consent, breach notification, and data subject rights. The authority responsible for overseeing its implementation is the National Institute for Transparency, Access to Information, and Personal Data Protection (INAI).
In Argentina, Law 25.326 (PDPA - Personal Data Protection Law) ensures comprehensive protection of personal data, including sensitive data, with a focus on privacy and access to information, supervised by the National Directorate for Personal Data Protection (DNPDP). Recently, Argentina has also introduced a data protection program related to the growth of artificial intelligence (AI).
In Colombia, the Division for the Protection of Personal Data of the Superintendence of Industry and Commerce oversees compliance with Law 1.581 of 2012. In July 2022, Bill 66 of 2022 was proposed to strengthen the protection of personal data in SMS, web, and email advertising, suggesting the creation of an exclusion registry and sanctions for companies that do not comply with user requests.
In Peru, there is an ongoing project to modernize Law 29.733, aiming to position the country at the forefront of data protection. Concepts such as the right to data portability and proactive responsibility in data processing will be introduced, while maintaining compliance with international standards.
Open Finance Regulations
All these laws share the goal of regulating the treatment of personal data, although they vary on issues such as consent, international data transfer, and data subject rights. However, when it comes to data sharing and the mechanisms involved, the situation is different. Many countries have been creating specific regulations for Open Finance that end up intertwining with their own data protection laws.
In Mexico, Open Finance is regulated by Article 76 of the Fintech Law approved in 2018. It is also subject to specific regulations that may have connections with the LFPDPPP. However, these regulations are distinct in their focus and scope. In Colombia, the Financial Superintendence of Colombia (SFC) has mandated that regulated institutions participating in Open Finance must have data processing policies and procedures in compliance with data protection laws.
In countries like Argentina, Chile, and Peru, the regulation of Open Finance is still under discussion. In these cases, the market has been seeking solutions on its own, even though all three countries have data protection laws in place.
Approaches
A study conducted by CGAP highlighted that there are three types of approaches when it comes to data protection laws and Open Finance: general law, specific law, and coexistence (such as Open Finance and LGPD, for example).
The implementation of a general data protection law that applies to Open Finance creates an equitable scenario for all market participants, regardless of size, meaning both large financial institutions and fintechs. In a way, this ensures consistency and applicability of data protection guidelines. However, this approach may face challenges by not considering unique Open Finance issues. For example, data transfer between multiple entities (including data holders, intermediaries, and data users) can result in uncertainties and regulatory gaps.
On the other hand, creating a specific law for Open Finance offers a more tailored approach to the needs of the players, taking into account the complexities of data transactions in this context. However, it can create competitive imbalances between companies covered by specific regulations and those that are not. In practice, it may create an imbalance in this data sharing market.
A third approach involves the coexistence of general data protection laws and separate Open Finance laws. This approach has the advantage of ensuring both data sharing and data protection, addressing both concerns. However, conflicts may arise between the two laws, because they can have conflicting definitions and provisions and are often not designed to work together.
Evolution
The connection between data protection laws and Open Finance in the context of Latin America is still evolving. As financial data sharing infrastructures expand in the region, it is crucial to find a balance between protecting individuals' privacy and promoting financial innovation through Open Finance.
Cooperation between regulators, data protection authorities, the financial industry, and consumer privacy advocates will play a crucial role in creating a secure and efficient Open Finance ecosystem in the countries of the region.
Until next time!