Broadband Policies for Latin America and the Caribbean A Digital Economy Toolkit www.ebook3000.com Broadband Policies for Latin America and the Caribbean A DIGITAL ECONOMY TOOLKIT www.ebook3000.com This report was approved and declassified by the OECD Committee on Digital Economy Policy on 31 March 2016 and prepared for publication by the OECD Secretariat The opinions expressed in this publication not necessarily reflect the views of the Inter-American Development Bank, its Board of Directors, or the countries they represent This document and any map included herein are without prejudice to the status of or sovereignty over any territory, to the delimitation of international frontiers and boundaries and to the name of any territory, city or area Please cite this publication as: OECD and IDB (2016), Broadband Policies for Latin America and the Caribbean: A Digital Economy Toolkit, OECD Publishing, Paris http://dx.doi.org/10.1787/9789264251823-en ISBN 978-92-64-25181-6 (print) ISBN 978-92-64-25182-3 (PDF) The statistical data for Israel are supplied by and under the responsibility of the relevant Israeli authorities The use of such data by the OECD is without prejudice to the status of the Golan Heights, East Jerusalem and Israeli settlements in the West Bank under the terms of international law Photo credits: © Robert Biedermann/Shutterstock.com, © Sashkin/Shutterstock.com Corrigenda to OECD publications may be found on line at: www.oecd.org/publishing/corrigenda © OECD, IDB 2016 You can copy, download or print OECD content for your own use, and you can include excerpts from OECD publications, databases and multimedia products in your own documents, presentations, blogs, websites and teaching materials, provided that suitable acknowledgment of the source and copyright owner is given All requests for public or commercial use and translation rights should be submitted to rights@oecd.org Requests for permission to photocopy portions of this material for public or commercial use shall be addressed directly to the Copyright Clearance Center (CCC) at info@copyright.com or the Centre franỗais dexploitation du droit de copie (CFC) at contact@cfcopies.com Preface Preface D igital technologies are profoundly changing our economies and societies Broadband networks are essential in enabling this transformation By reducing the cost of accessing information and by expanding the means for sharing knowledge, these networks can empower people, encourage greater civic engagement and improve the delivery of public services, as well as helping to create opportunities for new goods, services, business models and jobs Nonetheless, these opportunities come with challenges, the first of which is to ensure that everyone has access to this extraordinary tool The capacity of broadband to accelerate economic and social development is recognised globally Its importance for the three pillars of development – economic development, social inclusion and environmental protection – was recently acknowledged by the United Nations (UN), which set a provision of universal and affordable access to the Internet in least developed countries by 2020 as one of the targets of the Sustainable Development Goals (SDGs) We are also mindful of the UN’s call for sharing knowledge and expertise in the service of the SDGs Broadband Policies for Latin America and the Caribbean: A Digital Economy Toolkit offers a clear example of partners coming together to share good practices In setting out some guidelines for designing a whole-of-government approach to policies, this Toolkit aims to assist countries in the region enhance their digital prospects and make progress on international, regional and national policy objectives Today, Latin America and the Caribbean (LAC) is experiencing an economic slowdown, but the time is ripe for both implementing much needed structural reforms that can promote sustainable growth and for designing policies that seize the benefits of the digital economy The first challenge is making sure opportunities are more evenly spread An estimated 300 million people in the region, half of the population, still have no access to the Internet, with the situation varying greatly between countries, income groups, and those living in rural or urban areas Successful broadband policies, designed to improve social inclusion, productivity and governance, can be a catalyst for expanding the “digital dividends” which stem from broadband access and use Policymakers and regulators have a variety of instruments at their disposal to stimulate and encourage investment, competition and network deployment They can also assist in making services more affordable, relevant, usable and safer for individuals and businesses The OECD is committed to supporting accessible and affordable broadband This joint publication with the Inter-American Development Bank (IDB), to be presented at the Digital Economy Ministerial meeting in Cancún, Mexico, is designed to generate fruitful Broadband Policies for Latin America and the Caribbean: A Digital Economy Toolkit © OECD, IDB 2016 www.ebook3000.com Preface policy dialogue on how to achieve this goal This will mean enlisting all stakeholders to make the most of the opportunities ahead and to tackle the evolving challenges of the digital economy to promote further social inclusion, increase productivity and enhance governance in the region It is time to act together to put accessible, affordable broadband at the fingertips of all Angel Gurría, Secretary-General OECD Broadband Policies for Latin America and the Caribbean: A Digital Economy Toolkit © OECD, IDB 2016 Foreword Foreword B roadband Policies for Latin America and the Caribbean: A Digital Economy Toolkit is the result of a partnership between the OECD and the Inter-American Development Bank (IDB) Its aim is to encourage the expansion of broadband networks and services in the region by assisting policy makers and regulators with the implementation of policies based on a coherent and whole-of-government approach In order to so, the publication puts forward good practices and case studies It builds on the combined expertise of the OECD and IDB The OECD has extensive experience in policy analysis associated with broadband access and usage, as well as in developing recommendations aimed at fostering deployment, investment and competition Many of the policy and regulatory issues faced in the LAC region are common to those in OECD countries, and sharing good practices can be a valuable resource The wide variety of issues covered by expert groups within the OECD, whether on education, health, government or taxation, make it possible to compile an extensive set of good practices on both supply and demand-side issues with a proven record of success The IDB has been a major supporter of LAC countries as they design and implement digital and broadband strategies and has assisted its member countries in the challenge of developing this critical technological infrastructure This ranges from supporting the design of national broadband plans to nurturing public-private partnerships, where necessary, to expand broadband coverage This Toolkit draws on a wealth of information collected by the OECD and IDB using an extensive questionnaire on policy and regulatory issues that was distributed to all 26 LAC countries in 2014 and 2015 It has benefited from an up-to-date and comprehensive perspective of the region, thanks to this stocktaking exercise, which has also helped to identify a variety of good practices drawn from LAC countries The OECD/IDB Broadband Policy Toolkit for LAC will complement existing toolkits and regulatory references by drawing on extensive accumulated experience on policy making and regulation across different countries with a range of contexts and challenges This Toolkit covers supply and demandside broadband policy issues and hopes to offer a holistic overview of the subject that can help policy makers and regulators prepare for the future Good practices included in this Toolkit rely on the IDB’s experience in the LAC region and the OECD’s recommendations and evidence-based analysis of broadband policy issues, which are referenced throughout each chapter Broadband Policies for Latin America and the Caribbean: A Digital Economy Toolkit © OECD, IDB 2016 www.ebook3000.com Acknowledgements Acknowledgements B roadband Policies for Latin America and the Caribbean: A Digital Economy Toolkit was prepared by the OECD Secretariat and the Inter-American Development Bank (IDB) Secretariat The lead authors were Jorge Infante González and Lorrayne Porciuncula, together with Sam Paltridge, of the OECD Digital Economy Policy Division, headed by Anne Carblanc, under the overall direction of Andrew Wyckoff, OECD Director of Science, Technology and Innovation (STI) The IDB team was led by Antonio García-Zaballos and included Enrique Iglesias Rodriguez, Lorena Cano Cuadra and Carolina Valencia Márquez Further authors of chapters from the OECD Digital Economy Policy team were Elettra Ronchi, Verena Weber, Laurent Bernat and Gaël Hernández, and from the Public Governance and Territorial Development Directorate, Barbara Ubaldi and Rodrigo Mejía Ricart Valuable comments were received from Dirk Pilat and Molly Lesher, from STI, and Tom Neubig, David Bradbury and Dimitra Koulouri, from the Centre for Tax Policy and Administration Particular acknowledgement is made to Diego Molano Vega, former ICT Minister of Colombia and advisor to the IDB, for his insights on the LAC region and to the Office of the President of the IDB, Luis Alberto Moreno Special thanks goes also to Ernesto Flores Roux, independent consultant and president of the Advisory Board of the Instituto Federal de Telecomunicaciones (Mexico); Cristos Velasco, founder of ProtDataMx; Heimar F Marin, professor at the Universidade Federal de São Paulo (Brazil); Taylor Reynolds, director of the Massachusetts Institute of Technology’s Cybersecurity and Internet Policy Research Initiative, and Dimitri Ypsilanti, for their substantial contributions to different chapters The publication also benefited from preliminary research and contributions from Agustín Díaz-Pinés, Alexia González Fanfalone, Rudolph van der Berg, Félix González Herranz, Michele Rimini, Yuki Yokomori and Susana Cuervo Statistical support for the preparation of the Toolkit was undertaken by Frédéric Bourassa, while editorial support was provided by Victoria Elliott, Angela Gosmann and by the OECD Public Affairs and Communications Directorate This Toolkit is indebted to representatives of the ministries and regulators of Latin America and Caribbean (LAC) countries who have kindly replied to the questionnaires, received the team for meetings, revised the text of this publication and contributed cases of good practices in their countries For all their essential contributions and efforts, acknowledgement is made to colleagues from Argentina, the Bahamas, Barbados, Belize, the Plurinational State of Bolivia, Brazil, Chile, Colombia, Costa Rica, the Dominican Republic, Ecuador, El Salvador, Guatemala, Haiti, Honduras, Jamaica, Mexico, Nicaragua, Panama, Paraguay, Peru, Suriname, Trinidad and Tobago and Uruguay We also thank our delegates from the Committee on Digital Economy Policy (CDEP), chaired by Jørgen Abild Andersen (Denmark) and the Working Party on Communication Infrastructures and Services Policy (CISP), chaired by Tracey Weisler (United States), for their guidance and contributions Broadband Policies for Latin America and the Caribbean: A Digital Economy Toolkit © OECD, IDB 2016 Table of contents Table of contents Executive summary 15 Chapter Broadband and beyond in Latin America and the Caribbean 17 Broadband is crucial for socio-economic development 19 Broadband policy making 20 The Latin American and Caribbean Region 23 Main challenges 27 Leading good practices 28 Notes 30 References 31 Further reading 32 Chapter Regulatory frameworks and digital strategies 33 Policy objectives for the LAC region 34 Tools for measurement and analysis in the LAC region 36 Overview of the situation in the LAC region 37 Good practices for the LAC region 39 Conclusion 51 Notes 52 References 52 Further reading 52 Annex 2.A1. Regulatory frameworks in the LAC region 54 Annex 2.A2. National digital Strategies 56 Annex 2.A3. Policy/regulatory bodies in the LAC region 57 Annex 2.A4. Distribution of powers among policy/regulatory bodies in the region 60 Chapter Spectrum policy 63 Key policy objectives for the LAC region 65 Tools for measurement and analysis in the LAC region 66 Overview of the situation in the LAC region 66 Good practices for the LAC region 69 Conclusion 87 Notes 87 References 88 Further reading 88 Broadband Policies for Latin America and the Caribbean: A Digital Economy Toolkit © OECD, IDB 2016 www.ebook3000.com Table of contents Chapter Competition and infrastructure bottlenecks 91 Key policy objectives for the LAC region 92 Tools for measurement and analysis in the LAC region 93 Overview of the situation in the LAC region 94 Good practices for the LAC region 97 Conclusion 134 Notes 135 References 136 Further reading 138 Annex 4.A1. Number portability implementation in the region 139 Chapter Extending broadband access and services 141 Key policy objectives for the LAC region 143 Tools for measurement and analysis in the LAC region 143 Overview of the situation in the LAC region 147 Good practices for the LAC region 150 Conclusion 167 Notes 168 References 168 Further Reading 169 Annex 5.A1. National Broadband Plans in the LAC region 172 Annex 5.A2. Universal service funds in the LAC region 174 Chapter Affordability, government charges and digital inclusion 177 Key policy objectives for the LAC region 179 Tools for measurement and analysis in the LAC region 179 Overview of the situation in the LAC region 180 Good practices for the LAC region 190 Conclusion 199 Notes 199 References 199 Further reading 200 Chapter Convergence 203 Key policy objectives for the LAC region 205 Tools for measurement and analysis in the LAC region 206 Overview of the situation in the LAC region 208 Good practices for the LAC region 212 Conclusion 229 Notes 229 References 230 Further reading 232 Chapter Regional integration 235 Policy objectives in the LAC region 237 Tools for measurement and analysis in the LAC region 238 Overview of the situation in the LAC region 241 Broadband Policies for Latin America and the Caribbean: A Digital Economy Toolkit © OECD, IDB 2016 15. Privacy protection T he increased collection and processing of personal data for economic and social activities that rely on the digital environment raises a number of privacy challenges These must be addressed both to protect fundamental values and individual liberties, and to ensure a digital environment that inspires confidence and in which individuals can fully participate Privacy protection frameworks, also known as “data protection” frameworks, aim to create the conditions for public and private organisations to process personal data to pursue economic and social objectives while protecting privacy In general, they set the requirements that organisations must respect when they collect, process and share personal data, as well as the rights granted to individuals Although privacy protection frameworks are generally developed at the national level, flows of personal data often cross borders, raising the issue of the interoperability of these frameworks In addressing this, policy makers face a double challenge: i) developing a framework that protects privacy while promoting economic development; and ii) ensuring a sufficient level of international interoperability to prevent the privacy protection framework from hindering blocking or inhibiting international trade The OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (hereinafter OECD Privacy Guidelines) aim to assist policy makers in the development of privacy frameworks (OECD, 2013) They were initially adopted in 1980 and revised in 2013 They define key concepts used in this area (“personal data”, “data controller” and so on) and include principles that can be used as a basis for privacy protection frameworks worldwide The OECD Privacy Guidelines are high-level policy recommendations that can be used as a basis to develop a privacy protection framework with the flexibility to accommodate regional and local variations Meanwhile, they should facilitate international interoperability for transborder flows of personal data Most regional conventions, recommendations and standards for privacy and data protection are in line with the Privacy Guidelines, including the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (hereinafter Convention 108) (CoE, 1981),1 the United Nations Guidelines concerning Computerized Personal Data Files (UN, 1990), the Asia-Pacific Economic Co-operation (APEC) Privacy Framework (APEC, 2005), the International Standards on Privacy and Data Protection (hereinafter the Madrid Resolution)2 (AEPD and PFPDT, 2009) and more recently, the Organization of American States’ (OAS) Model Law on Data Protection (OAS, 2014) It is important to underline that privacy protection frameworks generally intersect with other frameworks, for example those governing digital security risk management (OECD, 2015), broadband policy and consumer protection, as well as with policies related to specific economic sectors such as health or finance This section presents a set of policy objectives, tools and measures for assessment in meeting key objectives to advance policies on privacy, data protection and e-identity It provides an overview of the situation in the region based on national and regional indicators, points to good practices in the Latin America and Caribbean (LAC) region and establishes recommendations based on the work of international and regional organisations like the OECD and OAS 432 Broadband Policies for Latin America and the Caribbean: A Digital Economy Toolkit © OECD, IDB 2016 15. Privacy protection Key policy objectives in the LAC region Privacy protection is regulated in relevant instruments on international public law, such as the Universal Declaration of Human Rights (UN, 1948),3 the International Covenant on Civil and Political Rights (UN, 1966a),4 the International Covenant on Economic, Social and Cultural Rights (UN, 1966b)5 and the Inter-American Convention on Human Rights (OAS, 1969).6 It is therefore essential to ensure the continuity of privacy protection from the offline to the digital environment However, the main policy objective is to develop and implement a policy framework that protects privacy while i) encouraging the use of the digital environment for economic and social prosperity; and ii) enabling transborder flows of personal data through appropriate international policy and legal interoperability This general policy goal can be met through policy tools, such as: Developing a national privacy strategy A national privacy strategy that reflects a co-ordinated approach across governmental bodies is one of the key measures of national implementation included in the OECD Privacy Guidelines Elements of the national strategy can include: ●● the adoption of laws protecting privacy establishment of privacy enforcement authorities with the governance, resources and technical expertise to exercise their powers effectively and to make decisions on an objective, impartial and consistent basis ●● the ●● the encouragement and support of self-regulation ●● the provision for adequate sanctions and remedies in case of failure to comply with laws protecting privacy ●● the adoption of complementary measures, including education and awareness campaigns, skills development and the promotion of technical measures, that help to protect privacy.7 Implementing accountability Accountability is one of the key principles of the OECD Privacy Guidelines Data controllers8 should be accountable for complying with measures that enshrine the other OECD privacy principles A privacy protection framework can encourage data controllers to implement accountability by: ●● setting up a privacy management programme prepared to demonstrate the propriety of its privacy management programme, in particular at the request of a competent privacy enforcement authority or other entity responsible for promoting adherence to a code of conduct or similar arrangement that gives binding effect to the Guidelines ●● being ●● providing notice, as appropriate, to privacy enforcement authorities or other relevant authorities where there has been a significant security breach affecting personal data Where the breach is likely to adversely affect data subjects, a data controller should notify affected data subjects.9 Free flow and legitimate restrictions Recognising that a data controller remains accountable for personal data under its control without regard to the location of the data, the OECD Privacy Guidelines call on countries to refrain from restricting transborder flows of personal data (TBDF) between Broadband Policies for Latin America and the Caribbean: A Digital Economy Toolkit © OECD, IDB 2016 www.ebook3000.com 433 15. Privacy protection themselves and another country and for any restrictions to TBDF to be proportionate to the risks presented, taking into account the sensitivity of the data, and the purpose and context of the processing.10 International co-operation and interoperability LAC countries should co-operate in the enforcement of privacy laws and facilitate international interoperability of privacy frameworks This implies, for example: appropriate measures to facilitate cross-border privacy law enforcement co-operation, in particular by enhancing information sharing among privacy enforcement authorities ●● taking ●● encouraging and supporting the development of international arrangements that promote interoperability among privacy frameworks that give practical effect to the OECD Privacy Guidelines ●● encouraging the development of internationally comparable metrics to inform the policy making process related to privacy and transborder flows of personal data public the details of their observance of the international or national privacy guidelines ●● making Tools for measurement and analysis for the LAC region There is no general agreement on indicators to measure the various aspects of privacy protection policy frameworks However, in the context of their reporting and transparency obligation, privacy enforcement authorities generally publish an annual report reflecting their activities This includes statistics on, for example: ●● number of complaints received ●● number of requests for information from individuals and data controllers ●● number of fines, etc Unfortunately, the methodologies to collect and aggregate data are generally not comparable, and there is no systematic comparative analysis of these statistics, whether at the regional or international level Overview of the situation in the LAC region National privacy strategies None of the countries in the LAC region have a comprehensive national privacy strategy or programme This is not surprising considering that the concept of national privacy strategy is relatively new However, the proportion of LAC countries with privacy and data protection legal frameworks in place is relatively high (around 40%), and the number is growing Nine countries (Colombia, Costa Rica, Chile, the Dominican Republic, Ecuador, Mexico, Nicaragua, Peru and Uruguay) have privacy and data protection laws, including supervisory or regulatory authorities (Box 15.1) Brazil, Chile, Jamaica and Paraguay are in the process of consultation and drafting new laws in this area The great majority of countries in the LAC region, for example Brazil, Panama and El Salvador, have sectoral laws with scattered provisions on privacy and data protection, but no independent laws and regulations so far on data protection and national data protection authorities (OAS, 2015) 434 Broadband Policies for Latin America and the Caribbean: A Digital Economy Toolkit © OECD, IDB 2016 15. Privacy protection Box 15.1 Selected national laws and regulations on privacy and data protection (2010-15) Colombia ●● Statutory Law No 1581 containing General Provisions for the Protection of Personal Data (17 October 2012) ●● Decree No 1377 that Partially Regulates Statutory Law No 1581 of 2012 (27 June 2013) ●● Decree No 866 that Regulates the National Registry of Databases pursuant to Article 25 of Statutory Law No 1581 (13 May 2014) Costa Rica ●● Law No 8968 of Protection of the Individual for the Processing of his Personal Data (5 September 2011) ●● Regulation of Law No 8968 contained in Executive Decree No 37554-JP (30 October 2012) Dominican Republic ●● Law No 172-13 on Protection of Personal Data (26 November 2013) Mexico ●● Federal Law on Data Protection in the Possession of Private Parties (5 July 2010) ●● Regulation of the Federal Law on Data Protection in the Possession of Private Parties (19 December 2011) ●● Self-Regulation Standards on Protection of Personal Data (29 May 2014) Nicaragua ●● Law No 787 on Protection of Personal Data (29 March 2012) Peru ●● Regulation of Law No 29733 of Protection of Personal Data (22 March 2013) ●● Law No 29733 of Protection of Personal Data (3 July 2011) Law enforcement continues to be a challenge in the LAC region The proportion of countries with an independent national Data Protection Authority (hereinafter DPA) is very low Only two countries (Mexico and Uruguay) have a fully independent and autonomous DPA In other countries, the DPA is part of a ministry, as in Colombia (Ministry of Economy), Costa Rica and Peru (Ministry of Justice) and Ecuador (Ministry of Telecommunications and Information Society) Policy makers in the LAC region tend to view privacy and data protection as a legislative and regulatory issue, rather than from the economic and social public policy perspective Implementing accountability The concept of accountability has not yet gained wide acceptance in the LAC region Only Mexico11 incorporates this concept in its national data protection legislation and regulation Colombia recently published a guide for the implementation of accountability in organisations as part of the implementation of Articles 26 and 27 of Decree No 1377 of 27 June 2013 (SIC, 2014) However, the extent of the use of this principle by data controllers is not entirely clear The implementation of a privacy management programme is not compulsory under most data protection laws of LAC countries Broadband Policies for Latin America and the Caribbean: A Digital Economy Toolkit © OECD, IDB 2016 www.ebook3000.com 435 15. Privacy protection Free flow of data and legitimate restrictions There are remarkable differences of approach to the regulation of transborder data flows and restrictions on the transfer of personal data from LAC countries to third countries The proportion of countries with restrictions and regulations on the free flow of information is quite high Six countries (Argentina, Colombia, Costa Rica, Mexico, Peru and Uruguay) have provisions that stipulate special conditions for national and international transfers of personal data, as well as the use of mechanisms to export information to third countries, which includes model contractual agreements and clauses and binding corporate rules (Velasco, 2015) International co-operation and interoperability The proportion of countries with international co-operation agreements and other mechanisms for the exchange of information for the enforcement of cross-border privacy is very low Only three LAC countries (Argentina, Colombia and Mexico) are part of the OECD’s Global Privacy Enforcement Network (GPEN).12 The concept of privacy interoperability has not yet gained wide acceptance in LAC countries The proportion of LAC countries promoting interoperability with other privacy frameworks is very low Only Mexico participates in the APEC’s Cross-Border Privacy Rules (CBPR) System (Box 15.2).13 This country is seeking the interoperability of its national framework on data protection – in particular the implementation of self-regulation schemes through certification agents – with APEC economies Other LAC countries, such as Chile and Peru, are also members of the APEC Box 15.2 Countries on interoperability with other data protection frameworks Mexico Mexico, through the Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI), participates in APEC’s Cross-Border Privacy Enforcement Arrangement (CPEA) This is a vehicle for regional co-operation in enforcing privacy laws among APEC member economies Mexico is the only LAC country promoting interoperability with other data protection frameworks Mexico’s Ministry of Economy has participated in APEC’s Cross-Border Privacy Rules (CBPR) System since February 2013 Source: APEC (2009), APEC Cross-Border Privacy Enforcement Arrangement (CPEA), www.apec.org/Groups/ Committee-on-Trade-and-Investment/Electronic-Commerce-Steering-Group/Cross-border-Privacy-EnforcementArrangement.aspx Notification of data breaches and enforcement of data protection laws Data security breaches are on the rise in LAC countries Only three countries (Colombia, Costa Rica and Mexico) have established in their data protection legal framework obligations to notify affected data subjects and imprisonment sanctions for data controllers in case of a data breach (Box 15.3) 436 Broadband Policies for Latin America and the Caribbean: A Digital Economy Toolkit © OECD, IDB 2016 15. Privacy protection Box 15.3 Selected laws and regulation with data breach notification obligations Colombia Article 17(n) of Statutory Law No 1581 establishes the obligation for data controllers to inform data protection authorities when security breaches occur and present risks in the administration of information of data subjects Article 18(k) establishes an obligation to inform the Superintendencia de Industria y Comercio (DPA) when security breaches occur and to present risks in the administration of information of data subjects The law provides fines for the equivalent of 2 000 days of minimum wage and the suspension of activities for six months Source: Colombia (2012), Ley Estatuaria No 1581 – Disposiciones Generales para la Protección de Datos Personales, www.sic.gov.co/drupal/sites/default/files/normatividad/Ley_1581_2012.pdf Costa Rica Articles 38 and 39 of Regulation of Law No 8968 of Protection of the Individual for the Processing of his Personal Data establish an obligation for data controllers to inform data subjects on any irregularity in the processing and storage of their personal data as a result of a security vulnerability within five working days from the day the vulnerability occurred, to initiate a comprehensive review to determine the magnitude of the breach and the corrective and preventive measures to be taken and to inform both data subjects and the DPA (PRODHAB) Source: Prohab (2011), “Marco Jurídico”, www.prodhab.go.cr//conozcanos/?marco-juridico Mexico Article 20 of the Federal Law on Data Protection in Possession of Private Entities (FLDPPPP) establishes obligations for data controllers to immediately inform data subjects in case of a data breach Articles 67 and 69 of the FLDPPPP set forth imprisonment sanctions from three months to three years The punishment may be doubled when sensitive information is involved The former IFAI (now INAI) used the data breach notification provision of the FLDPPPP to request from Sony Mexico a report of the affected users located in national territory when the data breach scandal of Sony’s Play Station Network and Qriocity occurred between 17 and 19 April 2011 INAI enforced the data breach notification provisions of the FLDPPPP to request the national retailer Puerto de Liverpool S.A.B information regarding the status of its databases containing personal information of employees and customers as a result of a data breach that occurred in December 2014 Source: Mexico (2010), Ley Federal de Protección de Datos Personales en Posesión de los Particulares, http://inicio.ifai.org mx/LFPDPPP/LFPDPPP.pdf Although enforcement of data protection laws still needs to be improved in LAC countries, some DPAs have started to levy fines and sanctions for noncompliance against data processors and data controllers (Box 15.4) Summary of the overall situation In recent years, many LAC countries have passed laws, regulations and policies to protect privacy and personal data as a fundamental human right, in line with various international and regional instruments on data protection Brazil, Colombia, Costa Rica, the Dominican Republic, Ecuador, Mexico, Nicaragua, Peru and Uruguay are among the LAC countries with data protection legislation and regulation in force Broadband Policies for Latin America and the Caribbean: A Digital Economy Toolkit © OECD, IDB 2016 www.ebook3000.com 437 15. Privacy protection Box 15.4 Selected NDPAs levying sanctions for noncompliance with data protection laws Mexico Mexico’s DPA (INAI) is perhaps one of the leading enforcement authorities in the region INAI reports a total of 21 sanction procedures for an estimate amount of USD 6.6 million (MXP 108.3 million) from January 2012 to 22 May 2015, divided into the following segments: ●● insurance and financial services: USD 3.17 million (14 sanction procedures) ●● massive media and information sector: USD 1.86 million (4 sanction procedures) ●● education services sector: USD 612 394 (3 sanction procedures) Source: INAI (2015), “Autoridades de Protección de datos de la Región – Retos Mundiales de Supervisión”, 3er Congreso de Protección de Datos: Privacidad en la Práctica, www.sic.gov.co/recursos_user/memorias_3congreso_ proteccion_datos/GUSTAVO_PARRA.pdf Peru Despite the recent enactment of the Regulation of Law No 29733 of Protection of Personal Data, the DPA in Peru reports five procedures resulting in economic sanctions and fines against data controllers Source: MINJUS (2016), Procedimientos administrativos sancionadores, www.minjus.gob.pe/procedimientos-administrativossancionadores/ Only one country (Mexico) has moved to a pro-active co-regulatory approach that includes the use and implementation of binding self-regulation on data protection It has minimal regulatory restrictions on cross-border data flows, to facilitate trade and the exchange of data with third countries while encouraging technology innovation However, the majority of countries of LAC still face numerous challenges, including: ●● pro-active enforcement of data protection laws and regulations by the DPA ●● encouragement of privacy management programmes that include obligations to respond, notify and provide redress to data subjects in case of a security breach affecting personal information ●● harmonised cross-border privacy co-operation with other DPAs and law enforcement authorities, and encouragement of interoperability with other regional and national frameworks on privacy and data protection (e.g APEC’s Privacy Framework) The majority of LAC countries have not developed national privacy strategies that take into consideration the recommendations in the OECD Privacy Guidelines In addition, DPAs in LAC countries have not been conducting ongoing national campaigns for the protection of personal data that help to comply with the laws and regulations on privacy and data protection and to inform users about the mechanisms available to help them exercise their data protection rights Implementation of cross-border co-operation agreements to enforce privacy laws in LAC countries is limited Only Argentina, Colombia and Mexico are members of the GPEN through their respective DPAs National budget constraints are likely to be among the reasons for this, given that few countries have allocated annual budgets in this area In the field of cross-border data transfers, the legal frameworks of Peru and Colombia establish conditions to conduct international data transfers to third countries based on the adequacy level of protection contained in the European Union Data Protection Directive of 199514 and the draft European Union General Data Protection Regulation.15 Paradoxically, neither Colombia nor Peru has yet met the adequacy level of protection standard of 438 Broadband Policies for Latin America and the Caribbean: A Digital Economy Toolkit © OECD, IDB 2016 15. Privacy protection the European Commission.16 Only the data protection laws and regulations of Argentina17 and Uruguay18 have met the European Union adequacy decision standard However, after the decision handed down by the Court of Justice of European Union (CJEU) in October 2015 (CJEU, 2015), some uncertainty remains over the status of the adequacy decisions related to Argentina and Uruguay The data protection laws of Colombia, Peru and Mexico contain provisions for the use of standard contractual clauses, binding corporate rules and other legal instruments to conduct international transfers of data to third countries However, such mechanisms have not yet been fully implemented at a practical level, and the DPAs of LAC countries have not yet made official statements on the validity of such instruments Good practices for the LAC region Good regulatory practice in the area of privacy protection includes the promotion of privacy risk management19 by the policy makers of LAC countries, as a useful methodology for data controllers to protect privacy.20 This is perhaps one of the greatest challenges in the region, since it is a novel concept and the consensus is that “work is needed to understand practical applications and implications” of privacy risk management National privacy strategies should incorporate each of the policies contained in Part Five of Principle 19 of the OECD Revised Privacy Guidelines (Box 15.5) Box 15.5 Policy recommendations for national Implementation of the OECD privacy framework ●● Develop national privacy strategies that reflect a co-ordinated approach across governmental bodies ●● adopt laws protecting privacy ●● establish and maintain privacy enforcement authorities with the governance, resources and technical expertise necessary to exercise their powers effectively and to make decisions on an objective, impartial and consistent basis ●● encourage and support self-regulation, whether in the form of codes of conduct or otherwise ●● provide for reasonable means for individuals to exercise their rights ●● provide for adequate sanctions and remedies in case of failures to comply with laws protecting privacy ●● consider the adoption of complementary measures, including education and awareness raising, skills development, and the promotion of technical measures that help to protect privacy ●● consider the role of actors other than data controllers, in a manner appropriate to their individual role ●● ensure that there is no unfair discrimination against data subjects Source: OECD (2013), OECD Privacy Framework, www.oecd.org/internet/ieconomy/privacy-guidelines.htm The broad implementation of the accountability principle is also relevant The actions contained in Principle 15 of the OECD Revised Privacy Guidelines need to be implemented by both data controllers and data processors (Box 15.6) Broadband Policies for Latin America and the Caribbean: A Digital Economy Toolkit © OECD, IDB 2016 www.ebook3000.com 439 15. Privacy protection Box 15.6 OECD Principles for Implementing Accountability A data controller should: ●● Have in place a privacy management programme that: ❖ gives effect to these Guidelines for all personal data under its control ❖ is tailored to the structure, scale, volume and sensitivity of its operations ❖ provides for appropriate safeguards based on privacy risk assessment ❖ is integrated into its governance structure and establishes internal oversight mechanisms ❖ includes plans for responding to inquiries and incidents ❖ is updated in light of ongoing monitoring and periodic assessment ●● Be prepared to demonstrate its privacy management programme as appropriate, in particular at the request of a competent privacy enforcement authority or another entity responsible for promoting adherence to a code of conduct or similar arrangement giving binding effect to these Guidelines ●● Provide notice, as appropriate, to privacy enforcement authorities or other relevant authorities where there has been a significant security breach affecting personal data Where the breach is likely to adversely affect data subjects, a data controller should notify affected data subjects Source: OECD (2013), OECD Privacy Framework, www.oecd.org/internet/ieconomy/privacy-guidelines.htm Policy makers should encourage balanced policies on TBDF and legal instruments, such as for example model contractual clauses and agreements and binding corporate rules for the transfer and process of personal data across different regions To encourage policies on privacy, active participation in international and regional enforcement networks on cross-border privacy networks is also important These would include the GPEN and APEC’s Cross-Border Privacy Enforcement Arrangement (CPE) and national data protection laws’ interoperability with other regional data protection frameworks to reinforce the protection of personal information of data subjects across borders Conclusion This chapter focused on policy measures to develop and implement a policy framework that protects privacy while encouraging the use of the digital environment for economic and social prosperity and enabling transborder flows of personal data through appropriate international policy and legal interoperability It introduced the main elements of a privacy policy framework: a national privacy strategy including relevant legislation and a privacy enforcement authority, measures to encourage self-regulation and the adoption of privacy management programmes to increase accountability by data controllers, as well as mechanisms to facilitate interoperability of privacy frameworks across borders In addition, after underlining the lack of indicators to measure the various aspects of privacy protection, this chapter provided an overview of the situation in the LAC region While no LAC country has yet developed a national privacy strategy, a relatively new concept, several have associated legislation and a privacy enforcement authority and others are currently developing their framework Only a few countries in the region are part of an international co-operation agreement, and the concept of accountability has not yet gained wide acceptance in the region 440 Broadband Policies for Latin America and the Caribbean: A Digital Economy Toolkit © OECD, IDB 2016 15. Privacy protection Notes This convention, like most European legal instruments on data protection, is currently going through a reform and modernisation process The Madrid Resolution was adopted on the November 2009 at the annual meeting of the International Conference of Data Protection and Privacy Commissioners (ICDPPC), a global forum of field experts and the highest authorities and institutions guaranteeing data protection and privacy (AEPD and PFPDT, 2009) See Article 12 See Article 17 See Article See Article 11 See Part Five, principle 19 of the OECD Revised Privacy Guidelines (OECD, 2013) According to the OECD Privacy Guidelines (OECD, 2013), a data controller is the “party who, according to national law, is competent to decide about the contents and use of personal data regardless of whether or not such data are collected, stored, processed or disseminated by that party or by an agent on its behalf” See Part Three, principle 15 of the OECD Revised Privacy Guidelines (OECD, 2013) 10 See Part Four, principles 16, 17, 18 of the OECD Revised Privacy Guidelines (OECD, 2013) 11 See Articles and 14 of the Federal Law on Data Protection in Possession of Private Entities (FLDPPPP) and Articles 47 and 48 of the Regulation of the FLPPDPP 12 GPEN was established as part of the implementation of the 2007 OECD Recommendation of the Council on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy (OECD, 2007) GPEN’s website is available at www.privacyenforcement.net 13 APEC’s Cross-Border Privacy Rules (CBPR) System is available at www.cbprs.org/default.aspx 14 See Chapter IV (Articles 25 and 26) of Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (European Parliament and Council of EU, 1996) 15 For information about the adoption of the draft Regulation, see http://ec.europa.eu/justice/newsroom/ data-protection/news/index_en.htm 16 Ibid., note 45, p 895 17 As stated in the Commission Decision of 30 June 2003 pursuant to Directive 95/46 of the European Parliament and of the Council on the adequate protection of personal data in Argentina (EC, 2003) 18 As stated in the Commission Executive Decision C (2012) 5704 of 21 August 2012 pursuant to Directive 95/46 of the European Parliament and of the Council on the adequate protection of personal data in the Republic of Uruguay (EC, 2012) 19 In the opinion of the Centre for Information and Policy Leadership at Hunton & Williams, “the role of risk management is a valuable tool for calibrating the implementation of and compliance with privacy requirements, prioritizing action, raising and informing awareness about risks, identifying appropriate mitigation measures and, in the words of the Article 29 Working Party, providing a ‘scalable and proportionate approach to compliance’” See pp 1-3 of Centre for Information Policy Leadership (2014) 20 Paragraph Six and Principle 15(a)(iii)(vi)(c) of the OECD Revised Privacy Guidelines takes into consideration the role of “risk assessment approach” in the development of policies and safeguards to protect privacy References AEPD and PFPDT (2009), International Standards on Privacy and Data Protection or Madrid Resolution, International Conference of Data Protection and Privacy Commissioners, Agencia Espola de Protección de Datos (AEPD) and Préposé fédéral la protection des données et la transparence (PFPDT), Madrid, http://privacyconference2011.org/htmls/adoptedResolutions/2009_Madrid/2009_M1.pdf Broadband Policies for Latin America and the Caribbean: A Digital Economy Toolkit © OECD, IDB 2016 www.ebook3000.com 441 15. Privacy protection APEC (2009), APEC Cross-Border Privacy Enforcement Arrangement (CPEA), Asia-Pacific Economic Co-operation, Singapore, www.apec.org/Groups/Committee-on-Trade-and-Investment/Electronic-Commerce-SteeringGroup/Cross-border-Privacy-Enforcement-Arrangement.aspx APEC (2005), Privacy Framework, Asia-Pacific Economic Co-operation, Singapore, www.apec.org/Groups/ Committee-on-Trade-and-Investment/~/media/Files/Groups/ECSG/05_ecsg_privacyframewk.ashx Centre for Information Policy Leadership (2014), The Role of Risk Management in Data Protection: Project on Privacy Risk Framework and Risk-based Approach to Privacy, Centre for Information Policy Leadership at Hunton & Williams CJEU (2015), Judgement of the Court (Grand Chamber) of October 2015 – Case C-362/14, Court of Justice of European Union, Luxembourg, http://curia.europa.eu/juris/document/document.jsf?text=&docid= 169195&pageIndex=0&doclang=en&mode=req&dir=&occ=first&part=1&cid=116872 CoE (1981), Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data – Treaty No 108, Council of Europe, Strasbourg, http://www.coe.int/en/web/conventions/full-list/-/ conventions/treaty/108 Colombia (2012), Ley Estatuaria No 1581 – Disposiciones Generales para la Protección de Datos Personales, Gobierno Nacional de Colombia, Bogotá, http://www.sic.gov.co/drupal/sites/default/files/normatividad/ Ley_1581_2012.pdf EC (2012), Commission Implementing Decision of 21 August 2012 – 2012/484/EU, European Commission, Brussels, http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32012D0484 EC (2003), Commission Decision of 30 June 30 – C(2003)1731 final, Commission of the European Communities, Brussels, http://ec.europa.eu/justice/policies/privacy/docs/adequacy/decision-c2003-1731/ decision-argentine_en.pdf European Parliament and Council of EU (1996), Directive 95/46/EC, the European Parliament and the Council of the European Union, Brussels, http://eur-lex.europa.eu/legal-content/EN/TXT/?uri= celex:31995L0046 INAI (2015), “Autoridades de Protección de datos de la Región – Retos Mundiales de Supervisión”, 3er Congreso de Protección de Datos: Privacidad en la Práctica, Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos, Personales, www.sic.gov.co/recursos_user/memorias_3congreso_ proteccion_datos/GUSTAVO_PARRA.pdf Mexico (2010), Ley Federal de Protección de Datos Personales en Posesión de los Particulares, Mexico DF, http:// inicio.ifai.org.mx/LFPDPPP/LFPDPPP.pdf MINJUS (2016), Procedimientos administrativos sancionadores, Ministerio de Justicia y Derechos Humanos de Perú, www.minjus.gob.pe/procedimientos-administrativos-sancionadores/ OAS (2015), Panama and Salvador Responses to OAS Questionnaire Regarding Privacy and Data Protection Legislation and Practices CP/CAJP-3026/11, Department of International Law, Washington D.C., www.oas.org/dil/data_protection_questionnaire.htm OAS (2014), Model Law on Data Protection, Department of International Law XII Meeting of the Ibero-American Data Protection Network, Mexico City, http://eventos.ifai.org.mx/XIIEncuentroIbero americanoPDP/images/VersionesEstenograficas/Panel2/MM.pdf OAS (1969), American Convention on Human Rights, Inter-American Specialized Conference on Human Rights, San José, www.cidh.org/basicos/english/Basic3.American%20Convention.htm OECD (2015), Digital Security Risk Management for Economic and Social Prosperity: OECD Recommendation and Companion Document, OECD Publishing, Paris, www.oecd.org/sti/ieconomy/Digital-Security-Risk- Management.htm OECD (2013), OECD Privacy Framework, OECD Publishing, Paris, www.oecd.org/internet/ieconomy/ privacy-guidelines.htm OECD (2007), Recommendation of the Council on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy, OECD Publishing, Paris, www.oecd.org/sti/privacycooperation Prohab (2011), “Marco Jurídico”, Agencia de Protección de Datos de los Habitantes – República de Costa Rica, www.prodhab.go.cr//conozcanos/?marco-juridico SIC (2014), Guía para la Implementación del Principio de Responsabilidad Demostrada (Accountability), Superintendencia de Industria y Comercio de Colombia, Bogotá, www.sic.gov.co/drupal/recursos_user/ documentos/noticias/Guia_Accountability.pdf 442 Broadband Policies for Latin America and the Caribbean: A Digital Economy Toolkit © OECD, IDB 2016 15. Privacy protection UN (1990), Guidelines for the Regulation of Computerized Personal Data Files - A/RES/45/95, United Nations General Assembly, New York, www.un.org/documents/ga/res/45/a45r095.htm UN (1966a), International Covenant on Civil and Political Rights, United Nations General Assembly, New York, https://treaties.un.org/Pages/ViewDetails.aspx?src=IND&mtdsg_no=IV-4&chapter=4&lang=en UN (1966b), International Covenant on Economic, Social and Cultural Rights, United Nations General Assembly, New York, https://treaties.un.org/Pages/ViewDetails.aspx?src=TREATY&mtdsg_ no=IV-3&chapter=4&lang=en UN (1948), The Universal Declaration of Human Rights (UNDR),United Nations General Assembly, Paris, www.un.org/en/universal-declaration-human-rights/ Velasco, C (2015), “The European Data Protection Adequacy Decision and its Effects on Third Countries: A Failed and Inadequate Standard for Latin America”, in Towards a New European Data Protection Regime, A.R Lombarte and R.G Mahamut (eds.), Tirant Lo Blanch, Valencia Further reading APEC (2015), Cross-Border Privacy Rules System, Asia-Pacific Economic Co-operation, Singapore, www.cbprs.org/default.aspx OAS (2015a), Work on Privacy and Data Protection, Organization of American States, Washington D.C., www.oas.org/dil/data_protection.htm OAS (2015b), Questionnaire Regarding Privacy and Data Protection Legislation and Practices, Washington D.C., www.oas.org/dil/data_protection_questionnaire.htm Broadband Policies for Latin America and the Caribbean: A Digital Economy Toolkit © OECD, IDB 2016 www.ebook3000.com 443 OECD PUBLISHING, 2, rue André-Pascal, 75775 PARIS CEDEX 16 (93 2016 01 P1) ISBN 978-92-64-25182-3 – 2016 www.ebook3000.com Broadband Policies for Latin America and the Caribbean A Digital Economy Toolkit Contents Chapter Broadband and beyond in Latin America and the Caribbean Chapter Regulatory frameworks and digital strategies Chapter Spectrum policy Chapter Competition and infrastructure bottlenecks Chapter Extending broadband access and services Chapter Affordability, government charges and digital inclusion Chapter Convergence Chapter Regional integration Chapter Skills and jobs in the digital economy Chapter 10 Business uptake, entrepreneurship and digital content Chapter 11 E-Health Chapter 12 Digital government Chapter 13 Consumer protection and e-commerce Chapter 14 Digital security risk management Chapter 15 Privacy protection Consult this publication on line at http://dx.doi.org/10.1787/9789264251823-en This work is published on the OECD iLibrary, which gathers all OECD books, periodicals and statistical databases Visit www.oecd-ilibrary.org for more information isbn 978-92-64-25181-6 93 2016 01 p ... Policies for Latin America and the Caribbean: A Digital Economy Toolkit © OECD, IDB 2016 1. Broadband and beyond in Latin America and the Caribbean Box 1.1 This Toolkit and other ICT and broadband. .. www.itu.int/en/ITU-D/Statistics/Pages/publications/wtid.aspx Broadband Policies for Latin America and the Caribbean: A Digital Economy Toolkit © OECD, IDB 2016 www.ebook3000.com 25 1. Broadband and beyond in Latin America and the Caribbean The. .. 18 Broadband Policies for Latin America and the Caribbean: A Digital Economy Toolkit © OECD, IDB 2016 1. Broadband and beyond in Latin America and the Caribbean Table 1.1 Sustainable Development