The Latin-American Response
to Data Protection
Queens University of Belfast
'Information is power'
The study of privacy law in the last two years has been concentrated in the conflict that has been waged between the European Union and the United States regarding data protection legislation. This has been a legal battle that has had severe implications for the future of Electronic Commerce and has been prompted by some requirements set by the EU on the export of data to countries that do not have adequate privacy protection laws in place. So far, the debate has missed the issue of whether or not other countries possess adequate levels of data protection, and other types of data protection have not been properly analysed.
Some Latin-American countries have enacted a new type of constitutional protection of personal data in order to insure individual privacy from the abuse of data registers. This is a new approach to the whole issue of data protection. This article will describe this new figure and its evolution it has had during its relatively short life, and it will attempt to assess if it fulfils the levels of adequacy required by the European Union.
Keywords: Habeas Data, Privacy, Data Protection, Freedom of Information, Latin-America, Brazil, Argentina, Peru, Costa Rica, United Kingdom, Europe.
This is a Refereed Article published on 30 June 2000.
Citation: Guadamuz A, 'Habeas Data: The Latin-American Response to Data Protection', 2000 (2) The Journal of Information, Law and Technology (JILT). <http://elj.warwick.ac.uk/jilt/00-2/guadamuz.html>. New citation as at 1/1/04: <http://www2.warwick.ac.uk/fac/cos/law/elj/jilt/2000_2/guadamuz/>
On today's information rich society, this phrase is more accurate than ever before. With the advent of automated means of gathering and storing information, concerns about who stores data, and the purpose of such storage, have become increasingly important.
The new information superhighway brings worries to many people about sensible personal data held in public and private databases. Orwellian fears of a society where there is no privacy have prompted the enactment of laws in many countries that attempt to control the abuse of data storage in manual and automated databases. These laws are usually known as Data Protection laws.
One of the relatively most recent types of Data Protection is a new constitutional right that has been enacted in several Latin-American countries, the Habeas Data right. The present essay will attempt to describe this new privacy protection tool, trying also to measure the efficiency of the Habeas Data right. To place it in context, the existing Data Protection systems will receive a brief description.
Until now, it is almost impossible to find any literature about Habeas Data outside of Latin America; there is hardly any mention of it even in the most specialised legal publications. That fact may raise the question: why study Habeas Data in the first place? There are two main reasons: First is the obvious lack of information about it. Second, as it will be shown, the European data protection system has imposed a burden on the rest of the world by placing restrictions on data transfer to countries that do not have in place any type of privacy protection.
Given this picture, a Data Protection map of the world should be drawn. It is not the purpose of this essay to do that; but by describing a new type of privacy protection, the first sketches of such an international map should begin to appear.
2. Data Protection around the World
2.1 European Data Protection
Before defining and describing Habeas Data, it is imperative that the other Data Protection systems that exist around the world are examined to be able to understand this new figure.
Europe is the birthplace of modern privacy protection. Countries such as Germany and Spain had in place different provisions that recognised a need to protect individual privacy from abuse by others. After several studies conducted by various European commissions, the Council of Europe voted the 108th Convention for the protection of individuals concerning automatic processing of personal data in 1981. In Britain, there were a series of investigative government commissions that preceded the 1984 Data Protection Act.
Though limited in certain technical aspects, the first European efforts were a push in the right direction. However, the evolution of privacy protection had not lost momentum, and in 1995, the European Council enacted the European Directive on Data Protection. The Directive poses a burden to member states to put in place laws that comply with its provisions. Although the United Kingdom already had an Act in place, the 1998 Data Protection Act was passed by Parliament.
Other members of the European Union have passed laws in accordance to the Directive. As it is not the goal of this study to enter into a lengthy description of the different data protection acts in Europe, the 1995 EC Directive and the United Kingdom's 1998 Act will be taken as the latest examples of the European style of Data Protection.
There are several interesting stipulations contained both in the Directive and in the UK Data Protection Act. Among those, a few can be highlighted as being relevant to the present study. They are:
The creation of a strong government agency and special tribunals in charge of Data Protection;
Determination of the conditions under which personal data processing is lawful;
Stipulation of certain Data Protection Principles;
Severe rules regulating the processing of sensitive personal data such as race, religion, sexual preferences, health information, political or union affiliation;
Procedural provisions about notification, registration and information by 'data controllers';
Creation of a number of rights for the individual (data subject); such as an access to data right, a right to prevent processing likely to cause distress, a right to object to personal data used for direct marketing, etc;
Exceptions on the grounds of journalism or sensitive freedom of expression rights;
Strict regulations against the transfer of data to countries that do not protect privacy.
The last point described is of particular importance. The UK Data Protection Act of 1998 states that:
'Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data'.
The EC Directive also has a similar rule on that respect. This principle leaves a large area for interpretation for the responsible government agencies and for the courts. What is exactly an 'adequate level of protection'? Although the EC Directive provides some guidelines on the interpretation that 'adequate' should receive, there is not yet a definitive interpretation that explains what adequacy means. The Working Party on Data Protection has issued some guidelines, it recommends that the privacy legislation of the third country should contain at least include some basic principles which are:
1) 'the purpose limitation principle - data should be processed for a specific purpose and subsequently used or further communicated only insofar as this is not incompatible with the purpose of the transfer. The only exemptions to this rule would be those necessary in a democratic society on one of the grounds listed in Article 13 of the directive.
2) the data quality and proportionality principle - data should be accurate and, where necessary, kept up to date. The data should be adequate, relevant and not excessive in relation to the purposes for which they are transferred or further processed.
3) the transparency principle - individuals should be provided with information as to the purpose of the processing and the identity of the data controller in the third country, and other information insofar as this is necessary to ensure fairness. The only exemptions permitted should be in line with Articles 11(2) and 13 of the directive.
4) the security principle - technical and organisational security measures should be taken by the data controller that are appropriate to the risks presented by the processing. Any person acting under the authority of the data controller, including a processor, must not process data except on instructions from the controller.
5) the rights of access, rectification and opposition - the data subject should have a right to obtain a copy of all data relating to him/her that are processed, and a right to rectification of those data where they are shown to be inaccurate. In certain situations he/she should also be able to object to the processing of the data relating to him/her. The only exemptions to these rights should be in line with Article 13 of the directive.
6) restrictions on onward transfers - further transfers of the personal data by the recipient of the original data transfer should be permitted only where the second recipient (i.e. the recipient of the onward transfer) is also subject to rules affording an adequate level of protection. The only exceptions permitted should be in line with Article 26(1) of the directive'.
It is obvious that the strict rules against the export of data are likely to create more problems than any other provision stipulated in the European system of privacy protection. The determination of which countries provide an adequate level of data protection will become vital to some countries that want to maintain close economic relations with the European Union. We are yet to find out if the Latin-American Countries enacting Habeas Data laws will meet the challenge.
2.2 North American Data Protection
After describing the European system, it is time to take a brief look at the other side of the coin. Indeed, the North American system is diametrically opposed to the European one. The North America has been increasingly reluctant to implement legislation, and in its place, it has gone for a self-regulatory system. Many different experts agree with this approach:
'Although Americans are acutely sensitive about their privacy in cyberspace, they are also reluctant to empower government to protect their privacy. (...) Consumer demand should lead providers to advertise their privacy protections in an effort to garner greater market share over competitors who fail to offer similar protections'.
Some other legal experts in the United States began issuing early warnings about the problems that the new European Directive would bring to the US e-commerce industry. They stated that the US was not ready to meet the challenge that would certainly come from the EU, but their words went largely unheeded. A series of talks were conducted between the European Union and the United States, as a result of these the idea of the implementation of a 'safe harbour' was seriously discussed as one of the best options for compromise between the two economic giants.
After the EU Directive on Data Protection took effect on October of 1998, the US government scrambled to try to reach an agreement with the European Union on privacy protection policies for the US. When the attempts to convince the Europeans that the US had already adequate privacy protection failed, the Clinton administration went ahead and made several moves towards improving its privacy policies.
Soon after this, David Aaron, the Under-secretary of Commerce for the Clinton administration presented a draft proposal for a 'Safe Harbour'. This scheme proposes that certain US companies will voluntarily comply with the Safe Harbour Principles, which are loosely based on the 1995 EU Directive. By doing so, these companies will obtain a presumption of adequacy by the EU, giving them the right to continue their normal data transactions across the Atlantic.
After more negotiations and the inclusion of opinions from privacy groups and e-commerce firms, the US Department of Commerce released an updated version of the draft principles in April 19, 1999. This proposal contains the following interesting points:
A business may apply for safe harbour directly, or by belonging to an organisation that abides by its principles. It is possible that this provision was included thinking about some e-commerce industry groups such as the Direct Marketing Association or the Online Privacy Alliance.
The company will make sure that it informs its customers that personal information is being gathered, and that it provides the choice whether that information will be disclosed to third parties or not.
The organisation involved in data gathering will make sure that any type of personal information is stored in a secure manner.
The organisation will make sure that the information is only used for the purposes for which it was collected.
The companies will provide its customers with the possibility to access the personal information held about them, and to correct any discrepancy or inaccuracy.
The European Union has recently accepted the Safe Harbour proposal as an example of adequacy, probably prompted by increasing pressure from economic interests.
2.3 Data Protection in other parts of the World
Is the world left with these two opposite options of Data Protection? New Zealand, Hong Kong and Quebec have enacted laws that protect privacy in a similar style to the European system.
In the opposite side, and despite historic links with the United Kingdom's legal system, Australia has decided to follow the North American style of data protection, refusing to vote any legislation that regards privacy because it is too expensive. The only proposed law that has a chance of being approved is one that will encourage self-regulation of the Australian private sector.
This panorama of world polarisation in Data Protection leaves only one other alternative for individual privacy defence: the Latin-American Habeas Data legislation, which will be discussed in detail on the next section.
3. Habeas Data in detail
3.1 History of the Habeas Data right
The individual complaints before a Constitutional Court have a long tradition in the history of the Law. The first complaint that existed, and perhaps the most famous, is the Habeas Corpus (which is roughly translated as 'you should have the body'). It originated in the Middle Ages in England and it is a writ issued by a court commanding that a person held in custody is brought before a court so that it may determine whether the detention is legal. Some other individual complaints exist, such as the writ of mandamus (USA), amparo (Spain and Mexico), Respondeat superior (Taiwan), etc. The newest of these legal mechanisms is Habeas Data.
The Habeas Data writ itself has a very short history, but its origins can be traced to certain European legal mechanisms that protected individual privacy. This cannot come as a surprise, as Europe is the birthplace of the modern Data Protection.
In particular, certain German constitutional rights can be identified as the direct progenitors of the Habeas Data right. In particular, the right to information self-determination was created by the German Constitutional Tribunal by interpretation of the existing rights of human dignity and personality. This is a right to know what type of data is stored on manual and automatic databases about an individual, and it implies that there must be transparency on the gathering and processing of such data.
The other direct predecessor of the Habeas Data right is the Council of Europe's 108th Convention on Data Protection of 1981. The purpose of the convention is to secure the privacy of the individual regarding the automated processing of personal data. To achieve this, several rights are given to the individual, including a right to access their personal data held in an automated database.
However, we must ask ourselves how did the first European privacy protection efforts cross the Atlantic and landed in Latin-America under a new guise.
The end of the 1980s and the beginning of the 1990s can only be described as a very interesting period in the history of Latin-America. The end of the Cold War brought a resurgence of stability and democracy to the region. The old military regimes gave way to young and vibrant democracies. These new regimes had to start from scratch in most cases, and that is why so many new Constitutions were created in this period.
That is the case of the Federal Republic of Brazil. In 1988, the Brazilian legislature voted a new Constitution, which included a novel right never seen before: the Habeas Data individual complaint. It is expressed as a full constitutional right under article 5, LXXI, Title II, of the Constitution. It is clear from the details of the new constitutional right that the framers of the Brazilian Constitution were aware of the developments and huge advancements in data protection taking place in Europe. It is unclear however why it was decided to create it in the form it took, which does not resemble any of the existing European solutions to the Data Protection problem. The fact is that the new legal right offered a new type of privacy defence, unlike both the North American and the European types of Data Protection. In 1997, the Brazilian Parliament enacted the Law No. 9507, which is the Regulatory Law of the Habeas Data Proceeding. It was voted to regulate certain aspects of the law offered in the Constitution, as it lacked the proper procedural and administrative guidelines.
Following the Brazilian example, Paraguay incorporated the Habeas Data right to its new Constitution in 1992. After that, many countries followed suit and adopted the new legal tool in their respective constitutions: Peru in 1993, Argentina in 1994, Ecuador in 1996, and Colombia in 1997.
Habeas Data is gaining momentum and moving northwards. There are projects to incorporate the new right in Guatemala and Costa Rica, and several important writers and political groups support the implementation of the figure both in Panama and in Mexico.
It is very interesting to notice that Chile, one of the most legally advanced countries in South America, has not yet approved any legislation that protects privacy. A new privacy protection law is under discussion and will probably be approved by the Chilean congress soon. Nevertheless, this law does not create a constitutional individual complain, it is a lengthy and complicated legislation that regulates privacy in a very European way. Chile has a very strong private industry sector, which may account for a different approach to data protection than its neighbours. Despite this only exception, it is obvious that the Habeas Data right will continue to spread to more countries in Latin-America because of the growing need to protect individual privacy.
3.2 What is Habeas Data?
The literal translation from Latin of Habeas Data is 'you should have the data'. The name is quite appropriate, for it describes its nature very accurately. Habeas Data is a constitutional right granted in several countries in Latin-America. It shows variations from country to country, but in general, it is designed to protect, by means of an individual complaint presented to a constitutional court, the image, privacy, honour, information self-determination and freedom of information of a person.
Habeas Data can be brought up by any citizen against any register to find out what information is held about his or her person. That person can request the rectification, update or even the destruction of the personal data held, it does not matter most of the times if the register is private or public. The legal nature of the individual complaint of Habeas Data is that of voluntary jurisdiction, this means that the person whose privacy is being compromised can be the only one to present it. The Courts do not have any power to initiate the process by themselves.
Most of the local laws concerning Habeas Data do not differentiate whether the mechanism should be used against manual or automated databases. It will then have to be assumed that it covers both. The efficiency of the tool as an adequate privacy protection action for the individual will be discussed in detail later.
Because Habeas Data is a new figure, it is obvious that it is in constant evolution as it responds to different local situations. The particularities from country to country will be discussed next, but certain nations will not be studied in detail because they do not provide anything new to the figure.
Being the birthplace of the Habeas Data action, the Brazilian legislation is the less evolved one, and it can be said that it provides one of the poorest privacy protection tools. The 1988 Brazilian Constitution stipulates that:
'Habeas Data shall be granted:
a) to ensure the knowledge of information related to the person of the petitioner, contained in records or databanks of government agencies or of agencies of a public character;
b) for the correction of data, when the petitioner does not prefer to do so through a confidential process, either judicial or administrative'.
It is interesting to notice that the Constitution only allows for the access to and the correction of data, not for its update or destruction. The 1997 regulatory law to the Habeas Data procedure provides the individual with the right to add an annotation to the data stored on a registry where it is stated that such data is under legal dispute. This provides a novel way to inform third parties that certain personal data is under contention.
The tribunal where the Habeas Data action is presented changes depending on who is it presented against, thus creating a rather complicated system of venues. Both the Brazilian constitution and the 1997 law stipulate that the court will be:
The Superior Federal Tribunal for actions against the President, both chambers of Congress and itself;
The Superior Justice Tribunal for actions against Ministers or itself;
The regional federal judges for actions against federal authorities;
State tribunals according to each state law;
State judges for all other cases.
The 1992 Paraguay constitution follows the example set by Brazil, but enhances the protection in several ways. The Article 135 of the Paraguayan constitution states:
'Everyone may have access to information and data available on himself or assets in official or private registries of a public nature. He is also entitled to know how the information is being used and for what purpose. He may request a competent judge to order the updating, rectification, or destruction of these entries if they are wrong or if they are illegitimately affecting his rights'.
Besides giving the individual the opportunity to find out what the information is being used for and for what purpose, the Paraguayan system allows for the updating, rectification or destruction of the data. In just four years, and in another country, the Habeas Data constitutional guarantee has evolved and gained strength. This is a much better definition than the Brazilian one, and shows that the Paraguayan congressional representatives not only copied its neighbour's version, but actually undertook some research on the subject.
The Habeas Data version of Paraguay is also better than the Brazilian one in its procedural aspects. The constitutional chamber of the Supreme Court is the one in charge of hearing and deciding cases of Habeas Data, centralising the application of the constitutional guarantee in an existing tribunal.
It is now the turn of Peru. As the previous two countries, the Habeas Data right was introduced by means of a new constitution that was enacted after momentous political upheaval.
The Habeas Data is created by the Article 200, section 3 of the new constitution. In a sense, the Peruvian constitution allows for less privacy protection than that of its predecessors, but in some other ways provides more. It provides less protection because it does not allow for the rectification or removal of incorrect data stored on a database, such as the Paraguayan version. Nevertheless, it provides more protection because it forbids the broadcast, copying, transfer or distribution of the incorrect data. Strangely though, the Peruvian version of the Habeas Data right allows only for one case of rectification of inaccurate or aggravating information. The press is the only institution in all of Peru compelled to rectify such type of data according to the constitution.
The Peruvian Habeas Data version is also the first one that specifically mentions that the citizens have the right not to have any personal data supplied by any 'information service, automated or not'. It is clear now that both manual and automated systems are covered by the Habeas Data.
A regulatory law was enacted by the Peruvian Legislature on April 18, 1995. Among several procedural provisions, the Congress decided not to apply the Habeas Data right to the press. This measure came because of various complains by human rights activists that saw this as a way to interfere with the freedom of expression rights, protected also by the constitution.
It can be argued that the Peruvian version of Habeas Data seems less effective and more politicised than its predecessors. The actual effectiveness will be discussed in the next section.
The Argentinean version of Habeas Data is not specifically called that. For an unknown reason, the Argentinean legislators have merged several individual constitutional complaints under the name of amparo, which can be roughly translated as 'shelter'. The amparo is a constitutional guarantee that exists in many other countries in Latin-America and the civil system in Europe such as Spain and Portugal. Whatever it is called, the Argentinean version of Habeas Data is the most complete to this date. The article 43 of the Constitution, amended on the 1994 reform, states that:
'Any person shall file this action to obtain information on the data about himself and their purpose, registered in public records or data bases, or in private ones intended to supply information; and in case of false data or discrimination, this action may be filed to request the suppression, rectification, confidentiality or updating of said data. The secret nature of the sources of journalistic information shall not be impaired'.
This version includes most of the protection seen in previous constitutions, such as the right to access the data, rectify it, update it or destroy it, such as the Paraguayan one. Nevertheless, the Argentinean constitution also includes a couple of excellent features. The first is that it incorporates the Peruvian idea of confidentiality of data, being interpreted as the prohibition to broadcast or transmit incorrect or false information. The second is that it specifically excludes the press from the action, which is only sensitive in a country that is remaking its democratic institutions after years of ruthless military dictatorship.
A regulatory law of the Habeas Data action approved by the Argentinean congress in 1996 was vetoed by the Executive Branch because it was vague and provided controversial provisions about the exchange of data between different public institutions. A new project of law is under discussion.
3.2.5 Costa Rica
Although the constitutional action of Habeas Data has not yet been approved by the Costarrican congress, the existing project promises to be the most comprehensive so far. The law will modify the Article 48 of the constitution to add the Habeas Data action, but it will also amend the law No. 7128, the Law of Constitutional Jurisdiction. This law is the one that regulates the individual complaints to the constitutional court. The existing actions are Habeas Corpus, amparo and the unconstitutionality action.
The new law seeks to protect the privacy of the individual in a similar way to the Argentinean constitution. It provides that the action, once accepted by the constitutional court, will allow for the access, rectification, update, inclusion, destruction or confidentiality of the personal data in dispute. This adds one more tool to the Habeas Data action: the right to include data into a registry.
Besides these tools, the Costarrican version also includes several principles, probably translated literally from the European Union's data protection Directive. One just needs to glimpse at some of them to confirm that suspicion: personal data will be treated adequately and will not be excessive in relation to the purpose or purposes for which they are processed; the individual has the right to receive information about the treatment given to his data, etc.
One of the principles is quite novel though. The individual has to authorise specifically that his personal data will receive an automated treatment. It is unclear if this is a good idea; in theory, this principle could be used to make businesses cumbersome. It sounds unlikely that any type of operation will be able to ask for this type of permission on every transaction.
As for the procedural provisions, the project states clearly that the action can only be presented to the constitutional court. It will be processed before other actions with exception of the Habeas Corpus.
4. Will Habeas Data be an effective way to protect privaccy
4.1 Is Habeas Data effective?
After describing the evolution of the Habeas Data right, the next task is to analyse its effectiveness as an adequate Data Protection tool.
Whether Habeas Data will be successful will depend on many different factors, but the main one will be the effectiveness of each judicial system. It is rather difficult to measure each country's judicial institutions lacking actual caseload statistics and other hard data. Nevertheless, it can be stated as a fact that Latin-American courts are often understaffed and overworked, common characteristics of the legal systems of developing countries.
An encouraging sign though is that the Habeas Data guarantee is receiving full constitutional strength in most of the countries in which it is being enacted. In civil systems of law, this is the highest level of protection possible, and it is usually accompanied by faster procedures and better courts.
It may be a problem that Habeas Data has been incorporated into the constitutions of a lot of countries in Latin America, but the efforts to regulate the figure and make it ready for everyday use have been slow. Brazil has finally passed a regulating law, but as it has been pointed out, it offers a very complicated set of rules for venues. Argentina has not passed a regulating law yet, but that has not stopped the flow of Habeas Data actions being presented. In other countries, like Paraguay and Peru, the regulating laws are in place but only some time after the right had been approved. Costa Rica will avoid that problem by enacting simultaneously the constitutional reform and the regulating law. It will obtain the highest constitutional protection and it will be covered by a specialised Constitutional Court.
Another encouraging sign that points towards the Habeas Data principle becoming an adequate and popular tool is an unforeseen effect when the law was passed. The action is being hailed as an excellent Human Rights tool, mostly in the countries that are recovering from military dictatorships, turning Habeas Data into a tool for Freedom of Information in countries where such a concept has never been developed. In Paraguay for example, it was used to view the records from an old police station, bringing to light several atrocities that were committed at that site.
In a landmark case in Argentina, an important ruling from the Supreme Court stated that the Habeas Data right applied implicitly also to the families of the deceased. This opened the door to families of the 'disappeared', the victims of the military regime, to request access to police and military files, otherwise closed to them.
These examples show an encouraging sign. If the legal mechanism is regarded favourably by the general public because of its use as a Human Rights and Freedom of Information tool, it is possible that its use will increase and spread to other areas of life, such as the protection of personal data in electronic databases.
Regarding automated databases and on-line information, which are the real subjects of this essay, the Habeas Data right may crash against two big problems. The first is a problem that can be found world wide, and is also common to all areas of Information Technology Law: the legal profession is usually slow to understand computers. If this is true in developed countries, it is more evident in developing countries. It is foreseeable that many courts in Latin America will find problems when faced with complicated descriptions of mainframes, databases, data processing and information storage devices.
The other problem faced by Habeas Data, as an effective on-line privacy protection tool, is the very nature of the global Information Superhighway. An excellent example would be a multinational company that gathers information in a country and then sends it through a corporate network to another country. How can this be stopped? In addition, how do you present a Habeas Data action against a company that is not based in your country?
The Internet is another example of a problematic field for Habeas Data. Imagine that you make commercial transactions regularly on the Internet, by doing so you are providing personal data. This information may be innocuous in some instances, your date of birth, occupation, etc. Some may have commercial value such as your address, telephone number and income. However, you are also giving away sensitive personal information passively, your credit card number, the books you read, sexual orientation, political and religious views, etc. How do you stop this data from being processed? How can you present a Habeas Data action against a company that abuses this information if it is located overseas?
The Habeas Data guarantee gives the individual the right to access, rectify, update, include, destroy or maintain the confidentiality of sensitive personal information, but it is obvious that it will be difficult to achieve that if the data is stored abroad. Nevertheless, everything suggests that it will be an adequate tool for protecting privacy locally.
It then can be stated that the Latin American countries that have incorporated the Habeas Data guarantee to their constitutions can be considered as countries that provide an adequate level of protection of personal privacy, as implied by the European Directive on Data Protection and the UK 1998 Data Protection Act. These countries then, can be added to the Data Protection map of the world.
4.2 Who opposes and who is in favour of Habeas Data?
The effectiveness of the constitutional right of Habeas Data cannot be left in a legal vacuum; there are several political considerations to take into account.
The opposition to Habeas Data comes from very different camps, depending on the country. For example, the most outspoken opposition to the resource can be found in Peru, where Human Rights groups continuously voice the view that the government intends to use Habeas Data to hinder the press and freedom of speech rights[ 46].
In Argentina, the opposition comes from the conservative right wing and the banks, which see Habeas Data as a burden to competition and their enterprises. The pressure has been so great that the lobbying from these same groups prompted the veto of the regulatory law of Habeas Data, as it was pointed out before. Some groups also see the law as a menace to the various direct marketing companies that thrive in Argentina.
In Costa Rica, there is strong opposition to the Habeas Data Law from the press. This is caused because it does not have provisions that protect freedom of speech rights, such as those of Peru and Argentina. It is feared that the guarantee will be misused by corrupt characters to avoid investigations by the press into their affairs. The law has not yet been enacted and is still under revision by the Costarrican Parliament, so these shortcomings may yet be corrected.
Despite the strong opposition from some quarters, there is strong support for the figure from various left wing Human Rights organisations. In Guatemala, the law is being pushed by very similar organisations than the ones that oppose it in Peru.
International Human Rights organisations and the United Nations are also in favour of the adoption of Habeas Data as a tool that strengthens democracy and individual rights in Latin America. It is quite clear that any type of legislation that will provide more rights to the individual is welcome. In particular, this tool will certainly prove useful as a means to protect the right to individual privacy.
4.3 The future of Habeas Data
What does the future hold for the Habeas Data action?
It is easy to see that the figure is in a constant state of evolution. Every new country that adopts it adds better protection to individual privacy than the one before. In the beginning, it only granted individuals with the right to access and correct inaccurate data. It now allows for the same, but it also permits the subject to destroy, add and prevent the data from being distributed, apart from providing protection for the press.
The figure is also spreading rapidly throughout Latin-America. Even those who oppose the law recognise that the advances in information technology pose a serious threat to individual privacy. That widespread worry may be the engine that is pushing the legislation so fast around the region. It is possible that by the end of this decade most Latin-American countries will have as part of their constitutions the Habeas Data provision.
However, can it be instituted elsewhere? The Latin-American version of data protection offers a different system than the European or North American ones, although it may have evolved from the first. It would be safe to say that Habeas Data is a type of protection in the middle of the other two; a Third Way, if you may. It does not leave privacy concerns to self-regulation schemes as the American. It does not create more bureaucracy as the European one. One may say that it is just right for developing countries.
The advantage is that it uses existing constitutional institutions and gives them a new function without creating more government institutions and more courts. This is a real benefit for Third World countries that already have bloated bureaucracies in place. The institution is also very accessible to the public.
Developing countries are not the only ones that may benefit from this new data protection tool. From the other options available, Habeas Data is the easiest for the largest number of countries to adopt. It may eventually get to be enacted in the United States. Some people have already noticed this new constitutional guarantee in the USA, stating that:
'Some minimum national standards might be legislated if a combination of voluntary codes and sector regulations is not adequate to protect individuals' control over their identifying information. Individuals' ownership of personal information should be strengthened, perhaps by a rule of 'habeas data' allowing an individual to subpoena all the data held on him or her by an organization and to challenge the accuracy of that data'.
The ideal way to insure real privacy protection on the Internet and other troublesome international databases may be to internationalise certain basic Data Protection mechanisms using regional agreements, such as Europe has done. An Inter-American Convention on Data Protection seems like a good project that the Organisation of American States could undertake. That would be the best step to insuring that the private personal information of an individual will stay just like that, private.
There are two very distinct traditional systems of Data Protection, the European system, which proposes an extensive method of privacy protection; and the North American system, which protects individual privacy through industry self-regulation schemes. The Habeas Data right is a new third option that protects the personal information of an individual by allowing that person to request the rectification, update or even the destruction of the personal data held in a database.
The figure of Habeas Data is in constant evolution and is spreading rapidly throughout the region because of its simplicity. That same simplicity makes it the best option for other countries interested in enacting privacy protection legislation, as it can be adopted at a minimum cost. There is no need to create more government agencies as the action can be implemented within existing judicial structures.
As Habeas Data is an adequate way to protect individual privacy, the countries where it has been enacted will be able to comply with the EC's Directive prohibition of Data export to countries that do not protect privacy. These countries will have a competitive advantage over others that do not posses any type of Data Protection.
As it is shown by the present study, the institution is not perfect. There are several problems for the Habeas Data system, such as multinational databases, Internet privacy, and local opposition to Data Protection and privacy laws from different fronts. The best way to bypass some of these problems would be by adopting international conventions on Data Protection, so that an individual may be able to place a legal action against information held in another country. This would also serve to standardise the legal figure of Habeas Data, as it differs greatly from country to country.
Amazon.com. Your Privacy (1998). Online. Available at: < http://www.amazon.com/exec/obidos/subst/misc/policy/privacy.html>
APC. Servicio informativo de Cerigua . Newsgroup posting on reg.guatemala. Online. Available at: < http://www.antenna.nl/news/reg/guatemala/mn02725.html>
Aveleyra, Antonio. Propuesta legislativa de nuevos tipos penales en relación con la informática (1996). Online. Available at: < http://www.inegi.gob.mx/pdi/nv/asesoria/foro/temas6/propinf.htm>
Base de Datos Políticos de las Américas. Constitución Política del Perú, 1993 (July 1st, 1993). Translated by the author of this essay. Online. Available at: < http://www.georgetown.edu/pdba/Constitutions/Peru/peru.html>
Calloni, Stella. 'Los Archivos del Horror del Operativo Cóndor'. Published originally in CovertAction Magazine (August 1994). Online. Available at: < http://www.derechos.org/nizkor/doc/condor/calloni.html>
Cameron E. & Hegarty C. 'Never Mind the Quality, Feel the Width: a Sceptical View of Legal Interference with Cyberspace' (1996). 10 International Review of Law Computers and Technology 79.
Campbell, Andrea. 'Law may hurt Argentina's direct marketers'. Marketing Online (January 1997). Online. Available at: < http://www.marketingmag.ca/Content/2.97/int2.html>
Chirino, Alfredo. 'Las tecnologías de la información y el proceso penal. Análisis de una crisis anunciada'. Revista de Ciencias Penales (December 1997) No. 14. Online. Available at: < http://www.nexos.co.cr/cesdepu/revelec/penal/Chirino14.htm>
Chirino, Alfredo. Autodeterminacion Informativa y Estado de Derecho en la sociedad Tecnologica (1997). San Jose, C.R., Edit. CONAMAJ.
Clarín Digital. 'Habeas Data: El Poder Ejecutivo vetó una ley cuestionada por los bancos' El Clarín Digital (December 31 1996). Online. Available at: < http://www.clarin.com.ar/diario/96-12-31/o-01401d.htm>
Congresso Nacional do Brasil. Lei 9507 Regula o direito de acesso a informaçóes e disciplina o rito processual do habeas data. November 12 1997. Online. Available at: < http://infojur.ccj.ufsc.br/arquivos/Direito_Administrativo/9507-97.htm>
Constitution of the Federal Republic of Brazil (1988). Online. Available at: < http://www.georgetown.edu/LatAmerPolitical/Constitutions/Brazil/brtitle2.html>
Data Protection Act 1984 (c. 35). Online. Available at: < http://www.hmso.gov.uk/acts/acts1984/1984035.htm>
Data Protection Act 1998 (1998). Online. Available at: < http://www.hmso.gov.uk/acts/acts1998/19980029.htm>
Data Protection Working party. Transfers of personal data to third countries : Applying Articles 25 and 26 of the EU data protection directive (24 July 1998). Online. Available at: < http://europa.eu.int/comm/internal_market/en/media/dataprot/wpdocs/wp12en.htm# 1>
Dixon, Tim & Greenleaf, Graham. 'Private Parts: Hong Kong's New Privacy Law'. Privacy Law & Policy Reporter (1995). Vol. 2, No. 100. Online. Available at: < http://www.austlii.edu.au/au/other/plpr/Vol2No05/v02n05i.html#hk>
Electronic Frontiers Australia. On-line Privacy issues (December 1998). Online. Available at: < http://www.efa.org.au/EFA/Issues/Privacy/Welcome.html>
Equipo Nizkor. La APDH promueve un recurso de Habeas Data (May 1997). Online. Available at: < http://www.derechos.org/nizkor/arg/apdh/habeas.html>
ESC. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (1996). Online. Available at: < http://europa.eu.int/eur-lex/en/lif/dat/1995/en_395L0046.html>
European Commission. Data protection: Commission endorses 'safe harbor' arrangement with US (29 March 2000). Online. Available at: < http://europa.eu.int/comm/internal_market/en/media/dataprot/news/harbor4.htm>
European Council. Council of Europe Convention for the protection of individuals with regard to automatic processing of personal data (1981). Online. Available at: < http://europa.eu.int/comm/internal_market/en/media/dataprot/inter/con10881.htm>
González, Antonio. Archives of the Security Services of former repressive regimes: Report prepared for UNESCO (1997). Online. Available at: < http://www.unesco.org/webworld/ramp/secret_english.htm>
Herrera Bravo, Rodolfo. 'Breves antecedentes sobre el proyecto de ley de protección de los datos personales en Chile'. Boletin Hispanoamericano de Informática & Derecho (November 1998). No. 5. Online. Available at: <http://members.theglobe.com/boletin/bol5.htm>
Herrera, Berlioth. Freno a hábeas data. La Nación (August 5th, 1998). Online. Available at: < http://www.nacion.co.cr/ln_ee/1998/agosto/25/pais4.html>
Hoffman, Lance J. Civilizing Cyberspace: Priority Policy Issues in a National Information Infrastructure (March 1994). Online. Available at: < http://www.seas.gwu.edu/seas/instctsp/DOCS/PAPERS/ictsp-94-03.html>
Hoyos, Arturo. '¿Adónde van nuestras democracias?' El Panamá Améríca (January 29 1997). Online. Available at: < http://www.epasa.com/El_Panama_America/archive/012997/opinion1.html>
ICL. Constitution of the Argentine Nation (1853). Translation by the Argentine. Online. Available at: <http://www.uni-wuerzburg.de/law/ar00000_.html>
ICL. Paraguay Constitution (June 20th 1992). Translated by Peter Heller. Online. Available at: <http://www.uni-wuerzburg.de/law/pa00t___.html>
IFEX. Habeas Data law modified and approved (April 1995). Online. Available at: <http://holland.ifex.org/alert/00000712.html>
International Trade Administration. Draft Safe Harbor Principles (April 19, 1999). Online. Available at: <http://www.ita.doc.gov/ecom/shprin.html>
International Trade Administration. Letter from Ambassador Aaron and Safe Harbor Principles (November, 1998). Online. Available at: <http://www.ita.doc.gov/ecom/aaron114.html>
Kirsh, E. Philips, D. & McIntyre, D. 'Recommendations for the Evolution of Netlaw: Protecting Privacy in a Digital Age' (1996) Journal of Computer-Mediated Communication. On Line. Available at: < http://jcmc.mscc.huji.ac.il/vol2/issue2/kirsh.html>
La Nación (Editorial). 'Un proyecto descaminado'. La Nación (August 1st, 1998). Online. Available at: < http://www.nacion.co.cr/ln_ee/1998/agosto/01/opinion1.html>
Lloyd, Ian. Information Technology Law (1997). 2nd Edition. London, Butterworths.
Mavcic, Andre. Individual Complaint proceedings before Constitutional Courts. Online. Available at: <http://www.vcilp.org/us/map/powers/compl.html>
McWilliams, Brian. 'Protect Your Own Privacy on the Internet'. PC World Online (July 1998). On line. Available at: < http://www.pcworld.com/pcwtoday/article/0,1510,7488,00.html>
Mendez, William. 'Recurso de hábeas data: Ley limita divulgar datos privados'. La Nación. (July 30th, 1998). Online. Available at: < http://www.nacion.co.cr/ln_ee/1998/julio/30/pais4.html>
Oficina de Derehos Humanos del Arzobispado de Guatemala. El camino de la reconstrucción social (1997) Online. Available at: < http://www.guateconnect.com/odhagua/infremhi/recomend.htm>
Perritt, Henry H. 'Regulatory Models for Protecting Privacy in the Internet'. Privacy and Self-Regulation on the Information Age (June 1997). U.S. Department of Commerce. Online. Available at: < http://www.ntia.doc.gov/reports/privacy/selfreg3.htm>
Prescott, 'Charles A. Recent Developments in Latin America and Asia Are Driven by Local Interests and Technology'. Privacy & American Business (1998). Online. Available at: <http://hudson.idt.net/~pab/global.html>
Reuters. 'U.S. proposes privacy principles'. November 9, 1998. CNET News. Online. Available at: < http://www.news.com/News/Item/0,4,28510,00.html?owv>
Roitman, Horacio. Hábeas Data. Análisis del texto constitucional. Online. Available at: < http://www.veraz.com.ar/spanish/noframes/conferen/con11.htm>
Saborío, Rodolfo. 'El bloque de libertades públicas en Costa Rica'. Revista Jurídica Electrónica (January 1996). Online. Available at: < http://www.nexos.co.cr/cesdepu/revelec/consti.htm>
See, Dianne. GeoCities, FTC Reach Settlement in First Internet Privacy Case (August 13, 1998). The Industry Standard. Online. Available at: < http://www.thestandard.com/articles/article_display/0,1449,1402,00.html?01>
Swire, P. and Litan, R. 'Avoiding a Showdown Over EU Privacy Laws'. February 1998. Brookings Institue Policy Briefs. No. 29. Online. Available at: < http://www.brook.edu/comm/policybriefs/pb029/pb29.htm >
Torres, Carlos. 'El Habeas Data en el Extranjero'. El Peruano (June 30th 1994). Online. Available at: <http://www.asesor.com.pe/teleley/p3511.htm>
U.S. Department of State Date. Peru Human Rights Practices 1995 (March 1996). Online. Available at:
Universidad de Valencia. Derecho Informático (1997). Online. Available at: < http://bugs.uv.es/guia/asignatu/ISIII/tema_2.html>
US Federal Trade Commission. About Privacy (1998). Online. Available at: <http://www.ftc.gov/privacy/index.html>
US Federal Trade Commission. Privacy Online: A Report to Congress (June 1998). Online. Available at: <http://www.ftc.gov/reports/privacy3/conclu.htm>
Verbitsky, Horacio. 'El camino de la verdad' Página 12 (October 16 1998). Online. Available at: < http://www.pagina12.com.ar/1998/98-10/98-10-16/pag02o1.htm>
1. Universidad de Valencia. Derecho Informático (1997). Online. Available at: < http://bugs.uv.es/guia/asignatu/ISIII/tema_2.html>
2. European Council. Council of Europe Convention for the protection of individuals with regard to automatic processing of personal data (1981). Online. Available at: < http://europa.eu.int/comm/internal_market/en/media/dataprot/inter/con10881.htm>
3. Data Protection Act 1984 (c. 35). Online. Available at: < http://www.hmso.gov.uk/acts/acts1984/1984035.htm>
4. ESC. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (1996). Online.Available at: < http://europa.eu.int/eur-lex/en/lif/dat/1995/en_395L0046.html>
5. The Data Protection Act 1998 (1998). Online. Available at: < http://www.hmso.gov.uk/acts/acts1998/19980029.htm>
6. The Data Protection Act 1998. Ibid. Schedule 1, Part 1, Section 8.
7. Data Protection Working party. Transfers of personal data to third countries : Applying Articles 25 and 26 of the EU data protection directive (24 July 1998). Online. Available at: < http://europa.eu.int/comm/internal_market/en/media/dataprot/wpdocs/wp12en.htm# 1>
8. Data Protection Working party. Transfers of personal data to third countries : Applying Articles 25 and 26 of the EU data protection directive. Ibid.
9. Kirsh, E. Philips, D. & McIntyre, D. 'Recommendations for the Evolution of Netlaw: Protecting Privacy in a Digital Age' (1996) Journal of Computer-Mediated Communication. On Line. Available at: < http://jcmc.mscc.huji.ac.il/vol2/issue2/kirsh.html>
10. Swire, P. and Litan, R. 'Avoiding a Showdown Over EU Privacy Laws'. February 1998. Brookings Institue Policy Briefs. No. 29. Online. Available at: < http://www.brook.edu/comm/policybriefs/pb029/pb29.htm>
11. Reuters. 'U.S. proposes privacy principles'. November 9, 1998. CNET News. Online. Available at: < http://www.news.com/News/Item/0,4,28510,00.html?owv>
12. International Trade Administration. Letter from Ambassador Aaron and Safe Harbor Principles (November, 1998). Online. Available at: <http://www.ita.doc.gov/ecom/aaron114.html>
13. International Trade Administration. Draft Safe Harbor Principles (April 19, 1999). Online. Available at: <http://www.ita.doc.gov/ecom/shprin.html >
14. European Commission. Data protection: Commission endorses 'safe harbor' arrangement with US (29 March 2000). Online. Available at: < http://europa.eu.int/comm/internal_market/en/media/dataprot/news/harbor4.htm>
15. Dixon, Tim & Greenleaf, Graham. 'Private Parts: Hong Kong's New Privacy Law'. Privacy Law & Policy Reporter (1995). Vol. 2, No. 100. Online. Available at: < http://www.austlii.edu.au/au/other/plpr/Vol2No05/v02n05i.html#hk >
16. Electronic Frontiers Australia. On-line Privacy issues (December 1998). Online. Available at: < http://www.efa.org.au/EFA/Issues/Privacy/Welcome.html >
17. Mavcic, Andre. Individual Complaint proceedings before Constitutional Courts. Online. Available at: <http://www.vcilp.org/us/map/powers/compl.html>
18. Chirino, Alfredo. 'Las tecnologías de la información y el proceso penal. Análisis de una crisis anunciada'. Revista de Ciencias Penales (December 1997) No. 14. Online. Available at: < http://www.nexos.co.cr/cesdepu/revelec/penal/Chirino14.htm>
19. Chirino, Alfredo. Ibid.
20. Prescott, 'Charles A. Recent Developments in Latin America and Asia Are Driven by Local Interests and Technology'. Privacy & American Business (1998). Online. Available at: <http://hudson.idt.net/~pab/global.html>
21. European Council. Council of Europe Convention for the protection of individuals with regard to automatic processing of personal data. Ibid. Article 8.
22. Congresso Nacional do Brasil. Lei 9507 Regula o direito de acesso a informaçóes e disciplina o rito processual do habeas data. November 12 1997. Online. Available at: < http://infojur.ccj.ufsc.br/arquivos/Direito_Administrativo/9507-97.htm>
23. Hoyos, Arturo. '¿Adónde van nuestras democracias?' El Panamá Améríca (January 29 1997). Online. Available at: < http://www.epasa.com/El_Panama_America/archive/012997/opinion1.html>
24. Aveleyra, Antonio. Propuesta legislativa de nuevos tipos penales en relación con la informática (1996). Online. Available at: < http://www.inegi.gob.mx/pdi/nv/asesoria/foro/temas6/propinf.htm>
25. Herrera Bravo, Rodolfo. 'Breves antecedentes sobre el proyecto de ley de protección de los datos personales en Chile'. Boletin Hispanoamericano de Informática & Derecho (November 1998). No. 5. Online. Available at: <http://members.theglobe.com/boletin/bol5.htm>
26. Mavcic, Andre. Ibid., 1st Paragraph.
27. Constitution of the Federal Republic of Brazil (1988). Article 5, Section LXXI. Online. Available at: < http://www.georgetown.edu/LatAmerPolitical/Constitutions/Brazil/brtitle2.html>
28. Congresso Nacional do Brasil. Lei 9507. Ibid. Article 7, sub-section III.
29. Brazilian Constitution, Title IV, Chapter III, Sections II-VI. 1997 Regulatory law, Art. 20.
30. ICL. Paraguay Constitution (June 20th 1992). Translated by Peter Heller. Article 135. Online. Available at:
31. Paraguay Constitution. Ibid. Articles 131, 136 and.259.
32. Torres, Carlos. 'El Habeas Data en el Extranjero'. El Peruano (June 30th 1994). Online. Available at: <http://www.asesor.com.pe/teleley/p3511.htm>
33. Base de Datos Políticos de las Américas. Constitución Política del Perú, 1993 (July 1st, 1993). Article 2, section 6. Translated by the author of this essay. Online. Available at: < http://www.georgetown.edu/pdba/Constitutions/Peru/peru.html>
34. IFEX. Habeas Data law modified and approved (April 1995). Online. Available at: <http://holland.ifex.org/alert/00000712.html>
35. Mavcic. Ibid.
36. ICL. Constitution of the Argentine Nation (1853). Translation by the Argentine congress. Article 43. Online. Available at: <http://www.uni-wuerzburg.de/law/ar00000_.html>
37. Clarín Digital. 'Habeas Data: El Poder Ejecutivo vetó una ley cuestionada por los bancos' El Clarín Digital (December 31 1996). Online. Available at: < http://www.clarin.com.ar/diario/96-12-31/o-01401d.htm>
38. Mendez, William. 'Recurso de hábeas data: Ley limita divulgar datos privados'. La Nación. (July 30th, 1998). Online. Available at: < http://www.nacion.co.cr/ln_ee/1998/julio/30/pais4.html>
39. Herrera, Berlioth. Freno a hábeas data. La Nación (August 5 th, 1998). Online. Available at: < http://www.nacion.co.cr/ln_ee/1998/agosto/25/pais4.html>
40. Saborío, Rodolfo. 'El bloque de libertades públicas en Costa Rica'. Revista Jurídica Electrónica (January 1996). Online. Available at: < http://www.nexos.co.cr/cesdepu/revelec/consti.htm>
41. Equipo Nizkor. La APDH promueve un recurso de Habeas Data (May 1997). Online. Available at: < http://www.derechos.org/nizkor/arg/apdh/habeas.html>
42. Freedom of Information is a concept alien to Latin-America. In the European sense of the expression, we can take the example of Freedom of Information legislation in the United Kingdom, which allows access to government documents.
43. Calloni, Stella. 'Los Archivos del Horror del Operativo Cóndor'. Published originally in CovertAction Magazine (August 1994). Online. Available at: < http://www.derechos.org/nizkor/doc/condor/calloni.html>.
44. Verbitsky, Horacio. 'El camino de la verdad' Página 12 (October 16 1998). Online. Available at: < http://www.pagina12.com.ar/1998/98-10/98-10-16/pag02o1.htm>.
45. This is a general view, see on that respect: Cameron E. & Hegarty C. 'Never Mind the Quality, Feel the Width: a Sceptical View of Legal Interference with Cyberspace' (1996). 10 International Review of Law Computers and Technology 79.
46. U.S. Department of State Date. Peru Human Rights Practices 1995 (March 1996). Online. Available at:
47. Roitman, Horacio. Hábeas Data. Análisis del texto constitucional. Online. Available at: < http://www.veraz.com.ar/spanish/noframes/conferen/con11.htm>.
48. Clarín Digital. 'Habeas Data: El Poder Ejecutivo vetó una ley cuestionada por los bancos'. Ibid.
49. Campbell, Andrea. 'Law may hurt Argentina's direct marketers'. Marketing Online (January 1997). Online. Available at: < http://www.marketingmag.ca/Content/2.97/int2.html>.
50 . La Nación (Editorial). 'Un proyecto descaminado'. La Nación (August 1st, 1998). Online. Available at: < http://www.nacion.co.cr/ln_ee/1998/agosto/01/opinion1.html>.
51. Oficina de Derehos Humanos del Arzobispado de Guatemala. El camino de la reconstrucción social (1997) Online at:
52. González, Antonio. Archives of the Security Services of former repressive regimes: Report prepared for UNESCO (1997). Online. Available at: < http://www.unesco.org/webworld/ramp/secret_english.htm>.
53. La Nación (Editorial). 'Un proyecto descaminado'. Ibid.
54. Hoffman, Lance J. Civilizing Cyberspace: Priority Policy Issues in a National Information Infrastructure (March 1994). Online. Available at: < http://www.seas.gwu.edu/seas/instctsp/DOCS/PAPERS/ictsp-94-03.html>.