On March 29, after a 2-year period of vacatio legis (absence of law), the long-awaited Law 81 on Personal Data Protection in Panama, originally passed in 2019, came into force.
Like recent regulations on data protection in Latin America, Panama’s Law 81 was noticeably influenced by the European regulatory model and includes some of the innovations from the EU’s General Data Protection Regulation (GDPR).
Law 81 will apply to databases that are 1) located in Panamanian territory and store or contain personal data of nationals or foreigners and 2) are administered by a data owner domiciled in Panama.
It is an evident omission that the Panamanian law does not apply to personal data processing done within Panamanian territory by a person not domiciled in Panama, such as a database like the cloud, which is located outside of Panamanian territory.
Law 81’s Article 3 establishes five cases in which the law will not be applied, some of which are also included in Article 2 of the GDPR. For example, the law does not apply to the processing of personal data by individuals for personal or domestic purposes. It is also noticeable that processing for financial intelligence analysis is excluded from the scope of application. It is astonishing that Panama, a country with highly developed financial services, would allow the exclusion of a considerable amount of personal data processing from the protection standards that this legislation intends to guarantee, particularly given the indeterminate and broad nature of the concept of financial intelligence.
Article 6 of the law regulates the legal bases that legitimize the processing of personal data:
2) Performance of a contractual obligation
3) Fulfillment of a legal obligation
4) Processing authorized by law or regulations that develop them
This legislation follows the standards of the GDPR and is important because it is a significant paradigm shift from processing based solely on consent. It also includes other processing issues contemplated in the GDPR, such as processing to protect vital interests (medical or health emergency) or the legitimate interest, after considering the interests involved.
The new law recognizes ARCO Rights, which are already recognized in the majority of data protection regulations. These concern access, rectification, cancellation (now called erasure in the GDPR), and opposition, which are guaranteed and granted inalienable character. The right to data portability is also regulated and is also new to the GDPR.
The law also requires, although unclearly, those responsible for and custodians of databases to keep records of processing activities. They must record all transfers of personal data to third parties (Article 31).
One area where the Panamanian legislation seems unnecessarily complicated, as a result of a conceptual error, relates to the data processor. The data processor – the person in charge of personal data – who performs the processing of such data on behalf of the data controller, is not regulated, whether individual or legal entity (even a public entity). A controller-processor relationship very frequently exists in service contracts; hence adequate regulation of it is essential for any law.
Notwithstanding this, Panamanian law defines the custodian of the database, denoting it as an individual or legal entity, public or private, lucrative or not, who acts on behalf of the data controller and is responsible for the custody and conservation of the database. This definition is limited to two operations of processing: custody, and conservation. The data processor usually performs not only this processing but others such as analysis, inquiries, removal, corrections and others.
Article 10 regulates the so-called processing of personal data by mandate, stipulating that the agent must respect the conditions of the legal mandate in fulfillment of the command. The question remains, under Panamanian law, as to whether the assignment of the processing of personal data should then be structured as a mandate contract or a service agreement, although Article 14 itself speaks of the duty of care of the agent “by order or mandate” of the person in charge.
The regulatory authority that will assume the supervision of personal data processing is the already-existing National Authority of Transparency and Access to Information (ANTAI). This authority has functional independence, by resolving all complaints filed until its last resource. The law also contemplates the creation of a Council for the Protection of Personal Data, which will perform an advisory function to ANTAI and also prepare public policies.
Inadequate Fines and Charges
The Panamanian legislation undoubtedly did not follow the GDPR in terms of fixing the fines derived from the breach of its provisions. While in Europe these fines can reach twenty million euros or 4% of the annual income of a company, in Panama the maximum fine is ten thousand balboas (equivalent to the US dollar).
Although the economic realities in Panama and the European Union differ significantly, such low fines discourage compliance, as has happened in Costa Rica, where it is cheaper for many companies to include in their budgets the cost of paying fines rather than take all the necessary measures to comply with the law.
Regarding the violations of the law, there is a list: minor fault, serious fault, and very serious fault. Also, those responsible for the processing of personal data who violate the law will have to compensate victims for any pecuniary losses and/or moral damages caused by the improper processing of personal data, enforceable through court action. The current legislation does not limit such compensation to the owner of the personal data.
The Long Road
Despite the length of the vacatio legis period, the truth of the matter is that this time has not been used by most companies and institutions in Panama to adapt to the regulations, largely because the regulations to the law have not yet been enacted.
With this legislation, Panama settles a historical debt; however, it still has a long way to go and many challenges, starting with the regulatory authority (ANTAI), which will first have to promote a campaign to spread the law and to promote a culture of privacy in the country, which to date is non-existent.