LATAM COVID-19 Task Force – Privacy and Cybersecurity Issues

Introduction

PRIVACY AND CYBERSECURITY

1. How should companies in your country think about privacy and cybersecurity issues in the context of COVID-19?
         
   

   Country	Answer
   Argentina	In our opinion, companies should take necessary steps to ensure that all work is carried out on devices that have adequate security measures, especially when employees use their personal devices to perform work-related tasks. Work-related tasks from non-secure devices and networks should not be allowed. Moreover, it is important for companies to have appropriate privacy, acceptable use of information resources, and “bring your own device” internal policies; not only to establish how work tools should be used, but also to regulate the employee’s expectation of privacy when performing their work-related tasks.
   Brazil	The COVID-19 pandemic has created a new reality that companies have adapted to in order to maintain business continuity via technologies such as telecommuting. These changes impose considerable technical challenges, as the use of large-scale telecommuting can increase the companies’ exposure to privacy, data protection, and security risks. Moreover, after the isolation measures end, companies will face new challenges, as they will be eager to carry out tests to check whether their employees and visitors have symptoms of COVID-19. This scenario also brings privacy and data protection concerns, especially in the context of processing of sensitive personal data, a category of personal data that includes information concerning health.2 Concerns about such privacy and cybersecurity risks are even more relevant considering that the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais – “LGPD”) will come into effect soon. Inspired by the EU’s General Data Protection Regulation (“GDPR”), the LGPD defines a comprehensive set of rules that promises to reshape how companies, organizations and public authorities collect, use, process, and store personal data when carrying out their activities. The LGPD also requires data controllers and processors to adopt technical and administrative security measures to protect personal data from unauthorized access or any other form of unlawful processing. In any event, it is not clear at this point when the LGPD will be effective, as described in more detail below.
   Chile	In the context of the COVID-19 pandemic, where teleworking and remote meetings have become an everyday standard, companies need to take all the necessary measures to prevent data breaches. We have seen how cybercriminals can easily access teleconferencing calls – where strategic information is being shared – when companies do not take all the necessary cybersecurity measures in order to avoid such exposures. The implementation of a remote working protocol, which was already being carried out only by some “innovative companies” before the disruption of COVID-19, has been dramatically accelerated and generalized by the pandemic, imposing new challenges to companies that need to adapt their data protection standards and cybersecurity measures to this new way of working. Accordingly, simple and clear teleworking policies could help employees and partners understand that working from home is not synonymous with relaxing security and data privacy standards.
   Colombia	Companies in Colombia face a significant challenge in balancing their duties to best protect their workforce and the public at large (businesses have to implement health protocols to prevent the spread of COVID-19 when they resume activities), to continue to expand their operations amidst the COVID-19 crisis (i.e., through remote-work schemes), and to comply with local data protection laws (Law 1581 of 2012 and Decree 1074 of 2015). In the absence of specific and comprehensive guidance on the part of Colombian authorities, companies should take a proactive approach to best tackle privacy and cybersecurity issues in the context of COVID-19, while being mindful of the strong and permanent enforcement of privacy and data protection regulations by the Superintendencia de Industria y Comercio, the Colombian Data Protection Authority (the “SIC”). Health information is considered sensitive data under Colombian data protection laws (Law 1581 of 2012 and Decree 1074 of 2015). Processing sensitive data is generally prohibited, save, among other cases, when data subjects provide their prior, express and informed consent, and in cases of medical or sanitary urgency. The notion of “medical and sanitary urgency” provides legal grounds for companies to temporarily process health personal data to address, prevent, manage and/or control the spread of COVID-19 and mitigate its effects. Nevertheless, bearing in mind that sensitive data is subject to enhanced levels of protection, it is advisable that companies always (i) try to obtain consent from data subjects if possible; (ii) use information exclusively for purposes of preventing and managing risks related to COVID-19; (iii) keep information under security conditions to prevent its loss, alteration or unauthorized access, disclosure or use; and (iv) conduct a data protection impact assessment to keep, record, and seek an adequate balance between data processing operations, legal basis, and the proportionality and adequacy of measures implemented to keep data safe.
   Costa Rica	Companies in Costa Rica should focus on the cybersecurity risks of having a significant number of their employees working from home. Also, sensitive information may be required in order to prevent employees or customers who are infected with COVID-19 from accessing companies’ facilities. In Costa Rica, this would be a real challenge from a legal standpoint because sensitive personal data can only be collected and processed under limited exceptions.
   Ecuador	Ecuador faces a big challenge in all legal matters related to privacy and cybersecurity. It’s important to mention that despite the fact that privacy rights are recognized and guaranteed by the Ecuadorian Constitution as fundamental rights, the lack of specific privacy regulations and regulatory authorities has led to a social and corporate culture that does not respect or give much attention to these fundamental rights. However, now that we are going through a pandemic where companies must deal with additional personal sensitive information (e.g., medical information related to possible and confirmed cases of COVID-19) and corporate confidential information might be exposed to cybersecurity issues, companies must start considering privacy and cybersecurity matters seriously. We have been advising our clients since the beginning of the pandemic that all COVID-19-related information which is personal data must be treated according to certain regulations included in the Ecuadorian medical and commercial laws and the Ecuadorian Constitution. In our experience, bigger companies and multinationals are better prepared to deal with personal information obtained due to COVID-19 than small companies, which suffer from lack of knowledge, information and preparation. For further information, please refer to the links below: https://www.pbplaw.com/es/covid-19-la-importancia-de-los-datos-personales/ https://www.pbplaw.com/es/proteccion-de-datos-en-epoca-de-coronavirus/
   Mexico	Recent federal and state guidelines issued by work and health federal authorities of the Mexican government intended to mitigate the risk of contagion of COVID-19 in the workplace, require private companies to collect specific data from employees that have tested positive for COVID-19, as well as employees that came into direct contact with infected employees. Companies should consider this data as sensitive information, and all databases containing any COVID-19 cases or related information should be handled in accordance with private data protection regulations, especially those restricting the transfer of data to any third parties.
   Panama	Although Panama’s first personal data protection law, Law No. 81 of 2019 on the Protection of Personal Data will not come into effect until March 2021, the concept of personal private communications and documents is already regulated in the Panamanian Constitution as a fundamental right (article 29), and the consent of the interested subject is required for the transfer of any personal information (article 42). Furthermore, Law 68 of 2003 regulates the information and confidentiality rights of patients. Likewise, every person has the right to confidential medical records. Any company who fails to comply with these regulations may be subject to severe sanctions pursuant to the Penal Code. In light of the above, even though Law No. 81 of 2019 has not yet entered into effect, companies must consider very carefully both the existing domestic privacy legislation (including the upcoming Law 81 of 2019) together with applicable international regulations on data protection amid the pandemic, particularly when (i) adopting health control measures in the company’s premises (e.g., conducting body temperature checks) to stop the spread of COVID-19 and (ii) implementing new security protocols to protect confidential information of clients and employees when their employees are working from home.
   Peru	Existing privacy and cybersecurity-related regulations remain applicable regardless of the COVID-19 crisis and therefore, companies should continue to comply with the existing legal framework. Additionally authorities have stressed the fact that companies should ensure that they have adequate technical and technological capabilities to prevent potential data breaches given the rise in the use of electronic means during these trying times. As a couple of examples, the Banking and Insurance Authorities have issued some guidelines on the continuity of online banking services, stating that banks must ensure that they meet adequate measures against cyberattacks; also, certain regulations regarding remote work state that employers must implement adequate cybersecurity measures while their employees work from home. The following client alert summarizes the main civil, administrative and criminal considerations that companies that operate, collect or otherwise process personal data in Peru, also applicable to companies that are not incorporated in the Peruvian territory but collect data in Peru, should keep in mind: http://rebaza-alcazar.com/blog/alerta-data-privacy-personal-data-protection-cybersecurity-ocassion-covid-19/.
   Spain	The health crisis has highlighted the importance of having a good technological structure that can guarantee business continuity in adverse situations. From now on, companies must understand technology as a business ally and must increase the investment made in it. Directly related to the use of technology is the management of network security. This aspect is crucial and all companies should put the focus on it since in these months an increase in security breaches has been detected and it has been demonstrated in many cases that networks are very vulnerable and are not yet prepared for a constant remote working situation.
   United States	The transition to remote work environments has created significant new cybersecurity risks, and companies need to be acutely aware of the numerous new vectors for attack (e.g. unsecured home devices and networks, and the use of personal cloud storage accounts to save confidential information) and take steps to mitigate those risks. This is compounded by attackers preying on fears surrounding the crisis to launch social engineering attacks around the COVID-19 pandemic. Companies need to ensure open lines of communication with dispersed employees to provide them with access to and reminders of best practices for securely working from home, as well as the company’s remote access and appropriate use policies. Companies should also keep employees updated on emerging risks, as well as proper procedures for elevating potential incidents back to the right personnel and ensuring necessary personnel can respond in a timely manner. Ongoing efforts to stem the spread of the pandemic also mean that many companies will be collecting significantly more data from employees and customers alike, particularly with respect to the health and well-being of any individuals who visit a company facility. While Congress considers legislation specific to the issues raised by data collected and used in the context of the pandemic, companies will need to understand the privacy implications under existing law of measures they may take to promote the health and safety of employees and consumers. Companies should consider exactly what information they need – including, potentially, developing a list of written questions that they deem acceptable to ask – and how their internal and external privacy policies align with any changes in the type, usage, and/or disclosure of information collected, and then make any changes necessary based on new data collection efforts and communicate those changes appropriately.
   Uruguay	In the context of the COVID-19 pandemic, companies conducting data processing activities in Uruguay should maintain their compliance and security standards at their highest level. Given the new situation, in which working remotely is becoming the new normal, and new health preventive measures may be required at companies’ premises, companies must implement adequate security measures to reduce the risk of data security breaches and respect their employees’ privacy rights. Also, when processing and transferring personnel, companies must especially comply with the principles of veracity and accuracy, limited use, data security and proactive responsibility, set forth, respectively, in articles 7, 8, 10 and 12 of the Data Protection Law No. 18.331.
   Venezuela	Companies operating in Venezuela should be aware that, although there is no general data protection legislation and no authority is specifically responsible for supervising data protection issues, there are several regulations in place that (a) aim to protect personal data of Venezuelan citizens, (b) regulate the treatment of health data (especially concerning epidemics), and (c) require companies to collect certain data relating to employees’ health in a specific manner. There was also a binding decision issued by the Constitutional Chamber of the Supreme Court (Decision No. 1318 dated August 4, 2011) which sets forth several principles regarding personal data collection, treatment and protection, which must be considered in light of the pandemic. Companies should also consider maintaining or strengthening controls over personal data (especially in relation to health data) to guarantee its confidentiality. Finally, companies should take into account the provisions of the Law on Data Messages and Electronic Signatures to properly assess the use of digital media communications with employees working from home, clients and/or suppliers.

2. Has the relevant regulator(s) in your country issued any guidance, rulings, or other public statements about how companies should address privacy or cybersecurity issues raised by the COVID-19 pandemic?
         
   

   Country	Answer
   Argentina	The Argentine Specialized Cybercrime Prosecutor’s Unit recently published a series of recommendations to operate safely on the internet, social networks and with online messaging services, in order to avoid personal data theft and online fraud. Moreover, the Argentine Agency of Access to Public Information (Argentina’s data protection authority) has shared some recommendations for video calls, such as paying attention to “free” platforms that may use the users’ personal data for purposes other than the provision of the service. Lastly, the aforementioned Agency has published a series of recommendations for the use of geolocation apps (whether they are used by the public or private sector, or both in collaboration), and listed fundamental principles on data protection related to them. Useful links (in Spanish): www.fiscales.gob.ar/ciberdelincuencia/coronavirus-recomendaciones-de-la-ufeci-para-evitar-el-robo-de-datos-personales-cuentas-y-claves-bancarias-durante-el-aislamiento/ (Recommendation of the Specialized Cybercrime Prosecutor’s Unit). www.argentina.gob.ar/noticias/videollamadas-mas-seguras (Recommendation of the Agency of Access to Public Information related to video calls). https://www.argentina.gob.ar/noticias/proteccion-de-datos-personales-y-geolocalizacion (Recommendation of the Agency of Access to Public Information related to geolocation apps).
   Brazil	In 2019, the LGPD was amended by Law No. 13,853/2019 in order to create the Brazilian Data Protection Authority (Agência Nacional de Proteção de Dados – “ANPD”). This authoritative body is intended to enforce the new Law and issue regulations and guidelines. Unfortunately, the ANPD has not been created, as the President of Brazil has not yet nominated its members. The creation of the ANPD is crucial, even before the LGPD came into force, because it would regulate the various legal loopholes and provide guidance to Brazilian companies and government bodies on how to comply with LGPD. In addition, the creation of the ANPD would have been crucial since it would have provided greater certainty to companies and governmental bodies on how to comply with the public and private measures issued by the Brazilian government to deal with the COVID-19 crisis. Although these measures are being taken to protect health and prevent crowding, they could have an adverse impact on privacy and data protection.
   Chile	As Chile does not have a specific cybersecurity/data privacy agency (it will probably have one once the Data Privacy bill, currently under discussion in Congress, is enacted), all the guidance on this matter has come from each industry-specific regulator. For example, the Undersecretary of Telecommunications has made several cybersecurity recommendations related to the safe use of telecom devices and networks during the pandemic, also launching a public consultation on a proposed draft of a cybersecurity regulation regarding networks and systems used in the provision of telecommunications services. Additionally, the Labor Ministry has issued recommendations on how to implement telework in a manner that complies with local regulations, and the Commission for the Financial Markets has issued several guidelines related to new ways to conduct remote shareholders/board meetings.
   Colombia	The following guidance has been issued to date by SIC on how companies should address personal data issues raised by the COVID-19 pandemic: External Directive (Circular Externa) No. 001 informs that mobile phone operators and private entities in general have legal grounds to provide to public entities that so require it personal data that is necessary to address, prevent, treat and/or control the spread of COVID-19 and mitigate its effects. The SIC explained that consent to process personal data is not required in the case of medical or sanitary urgency, and when public entities require them to perform their duties. The SIC stressed that public entities must adopt measures to ensure security, restricted circulation and confidentiality of personal data in the context of the emergency raised by the COVID-19 pandemic. External Directive (Circular Externa) No. 002 orders data controllers and processors to refrain from collecting or processing biometric data using physical or electronic fingerprint readers or any other mechanism that allows the spread of COVID-19 through indirect contact, while the emergency endures. This instruction does not apply to biometric identification systems where the device is for personal and individual use. External Directive (Circular Externa) No. 003 extends the deadline for entities to update the registration of their databases before the SIC until July 3, 2020, to control the spread of COVID-19 and mitigate its effects (because information may be at the workplace). The SIC released a public statement through its website announcing that it was requiring certain municipal and provincial authorities to provide information regarding the data processing practices and operations around the mobile app they had launch as a measure to track and control the spread of COVID-19, available at https://www.sic.gov.co/slider/la-superintendencia-de-industria-y-comercio-en-su-calidad-de-autoridad-nacional-de-protecci%C3%B3n-de-datos-se-permite-informar-lo-siguiente-0.
   Costa Rica	No, the regulator has not issued any guidance, rulings, or other public statements about how companies should address privacy or cybersecurity issues raised by the COVID-19 pandemic.
   Ecuador	Ecuador does not have a regulator for privacy or personal data matters. However, on March 16, 2020, a presidential decree authorized, while the state of exception remains in place, the use of personal data by private companies in coordination with the government to stop the spread of COVID-19. The measures approved allow, without further consent from the data subjects involved, the main Ecuadorian telecommunication service providers to track, through both government and private mobile applications, the location of those persons who must remain confined (e.g., because they have been infected by COVID-19 or they have been exposed to contact with people infected by COVID-19). Furthermore, the Ecuadorian medical law obligates all companies operating in Ecuador to report any possible or confirmed case of COVID-19 among their employees to the government.
   Mexico	Yes. The National Institute for Transparency, Information Access and Personal Data Protection (“INAI”) has issued several communications that are accessible at the following site: https://micrositios.inai.org.mx/covid-19/
   Panama	No guidance or rulings on how to address privacy or cybersecurity issues raised by the COVID-19 pandemic have been issued for companies. However, on April 23, 2020, the Personal Data Protection Council of Panama, composed of nine entities from the public and private sectors, met to analyze the collection, processing and transfer of personal data on the different platforms that are being used to address the state of national emergency decreed by the government because of the COVID-19 situation. The Council particularly emphasized the importance of making correct use of the data collected and the need to raise public awareness of this issue.
   Peru	Even though Peru’s existing framework has been robust enough to face the current context, Data Protection Authorities have issued an Opinion – “Opinión Consultiva No. 32-2020-JUS” on the processing of health data during the pandemic in the workplace, concluding that: (i) employers may process employees’ personal data without their consent when the collection of such personal data is necessary to guarantee safety and health at work in order to prevent the spread of COVID-19, but employers must comply with their obligation to inform employees of these legal provisions; (ii) employees are obliged to cooperate and provide information to their employer regarding their possible or actual contagion with COVID-19; and (iii) the processing of personal data carried out by employers in order to prevent the spread of COVID-19 must comply with the provisions of the current Peruvian data protection legal framework.
   Spain	Yes, the Spanish Data Protection Agency (“AEPD”) has been very active during this health crisis. It has published several notes and different guides about the measures that employers can take to try to control the spread of the virus. Mainly, the AEPD has focused on establishing precisely what the legitimacy is for the processing of health data, and the guarantees that must be applied so that the processing is legal. They have also published a guide to the different technologies used during the pandemic.
   United States	Guidance of one form or another has been issued by: the Federal Trade Commission (“FTC”), Department of Homeland Security (“DHS”), Department of Health and Human Services (“HHS”), Department of Education, and the National Institute of Standards and Technology (“NIST”), as well as some states. For example, the Equal Employment Opportunity Commission published guidance concerning the information employers are allowed to collect from employees, as well as the protections that information is due under the Americans with Disabilities Act. HHS issued guidance to entities covered under the Health Insurance Portability and Accountability Act (“HIPAA”) on how to appropriately share patients’ personal information. Both the FTC and DHS have issued warnings to consumers about scams related to COVID-19 and the risk of clicking on unknown links from unknown senders, and NIST has drafted guidance on security steps companies can implement to reduce the risks posed by employees working from home. Finally, both the FTC and the Department of Education have published guidance on children’s and students’ privacy in a virtual learning environment subject to protections under the Children’s Online Privacy Protection Act and the Family Educational Rights and Privacy Act.
   Uruguay	Yes. The Uruguayan Data Protection Authority (“URCDP”) has recently issued Decision No. 2/2020, in which it analyzes and provides guidelines on how Data Protection Law No. 18.331 regulates the treatment of health-related data and sets forth the circumstances under which companies can process health-related data in the context of the COVID-19 pandemic without the data subject’s consent. In accordance with this decision, health-related data can only be processed by companies without the data subject’s consent under the exceptions set forth in Law No. 18.331, including, among others, when health data is being collected by the government acting within its constitutional powers, when a law establishes that the data can be collected and processed for public interest reasons, when public health is at risk or for epidemiological studies, provided that the data is anonymized. Please see: https://www.gub.uy/unidad-reguladora-control-datos-personales/institucional/normativa/dictamen-2020 Further, URCDP has also issued certain recommendations related to the handling of health-related data. These recommendations include, among others, that companies must (i) implement proactive protective measures, such as data protection impact assessments; and (ii) obtain the subject’s written consent to process their personal sensitive data (unless an exception is applicable); this consent may be obtained by electronic means, but, in such cases, measures that ensure the data subject’s proper identification must be implemented. Please see: https://www.gub.uy/unidad-reguladora-control-datos-personales/comunicacion/publicaciones/recomendaciones-para-tratamiento-datos-personales-ante-situacion Finally, in February 2020, the government issued Decree No. 64/020 which regulates several highly relevant data privacy issues (e.g., the duties of the data protection officer, data protection impact assessments, data breach notification requirements, etc.). We believe that URCDP will continue focusing on issuing guidelines and decisions regarding this type of issue.
   Venezuela	No. However, the “state of alarm” decree issued in response to the COVID-19 pandemic requires anyone who is suspected to have contracted COVID-19 or has been exposed to a person with or suspected to have COVID-19 to inform the competent authorities of any useful data to determine the form and extension of possible contagion, emphasizing that the information provided cannot be disclosed or used for any purposes other than those established in the decree (i.e., to stop the spread of the pandemic). In addition, the Ministry of Health reaffirmed the obligation of Venezuelan companies to maintain a registry of employees’ chronic illnesses, and included privacy, anonymity, and confidentiality as core principles in the guidelines provided for conducting research related to COVID-19.

3. Are there any changes to existing law that have been undertaken as a result of, indirectly or directly, the COVID-19 pandemic?
         
   

   Country	Answer
   Argentina	Even though there were no legislative changes related to privacy or cybersecurity due to the COVID-19 pandemic, it is worth noting that the health emergency gave rise to complementary regulations impacting privacy. For example, Administrative Decision No. 432/2020 (in force since March 24, 2020) established the mandatory use of the app “COVID-19 Ministry of Health” for anybody entering the country after March 10, 2020 (and permitted the voluntary use of the app for anybody else). Under this context, the Argentine Undersecretariat of Open Government and Digital Country (which depends on the Secretariat of Public Innovation of the President’s Chief of Staff Office, and is responsible for the app “COVID-19 Ministry of Health”) may process or transfer the personal data collected by such an app (whenever possible, in a dissociated form) to other state entities and/or national, provincial or municipal health facilities, without the need of prior consent of the data subject, to the extent that they do so within their powers pursuant to Article 11 of the Argentine Data Protection Law No. 25,326. Useful link: https://www.boletinoficial.gob.ar/detalleAviso/primera/227116/20200324 (Administrative Decision No. 432/2020, in force since March 24, 2020, which established the use of app “COVID-19 Ministry of Health”).
   Brazil	Federal Law No. 13,979/2020 was approved in February in order to impose emergency public health measures in response to COVID-19, and it impacts Brazilian citizens’ privacy. Under Article 6, government bodies at the federal, state and municipal levels, and the Federal District must share essential personal data to identify suspected or confirmed COVID-19 cases. The provision makes clear that the sharing of this personal information has the exclusive purpose of preventing the spread of the virus. Likewise, private companies must also share personal data on suspected or confirmed COVID-19 cases with health authorities upon request. This Law also states that the Ministry of Health must maintain public and up-to-date data on confirmed, suspected and investigated cases of COVID-19; while also safeguarding the right to confidentiality of personal information. On April 17th, the President issued Provisional Measure No. 954 (Medida Provisória No. 954/2020 or “MP 954”)3, which provides for sharing telecommunications users’ personal data with the Brazilian Institute of Geography and Statistics – (Instituto Brasileiro de Geografia e Estatística – “IBGE”), for purposes of enabling official statistical research during COVID-19. Under MP 954, telecommunications operators must share with the IBGE a list of names, telephone numbers, and addresses of their customers (individuals or legal entities). MP 954 was justified under the assumption that sharing personal data would allow IBGE to produce official statistics during the pandemic through telephone interviews during the isolation and social distancing measures period. However, the Brazilian Bar Association and several political parties filed lawsuits with the Supreme Court to challenge the validity of MP 954 on the grounds that it would be unconstitutional.4 They alleged that by requiring telecom operators to make customers’ personal data available to IBGE, MP 954 violates the right to privacy, intimacy and data confidentiality as provided by the Federal Constitution. In a landmark decision, the Supreme Court upheld the injunction initially granted by Justice Rosa Weber on the grounds that sharing personal data under MP 954 indeed violates the constitutional right to privacy, private life and data confidentiality. Recent changes regarding the LGPD’s effectiveness On April 29, 2020, the Brazilian president issued Provisional Measure No. 959 (“MP 959”), which, among other provisions, postpones the effectiveness of the LGPD from August 16, 2020 to May 3, 2021. The publication of MP 959 was totally unexpected, as it occurred during the evaluation of the Senate’s Bill No. 1179/2020 by the Brazilian House of Representatives, which, among other matters, proposes delaying the LGPD’s effectiveness to January 1, 2021, whereas its administrative sanctions applicability (including fines) would only be applicable as of August 1, 2021. Finally, Bill No. 1179/2020 was signed by the President on May 10, 2020 and published in the Official Gazette as Law No. 14,010/2020. Considering that MP 959 must be approved by the Brazilian Congress in order to become a permanent federal law, it is not clear at this point when the LGPD will effectively come into force, and that is causing confusion and legal uncertainty for companies, especially foreign investors. Therefore, the current scenario for the LGPD’s effectiveness is as follows: Entry into force: May 3, 2021, under MP 959/20’s terms. Enforceability of administrative sanctions: August 1, under the recently enacted Law No. 14,010/20. However, if 959/20 is not approved by the Brazilian Congress, the LGPD will come into force in August of this year, as described below: Entry into force: August 16, 2020, under Law No. 13,853/2019, which amended the original LGPD text. Enforceability of administrative sanctions: August 1, 2021 under the recently enacted Law No. 14,010/2020. In any event, the fact that the administrative sanctions of the LGPD will come into effect only in August 2021 does not preclude the enforcement of administrative sanctions foreseen in other laws dealing with privacy and data protection matters, such as the Consumer Protection Code and the Brazilian Internet Law (Marco Civil da Internet – “MCI”). These administrative sanctions could be enforced by other public authorities, such as the Public Prosecutor’s Offices and consumer protection agencies. Moreover, the postponement of enforceability of the LGPD’s administrative sanctions does not preclude other means of enforcing the LGPD provisions after this Law comes into effect, as data subjects, the Public Prosecutor’s Offices and private associations, for example, will still be able to file law suits in courts to enforce the provisions of the LGPD and seek redress. Not knowing when the LGPD is effectively coming into force and not having the respective authority – the ANPD – to oversee the LGPD are two aggravating problems amid the COVID-19 crisis. Therefore, it is crucial that the Brazilian Congress approves MP 959/20 as soon as possible to put an end to the uncertainty surrounding the date on which LGPD will enter into force.
   Chile	We have not seen concrete changes or modifications to laws, but a group of Senators have proposed a draft bill that modifies the current legislation in order to allow city councils (municipalities) to collect and process sensitive data such as health conditions of the residents in their territories. Another legislative initiative recently submitted to the Congress proposes to mirror in Chile some of the rights, principles, obligations and other provisions from the European General Data Protection Regulation in order to improve Chile’s data protection and privacy regulations. The above-mentioned initiatives are currently under discussion and will probably follow a very straightforward path to be enacted as laws of the Republic.
   Colombia	No.
   Costa Rica	There have been a significant number of changes to existing laws because of the COVID-19 pandemic. However, none of these changes has addressed privacy or cybersecurity matters.
   Ecuador	As mentioned above, though privacy rights are recognized and guaranteed by the Ecuadorian Constitution as fundamental rights, there are no specific privacy regulations and regulatory authorities. However, as a consequence of the COVID-19 pandemic, the national assembly has resumed the analysis of an old draft privacy law that was previously postponed for months. PBP is part of the group of experts advising the senators on the drafting of the law. For further information, please refer to the links below: https://www.pbplaw.com/es/que-tan-protegidos-estan-mis-datos-personales/ https://www.pbplaw.com/es/webinar-pbp-proteccion-de-datos-personales-de-sus-empleados/ https://www.pbplaw.com/es/que-significa-la-proteccion-de-datos-personales/
   Mexico	No.
   Panama	There have been a number of laws and regulations passed as a result of the COVID-19 pandemic to address health, labor and fiscal issues. However, none of them are related to data protection, privacy or cybersecurity matters.
   Peru	The Opinion issued by the Data Protection Authorities is considered confirmation of the Data Protection Authorities’ criteria in applying the actual legal framework, not a change to existing laws. Additionally, a practical guide has been published in order to orient healthcare establishments processing sensitive data related to COVID-19 patients. You may find a brief summary of the matter in the following client alert: http://rebaza-alcazar.com/blog/alerta-data-privacy-guide-healthcare-establishments-regarding-covid-19/
   Spain	With regard to data protection regulations, no. The regulations themselves include exceptional situations for public health reasons that enable data to be processed. Only a ministerial order has been published which covers the type of applications that can be developed to prevent the spread of COVID-19, but it does not modify the current regulations in any way.
   United States	No. Several members of Congress have introduced legislation explicitly focused on protecting consumer information collected for COVID-19-related purposes, but it seems unlikely that any such privacy legislation will be enacted in the short term. At the state level, the California Attorney General has declined to delay the enforcement date for the California Consumer Privacy Act (currently set for July 1).
   Uruguay	No. Existing laws and regulations in Uruguay have not been modified as a result of the COVID-19 pandemic.
   Venezuela	There are no other changes to existing data protection or cybersecurity regulations than those described above.

4. What are some of the key/repeat questions you have heard from clients trying to deal with the privacy and cybersecurity issues raised by COVID-19?
         
   

   Country	Answer
   Argentina	Most clients have inquiries on (i) how to handle personal data of their employees who may have tested positive with COVID-19 and (ii) how and if they can or should check employees’ temperatures before they are granted access to the company’s premises, as well as doubts or concerns about employees’ expectation of privacy when performing their work-related tasks. In addition, we have received frequent questions on how to ensure general privacy policies and cybersecurity measures remain in force and effect.
   Brazil	Most of the questions are related to how companies may process employees’ sensitive personal data, whether companies may carry out testing, what precautions must be taken, and how to handle sensitive personal data related to COVID-19 after the end of the pandemic. There are also questions about privacy and cybersecurity concerns related to telecommuting, including how to implement an incident response plan adapted to this new situation.
   Chile	Most of the questions that we have received from our clients are related to the possibility of creating databases and records with personal information of their employees, specifically information on underlying chronic medical conditions. This matter is strictly regulated under Chilean legislation, as these types of databases implicate the treatment of sensitive personal data and must comply with strict conditions in order to be legally collected and used.
   Colombia	Companies are asking constantly about the best way to balance their obligations under Colombian data protection laws, and their duties to implement health protocols to prevent the spread of COVID-19 when they resume activities. This has been particularly challenging for them given the absence of specific and comprehensive guidance on the part of SIC. Companies are also asking about their cybersecurity obligations under local law, considering the need of businesses to have their employees work from home in less secure environments.
   Costa Rica	The most frequent questions that we have received from our clients are related to how to manage (collect and use) sensitive personal information and how companies should treat an employee suspected of having COVID-19. We are also receiving questions in connection with the “working from home” regulations recently enacted.
   Ecuador	Most of our clients, which are large domestic companies and multinationals, are concerned about whether their data privacy protocols are in compliance with the applicable regulations and, particularly, with the above-mentioned COVID-19 specific report obligations. Therefore, they are constantly requesting our advice to assess and confirm that they are complying with the obligation to report confirmed and possible COVID-19 cases and that, at the same time, the safety and preventive measures that they are implementing to comply with such obligation do not constitute a violation of the privacy or personal data protection regulations.
   Mexico	Frequent questions are: What personal data can be collected related to COVID-19 patients? Answer: All data deemed relevant to Mexican health authorities, in view of the emergency situation, that could potentially harm a person or when the personal data is necessary for the treatment, prevention, diagnosis and provision of healthcare. Is it necessary to obtain the consent of the holder of personal data related to COVID-19? An exception to obtaining the express written consent of the holders could be considered while processing data related to the emergency, provided that said data is necessary for medical care, prevention, diagnosis, the provision of healthcare, medical treatments or the management of health services. Such exception would apply as long as the holder is not in a position to grant consent or when there is an emergency situation that could potentially harm such person. It will therefore be essential that the controller analyzes case by case in order to determine which one may be subject to the exception, and in case of uncertainty, the applicability of the exception should be confirmed by INAI or the applicable local authority. Is it necessary to include COVID-19 in the controller’s Privacy Notice? Yes. The processing of personal data derived for the COVID-19 crisis must be informed, and the owner of such personal data must know at all times the purposes for which his or her personal data will be collected and processed. Prior to the processing, the controller must make its privacy notice available to the owner. Is it necessary to establish security measures in any organization or authority for the processing of personal data obtained due to the COVID-19 crisis? Yes. Controllers must comply with their obligations of security and confidentiality and therefore must take the necessary physical, administrative and technical measures to guarantee the integrity, availability and confidentiality of the information, given its sensitive nature. What kind of security measures should any organization or institution take in order to address the ongoing remote work? If staff work remotely and through personal devices, the same security measures taken to protect the organization’s information under normal circumstances should be taken, or even adopt new ones if required, as remote work increases the risk of loss or leakage of information that may contain personal data. It is also suggested to communicate through channels established by institutions and to avoid the use of internet pages or unverified mobile applications for the flow of information. Can I request additional health information from employees due to COVID-19? We recommend that employers encourage workers to voluntarily report symptoms or relevant COVID-19 information rather than have employees fill out extensive forms about their health situation or frequent destinations, as they may be disproportionate. Is it necessary to document the decision-making process derived from COVID-19? Yes. It is necessary to document the decision-making process related to the processing of sensitive personal data in order to comply with the principle of responsibility, as well as to take steps to notify staff about how their personal information will be handled to respond to any potential or confirmed case of COVID-19. Can staff be informed that a co-worker or visitor to the institution or organization contracted or can be a suspected case of COVID-19? As part of the obligation to safeguard the health and safety of workers, staff can be informed that a co-worker or visitor contracted or may be a suspected case of COVID-19. However, this information will be provided anonymized in order not to make the affected person identifiable, and thus avoid a situation of tension and even discrimination. Can I share employee health information with public health authorities? Yes, but only if required by a health authority when updating an exception scenario for the transfer of personal data. However, such communication must observe compliance with the other guiding principles and duties of the right to the protection of personal data.
   Panama	So far, we have not received any questions related to privacy or cybersecurity issues raised by COVID-19.
   Peru	Clients have been mostly concerned about whether or not the collection of their employees’ personal data (e.g. weight, body measurements and other health-related data), for the purpose of the identification of risk factors and the development of protocols for resuming activities, imposes additional obligations that should be taken into account. As previously mentioned, any such sensitive personal data collected by companies shall be treated in accordance with the existing applicable regulations.
   Spain	The most recurrent queries we have received have been in relation to the processing of health data by employers with respect to their employees and customers. These consultations have focused on two different procedures: the possibility of requesting health information from workers and customers or even of accessing the results of COVID-19 tests; the possibility of incorporating thermal cameras to measure the temperature of workers and customers.
   United States	Questions related to best practices for collecting, using, securing, and sharing employee data related to COVID-19 – e.g., what questions can we ask, how long should we save it, what can we do with the information, etc. – continue to be at the forefront of companies’ minds, particularly as many states have withdrawn their stay-at-home orders and companies begin to welcome their employees back to the office.
   Uruguay	The key questions we are receiving from clients are the following: How to process health-related employee data in the context of the COVID-19 pandemic? How to validly obtain consent from data subjects in order to process health-related data? How to implement remote working in compliance with applicable data protection regulations?
   Venezuela	Clients have recently asked about the appropriate manner to collect and process personal data related to the issues raised by the pandemic (e.g., health data), and about the requirements for conducting legitimate international data transfers amid the pandemic.

5. What do you anticipate the medium- and long-term effects of COVID-19 will be on privacy/cybersecurity issues? For example, do you think this will make it more/less likely that new legislation will be enacted related to privacy? Will it change how much and what kinds of information companies collect about their employees?

Country	Answer
Argentina	Surely, COVID-19’s effects regarding privacy and cybersecurity will persist even after the health emergency ends, or the mobility restrictions related to the health emergency become more flexible. For example, Provision No. 4/2020 (in force since May 21, 2020), which approved and made public the terms and conditions of the “COVID-19 Ministry of Health” app, states that the data related to geolocation will be preserved only as long as necessary (i.e., as long as the health emergency lasts), although anonymized versions may be preserved for scientific and epidemiological purposes. On the other hand, the effects of COVID-19 could make it more likely for new legislation to be passed. In this regard, in September 2018 the Argentine Executive Branch introduced before Congress a bill intended to replace the Argentine Data Protection Law, arguing that it has become outdated given recent technological and legal developments, especially regarding the recent implementation of the GDPR in the EU. This draft bill lost parliamentary status in March 2020, so it is likely that a new proposed text, following a similar GDPR style, could be introduced during 2020 (in fact, the Argentine Data Protection Authority mentioned this as part of its 2020 plans).
Brazil	As to the medium- and long-term effects of COVID-19, we envision that companies will be more and more engaged with digital transformation, which will require more caution with privacy and cybersecurity measures to protect corporate confidential information and personal data. Companies will have to review and improve their systems and internal policies to ensure the security of telecommuting. We also envision an increase in testing and other health monitoring efforts by companies and public entities, which may result in large-scale processing of sensitive personal data. The increasing reliance on massive testing and monitoring will raise concerns on privacy and data protection matters, and this will likely result in legal disputes and/or legislative initiatives. Several state governors and local city governments have entered into partnership arrangements with telecommunications and technology companies to enable collecting aggregated and anonymized geolocation data in order to monitor crowding and social distancing rates. The reliance on technology aiming to control the effects of the pandemic is expected to remain until the end of the COVID-19 crisis. It is also expected that there will be an increased use of tracing apps by governments and companies to keep tracking individual smartphone users’ real-life interactions with other smartphone users in order to control and/or prevent contacts with individuals suspected or confirmed of having COVID-19. This may also result in a legal debate within the upcoming months.
Chile	As previously mentioned, one of the most substantial changes that our privacy and cybersecurity legislation has ever faced (the creation of a specific cybersecurity/data privacy regulator) is being pushed forward amid the pandemic. The protection of individuals’ personal and sensitive data and the confidentiality of strategic information have become a key aspect in a society that now bases its relations in remote communications. The new legislation that will most likely be enacted in Chile will include the creation of a specialized privacy agency that will be able to impose severe sanctions to companies not complying with the new standards, while also empowering data subjects with rights that are not currently covered by legislation. More information about Chile recommendations are available at https://www.bye.cl/covid-19-recomendaciones-relativas-a-teletrabajo-seguridad-de-la-informacion-y-proteccion-de-datos-personales/
Colombia	Given the absence of guidance from SIC regarding the obligation of businesses to implement health protocols to prevent the spread of COVID-19 when they resume activities (which requires them to collect and process personal data), we anticipate widespread enforcement activity looking into data processing operations conducted by businesses in this regard. We do not anticipate new legislation being enacted related to privacy due to the COVID-19 pandemic, but we consider it is likely that cybersecurity will be at the top of the legislature’s agenda in the near future – Colombia does not have comprehensive legislation regarding cybersecurity obligations, but rather sectoral (i.e., for financial institutions).
Costa Rica	We foresee that the COVID-19 pandemic will change the existing regulation on sensitive personal data. Also, companies may allocate in the future more resources to address cybersecurity protection issues and to train their employees to teach them how to avoid conduct that may have a negative impact on the technology and information systems and data protection policies of the company. For further information, please refer to the following link: https://www.blplegal.com/es/Biblioteca-COVID19-Coronavirus-Centroamerica
Ecuador	For Ecuador, COVID-19 has been a breaking point. The president recently declared that all regulations related to digital matters, including privacy and cybersecurity, are now a priority. The country is going through a digitalization process and new specific laws for matters such as privacy are necessary. Indeed, as mentioned above, as a result of the pandemic the national assembly has resumed the analysis of the draft of the first Ecuadorian privacy law that was previously postponed for months. We believe that the pandemic will affect the behavior of the companies on how they collect data. For example, although we currently know very little about COVID-19, getting and processing information related to COVID-19 in future hiring processes could help companies to be prepared for the so feared “second wave” or other future similar health crises.
Mexico	It is foreseeable that administrative data protection regulations will be reinforced by criminal provisions mandating corporations to implement compliance programs.
Panama	We anticipate new biosecurity measures to be implemented as lockdowns wind down and more companies resume their activity, which, may raise privacy issues. In our opinion, more guidance and rules related to privacy will be forthcoming in the near future. In this regard, it is a fact that social and business relations and governmental processes have already changed due to COVID-19. As a result, it is imperative to adapt the existing regulations to further protect personal data and the individual’s right to privacy.
Peru	From a regulatory point of view, we expect applicable regulations to remain unchanged in the short- and medium-term. However, we do expect the issuance of more opinions by the Data Privacy Authority to help companies navigate through the COVID-19 crisis.
Spain	There is currently an emerging debate about what should prevail, whether public health or the right to privacy and data protection. Despite the fact that on the part of society there is a more permissive view of data protection, the AEPD has expressed the importance of this and has clearly established that, although situations of health crisis exist, data protection must continue to be respected. The main challenge that companies are now going to face is a technological challenge, since the way of working has been modified and it has been demonstrated that many companies have not been able to face this new way of working because they do not have good technological structures. Likewise, the main risks will be linked to cybersecurity, and to the implementation of adequate security measures for each system to prevent the violation of systems and access to restricted information.
United States	The COVID-19 pandemic has forced companies to stress test their networks and contingency policies and plans in an unprecedented way. The unintended benefit may be that companies will use this as an opportunity to ensure that their cybersecurity and network assets are more agile, responsive, and robust than before the crisis. It does not appear the pandemic will have much effect on legislation in the privacy or cybersecurity spheres. While the crisis has highlighted many of the issues that companies must face in complying with multiple, confusing, and often overlapping state and federal laws, it has not helped to resolve some of the fundamental issues that continue to impede efforts at comprehensive federal privacy legislation.
Uruguay	We do not expect new legislation to be enacted in the short term as a consequence of the COVID-19 pandemic; we believe that URCDP will continue to actively issue decisions and guidelines regarding specific privacy-cybersecurity issues. Regarding the medium and long term effects, new legislation could be enacted, particularly to address the treatment of health-related data in more detail than current regulations. However, we do not expect a significant change on the quantity and type of employees’ personal information that companies will be allowed to collect or treat. Uruguayan current regulations include clear principles and boundaries on the collection and treatment of personal data, which inherently limit the amount and type of employees’ personal data that companies can collect. As a consequence, we believe that future regulations would focus on a more detailed analysis of specific issues, rather than on new limitations. Please see our report on Decree No. 64/020: https://www.guyer.com.uy/en/what_we_do/news-knowledge/on-line-news/informe-especial-modificaciones-en-materia-de-proteccion-de-datos-personales/. Please see: https://www.gub.uy/unidad-reguladora-control-datos-personales/comunicacion/publicaciones/recomendaciones-para-tratamiento-datos-personales-ante-situacion. Please see: https://www.gub.uy/unidad-reguladora-control-datos-personales/institucional/normativa/dictamen-2020.
Venezuela	We believe that companies in Venezuela will increase the amount of health information collected to protect the labor environment and will take additional security measures to guarantee the safety of such data, and the use of teleworking tools. This will probably prompt Venezuela to enact new legislation related to privacy or cybersecurity in the short term.

Click here to download this article.