Data security regulation in Latin America is becoming an increasingly significant and complex concern for U.S. businesses that outsource to the region, but there is little evidence that it is leading them to bring nearshore work back onshore.
Data protection laws vary from country to country across Latin America and their implications for outsourcers are not always immediately clear. Concerns over data security in the region were reignited with the recent news that AT&T was fined US$25 million after customer data breaches at call centers (the names of the service providers were not disclosed) in Mexico, Colombia and the Philippines. Yet this was not necessarily evidence that data protection laws are more lax in Latin America; on the contrary, in several countries regulation appears more robust than in the United States.
Latin American data protection laws differ from both the European Union and U.S. models. Unlike the E.U., there is no international treaty or regional body that regulates personal data protection in Latin America. And in contrast to the United States, many Latin American countries have enshrined data protection in their constitutions, although in some cases they do not yet have specific laws to build upon those constitutional guarantees. But this is beginning to change. Colombia, Costa Rica, Mexico, Peru and Uruguay have all implemented detailed data security regulations and breach notification rules in recent years, while Brazil also has privacy laws in draft form.
“It’s hard to say if regulation is tougher in Latin America or the United States. They’re different but they’re both increasingly tough,” Brian Hengesbaugh, a Partner at Baker & McKenzie law firm, told Nearshore Americas. “Places like Mexico, Argentina and Colombia are taking what could be described as a comprehensive approach to data privacy. As in the European style, any personal data is subject to regulation regardless of your industry sector and there is a comprehensive set of rules that you have to deal with. Whether you’re outsourcing business contact data, customer, consumer or employee data, whatever it is, it’s all going to be regulated,” he explained.
“In the United States we take both a sector-specific approach to privacy and a data-specific approach to privacy. So the financial, healthcare and telecom verticals all have sector-specific privacy rules, which can be quite rigorous and then there are data-specific rules, like the breach notice rule that applies at state level any time you have a social security number or credit number or health data,” Hengesbaugh added. “Each state is a little bit different but there’s a set of highly sensitive data that in quite a few states will be subject to affirmative security duties and in virtually all states it will be subject to breach notice duties. And then there’s the overlay of things like the Federal Trade Commission authority that will pursue anything that it considers to be unfair or deceptive in the privacy world.”
Data Concerns Not Driving Reshoring
There has been some suggestion that concerns over data security in Latin America are leading buyers in the United States to reshore work that they had outsourced to the region. Everest Group noted recently that the proportion of new onshore delivery centers among all new set-ups by major service providers almost doubled from 21% to 39% from the first half of 2012 through the first half of 2014. Everest cited four main factors behind this onshore growth: “service complexity is rising faster than adequate offshore/nearshore support skill depth; buyers are pressing for easier coordination and better alignment than offshore/nearshore centers can provide; data security regulations are driving a preference, if not a requirement, for onshore services; and providers are increasingly exploring new models and newer tier-2 locations in onshore geographies.”
Nearshore Americas spoke to several industry insiders who dismissed the suggestion that data security concerns are driving onshoring. “We don’t have any data security concerns in Latin America at the moment,” said Phil Calvin, Vice President of Enterprise Technology Risk Management at financial services firm State Street, while Toby Redshaw, the CEO of Kevington Advisors, also debunked the idea.
“I started outsourcing to Latin America for FedEx in the 1990s and I’ve never heard of a single case where re-shoring from Latin America happened over data protection. In fact, outsourcing to Latin America, especially Mexico, is growing,” said Redshaw, who has strong knowledge of the subject, having helped write the Safe Harbor Provision, a part of the E.U. Data Protection Directive designed to prevent accidental information disclosure or loss at companies outside of the European Union.
As for the recent incident involving AT&T, Redshaw said, “I wouldn’t see this as an indication of some big trend.” Rather than driving re-shoring, it will probably just lead buyers to check even more thoroughly around third-party risk, he added.
Hengesbaugh agreed: “I don’t think it’s ever on the table to reshore work back to the States. What is on the table is ‘Gee, shall we go to the next country over?’ There’s a reason that buyers are sourcing something and it’s generally a cost reason so they’re probably still looking for that cost advantage. If there’s a local regulatory issue that they really don’t like then they’ll go to other countries in the region, but they won’t bring it back to the States.”
What Are the Major Concerns?
So what should buyers be wary of? “The first question that an American business would ask is not ‘is the law tougher in Latin America?’ but ‘should it even apply?’ If I’m putting a call center in Mexico but all my customers are in the United States, does the mere fact that my call center is in Mexico attract application of the Mexican data protection rules? And if so, is it the full set of Mexican data protection rules? Because if so, I may not want to open my call center there because of their comprehensive approach to data protection,” Hengesbaugh said. “There’s an important threshold question to ask, which is just by placing a call center or a business processing center there do I really have to comply with the local rules in addition to the rules where my customers are located? That’s a pretty important question but rarely do you find a perfectly clear answer.”
Hengesbaugh continued: “That’s a really big deal. In Mexico for example, the notice and consent rules could be tougher than in the States in terms of getting consent from individuals – even in the financial services sector, which is pretty regulated in the States. That would be a huge competitive disadvantage to have to deal with another layer of consent. Most of the time the analysis is ‘Do I really think the local rules will apply?’ and ‘If I do, what are the implications?’ And if there’s any kind of hint that they would be bad then that would be a reason not to go to that market.”
Hengesbaugh noted that “U.S. businesses are looking carefully at how the rules are written because they don’t like to incur any risk like that.” Yet he also observed that legal ambiguities mean regulations are not always enforced when outsourcers are involved. “One advantage of a place like Mexico is that the authorities have been relatively aggressive about enforcement against businesses with Mexican consumers but not against BPO providers or anybody who has access to data from the U.S.,” he stated.
India Example Shows Possible Solution
As for how the Latin American scenario might play out, Hengesbaugh pointed to lessons that can be learned from India. “A few years back India adopted stricter privacy rules and for a while it looked like if you put your call center or your business process center in India you’d then need extra consent from all your U.S. consumers because that’s what the India rules would require. It caused a lot of concern but eventually the Indian authorities came out and said the notice and consent duties only apply if you’re dealing with Indian consumers. This meant that call centers and business process centers only had to worry about India’s information security obligations, which are relatively easy to comply with,” he explained.
If Latin American countries want to become particularly attractive nearshore destinations then the “logical thing to do” would be to loosen data protection laws slightly, Hengesbaugh said. However, he added, “the challenge if you were writing legislation for a Latin American jurisdiction is that you might want it to be more relaxed to attract business from the United States, but if you were trying to attract business from Europe you might want it to be stricter. So you’re caught in a bit of a conundrum. For Europe you’d like to have a strict enough law to get an adequacy binding from the European Commission, like Argentina has, but for U.S. customers you’d rather have a more relaxed law to not make it more difficult for them.”
Ultimately, Hengesbaugh concluded that “the way India ultimately resolved its problem was a reasonably good way to go.” By setting strong baseline rules it comes close to E.U. data protection standards, but by ensuring that those rules don’t apply to non-Indian citizens it ensured that the market remains attractive to U.S. investors. “I think that’s a pretty good resolution but it requires a lot of sophistication to get that done in an open and clear way,” he added.
Which way Latin America decides to go on this pivotal issue will prove increasingly important as more and more countries pass data protection legislation. “I would expect that five years from now virtually every Latin American jurisdiction will have some form of protection – even Brazil, which is the big one that’s not got data protection laws in place yet,” Hengesbaugh said.