Selecione abaixo o tema e/ou o comissão que deseja pesquisar:
THE RIGHT OF PRIVACY AND ITS DEVELOPMENT IN ARGENTINA AND OTHER LATIN AMERICAN COUNTRIES VIS-A-VIS NEW TECHNOLOGIES AND COMMERCIAL TRAFFIC REQUIREMENTS
Por: Emilio Beccar Varela
Data: 17/06/2006
THE RIGHT OF PRIVACY AND ITS DEVELOPMENT IN ARGENTINA AND OTHER LATIN AMERICAN COUNTRIES VIS-A-VIS NEW TECHNOLOGIES AND COMMERCIAL TRAFFIC REQUIREMENTS
Emilio Beccar Varela
Estudio Beccar Varela
Buenos Aires – Argentina
I. BACKGROUND
The right of “privacy” as a specific branch of study finds its origin in the late XIXth Century in an essay by Samuel D. Warren and Louis Brandeis and this may be considered as the starting point of development and systematization of the “privacy” concept which has been defined as “the right to be alone” or “the right to be left alone”. However, the Argentine Constitution of 1853 -inspired in the American Constitution which does not deal with this issue- contemplated this category of rights and ranked them at the level of the main rights of the individuals, as we shall discuss below.
As set forth above, the Argentine Constitution of 1853 includes certain standards that are related to the nowadays called right of “privacy” or right “to be let alone”, and acknowledges their substantive nature. This issue is specifically dealt with in sections 18 and 19.
The pertinent portion of section 18 of the Argentine Constitution of 1853 provides that “… The residence is inviolable as are mails and personal papers; and a special law will determine in what cases and for what reasons their search and occupation will be allowed…” Accordingly, scholars have sustained that the provisions of section 18 of the Constitution cannot be construed literally and the fact of only the residence, mail and personal papers having been mentioned as the subject matter of the constitutional protection does not mean that other spheres of privacy have been left out of the mentioned standard.
In turn, the first paragraph of section 19 of the Argentine Constitution reads as follows: “Private acts of men which in no way offend the public order and morality or harm third parties are reserved to God only and exempted from the magistrate’s authority…”
The development of the right of individual security, both under doctrine and case law, resulted in the enactment of more specific laws or to the inclusion of certain standards in more extensive regulatory contexts which in view of their special features required the above mentioned constitutional principles to be recognized.
Such is the case, for instance, of Law 11,179 which in 1921 enacted the Criminal Code, which code under the heading “Crimes against Liberty” classified the “Violation of Residence” and “Breach of Secrecy” and penalized certain acts as: (a) to break in an alien’s dwelling or business against the will of the person entitled to exclude the intruder; or (b) to improperly open a letter, sealed envelope or telegram, telephone message or otherwise, addressed to an addressee other than the opener, or to appropriate them or delete or deviate the destination of a mail not addressed to him; or (c) to improperly publish mail not intended to be advertised, although addressed to the publisher, or (d) the disclosure without cause of a secret that has come to a person’s knowledge because of his status, profession or employment. It should be clarified that the classification of the criminal behaviors mentioned above are still in force and included in sections 150 to 157 of the National Criminal Code.
The same applies to Intellectual Property Law 11.723 enacted in 1926, which in section 31 provides that “The photographic portrait of a person is not allowed to be marketed without the express consent of the person involved, and if he/she is dead, of his/her spouse or direct descendants…”
In 1975, Law 21.173 gave lieu to a most significant amendment of the Civil Code by introducing section 1071 bis which incorporates the principle of the “right of privacy” or “right to be left alone” which, as we have seen, grows out of the Constitution itself. The wording of the mentioned rule reads as follows: “Anyone who arbitrarily interferes with an alien’s life by publishing portraits, disclosing mail, mortifying other people in their customs or feelings or otherwise disturbing their private life, where the act is not deemed a criminal offence, will be forced to stop such activities, unless previously stopped; and to pay an indemnity to be fixed fairly by the judge according to the circumstances…”.
On the basis of section 1071 bis multiple judgments of case law were issued and we may say that the most famous of all is the decision of the National Supreme Court of Justice dated December 11th 1984 in re “Ponzetti de Balbín, Indalia et all vs. Editorial Atlántida”, where two material rights under the Argentine Constitution were at stake, as are the right of privacy and the freedom of press. Among the highly relevant principles that arise from the mentioned decision we shall remark the following: “The right of privacy and the right to private life, based on section 19 of the Constitution gives legal protection, in direct relationship with individual freedom, to a space of personal autonomy, and to acts, facts and data which, according to the way of life acknowledged by the community, are reserved to each individual, and the knowledge and disclosure of which by aliens entail an actual or potential danger to private life itself”.
Another milestone in the field of acknowledgement of the right of privacy is marked by the judgment issued on August 29th 1986 by the National Supreme Court of Justice in re “Bazterrica, Gustavo M.” where it was sustained that “Section 19 of the National Constitution sets lawmaking limits which consist in demanding that a behavior within the private environment should not be prohibited, such private environment to be understood as the acts that do not offend public order and morality, i.e. do not cause any harm to third parties, rather than the acts made in private as protected by section 18”, thereby excluding from the scope of the prohibitions any human conducts that are addressed against one’s own self.
In addition to the constitutional precepts and criminal and civil standards discussed above, Argentina incorporated to its local legal rulings certain principles involving the protection of the right of privacy contemplated in international treaties which, according to the provisions of the 1994 Amendment to the Argentine Constitution, section 75, paragraph 22, rank senior to the local laws.
In this sense, Argentina incorporated the following principles through the execution of international treaties:
• American Declaration on Rights and Duties of Man, approved by the IXth International American Conference, Bogotá, Colombia, 1948.
Article V of the Declaration provides that “All persons are entitled to the right of protection under the law against abusive attacks to their honor, reputation and private and family life”. In turn, Article IX and Article X reiterate the right of inviolability of residence and mail, which as we have discussed, are expressly protected under the Argentine Constitution of 1853.
• Universal Declaration of Human Rights, approved by the United Nations General Assembly on December 10th 1948.
Article 12 reads as follows: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks.”
• American Convention on Human Rights, subscribed to in the City of San José, Costa Rica, November 22nd 1969.
Article 11 - Right to Privacy provides that: “1. Everyone has the right to have his honor respected and his dignity recognized. 2. No one may be the object of arbitrary or abusive interference with his private life, his family, his home, or his correspondence, or of unlawful attacks on his honor or reputation. 3. Everyone has the right to the protection of the law against such interference or attacks.”
• International Convention on Civil and Political Rights. United Nations, 1995.
Article 17.1 establishes that: “No one shall be subjected to arbitrary or unlawful interference with his private life, family, home or correspondence, nor to unlawful attacks upon his honor and reputation”. “Everyone has the right to be protected against such interference and attacks”.
II. THE RIGHT OF PRIVACY VIS-A-VIS THE EVOLUTION OF TECHNOLOGY
Late in the 60’s and in the early 70’s some people started to become aware of the threat that the use of electronics meant to the proper respect of individual rights, specifically the right of privacy. However, the debate at worldwide level took many years to set since, at that time, the use of information technology was not as generally spread as nowadays.
In the field of data processing privacy the first law enacted in Argentina which dealt with this issue was Law 17,622 enacted in 1968, which created the National Institute of Statistics and Census (“INDEC” from the Spanish Instituto Nacional de Estadísticas y Censos) and established the confidential nature of the data obtained by INDEC in the performance of its duties. Accordingly, section 10 of the mentioned law established the following: “The information provided to the bodies that comprise the National System of Statistics… will be strictly confidential and may only be used for statistical purposes…” and it further provides that “The data will be supplied and published exclusively on general compilations, so that the commercial or proprietary secrecy will not be infringed and so as to avoid the individualization of the persons or entities involved…”. Excepted from the confidentiality of statistical data are the name and surname or corporate name and the address and branch of business.
With the lapse of time, the technological advances gave lieu to the birth of an information community, through network, telephone, television and satellite links and most recently with the development and generalization in the use of the Internet, a globally virtual community on which our most “private” data are more and more exposed and available to everyone, which permits the elaboration of consumer profiles, for commercial or other purposes, but definitely causing an invasion to our private life, to the extent that the data so obtained are used indiscriminately.
Starting with the Portuguese Constitution of 1976, various other constitutions incorporated standards expressly addressed to protect the rights of individuals in the field of information technology. As a result of this evolution, scholars theses and opinions commenced to produce discussions on the existence of a fundamental right of personal data protection.
Concurrently with this trend, the Argentine Constitution of 1994 included section 43 which consecrates the habeas data action granting the right to control the personal data, whether private or not, and installing the principle that such data are not exclusively proprietary of the involved parties as they may be used for scientific or commercial purposes or by the State in the exercise of its police power.
The mentioned section 43 reads as follows: “Any person may lodge an expedite and prompt action of protection, unless there is a different judicial means more qualified therefor, against any act or omission from public or private authorities, which will cause actual or threatened damages, restriction, alternation or threat, with manifest arbitrariness or unlawfulness, upon rights and guarantees recognized by this Constitution, a treaty or the law…” and it further adds: “Any person may lodge this action in order to get knowledge of the data referred to him and their purpose, as recorded with public data registries or banks, or with the private ones intended to provide information, and in the event of falsehood or discrimination, to demand their deletion, rectification, confidentiality or updating. The secrecy of press sources may not be affected.”
The development in Argentina of the registration and storage of personal data for commercial, statistical, police and other purposes had started long before the 1994 constitutional amendment. Thus, there exists in Argentina a large number of registries (most of them of public law) intended to provide information concerning legal security, mainly for business relationships, such as real property, automobile and corporation registries.
As we mentioned, while the third paragraph of section 43 of the Argentine Constitution of 1994 recognizes certain rights to the subjects of personal data upon their use on the part of third parties, it also implicitly acknowledges the right that such third parties have to use such data for themselves or to transfer them to others. In this environment, on October 4th 2000 the Personal Data Protection Act No. 25,326 (the “DATA ACT”) was enacted. This law, inspired in the guidelines of the European Commission General Directorate XV and the conclusions and recommendations of the Working Party created under European Union Directive 95/46, established the limits to the storage of data for further transmission to third parties, as well as the guidelines which those engaged in the collection of third parties’ data will be subjected to, imposing obligations and creating a specific authority to control and penalize their actions. It is worth mentioning that the enactment of the DATA ACT was preceded by Law 24,745 of similar contents but which was vetoed in its entirety by the National Executive Branch as it was very much criticized for the rigidity in the requirement of consent for data obtention and transmission to third parties.
III. PERSONAL DATA PROTECTION LAW No. 25,326
The DATA ACT, as regulated by the National Executive Branch Decree No. 1558 dated November 29th 2001, contains 48 sections which deal with: (a) general provisions; (b) general principles concerning data protection; (c) data subject’s rights; (d) rules for users and supervisors of data files, registries and bases, control and sanctions; and (e) legal actions for personal data protection.
Section 1 of the DATA ACT begins by defining its scope of application to “… the integral protection of personal data recorded on files, registries, data bases or other technical data processing means, whether public or private, intended to provide information, in order to guarantee people’s right of honor and privacy, as well as the access to the information recorded about them…”. It is specifically stated that the provisions of the DATA ACT are applicable both to natural and legal persons, as appropriate, this being an innovation in the field of compared law, where the latter are not usually included.
According to the DATA ACT the following are expressly excluded from its provisions:
a) personal or internal use filing cards;
b) journalists’ data bases and sources of information, since otherwise the source confidentiality would be infringed and we would be in front of a sort of previous censorship, which definitely is a breach of the constitutional principles; and
c) the files of data compiled for statistical purposes, market surveys, scientific, medical and similar research works, only to the extent that it is not possible to attribute the data gathered to an identified or identifiable person.
Next, the DATA ACT defines several terms that determine its competence and thus the following expressions are given the meanings set forth below:
• “Personal Data”: any information concerning identified or identifiable natural or legal persons;
• “Sensitive Data”: personal data that reveal racial and ethnic origin, political opinions, religious, philosophical or moral beliefs, trade-union membership and health and sex life information;
• “Data Bank or Base and/or Registry and/or File”: the arranged set of Personal Data that are subjected to treatment or processing, electronically or not, regardless of the formation, storage, organization or access modality;
• “Data Processing”: systematic operations and proceedings, electronic or not, that allow the collection, preservation, arrangement, storage, modification, traceability, evaluation, blocking, destruction and generally the processing of Personal Data, as well as their assignment to third parties through communications, inquiries, interlinks or transfers;
• “Supervisor of a Data Bank or Base, Registry or File”: a public or private natural or legal person who owns a Data Bank or Base, Registry or File;
• “Data Subject”: any natural or legal person having in-country legal residence or delegations or branches, whose Data are the subject matter of Processing;
• “Data User”: any public or private person who carries out the Data Processing, in his discretion, either in proprietary Data Bases, Registries or Files or through links to them;
• “Data Disassociation”: any Personal Data Processing in a way that it will not be possible to associate the information obtained to an identified or identifiable person;
As regards the general principles involving Data protection, the DATA ACT provides the following:
• Lawfulness: The creation of Data Files and the Data Processing are lawful when (i) such data are duly registered in accordance with the provisions of the DATA ACT; (ii) their purposes are not contrary to law or public morality; and (iii) when the Data Subject has given his free, expressed and informed consent.
• Quality: The Personal Data obtained for Processing purposes will be certain, suitable, appropriate and not excessive as regards the environment and purpose they have been obtained for and they may not be used for purposes other than or incompatible with those that were the cause of their obtention.
• Accuracy: The Personal Data must be accurate and should be updated as necessary. In the event the Data are inaccurate, in whole or in part, or incomplete, they should be deleted and superseded or completed, as applicable, by the Supervisor of the Data Base or File upon his becoming aware of the inaccuracy or incompleteness of the information.
• Access: The Data should be stored in such a way that the Data Subject will be allowed to exercise the right of access to them.
• Consent: The Data Subject must give his consent to the Data Processing, and he should be previously informed of the following:
a) The purpose of the processing, the allowed recipients or categories of recipients;
b) The existence of electronic or other Data Bank, Registry or File involved and the identity and address of responsible supervisor;
c) The mandatory or optional nature of the answers to the proposed questionnaire, depending on the Data involved;
d) The consequences of supplying, refusing to supply or inaccuracies in the Data;
e) The ability of the interested party to exercise the rights of access to, rectification and deletion of Data.
The consent is also required when the Data are assigned or transferred.
On the other hand, the consent is not necessary when:
a) The Data are obtained from a source the access to which is not restricted to the public;
b) The Data are obtained for exercising duties germane to the State’s power or under a legal obligation;
c) The matter involved consists of lists the Data of which are limited to name, national identity document, tax or social security identification, occupation, date of birth and address;
d) The Data derive from a contract, scientific or professional relationship of the Data Subject and they are necessary for its development or performance;
e) The Data involve operations made by financial entities and information received from their customers, it being prohibited to affect the banking confidentiality and to disclose data concerning current accounts and interest bearing accounts and fixed term deposits transacted by the financial entities and their customers.
f) The assignment of credit information obtained from (x) sources available to the public, (y) information provided by the interested party or (z) information provided by a third party with the consent of the interested party.
• Sensitive Data: No person may be compelled to provide Sensitive Data, and it is prohibited to create Files, Banks or Registries to store information which directly or indirectly disclose Sensitive Data (except for health related information subject to professional secrecy). They may only be gathered and subjected to Processing (i) when there are general interest reasons authorized by law involved and (ii) for statistical or scientific purposes provided that the Data Subjects are not likely to be identified.
• Data Security: The Responsible of the Data File has to adopt such technical and organizational actions as will be necessary to guarantee the security and confidentiality of the Personal Data, so as to avoid their forging, loss, unauthorized consultation or Processing and to allow the detection of any intentional or otherwise deviation of the information.
• Confidentiality: The Supervisor and any person who participates in any of the Personal Data Processing stages are bound by the professional secrecy duty that attaches to them and they may only be released from the secrecy duty by a court order, provided that there are solid reasons concerning the public security, national defense or public health underlying such decision.
In the field of international Data transfer, the DATA ACT prohibits the transfer of any Personal Data of any kind to countries or international bodies which will not provide the proper protection levels, such prohibition not being applicable in the following cases:
a) International judicial cooperation;
b) Medical data exchange;
c) Bank or stock exchange transfers, as far as the respective transactions are concerned and in accordance with the applicable laws;
d) Where the Data transfer has been agreed in the framework of international treaties the Republic of Argentina is a party to;
e) Where the purpose of the Data transfer is the international cooperation between intelligence bodies in the fight against organized crime, terrorism and traffic of narcotics.
Notwithstanding the fact that Chapter III of the DATA ACT is entitled "Rights of the Data Subjects", many of the rights recognized by the DATA ACT are also discussed in other Chapters. Accordingly, and based on the systematization made by Alejandra M. Gils Carbó , we may say that the DATA ACT acknowledges the following rights:
• The right to be informed, when a person’s Data are required, about the destination of such Data and the option not to consent to their being collected (sections 5 and 6).
• The right to be informed by the Supervisor of Data Bases or Banks, Registries and Files of whether they have information stored that belongs to the data subject (section 13).
• The right to know the Data, the purpose of their processing and to whom they are likely to be or will be disclosed (sections 14 and 15).
• The right to the deletion of Sensitive Data that will allow any discrimination (section 7).
• The right for the Personal Data to be used in accordance with the envisaged purpose (section 4 paragraph 3).
• The right to demand the confidentiality of the Personal Data through their blocking or cancellation (section 16, paragraphs 5 and 6).
• The right to obtain the rectification of the Data, if they turn out to be false, incorrect or inaccurate or their completion if they turn out to be incomplete, or their updating if they were obsolete (section 4, paragraphs 4 and 5 and section 16).
• The right to ask for the deletion of the expired Data (sections 4, paragraph 7 and 26, paragraph 4).
• The right to cause the destruction of the Personal Data where their storage is unlawful or where the circumstances that justified their collection no longer exist (sections 4, paragraph 7 and 23, paragraph 3).
• The right to object to administrative or judicial actions involving an evaluation of the conduct on the sole grounds of Data Processing (section 20).
• The right to have the Supervisors of Data Bases adopting security and confidentiality actions (section 10).
Sections 21 through 28 of the DATA ACT contain the rules applicable to Data Users and Supervisors of Data Banks, Registries and Files, providing for the general obligation that all Data Banks or Bases and/or Registries and/or Files, except for those intended for personal use exclusively, have of being registered with the National Administration of Personal Data Protection.
As regards the Data kept by Public Registries, the DATA ACT distinguishes two categories of files: those that collect Personal Data for administrative purposes on permanent basis and those that keep personal records for further communication to administrative and/or judicial authorities in accordance with the respective laws, in none of which cases it is necessary to have the data Subject’s consent for their creation, although the Registries are constrained to collect only such information as is strictly necessary for the proper purpose within the scope of their incumbency; the law further expressly provides that the personal Data stored for police purposes shall be erased where they are not necessary for the inquiries that caused their collection.
Next, the DATA ACT provides the rules to be complied with by those who supply services related to or Process Personal Data with commercial purposes, among which the following provisions can be mentioned:
• As regards automated Personal Data services supplied on behalf of third parties, the Data Processing may not be applied or used for a purpose other than that which appears on the service contract, nor can they be assigned to other persons, and upon the termination of the supply contract they should be destroyed.
• Referring now to the supply of credit information services, which in Argentina gave lieu to the largest number of conflicts upon the development of Data Bases, the DATA ACT provides that the supply of this kind of services may only process Personal Data involving the estate of a person to the extent they refer to the economic solvency or creditworthiness, as obtained from sources available to the public or from information provided by the Data Subject or with his consent; it has been ruled that it is allowed to Process Personal Data concerning performance or non performance of obligations involving the estate as furnished by a creditor but provided that the respective information will not be traced back for more than five years.
• With respect to the Data Banks, Registries and Files for advertising purposes, the DATA ACT allows the Processing of Data that are suitable to establish certain profiles with promotional, commercial or advertising ends; or allowing to set consumption habits, to the extent they (i) appear on documents available to the public, (ii) have been provided by the Data Subjects or (ii) have been obtained with his consent, the Data Subject being entitled to request at any time the removal or blocking of his name from the respective Data Banks.
• The DATA ACT expressly excludes from its provisions the Data Banks, Registries or Files that refer to opinion surveys, ratings and statistics obtained by INDEC, market forecasts, scientific or medical research and analogous activities, to the extent that the collected data are not capable of being attributed to an identified or identifiable person.
In the field of Sanctions, the DATA ACT creates sanctions that are administrative in nature (warning, suspension, fine and closing or cancellation of the Data Bank, Registry or File) as imposed by the controller, and it also creates two new criminal types incorporated to the Criminal Code as sections 117bis (among the Offences to Honor) and 157bis (among the Crimes of Secrecy Violation), which read as follows:
“Section 117bis: 1° Anyone who knowingly inserts or causes to be inserted false data in a personal data file will be sanctioned with one month to two years imprisonment. 2° The sanction will be six months to three years for anyone who knowingly supplies to a third party false information contained in a personal data file. 3° The penal scale will be increased by half the minimum and the maximum, when the event results in damages to any person. 4° Where the authorship or responsibility for the unlawful act lies on a public servant holding office, he will be subjected to an accessory disqualification for the holding of public offices for twice the time corresponding to the sanction”.
“Section 157bis: A sanction of one month to two years imprisonment will be applied to: 1° anyone who knowingly or illegitimately, or by violating confidentiality and security data systems, accesses, in any manner, to a personal data base; 2° anyone who discloses to third parties any information recorded on a personal data base the confidentiality of which he is bound to keep by provisions of law. Where the author is a public servant, he will be subjected, in addition, to a special disqualification from one to four years”.
Chapter VII of the DATA ACT refers to the action for the protection of personal data or habeas data, which is referred to in the third paragraph of section 43 of the Argentine Constitution of 1994 and that we have transcribed above.
The incorporation of this action which finds its source in the Constitution shows the lawmakers’ intent to rank high the right of the individuals to know and control their own data contained in public or private files bound to provide information, as a response to the degree of vulnerability suffered by the protection of individual rights with the spreading of new technologies and the value that information has today in the commercial market, and we may say that somehow a significant portion of the right of privacy has given way to the right of information through the circulation of personal data.
In this context, the DATA ACT establishes that the habeas data action is applicable:
a) to become aware and to know the destination of the Personal Data stored in public or private Data Banks or Registries or Files bound to provide information; and
b) to demand the rectification, deletion, confidentiality or updating of Personal Data in the case of their alleged falsehood, inaccuracy, outdating, for such Data the registration of which is prohibited, for instance Sensitive Data.
The habeas data action may be exercised by the affected party, his successors or legal representatives and against the Supervisors of public or private Data Banks, Bases, Registries or Files intended to provide information, as well as against users. The competent judges for hearing these actions are the local judges of the plaintiff’s residence, the defendant’s residence or the place where the event or act is evident or might take effect, at the plaintiff’s option. The federal venue is applicable where the action is brought against public Data Files belonging to national bodies or where the data files are interlinked on national or international interjurisdictional networks.
The right of access is firstly submitted to out of court proceedings and only when it has been denied or the inaccuracies cannot be corrected or deleted through this channels. Thereafter the way is free for in court litigation through the filing of the proper claim which has to identify accurately the Data Bank or File and set forth the reasons why they allegedly contain discriminatory, false or inaccurate information concerning plaintiff.
Quite recently (on March 6th 2001) the National Supreme Court of Justice resolved the case “Lascano Quintana, Guillermo vs. Veraz S.A.”, which constitutes one of the first interpretations made by the mentioned High Court in respect of the scope of the DATA ACT. Accordingly it ordered to dismiss “the habeas data action tending to delete from the plaintiff’s personal file with a private data bank, information related to a corporation he is the president of, since there has not existed any excessive interference with his privacy, as evaluated in respect of the purpose of such registry”.
IV. NATIONAL INTELLIGENCE LAW 25,520
The National Intelligence Law (“NIL”) was enacted on November 27th 2001 and regulated on Ju
