After many years of discussion and failed attempts, a comprehensive new data privacy law is expected to be enacted in the short term.
Bill 665, concerning the protection of personal data, was approved by the National Assembly on October 24,2018. Presidential approval is pending but expected. Upon publication of the bill with the Official Gazzete, it will become law. However, the law will enter into force on the second anniversary of its publication.
The new law regulates much needed aspects such as electronic consent and guidance regarding the location of servers and international transfer of data. Other aspects regulated by the law are the obligation to maintain a data collection register available for inspection by the regulator (Autoridad Nactional de Transparencia y Acceso a la Información), rights of data holders to have information deleted or rectified (which the law requires to occur within 10 business days), privacy policy disclosure requirements and certain carve-outs regarding medical and criminal record data. Automated decision processes based on personal data is also regulated, as is the joint liability of the “responsible entity for data management” (which may be a legal or natural entity) with the entity actually utilizing the data.