Latin American privacy laws may pose special challenges for businesses considering when and how to reopen their facilities during the coronavirus pandemic. As elsewhere, many companies operating in Latin America may decide to screen employees for their COVID-19 risk-levels before allowing them to enter a shared workspace. Already in place in many European and Asian countries, screening options primarily involve contact tracing or temperature checks. As they focus on health and safety, however, companies should also bear in mind a potentially competing interest: protecting employees’ privacy.
Background on Data Privacy Laws in Latin America
Understanding how fighting COVID-19 and preserving privacy overlap in Latin America requires a brief review of the relevant constitutional law and more recent legal developments. Data privacy laws across Latin American countries are not uniform, though most share the concept of “habeas data.” Grounded in the region’s national constitutions, habeas data — literally, “you have the data” — confers a right to privacy as a safeguard of personal dignity and allows citizens to demand access to their personal information and object to or correct processing of it. These provisions stem from the waves of disappearances that terrorized various countries. For example, Mexico’s and Colombia’s Constitutions include a right to privacy, and Argentina’s Constitution specifically affords individuals the right to obtain information pertaining to themselves that is stored in public or private databases. While significant to the region’s approach to privacy, the concept of habeas data alone does not require data processors to ensure the protection or privacy of personal data.
In recent years Latin American countries have strengthened their data privacy and cybersecurity regulations. Many have looked toward the European Union’s General Data Protection Regulation (“GDPR”),[1] which is renowned for its broad protections of personal data and privacy. For example, Argentina proposed a bill in 2018 that aligns with the GDPR,[2] and Brazil has worked to consolidate its more than 40 data privacy regulations into the Lei Geral De Protecao de Dados (“LGPD”), which is very similar to the GDPR (though implementation has been postponed to May 2021, with enforcement of fines and penalties delayed until August 2021, due to COVID-19).[3] But other countries, like Guatemala, still do not have data privacy laws. Companies should be cognizant of these new laws and the underlying legislative momentum toward greater privacy protections as they formulate their return-to-work protocols.
Contact Tracing
Contact tracing is a way to identify and monitor infected individuals’ interactions, then warn potentially exposed people to get tested, self-quarantine, and receive treatment if necessary. Several tech companies are developing contact-tracing apps that employ mobile phone technology to collect user data and conduct an electronic contact assessment and notification. While some governments are developing their own apps, at least one Latin American country has considered switching to the Apple-Google technology.[4]
The GDPR’s general framework restricts mass-sharing of information such as people’s names, addresses, or emails, but the European Data Protection Board (“EDPB”) has stated that the GDPR was designed to be flexible and that its requirements should not frustrate the fight against COVID-19, which the EDPB considers an important public interest.[5] Members of the Ibero-American Data Protection Network (RIPD),[6] such as Chile, have echoed this guidance.[7]
Colombia developed its own contact-tracing feature for its “CoronApp” that would allow the government to track COVID-19 outbreaks. But the app has gone through various iterations to address unreliable results, and questions remain about both its so-far limited adoption and privacy protections.[8] Peru also launched its own mobile app, Peru en tus manos, which collects personal data from users like their location (using GPS and Bluetooth) and medical history.[9] The app then presents that data, anonymized, indicating areas with the highest percentage of individuals self-reporting COVID-19 symptoms.[10]
Reminder of data privacy considerations with contact-tracing apps:
- Transparency & consent. To protect data that is necessary to process to combat the COVID-19 pandemic, contact-tracing apps should be voluntary without repercussion if individuals opt not to use it, and individuals should consent to the app’s functions;
- Tracing method. The EDPB has also recommended that contact-tracing apps not rely on tracing individual movements, but rather rely on users’ proximity to each other.
- Data minimization & accuracy. Data collection and use should be limited to the data needed for purposes of fighting COVID-19. Users of Bluetooth- and WiFi- enabled apps, like Colombia’s CoronApp, should also be cognizant of inaccuracies inherent in locational data: the app’s inability to decipher whether there is a barrier, like a wall or window, between individuals in otherwise close proximity, and the inability of a significant population to download the app may result in biased data sets.
- De-identification & storage. Collected data should be anonymized and deleted as soon as it is no longer needed.
Taking Temperatures
Screening employees for COVID-19 by taking their temperatures presents another set of data protection issues. Information collected about an individual’s temperature, even just noting it is high or normal, constitutes “data concerning health,” a “special category of personal data” under the GDPR. Similarly, under Argentina’s Law 25,326, health data is a category of sensitive data and therefore requires more rigorous protection.[11]
The GDPR generally prohibits the processing of this kind of data unless the controller can satisfy more stringent requirements, such as a legitimate interest, contractual necessity, or consent to process the information. This is an area, however, in which individual Member States have significant leeway to set specific requirements and enact local frameworks.
Reminder of data privacy considerations with temperature screening:
- Define scope of processed data. Minimize data collection so as not to record more personal data than is strictly necessary. Prior to collecting data, organizations should know exactly what information is needed – and in what level of detail – to fulfill the purpose of the collection. And if the data need not be retained, it is almost always best simply to not keep the data beyond its temporary usefulness.
- Provide notice to employees. As a best practice, companies should communicate with employees about how they are collecting information about COVID-19 infections and obtain permission to make disclosures to government entities. For example, the GDPR principle of transparency requires an employer to provide notice to employees even when processing under an exception.[12] Even so, temperature checks should be voluntary, such that employees can refuse without penalty. This consent element is more robust under some countries’ regimes, like Colombia’s Law 1581, than others, like Mexico’s Federal Law for the Protection of Personal Data in the Possession of Private Parties which has various exceptions to its consent requirement.
- Protect data from misuse. Furthermore, data privacy laws in Latin America require organizations that collect, use, and disclose personal information to take reasonable precautions to protect that information from loss, misuse and unauthorized access, disclosure, alteration and destruction. If they must keep the data, employers should keep data related to COVID-19 infections confidential, store it securely, and dispose of it properly once it is no longer needed.
- Ensure employees have access to their information. As discussed above, one of the core elements of Latin America’s privacy laws is an individual’s right to access the information that organizations have collected about them and to dispute the accuracy of that information. If a company processes the temperatures of its employees and stores that information, it should ensure employees are able to access any information collected as part of the screening. Of course, there is no reason to retain information that is otherwise not useful, simply in order to make it available.
Documenting the Deliberations
As the COVID-19 pandemic wreaks deadly havoc around Latin America, businesses are wise to consider how various technologies can protect their employees and ensure their continued operations. It would be prudent to consider how these technologies collect, handle, and dispose of workers’ personal information so that efforts to safeguard employees’ health also respect their privacy rights. And when a company does undertake a thoughtful consideration of data protection impacts, it is important to document these considerations in a Data Protection Impact Assessment so that the record of these thoughtful deliberations is clear in case of any regulatory inquiry.
[1] Regulation (EU) 2016/679.
[2] Proyecto de Ley Datos Personales, No. 46290265, Sept. 19, 2018 (Arg.), https://www.argentina.gob.ar/sites/default/files/mensaje_ndeg_147-2018_datos_personales.pdf.
[3] Brazil: President promulgates law postponing LGPD enforcement provisions, DataGuidance (June 12, 2020), https://www.dataguidance.com/news/brazil-president-promulgates-law-postponing-lgpd-enforcement-provisions.
[4] Paresh Dave & Stephen Nellis, Colombia’s Coronavirus App Troubles Show Rocky Path Without Tech from Apple, Google, Reuters (May 6, 2020, 9:08 PM), https://www.reuters.com/article/us-health-coronavirus-colombia-apps/colombias-coronavirus-app-troubles-show-rocky-path-without-tech-from-apple-google-idUSKBN22J03W.
[5] European Data Protection Board, Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak (Apr. 21, 2020), https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_20200420_contact_tracing_covid_with_annex_en.pdf.
[6] As of 2019, the Latin American members of RIPD were Argentina, Chile, Colombia, Costa Rica, Mexico, Peru, and Uruguay, with several other countries participating as observers. See Red IberoAmericana de Proteccion de Datos, Memoria de Actividades Red IberoAmericana de Protección de Datos (RIPD) 25 (2019), https://www.redipd.org/sites/default/files/2020-05/memoria-actividades-RIPD-2019.pdf.
[7] Consejo pare la Transparencia, Declaración Pública CPLT: La transparencia legitima las decisiones (Apr. 16, 2020), https://www.consejotransparencia.cl/declaracion-publica-cplt-la-transparencia-legitima-las-decisiones/
[8] Jessy Edwards, Tracking Coronavirus: Should You Install the CoronApp?, Bogota Post (June 19, 2020), https://thebogotapost.com/tracking-coronavirus-coronapp/46864/.
[9] Catherine Escobedo, Geolocation and Other Personal Data Used in the Fight Against COVID-19, International Association of Privacy Professionals (May 6, 2020), https://iapp.org/news/a/geolocation-and-other-personal-data-used-in-the-fight-against-covid-19/.
[10] Id.
[11] Argentina.gob.ar, Tratamiento de datos personales ante el Coronavirus (Mar. 11, 2020), https://www.argentina.gob.ar/noticias/tratamiento-de-datos-personales-ante-el-coronavirus; Argentina.gob.ar, Protección de datos personales y geolocalización (Apr. 29, 2020), https://www.argentina.gob.ar/noticias/proteccion-de-datos-personales-y-geolocalizacion
[12] See GDPR, art. 5(1).