Law No. 81 on Personal Data Protection (‘the Law’) was published, on 29 March 2019, in the Official Gazette, following its approval by the Panama National Assembly on 26 October 2018. In particular, the Law establishes that in order for the processing of personal data to be lawful, it must be carried out with the prior, informed, and unequivocal consent of the data subject, and establishes a number of data subject rights. Among other things, it provides for the right to access personal data that is stored or subject to processing; the right to request the rectification or cancellation of personal data that is incorrect, irrelevant, incomplete, outdated, inaccurate, false, or impertinent; the right to refuse to provide personal data or have it subject to certain treatment, as well as to revoke consent; and the right to data portability.
Siaska SSS Lorenzo, Managing Partner at Arias, told DataGuidance, “Up to now, Panama did not have a data protection framework, but isolated privacy and secrecy laws depending upon the activity involved. With the Law, Panama is following the trend on data protection, and it places Panama in a new light vis-à-vis the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’), US laws, and international conventions such as the American Convention on Human Rights 1969, namely Article 11, and United Nations Resolution 68/167 (2013) on the right to privacy in the digital age, which mandates signatory countries to adopt internal laws for data protection […] Now, Panama can compete with first world countries in the same arena, with the same protections, and granting the same undefeatable data subject rights.”
The enactment of the Law will enforce compliance on such businesses, and in doing so, boost data protection
The Law also establishes the duty to compensate for pecuniary and/or moral damages caused by the improper treatment of personal data, with sanctions established according to the seriousness of the violation and ranging from PAB 1,000 to PAB 10,000 (approx. €890 to €8,880). In addition, the Law provides for the creation of a Personal Data Protection Council (‘the Council’), which will have the power to, among other things, develop internal regulations, recommend public policies on data protection, and evaluate cases and provide recommendations on the same.
Kharla Aizpurua Olmos, Partner at Morgan & Morgan, noted, “The Council will be an advisory body to the Panamanian National Authority of Transparency and Access to Information (‘ANTAI’) […] The creation of the Council and the new authorities granted to ANTAI will allow [these two bodies] to attend day to day situations with faster responses and management of regulations on these matters.”
Furthermore, the Law outlines that the cross-border processing of personal data originating in Panama which is confidential, sensitive, or restricted, will be permitted provided that the custodian or person responsible for the storage of such data complies with the personal data protection standards required by the Law, or demonstrates compliance with standards equal to or greater than those required by the Law.
Aizpurua Olmos concluded, “Panama has served and serves as a hub for Central American and South American businesses, given the existing incentives on foreign investments […] The enactment of the Law will enforce compliance on such businesses, and in doing so, boost data protection. The Law also allows businesses which are already complying with stricter international standards to be in compliance with its security and confidentiality requirements; notwithstanding, they will have ANTAI as a local supervising entity enforcing the Law.”
Iana Gaytandjieva Junior Privacy Analyst