Privacy and the protection of personal data are important human rights that we must strive to protect. In Panama, the right to privacy is enshrined in Articles 29, 42 and 43 of the Constitution. Similarly, the American Convention on Human Rights, ratified by Panama, enshrines in its article 11 the protection of the right to privacy.
When these rights are not properly protected, the lives of real people can be adversely affected. More and more data about each of us is being shared, more and more frequently, through a growing number of relationships with traditional businesses, e-commerce, financial institutions and government entities. In short, the list is endless. This is why many countries around the world have strengthened their data protection laws and have reinforced the compliance measures that can be imposed on an organization when privacy rights are violated.
For this reason, the importance of regulating the protection of personal data in Panama had long been pointed out, given the interactions that are constantly arising, especially in the cyber environment. Finally, Law 81 of March 26, 2019 on the Protection of Personal Data (“Law 81”), published in Official Gazette 28743-A of March 29, 2019, was enacted. This law will become effective on March 29, 2021.
Law 81 of March 26, 2019
This Law “aims to establish the principles, rights, obligations and procedures governing the protection of personal data, considering their interrelationship with the private life and other fundamental rights and freedoms of citizens, by natural or legal persons, public or private law, profit or not, who treat personal data under the terms provided in this Law.”
Key definitions:
Law 81 defines a series of terms related to data protection. Among the most important are:
Sensitive data. Data that refers to the intimate sphere of the holder, or whose improper use may give rise to discrimination or entail a serious risk for the holder. Personal data considered sensitive include, but are not limited to, data that may reveal aspects such as racial or ethnic origin; religious, philosophical and moral beliefs or convictions; trade union membership; political opinions; data relating to health, life, sexual preference or orientation; and genetic data or biometric data, among others, that are subject to regulation and aimed at univocally identifying a natural person.
Personal data. Any information concerning natural persons, which identifies them or makes them identifiable.
Data processing. Any operation or set of operations, or technical procedures, automated or not, that makes it possible to collect, store, record, organize, elaborate, select, extract, confront, interconnect, associate, dissociate, communicate, yield, exchange, transfer, transmit or cancel data, or use it in any other way.
Data Controller. Natural or legal person, under public or private law, whether for profit or not, who is responsible for decisions relating to the processing of data and who determines the purposes, means and scope, as well as issues related to it.
Database custodian. Natural or legal person, of public or private law, for profit or not, acting in the name and on behalf of the data controller for the processing and entrusted with the custody and conservation of the database.
Confidential data. Data that by its nature should not be known to the public or to unauthorized third parties, including data protected by law, by confidentiality or non-disclosure agreements, in order to safeguard information. In the case of the Public Administration, these are data whose processing is limited to the purposes of this Administration or to cases where the express consent of the owner is obtained, notwithstanding the provisions of special laws or the regulations that develop them. Confidential data will always be of restricted access.
Scope of application: Law 81 applies to databases located in the territory of the Republic of Panama that store or contain personal data of nationals or foreigners, or where the person responsible for processing the data is domiciled in the country.
Databases of subjects governed by special laws, for example, banking, insurance, etc., are excluded from the Law, provided that these laws or the regulations that develop them establish the minimum technical standards necessary for the proper protection and processing of personal data, as established by Law 81. In addition, the following processing of personal data is excluded from the scope of Law 81:
Requirements for the processing of personal data: The processing of personal data may be carried out if any of the following conditions are met:
Cross-border processing:
The storage or transfer of original personal data or data stored within the Republic of Panama that is confidential, sensitive or restricted, that is processed across borders, shall be permitted provided that the data controller or custodian of such data complies with the standards of protection of personal data required by Law 81, or can demonstrate that it complies with the standards and rules of protection of personal data equal to or higher than those required by Law 81.
Exceptions:
Processing of data that does not require the consent of the data subject:
Sensitive data:
Sensitive data cannot be transferred, except in the following cases:
Where the consent relates to sensitive personal health data, the consent shall be prior, irrefutable and explicit.
General Principles and ARCO Rights: ARCO rights are recognized as inalienable rights. They are the rights that data subjects have to access, rectify, cancel and oppose the use of their data. In addition, Law 81 establishes a series of general principles that inspire and govern data protection and that guide the interpretation and application of the law. Among them are the principles of loyalty, purpose, proportionality, truthfulness and accuracy, data security, transparency, confidentiality, legality, and portability.
Conclusions: Any organization that processes personal data by any means, whether it is an e-commerce business, a government entity or any other, has the duty to do so while respecting the data subject's right to privacy. However, it is important to keep in mind that this is not an absolute or unlimited right. For example, it may be unavoidable to process a person's personal data in order to fulfill a contractual obligation of the company or an obligation determined by law, so the consent of the data subject will not always be the basis of justification for the processing of his or her personal data. In addition, there are contexts in which this right is not applicable.
Another issue to be considered is that the notions of personal data and personal data processing can be very wide-ranging. This should be kept in mind when a company or organization requests information, since only the minimum data necessary for the purpose for which it is requested should be collected. Likewise, personal data can only be used for the specific, legitimate and explicit purposes for which they were authorized when they were originally collected. Any other use of these personal data requires one of the following: the consent of the data owner; a special law approving such processing; that the processing is necessary for the fulfillment of a contractual obligation to which the data owner is a party; or that it is required by a public entity in the exercise of its legal functions or by order of a competent authority.
The concept of data protection is based on the fact that the data subject is the owner of the personal data and has the power to determine its use.
Finally, a regulatory decree developing the provisions of Law 81 is currently awaited, and it will surely add many more elements to be taken into account. However, it is recommended that companies begin a process of self-evaluation as soon as possible in order to adapt their processes, contracts, and other documentation to comply with the obligations that arise from Law 81.
The world changes at a dizzying pace, and with each step technology takes, new environments emerge. The most significant recent development arose through the Internet, which continues to evolve and transform the way we communicate and do business. This has brought with it the need to protect the technological infrastructure against countless threats in an increasingly complex environment. Many will attempt, among others, the theft of competitors' secrets (corporate and industrial espionage), theft of personal data for extortion, theft of financial assets, blackmail, blocking of systems, identity theft, destruction of information, and sale of data on the dark web.
All of the above implies that, since data exists in both a physical and a digital environment, it is important for organizations to guarantee the security of data even before acquiring it.
In 2019, a new personal data protection law was passed in Panama. This law will come into force in March 2021 and will require companies to install protocols and systems for the custody, collection and treatment of personal data contained in their databases.