report saber más iii (english)

8/3/2019 Report Saber Ms III (English)

1/119


2/119

2

TABLE OF CONTENTSTitle Page

i. Presentation 4

ii. Introduction and Work Methodology 7

iii. Survey Format 9

PART I.

1.1. Access to Information and the Protectionof Personal Data in Argentina 12

1.2. Access to Information and the Protectionof Personal Data in Bolivia 16

1.3. Access to Information and the Protectionof Personal Data in Brazil 22

1.4. Access to Information and the Protectionof Personal Data in Chile 28

1.5. Access to Information and the Protectionof Personal Data in Colombia 36

1.6. Access to Information and the Protectionof Personal Data in Costa Rica 54

1.7. Access to Information and the Protectionof Personal Data in Ecuador 59

1.8. Access to Information and the Protection

of Personal Data in El Salvador 621.9. Access to Information and the Protectionof Personal Data in Guatemala 67

1.10. Access to Information and the Protectionof Personal Data in Honduras 68

1.11. Access to Information and the Protectionof Personal Data in Mexico 69


of Personal Data in Nicaragua 74


3/119

3

1.13. Access to Information and the Protectionof Personal Data in Panama 76


of Personal Data in Paraguay 77

1.15. Access to Information and the Protectionof Personal Data in Peru 81

1.16. Access to Information and the Protectionof Personal Data in Dominican Republic 85

1.17. Access to Information and the Protectionof Personal Data in Uruguay 87

1.18 Access to Information and the Protection

of Personal Data in Venezuela 92

1.19 Summary table 96

PART II.

Access to Information and the Protectionof Personal Data in EuropeHelen Darbishire and Victoria Anderica Caffarena(Access- Info Europe) 100

PART III.

Access to Information and the Protectionof Personal Data in the United States of AmericaReport supplied toAlianza Regional byCyrus R. Vance Center for InternationalJustice of the New York City Bar 110


4/119

4

i. PRESENTATION

Karina Banfi, Executive Secretariat.

Alianza Regional por la Libre Expresin e Informacin

Saber Ms is a regional report that Alianza Regional por la Libre Expresin eInformacinhas published for three years. The reports comprise the diverse opinionsof the networks members, based on their expertise and knowledge regarding thepromotion, implementation and defense of access to public information.

The present publication is our third issue, and it tackles the relationship andcoexistence of two rights: access to public information and the protection of personaldata. This relationship experiences constant tensions when the principle of maximumdisclosure of public acts is invoked over the right to privacy of private acts. Such

tensions should not exist if a clear line were drawn between the public and privaterealms. However, this is not always the case, since boundaries are usually blurredwhen promoting, implementing and, especially, defending, access to publicinformation. The report details cases in various countries which illustrate theseconcepts.

We have invited Article 19 Brazil to take part in Saber Ms in order to convey theirexperience in promoting the draft bill on access to public information, as well as itsrelationship with the protection of personal data. Aside from reports written by themember organizations, this publication includes a first chapter describing the diverseand particular situation of access to information activists and advocates in each theircountries. In addition, to enrich this publication, we have also included a paperdeveloped by the Cyrus Vance Center for International Justice of the New York CityBar Association from the US, which presents a technical-legal description of thesituation of protection of personal data and access to public information in the UnitedStates.

In addition to the situation of almost every country in the Americas plus reflectionson the US system we considered it relevant to include as well the criteria applied inEurope. The report provided by Access Info, organization which focuses on thesituation in Spain, helps us fully understand the need to review the conflicts betweenthe protection of personal data and the standards that a law on access to publicinformation should necessarily have.

Progress and setbacks in terms of transparency and access to information in LatinAmerica during the last decade allow us to describe access to information as ademocratic tool to monitor the public activity of the State. Additionally, it encouragesus to further deepen the analysis to maintain a balance in the exercise of rights.Thus, individuals are strengthened by the protection and guarantees provided by theState and the full access to fundamental rights.

Alianza Regional is a regional network comprised by CSOs from Central America,South America, Mexico and the United States devoted to the defense and promotionof freedom of expression and access to information in the region. It provides ameeting point for organizations to analyze and share experiences, in order to design

intervention actions aimed at multiplying research on, education for and promotion offreedom of expression and information in the region. We also intend to spawn


5/119

5

interaction between the civil society, multilateral organizations and Latin Americangovernments.

The International Right to Know Day encourages awareness on the collective

need to demand the State for information on its public acts. Knowing andelaborating our opinions is essential in order to strengthen and consolidatedemocracy.

We wish to acknowledge the contribution of Cyrus Vance Center, Article 19 Braziland Access Info. We are also especially thankful to the member organizations ofAlianza Regional por la Libre Expresin e Informacin which, once again, haveexcelled in conveying their experiences in the defense of rights. In this case, theyhave pursued a balance between the maximum disclosure of public information andthe right to privacy of private acts.

We also wish to acknowledge our consultant, Silvana Fumega, for her excellent work

in compiling and editing this report carried out with the assistance and follow-up ofJulia Fernndez Cruz, a member of the Executive Secretariat, as well as MoissSnchez, Executive Director of Pro Acceso Chile, who supported us in thedevelopment of this reports methodology.

Once again, the strategic nature of the collective work carried out by AlianzaRegional is thus broadly confirmed. We extend our gratitude to each of theorganizations which contributed their knowledge and analysis of the local specificsituation.

The member organizations of Alianza Regionalare:

1. Accin Ciudadana (AC), Guatemala

2. Asociacin de Periodistas de El Salvador (APES), El Salvador

3. Asociacin Nacional de la Prensa (ANP), Bolivia

4. Asociacin por los Derechos Civiles (ADC), Argentina

5. Centro de Archivos y Acceso a la Informacin (CAInfo), Uruguay

6. Comit por la Libre Expresin (C-Libre), Honduras7. Consejo Nacional de Periodismo (CNP), Panama

8. Fundacin Democracia sin Fronteras (FDsF), Honduras

9. Fundacin Institucionalidad y Justicia (FINJUS), Repblica Dominicana

10. Fundacin para el Debido Proceso Legal (DPLF), United States

11. Fundacin para la Libertad de Prensa (FLIP), Colombia

12. Fundacin Pro Acceso, Chile


6/119

6

13. Fundacin Salvadorea para el Desarrollo Econmico y Social (FUSADES), ElSalvador

14. Fundacin Violeta Barrios de Chamorro (FVBCH), Nicaragua

15. Fundamedios, Ecuador

16. Fundar - Centro de Anlisis e Investigacin, Mexico

17. Instituto de Derecho y Economa Ambiental (IDEA), Paraguay

18. Instituto de Prensa y Libertad de Expresin (IPLEX), Costa Rica

19. Instituto Nicaragense de Estudios Humansticos (INEH), Nicaragua

20. Instituto Prensa y Sociedad (IPYS), Peru

21. Participacin Ciudadana (PC), Dominican Republic

22. Transparencia por Colombia, Colombia

23. Transparencia Venezuela, Venezuela

24. Trust for the Americas (OAS), United States


7/119

7

ii. INTRODUCTION AND WORK METHODOLOGY

Silvana Fumega. Access to Public Information

and Open Government Specialist

Since the late 80s until today, major technological transformations have taken place.1Such progress in information and communication technologies has rendered dataand information treatment and exchange a simple task.2 While this poses newchallenges when safeguarding fundamental freedoms such as the right to privacy, italso creates new opportunities to further deepen the right of access to publicinformation (API) and, thus, transparency in governance.

At present, the right to Access to Public Information is regulated through statutory lawin 11 Latin American countries3, and over 80 countries throughout the world4. One ofthe fundamental principles which should be included in all laws governing the said

right is that of maximum disclosure. In this regard, all information developed and / orheld by government agencies should be available to anyone willing to access it.

Such disclosure is limited by a number of exceptions, in accordance withinternational standards in the field. The list of exceptions which must beestablished by a prior lawonly includes reasons considered legitimate forgovernment agencies to exempt certain information from disclosure. It is important topoint out, however, that in order to exempt information from disclosure, the fact that itfalls within the exceptions should not be sufficient: agencies should also demonstratethat disclosing such information would cause substantial harm to that legitimateinterest.5

One of the exemptions from disclosure is connected to the defense of the right toprivacy6 and, thus, the right to the protection of personal data.7 The latter may beunderstood as the right of individuals to monitor the collection, access and use oftheir personal information carried out by governments or private entities. That is why,in certain circumstances, disputes or tensions may result from the exercise of boththese rights tensions between the aim to disclose certain governmental informationand the need to protect personal data that may be contained therein.

Among the most frequently cited examples of situations that might cause conflict

1 One of the major advances has been the creation of the World Wide Web, around 1989, by TimBerners-Lee from England and Robert Cailliau from Belgium while working at CERN in Geneva,Switzerland.2 Data and information are not identical terms. However, throughout this paper they have been used asinterchangeable synonyms. The term "data" refers to a symbolic representation or an attribute of anentity. It is important to highlight that the data has no meaning in itself, but is used in decision-making orto perform calculations on the basis of proper processing and considering its context. In this sense, theconcept of "information" refers to an organized set of data.3 Chile, Dominican Republic, Ecuador, Guatemala, Honduras, Mexico, Nicaragua, Panama, Peru,Uruguay and El Salvador. Laws available at:http://alianzaregional.net/site/index.php?option=com_content&task=view&id=26&Itemid=194 For the full lsit, see: http://right2info.org/resources/publications/Fringe%20Special%20-%20Overview%20FOIA%20-%20sep%2020%202010.pdf/at_download/file5 See: http://www.article19.org/data/files/pdfs/standards/righttoknow.pdf6 For further information on this area, see: http://wbi.worldbank.org/wbi/news/2011/03/10/available-now-new-working-paper-right-information-and-privacy7 Any personally identifiable information on an individual.


8/119

8

between these two rights are the requests for disclosure of public servants salaries8and of beneficiaries of social welfare programs.

In the case of social welfare programs, one clear and renowned example illustrating

the relationship between these two rights was the conflict which arose in Mexico in2006. A request was filed for the disclosure of the list of beneficiaries of the programDerecho Humano Oportunidades in the State of Sinaloa, with the aim of identifyingbeneficiaries per district. In that case, the plenary of the Federal Institute for Accessto Public Information (Instituto Federal de Acceso a la Informacin Pblica, IFAI)resolved that the regulation on accountability had greater weight, and thus requiredthe program "Oportunidades" to comply with the request of the petitioner.

A similar case took place in Argentina, as described by the member organizationAsociacin por los Derechos Civiles(ADC) in their report. ADC sponsored a requestfiled by Cippec (Centro de Implementacin de Polticas Pblicas para la Equidad y elCrecimiento) to the Ministry of Social Development, demanding information on

beneficiaries of social welfare programs administered by that agency. The requestwas denied on the grounds that it implied access to sensitive data. Though theadministrative justice ruled in favor of Cippec, the Ministry filed an extraordinaryappeal,9 and the case has not yet been resolved by the Supreme Court.

Thus, based on the foregoing, the aim of Saber Ms III in 2011 is to determine thestatus of the relationship between the exercise of two rights: access to informationand the protection of personal data, as mentioned in the presentation. In order tofulfill this goal, as well as to obtain comparable information, the memberorganizations of Alianza Regional outlined their reports on the basis of a commonquestionnaire (included below). The questionnaire was designed with the aim ofconveying the convergences and tensions between laws mandating accountabilityand transparency, and those protecting personal information.

Compilation and edition were carried out considering the responses and narratives ofmember organizations regarding their local experience. Two reports containingsubstantive analyses were also included in Saber Ms 2011: one tackling thesituation of these rights in the European continent; another one describing thecoexistence between these rights in the legal system in the United States.

8 An example of this kind of conflict is available at: http://www.lanacion.com.ar/1214805-el-recibo-de-sueldo-de-la-presidenta-es-secreto.9 Alianza Regional por la Libertad de Expresin e Informacinappeared as Amicus Curiae (Friend of theCourt) in order to provide grounded opinion on the subject under litigation. For more information:http://www.idea.org.py/gfx/espanol/descargas/noticias/2010/amicus-cippec-ii.pdf


9/119

9

iii. SURVEY FORMATThe following survey was the device used to gather information.

INTERNATIONAL RIGHT TO KNOW DAYACCESS TO INFORMATION AND THE PROTECTION OF PERSONAL DATA

Instructions to fill out the questionnaire:

The aim of this survey is to obtain a report developed by each of the memberorganizations of Alianza Regional por la Libre Expresin e Informacin on therelationship between the right to access to information and the right to protection ofpersonal data. The latter is understood as the right of individuals to monitor thecollection, access and use of their personal information carried out by governmentsand private entities.

In order to obtain comparable descriptions, it is essential that all organizations limittheir responses to the following questionnaire. Each of the questions should beanswered by means of a brief narrative.

It is important to clarify that narratives must focus on the right to protection ofpersonal data in relation to the right of access to public information.

The report must include annexes (or footnotes) on the data and sources used tosupport the contents of each document.

Country: Organization:

Questionnaire:

1. Access to Public Information:a. Are there any regulations (law or decree) concerning the exercise of

the right to access to public information (API) in your country?

b. What are the main features and scope of the said regulation?

c. Briefly describe the features of the monitoring agency.

2. Protection of Personal Data:a. Are there any regulations (law or decree) concerning the protection of

personal data (PPD) in your country?

b. What are the main features and scope of the said regulation?

c. Briefly describe the features of the monitoring agency.

3. Relationship between both rights: Considering your responses to the first

two questions:


10/119

10

a. What is the relationship between both regulations? / Under thelegislation, does any of both rights takes precedence over the other?

b. How is the exercise of both rights monitored?

c. Which are the mechanisms to settle conflicts between the two rights?

4. Case studies:a. Please mention 2 cases to illustrate your response to the previous

question, regarding the relationship (however controversial) betweenAPI and personal data in your country?

5. Jurisprudence:a. Is there jurisprudence (including rulings or resolutions by the API and

Personal Data enforcement authorities) that has required the State toprovide information which was considered to be personal data?Transcribe the most substantial paragraph of such jurisprudence and cite case infootnote.

b. Is there jurisprudence (including rulings or resolutions by the API andPersonal Data enforcement authorities) that has required the State toprovide information which was personal data? Transcribe the mostsubstantial paragraph of such jurisprudence and cite case in footnote.

6. The role of the Civil Society:

a. Are there any civil society initiatives to promote the protection of datain your country? Describe them briefly.


11/119

11

Part I


12/119

12

1.1. ACCESS TO INFORMATION AND THE PROTECTION OF PERSONAL DATAIN ARGENTINA

Asociacin por los Derechos Civiles (ADC)

Executive Director: lvaro HerreroDirector of API Area: Ramiro lvarez Ugarte

Access to Public Information

In Argentina there are several regulations governing access to public information,depending on whether they apply to the national, federal, provincial or municipallevels. This analysis focuses on federal regulation, that is, Decree No. 1172/03.10

The Decree applies solely to the federal level and the Executive Branch, andregulates, broadly, the right to access to information. It establishes procedures toaccess information, and enables various judicial remedies to challenge cases where

access is denied. Furthermore, Article 16 provides several exceptions to the generalprinciple of "maximum disclosure" (guaranteed by Article 8), in some cases withreference to other regulations (such as, for example, the Law for Protection ofPersonal Data No. 25.326).

The enforcement authority for the said Decree, pursuant to Article 18 of theregulation, is an agency of the Executive Branch, the Under Secretary for InstitutionalReform and Strengthening of Democracy. This agency is led by a public servantappointed by the Executive Branch, and does not have a highly developed structure.However, Decree 1172/03 created a system of liaisons public officers, in eachgovernment agency, in charge of receiving and processing the requests for access toinformation submitted by the population. This system of liaisons is the most direct

mechanism to enforce access to information. It should be noted that, pursuant toArticle 19 of this regulation, the administrative agency responsible for receivingcomplaints and informing authorities on failures to comply with access to publicinformation is the Anti-Corruption Bureau, subordinate to the Ministry of Justice andHuman Rights of the National Executive Branch.

Protection of Personal Data

Regarding the exercise of the right to Protection of Personal Data (PPD), the statutein Argentina is the Law for the Protection of Personal Data No. 25.326.11

This law defines personal data in a broad manner, as any information relating toidentified or identifiable individuals or ideal existences(Article 2). The law regulatesthe management of personal data in all kinds of records, both public and private. Itestablishes that such data can only be collected with the consent of the individualthat is subject of the information, and their confidentiality must be guaranteed.Furthermore, the regulation mandates confidentiality to those handling filescontaining personal data, and establishes the principle of "finality", by which the datacannot be used for purposes other than those for which they were collected.Regarding transfer, Article 11 of the law provides that:

10 http://www.infoleg.gov.ar/infolegInternet/anexos/90000-94999/90763/norma.htm11 http://infoleg.mecon.gov.ar/infolegInternet/anexos/60000-64999/64790/norma.htm


13/119

13

The personal data subject to treatment can only be transferred tocomply with purposes directly related with the legitimate interest of thetransferor and the transferee, and with prior consent of the individualthat is subject of the data, who must be informed on the purpose of

such transfer and the identification of the transferee or elements whichwill allow for its identification.

We must highlight that this Article is the one causing the greatest difficulties inharmonizing with the regulations on access to public information.

The agency which monitors compliance with Protection of Personal Data is theNational Directorate for Personal Data Protection (Direccin Nacional de Proteccinde Datos Personales, DNPDP), which is led by a renowned professional. TheDirectorate is usually involved when the transfer of information held by the Statecontaining personal data is at stake. According to a study carried out by ADC onrulings issued by the Directorate over the past three years, most of the agencys

interventions are motivated by requests for access to public information.12

Relationship between both rights

There is no formal relationship between regulation governing access to publicinformation and the Law for the Protection of Personal Data. Furthermore, neitherright takes precedence over the other. However, the relationship between theexisting regulations generates several interpretive conflicts which cannot be resolvedwithin the Executive Branch and which in the existing legal framework can onlybe settled by the Judicial Branch.

However, given that the Law for the Protection of Personal Data has higher standingthan Decree 1172/03, and there is a specific monitoring agency with the power tocontrol and interpret all which concerns such law, one could argue that, within theExecutive Branch, interpretive conflicts between personal data protection and accessto information are resolved and such is the fact in favor of the first. Indeed,according to the above mentioned study carried out by ADC analyzing 45 rulings, in89% of the cases the Directorate either denied access to the requested data or more frequently set conditions for access which were not foreseen by the Decreeon access to information, i.e. the existence of legitimate interest.13

While the enforcement authority created by Decree 1172/03 and the NationalDirectorate for Personal Data Protection should both ensure proper access to these

rights by citizens, they are two separate agencies within the Executive Branch and as far as our findings go they lack any mechanisms to coordinate their work.

12 Research carried out by ADC, based on a survey of rulings of the National Directorate for theProtection of Personal Data (DNPDP) for the years 2008, 2009 and 2010. According to the survey, theDirectorates interventions are divided as follows: (a) Requests for access to public information, 43%; (b)Interpretation of law, 33%; (c) Records transfer, 9%; (d) International Transfer Agreements, 9%; (e)Creation of records, 4%; (f) Other, 2%. Analysis is currently in progress.13 Remarkably, within that 89%, in 80% of cases the Directorate recommended information to beprovided under conditions not foreseen by Decree 1172/03, but which are mandated by the Law for theProtection of Personal Data.


14/119

14

Case studies

Following are two cases which illustrate our previous response regarding therelationship (however controversial) between Access to Public Information andPersonal Data.

Example 1.CIPPEC vs. National State.In this case, Asociacin por los Derechos Civiles(ADC) sponsored the claim filed byCIPPEC. This organization had requested information regarding the distribution ofsocial welfare plans. The request was denied on the grounds that disclosingbeneficiaries implied access to sensitive data which, as defined by Law 25.326,consists of personal information revealing racial and ethnic origin; political opinions;religious, philosophical or moral beliefs; union affiliation; and information concerninghealth or sexual life. According to DNPDP (National Directorate for Personal DataProtection), while the fact that an individual is included in a list of beneficiaries of a

social program cannot be considered per se, in principle, to be sensitive information,if the financial assistance is due to a disease (health-related data), disclosure wouldreveal sensitive data, a circumstance which would correspond to the exemptioncontained in Article 16 of the regulation on Access to Public Information (Decree1172/03). The Under Secretary for Institutional Reform and Strengthening ofDemocracy supported this interpretation by DNPDP, although it acknowledged thatdisclosure could help monitor the implementation of social welfare programs.14

Example 2.The National Directorate for Personal Data Protection has considered in severaloccasions that access to State payroll records demands the demonstration of a

legitimate interest by the petitioner a requirement not established by Decree1172/03, but stated by Law 25.326. This is due to the broad definition of personaldata provided by this law, which in practice deeply restricts the scope of the right toaccess to information. Thus, for instance, the DNPDP made the disclosure ofinformation conditional to the existence of a legitimate interest in the case of thefollowing requests: the salary of the presidential spokesman (1/10); people detainedduring a repressive wave in the 70s (4/09); persons decorated for services renderedduring the Malvinas (Falklands) War (30/09); budget transfers to nonprofitorganizations (38/09); list of authorities of the Federal Police Force (3/08); peopledetained during a conflict involving farmers (5/08); and the salary of the President ofArgentina (37/08), among others.15

Jurisprudence

Regarding jurisprudence which has ordered the State to provide information which itconsidered to be personal data, we can mention the ruling issued by Chamber II ofthe Court of Appeals for Federal Administrative Claims in the case Cippec vs.National State.16

14 See Note 495/08 from the Ministry of Social Development, Secretariat for Institutional Coordinationand Monitoring, April 9th 2008.15 Numbers in parentheses correspond to rulings of the National Directorate for Personal DataProtection, available at: http://www.jus.gob.ar/datos-personales.aspx16https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=1G4ljEi5gq23c55hD5IoL1r0BomSUezHs15TMwEoeM5NP-Q80PhndtTXuhrSU&hl=en_US


15/119

15

The matter under discussion in this case was the State's refusal to provideinformation on beneficiaries of social programs (see Example 1 above). Theappointed judges considered that the exemption described in Article 16.i of the

regulation on Access to Public Information (Decree 1172/03) did not apply, given thatno valid reasons for such refusal are apparent, since these are not aspects whichinvolve the security of individuals, or which are in principle likely to affect theirprivacy and honor, or which could indicate an arbitrary invasion of the appellant.17

[The] Anti-Corruption Bureau clearly stated that lists of beneficiariesdo not constitute sensitive personal data (), and thus the informationrequired by the plaintiff (the Foundation), in accordance with Article 2of the organizations charter (), can be reasonably considered asincluded within the guidelines of community control of socialinvestment.18

Role of the Civil Society

As for the role of the civil society in the promotion of the right to personal dataprotection, noteworthy is the work carried out by Va LibreFoundation, devoted toissues relating to privacy and new technologies in particular, regarding the use ofsurveillance cameras and cyber-surveillance mechanisms by the State. However, theissue of privacy appears as secondary within their agenda, which is devotedprimarily to technology.

In general, the protection of personal data has been promoted mainly by governmentagencies, such as the above referred DNPDP, or the Center for Personal Data

Protection, in the Office of the Ombudsman in the City of Buenos Aires.

17 Court of Appeals for Federal Administrative Claims, Chamber II. CIPPEC vs. National State. Ruling:

April 8th 2010. Item 7.18 Court of Appeals for Federal Administrative Claims, Chamber II. CIPPEC vs. National State. Ruling:April 8th 2010. Item 7.


16/119

16

1.2. ACCESS TO INFORMATION AND THE PROTECTION OF PERSONAL DATAIN BOLIVIA

Asociacin Nacional de la Prensa (ANP)

Executive Director: Juan Javier Zeballos


The regulation that acknowledges access to public information in Bolivia is thePolitical Constitution of the State, in force since February 7th, 2009. Article 21, item 6,in the Civil Rights section, stipulates that Bolivian citizens have a right to freelyaccess, interpret, analyze and disseminate information, either individually orcollectively.19 The Political Constitution of the State is the supreme law of the legalsystem. Its application takes precedence over any law or decrees, and it rules overall State agencies and individuals.

In addition, Bolivia currently has two decrees that deal tangentially with the right toaccess to public information: Supreme Decree 28168 (May 17 th 2005) and SupremeDecree 0214 (June 22nd 2009). Supreme Decree 28168 regulates access to publicinformation in relation to agencies of the Executive Branch (now named ExecutiveBody), while the latter, Supreme Decree 0214, is intended for the approval of theTransparency and Anti-Corruption National Policy, in order to provide instrumentssuitable for prevention, research, transparency, access to information, andpunishment of acts of corruption.

Moreover, Article 18 of the Administrative Procedure Law (No. 2341), in force sinceApril 2004 and regulatingessentially the proceedings to be followed before executiveagencies from all levels of government (central, departmental and municipal),

establishes as follows:

Article 18th(Access to files and records and obtainment of copies)I. Individuals have a right to access files, public records and documents held by thePublic Administration, as well as to obtain certificates or certified copies of suchdocuments, notwithstanding their format, either print, sound, image or other, nor thetype of hardware containing them.II. Any limitation or reserve of the information must be specific and regulated byexpress statute or the ruling of an administrative authority with power established forthis purpose, identifying the level of such limitation. The following are spared:regulations establishing confidentiality privileges or professional secrets, as well asjudiciary regulations which decide on matters concerning access to information.

III. For the purposes described in the prior item on access to information andobtainment of certificates and copies, the following records are exempted: a) recordscontaining information relating to national defense, State security or concerning theexercise of constitutional powers by the State; b) records subject to confidentiality, orprotected by commercial, banking, industrial, technological and financial secrecy, asestablished by statute.20

On the other hand, regarding legitimate interest, the law ascertains as follows:

19 http://www.oas.org/Juridico/mla/sp/bol/sp_bol-int-text-const.html20 http://bolivia.infoleyes.com/shownorm.php?id=153


17/119

17

Article 11 of the law notes that any individual or legal entity, either public or private,whose subjective right or legitimate interest is affected by an administrative action,may appear before the proper authorities to enforce their rights or interests.

As for an agency which monitors the exercise of the right to access to pubicinformation, there is none carrying out specialized preventive control, except for theMinistry of Transparency and Fight against Corruption. However, being part of theCabinet, the Ministry is not autonomous and, therefore, its practical scope of action islimited. Notably, the preventive control carried out by the Ministry is not significant,since the agency focuses mainly on developing administrative and judicialproceedings after the act of corruption or lack of transparency takes place.

As for allegations related to the exercise of the said right, they may be directed to theOmbudsman Office (non-binding decisions), or to ordinary courts.


The right to protection of personal data in Bolivia is recognized by the PoliticalConstitution of the State in Article 21, item 2. This article states that the Bolivianpeople have the right to privacy, private affairs, honor, self-image and dignity. Thecharter also establishes constitutional actions for privacy in Article 130, under thefollowing system:

Article 130. I. Any individual or group which considers to be improperly or illegallyprevented from seeing, objecting to, or achieving deletion or amendment of datarecorded in any format (physical, electronic, magnetic or computerized), in public orprivate files or databases, or which affect their fundamental right to privacy and

personal or family affairs or their self-image, honor and reputation, may bring anaction for the protection of privacy.

Furthermore, Article 18 of the Civil Code states that: "No one can disrupt or disclosethe private life of an individual. The individuals situation will be taken into account.Cases established by the law are exempted.

On the other hand, Article 55 of the recently enacted Telecommunications Lawprovides the following:

Article 55. (Inviolability and secrecy of communications) Within the frameworkestablished by the Political Constitution of the State, public network operators and

providers of telecommunication services and information and communicationtechnologies must guarantee the inviolability and secrecy of communications,as wellas the protection of personal data and the privacy of users, except for those listed inphone books, invoices and other pursuant to regulations.21

Article 83 of the same law states, on the subject of suppliers, the obligation toprovide protection for personal data by preventing unauthorized dissemination onthe side of users, within the framework of the Political Constitution of the State andthis law.

In terms of actions to settle conflicts regarding the protection of privacy and personaldata, given the specific actions established by the Constitution, they are resolved

21 http://www.itu.int/ITU-D/treg/Legislation/Bolivia/ley_tlc.pdf


18/119

18

through the constitutional justice for extraordinary appeals or actions. This is theupdated version of what, in the former Constitution, was meant by the writ of habeasdata. In essence, the right protected by these actions does not change.Constitutional actions are brought before the District Superior Courts, with a

mandatory review request before the Plurinational Constitutional Court.

Given that constitutional courts are the appropriate supervisory bodies, the onlyfeature worth noting regarding the oversight of the right to protection of personal datais the jurisdiction of such courts. District Superior Courts are ordinary courts ofappeal. When extraordinary constitutional actions are brought, they function ascourts of first instance, to recognize and resolve such actions. Once the action issettled, it is submitted for review to the Constitutional Court the body appointed bylaw to review all constitutional actions brought before the Superior Courts throughoutthe country. The ruling resulting from this review creates binding jurisprudence.


There is no explicit criterion regarding the hierarchy of these rights. In theory, theright to access to information and the right to personal data protection are understoodas different issues. Access to public information refers to information falling outsidethe scope of privacy or private affairs. However, both access to information andprivate data protection can be accomplished through constitutional actions forprivacy.

Currently, oversight of the validity of such rights is performed in accordance withrequests by affected individuals or groups. There is no state agency responsible forthe prevention of probable breach of these rights. However, the Ombudsman Office

stands as the agency promoting human rights in general, and thus promoting thedefense of these rights.

Although the Ombudsman has no power to issue enforceable decisions, its rulingscan put pressure on authorities who, in a specific case or complaint, might risk oreffectively affect any of the rights protected by the Political Constitution of the State.

The proper, legally established authorities to settle disputes and issue bindingjurisprudence with more specific criteria are the Supreme Court and the PlurinationalConstitutional Court.

Case studies

With regard to cases that illustrate the relationship between access to publicinformation and personal data protection, we can mention the refusal of the ArmedForces to comply with a Supreme Court ruling which required them to disclosedocuments establishing the location of the remains of victims of the 1981 coup.

Jurisprudence

Given that oversight of access to information and personal data protection isperformed by ordinary courts and the constitutional justice; and since only

constitutional jurisprudence is available and systematically organized, it has not beenpossible to identify a case in which the State was forced to provide personal data due


19/119

19

to a request for access to public information. After extensive research, we were notable to locate a landmark ruling regarding the collision of the right to access toinformation with the right to personal data protection. Thus, below we include ageneral statement drawn from Constitutional Ruling 0030/2006-R of January 11 th,

2006, issued by the Constitutional Court.

III.1.The legal nature and scope of habeas data

To this end, prior to review and elucidation of the issues herein raised, it is necessaryto undertake the legal nature and scope of the writ of habeas data, as well as therights protected by this remedy, established by Article 23 of the Political Constitutionof the State.

According to the doctrine of Constitutional litigation, habeas data is a constitutionalremedy designed to protect the individuals right to information self-determination. Itis a constitutional guarantee that provides the individual with effective and suitable

protection against the illegal or improper use of personal data created, recorded andstored in public or private databases, and disseminated electronically.

Thus we can infer that habeas data is a constitutional guarantee pertaining to legalprocedure for the protection of personal data, that is, data that comprise the core ofthe right to privacy and private affairs of an individual, against the illegal, improper orunlawful collection, storage or dissemination of such information by public or privateentities or organizations. This constitutional guarantee provides every individual whether natural or legal the authority or right to sue public or private databases inConstitutional courts in order to view, update, rectify or delete the information or datareferring to them which has been collected, stored or disseminated.

Accordingly, following the constitutional doctrine, we come to the conclusion that theprotection provided by habeas data covers the following areas:

a) The right to access information or personal data records obtained and stored inpublic or private databanks, with the purpose of knowing the contents concerning theindividual who files the habeas data, and thus verify the accuracy and truthfulness ofthe collected and stored data, and whether it qualifies as sensitive to his/ her honor,dignity and good reputation.b) The right to update information or personal data filed in the database, addingmissing data or updating out-of-date information, in order to avoid the use ordissemination of unsuitable, incorrect or inaccurate information which could seriously

harm the individual i.e., an individual is said to be charged with an offence that hasalready been dismissed.c) The right to amend or modify inaccurate information or personal data stored inpublic or private databases, with the purpose of removing false information or datawhich do not conform to the truth, which could gravely harm the individual i.e., acriminal conviction recorded in personal records, although the individual was neversubjected to any criminal proceedings, nor was ever sentenced.d) The right to confidentiality of certain information obtained through legalproceedings, but which should not be disclosed to third parties becausedissemination could gravely harm the individual i.e., balance sheets submitted to arevenue agency which should not be provided to competitor businesses.e) The right to exclude sensitive information concerning the individuals privacy; that

is, data that will lead to establishing fundamental aspects of the development of thepersonality, such as religious or political beliefs, union affiliation, sexual behavior,


20/119

20

information likely to engender discrimination or which would infringe the individualsprivacy.

In short, according to doctrine, habeas data is a constitutional remedy which states

the right of every individual to verify the information about him/ her which is beingdisseminated, and corroborate the foundation of such information. It also establishesthe right to emend or clarify inaccuracies, and to request the deletion of false datawhich could harm the individuals good name, or which constitute an unwarrantedinvasion of privacy, both personal and familiar.

III.2 The habeas data in the Bolivian constitutional system

Habeas data is a constitutional remedy pertaining to legal procedure for theprotection of the right to information self-determination with regard to thefundamental right to privacy. It was included in the Bolivian Constitutional system

through the Constitutional Reform Law No. 2631, February 20th2004.Pursuant to Article 23.I of the Constitution: Any individual or group which considersto be improperly or illegally prevented from seeing, objecting to, or achieving deletionor amendment of data recorded in any format (physical, electronic, magnetic orcomputerized), in public or private files or databases, or which affect theirfundamental right to privacy of their personal or family affairs, or their self-image,honor and reputation, may file a writ of habeas data before the District Superior Courtor before any judge he/ she may choose. Thus, it may be inferred that within theBolivian Constitutional system, a writ of habeas data is a remedy pertaining to legalprocedure for the protection of the right to information self-determination, whichseeks to ensure that all individuals can access data or information concerning theirprivate and family life which has been collected and stored by public or privatedatabases, in order to ascertain which data have been obtained and stored that is,the amount of data collected and stored, the purpose of its collection and storage,and the past, present and future recipients of such data.Therefore, it is possible to infer that, within the current constitutional framework inBolivia, habeas data intends to protect the right to privacy and private affairs againstelectronic management of personal data, which according to doctrine is known as theindividuals right to information self-determination. It thus guarantees the followingrights:

1 Right to access data or information collected and stored by public or privatedatabases concerning the individual, in order to know the contents and foundations

of such information, and to ascertain the purpose and goals of such collection andstorage that is, how the information will be used.2 Right to amend and correct the collected and stored information, and decidewhether it contains inaccurate or false personal data that could gravely harm theindividual recorded in the database.3 Right to achieve the deletion or exclusion of sensitive information concerning theindividuals privacy or his/ her familys privacy; that is, data that could lead toestablishing fundamental aspects of the development of the personality, such asreligious or political beliefs, union affiliation, sexual behavior, information likely toengender discrimination or which would infringe the individuals privacy.22

22 Extract from Cosntitutional Ruling 0030/2006-R, January 11th, 2006 issued by the Constitutional

Court. http://www.tribunalconstitucional.gob.bo/resolucion13415.html


21/119

21


There are no known CSOs devoted to the promotion of the right to personal dataprotection.


22/119

22

1.3. ACCESS TO INFORMATION AND THE PROTECTION OF PERSONAL DATAIN BRAZIL

Article 19

Coordinator of Article 19 Brazil: Paula MartinsObserver organization


The right to access to public information in Brazil is guaranteed by Article 5, XXXIII ofthe Federal Constitution of 198823. Such article describes the fundamental rights, andis considered an eternity clause (clausula petrea). It establishes that its mechanismsshould be regulated by law, but until now Brazil does not have a national lawgoverning access to information. Nevertheless, devices for access to information arepresent in various topic laws, such as the environmental licensing law, the law tocombat violence against women, and the law of urbanism (also known as the City

Charter).Although Brazil still lacks regulation regarding access to public information, two lawsare in force which do have an impact on the right to access, and which list theexceptions to the principle of transparency described in Article 5: laws 11.111/200524and 8.159/199125. These laws state specifications regarding the classification ofpublic documents and about public records (both are restrictive, especially the first).We must draw the attention to the fact that, in the absence of regulation on the rightto information, the existence of laws dealing with the secrecy of public documents isquite controversial. These two standards are currently the subject of lawsuitsquestioning their constitutionality.

In 2003, Member of Congress Reginaldo Lopes presented a draft bill for access topublic information at the Chamber of Deputies. The bill was never voted on by the fullHouse and was stalled for many years. It was discussed both within the Chamberand with society; even public hearings were carried out. A revised bill, with a numberof major modifications, was passed by the Chamber of Deputies in 2010 and sent tothe Senate. There, it was approved by 3 internal committees with no furthercorrections, and is currently being treated by the Foreign Affairs Committee. Amember of such Committee, Senator Collor, has suggested several amendmentswhich, if accepted, would force the return of the bill to the Chamber of Deputies.Moreover, the corrections are inadequate: they jeopardize essential, establishedprinciples, and place the bill far from international principles and legislative practicesregarding Access to Public Information.

Jurisdiction:The bill applies to all federal, state and municipal agencies; executive, legislative and judiciary; direct and indirect administration (independent agencies, publicfoundations, public sector companies, mixed companies), as well as private non-profit organizations that receive funds from the State.

Information defined as public:

23 http://www.constitution.org/cons/brazil.htm24http://legislacao.planalto.gov.br/legisla/legislacao.nsf/Viw_Identificacao/lei%2011.111-

2005?OpenDocument25http://legislacao.planalto.gov.br/legisla/legislacao.nsf/Viw_Identificacao/lei%208.159-1991?OpenDocument


23/119

23

information produced or gathered by public agencies; information produced or held by an individual or an organization as a result of

their connection with agencies or private entities; information on the activities of agencies and entities, even if they concern their

policy, organization and services; information regarding public property, use of public resources, procurement and

management contracts; information regarding public policy, inspections, audits and accountability

How the bill facilitates access to information:

All public agencies will be required to facilitate the dissemination of informationthrough: (i) the creation of an information service for citizens in proper locationand conditions, to receive and guide the general public on document processingand storage, and on filing claims/ requests for access to information; and (ii) theencouragement of citizenship involvement, especially through the organization of

hearings and public consultations. Internet is to be considered a privileged means for the dissemination of

information. Public agency websites must contain layman-friendly and clearlanguage and tools, but also provide devices for those who manage morecomplex data (open data). Information must stay updated and available in variouselectronic formats, allowing electronic access. Only districts with less than 10,000inhabitants are exempted from the obligation of publishing information in theirwebsites.

How the information should be disclosed: There are two main ways to publish data under the new law: proactive disclosure,

independently from requests, and publication that responds to specific demands.All information relevant to the public and collective interest produced and storedby public agencies must be published, regardless of demand. However, anyinformation not previously published may be subject to requests for information.Public agencies should provide guidance to the user on how to accessinformation, and must provide primary data which is comprehensive, genuine andup-to-date. In the case of confidential information, access is granted to all otherparts of the document containing the information, and only the confidentialfragments are concealed.

Routine disclosure: Proactive / voluntary dissemination is established in the draft

bill on the basis of minimum criteria. That is, every agency must provideautomatically, through all available means, at least: information on the scope ofits authority, its organization and contracts, financial transactions andexpenditures, information on bidding procedures, general information on policyand public works, and answers to the citizenrys frequently asked questions. Allagencies must keep a website with yearly information on: the list of documents tobe declassified, the list of documents currently classified/ confidential, and astatistical report on requests for information received, replied to and denied.

Requests for information: requests can be sent to public agencies even via theInternet. The petitioner should be identified, although the requirement for

identification should not prevent the request from being processed. Furthermore,agencies cannot demand petitioners to justify the reasons that led them to file their


24/119

24

requests for information. Once the request has been received, the agency mustauthorize or grant immediate access to the information. Should that not be possible,the petitioner must receive a response within a maximum of 20 days, with thefollowing information: (i) date, place and procedure to access the information; (ii)

grounds for denial of access, indicating as well the proper procedure for appeal; (iii)statement explaining that the information is unavailable, or that the request has beenforwarded to an agency which does have the information; (iv) justification to extendthe period for response to 10 additional days.

Appeals:Appeals are always possible in case access is denied or remains unanswered. Thesystem for appeals remains confusing and decentralized, and there is noindependent agency in charge of final decisions.

Duty to promote the right of access:

The bill also imposes on public authorities certain minimum duties regarding thepromotion of the right to access, including public servants training, development ofinstruction materials, etc.

The creation of a monitoring agency is not included in the bill. Promoting activitiesmust be assigned to an already existing agency, and assessment and analysis ofresources is in charge of various agencies, none of which is entirely independentfrom the State. The main role in the implementation of the bill will be carried out bythe Controloladoria Geral da Unio (CGU), an agency which has historicallystruggled against corruption, but which is an internal monitoring agency within theFederal Executive Branch.


There is no specific law on personal data protection in Brazil. The issue is generallyregulated by the Constitution and the Civil Code. However, other statutes includedevices related to personal data protection, such as the Consumer Protection Code especially the articles dealing with personal data management by commercialentities. Moreover, there is a law in Brazil regulating habeas data, a remedydesigned for individuals to know, withdraw or amend personal information availablein governmental or public databases.

A draft bill on the protection of personal data is currently under discussion, although it

is still being analyzed by the Ministry of Justice. This Ministry has organized a publicconsultation on the original draft, although whether the results of such consultationwill affect the draft bill has not yet been established. Information regarding theprocess is available at the Ministrys website: http://culturadigital.br/dadospessoais.

Article 5 of the Constitution protects the privacy (X) and the inviolability of the secrecyof personal data (XII). The draft bill on personal data protection will regulate suchConstitutional articles. The draft does not only apply to data processing for personaland domestic purposes, and to databases used by journalists. In addition, the draftbill establishes that databases related to public and State security shall be governedby a specific law.

The bill demands the free, explicit and informed consent of the individual for themanagement of his/ her personal data by public and private entities, excepting data


25/119

25

necessary for the proper operation of the State. Data can be kept by an entity solelyduring the period necessary to achieve the originally stated purposes, and to whichthe individual consented. The bill comprises specific chapters on sensitive datamanagement (i.e., which can engender discrimination against the individual that is

subject of the data), and regarding the security of data. It also demands theindividuals consent for data dissemination and interconnection, as well as specificregulation for international transfer.

For the defense of rights related to personal data use and management, anadministrative agency will be created, the National Personal Data Council. The draftencourages the adoption of codes of good practices by those in charge of personaldata management.

Notably, however, the bill does not include the necessary specific provisionsregarding the personal data of public servants.

At present, no monitoring agency has been established, but the draft bill on personaldata protection provides for the creation of a National Personal Data ProtectionCouncil, with administrative, budgetary and financial autonomy. This Council shouldfunction as the authority that guarantees the protection of personal data, with thepower to plan, propose, coordinate and enforce the national policy on dataprotection, as well as to draft regulation, receive complaints and enforce sanctions,among other duties.

Administrative sanctions proposed range from fines to prohibiting the operation of agiven database.


It is currently difficult to establish the connection between the right to access toinformation and the right to personal data protection in Brazil, especially consideringthat the draft bill on data protection has not yet been sent to Congress, while the billon access to information remains in the Senate. However, the Brazilian legal systemtraditionally sides with civilians and the private sector, and therefore it might tend tostrongly protect privacy over the right to access to information. Moreover, the draft billon data protection provides for the creation of a specialized and independentmonitoring agency, while the bill on access merely assigns new responsibilities toexisting agencies which are already overwhelmed by their current duties.

At present, the exercise of both these rights is protected via judiciary proceedings. Tosettle disputes concerning these rights, citizens may refer to the procedure known asmandado de segurana (writ of mandamus), which challenges any unlawful actcommitted by a public authority. Habeas data is also a possible remedy, although itonly grants access to personal information.

In addition, in the event that the State discloses data considered private, the partymay sue for compensation through an action for moral and material damage.

Case studies

Disclosure of public servants salaries: The decision of the Municipality of Sao

Paulo to publish on their website (De Olho nas Contas) the list of public servants,


26/119

26

their functions and effective salaries (that is, nominal wages and other benefits)engendered ardent debate.26

Expansion of online available information on court proceedings:

The issue of boundaries between privacy and personal data protection was alsomuch discussed when the National Council of Justice decided to launch an initiativeto expand access to judicial information in Brazil.

Jurisprudence

Regarding the case mentioned above (that is, the disclosure by the Municipality ofSao Paulo of the names, position and salaries of public servants on a websitedesigned to increase municipal transparency), we should add that the citygovernment lost their case in the first and second instance verdicts. However, thecase remains on appeal.

The stalemate, however, began after the publication of names of public servantsalong with their salaries. In truth, information relating to each position is publishedyearly, but not necessarily together with the name of the office holder or employee ofthe Public Administration, under threat of an invasion of public employees privacy. Inother words, the name of the public servant is published on the website along withhis/ her position and amount, pursuant to local regulations, while publishing yearly,on the other hand, the value of subsidy and salary of each position, in accordancewith Article 39, item 6 of the Federal Constitution. () This is why the informationpublished on the website, rather than favoring transparency, went beyond what isdetermined by the constitutional legislator, and attacked the servants privacy,disregarding the principles established in Article 37, 3, II, of the Constitution, whichexplicitly refers to Article 5, X of the charter. It goes without saying that publicservants (individuals, first and foremost, and subjects of law par excellence) see theirsafety violated when the State, in order to allegedly comply with transparencyrequirements, publishes on one same website, at the same time, and one beside theother: on the one hand, a piece of information that should be limited to a simplereference on wages per position; and on the other hand, information that, in order tocomply with local regulations, should merely list the employees name, position andtasks. () We thus state the unconstitutionality and illegality of the joint publication,in the same document or electronic record, of information regarding "gross wages"for municipal employees side by side with information regarding the name of suchpublic employees, as is the case of the website of the City of So Paulo. Therefore,we determine the removal of information thus published, and prevent its disclosure in

such terms, by any other means.

27

26 More information regarding this case:http://jus.com.br/revista/texto/13163/divulgacao-da-remuneracao-dos-servidores-publicoshttp://www.correioforense.com.br/noticia/idnoticia/46610/titulo/stf_permite_divulgacao_de_salarios_de_servidores_municipais_de_sp_na_i.html27 Proceeding 0020793-83.2009.8.26.0053, 8a Vara da Fazenda Publica, Central Forum, So Paulo.http://www.apmsp.org.br/documento.pdf Original text in portuguese: A situao de impasse, de outraforma, surgiu com a publicao do nome dos servidores acompanhado das respectivas remuneraes,quando certo que a informao relativa retribuio do cargo h de ser feita anualmente, mas semnecessria correlao com o nome do titular do cargo ou do empregado da Administrao Pblica,pena de invaso da esfera da privacidade do servidor. Em outras palavras, trata-se de publicar, no stioda Internet, o nome do servidor, juntamente com o cargo e a lotao, em cumprimento norma local, etodo ano, vale dizer, a cada ano, o valor do subsdio e da remunerao do cargo ou da funo, em

cumprimento norma do artigo 39, 6, da Constituio Federal. (...)Da porque a publicao feita nostio eletrnico da Prefeitura, no lugar da to propalada "transparncia", acabou mesmo por despir ocidado, pois, ao ir alm do que manda o legislador constitucional, investiu contra a intimidade do


27/119

27


The civil society initiatives concerning personal data protection that have beensurveyed are solely devoted to increasing debate on the proposed regulations whichimpact privacy and the protection of personal data28, including devices for personaldata protection comprised in the draft regulation for the defense of civil rights on theInternet.

Consequently, although there is no organized civil society movement, the followinginstitutions working individually in the field are worth mentioning:

Consumer rights organization which deals with the issue of personal data protection:Instituto de Defensa do Consumidor - IDEC

www.idec.org.br

Research center working on the draft bill for the protection of personal data:Centro de Tecnologia e Sociedade - CTS, Fundao Getlio Vargas

http://direitorio.fgv.br/cts/

Habeas Datawww.habeasdata.org

servidor, sem atender ressalva feita no artigo 37, 3, II, da Constituio, que remete expressamente norma do artigo 5, X, da Constituio Federal. No preciso dizer que o servidor pblico ("pessoanatural", antes de mais nada, sujeito de direito por excelncia), v a sua segurana vulnerada quando oEstado, sob o argumento de cumprir um suposto "dever de transparncia", divulga, no mesmo portaleletrnico e ao mesmo tempo, lado a lado, informaes que deveriam se resumir a simples referncia remunerao do cargo ou da funo, de uma parte, e informaes outras que, para dar cumprimento lei local, deveriam ser prestadas com a s publicao do nome do servidor, cargo e lotao. (...)declar[o] a inconstitucionalidade e a ilegalidade da publicao conjunta, em um mesmo documento ouregistro eletrnico, de informao relativa "remunerao bruta" dos servidores municipais e deinformao referente ao nome daqueles mesmos servidores, tal qual se encontra na listagem existenteno site da Cidade de So Paulo. Por conseguinte, determino a remoo das informaes que naquela

forma se fez, impedida a divulgao, naqueles termos, por qualquer outro meio.28 To read about the opinions of the Brazilian civil society (NGOs and private sector) regarding the draftbill on data protection (see left sidebar): http://culturadigital.br/dadospessoais/


28/119

28

1.4. ACCESS TO INFORMATION AND THE PROTECTION OF PERSONAL DATAIN CHILE

Fundacin ProAccesoExecutive Director: Moiss Snchez


The right to access to public information in Chile is regulated through law No.20.28529, published on the Official Gazette on August 20th, 2008, and in force sinceApril 20th, 2009. In addition, this statute was regulated through Supreme DecreeNo.13/2009 of the General Secretariat of the Presidency of Chile.

Law 20.285 establishes a procedure for the exercise of the right to access toinformation, and provides for the creation of an autonomous public agency, theCouncil for Transparency, with the power to monitor and thus ensure effectivecompliance with the rules of transparency. In turn, the agency is responsible for the

promotion and publicity of the right of access to information, as well as to ultimatelyensure its compliance. In the third place, it develops at the legal level the grounds forconfidentiality referred to in Article 8 of the Constitution of the Republic of Chile,pursuant to which the administration can refuse to provide certain information.Finally, it imposes the obligation on State agencies to permanently upload publicinformation to their websites, which is known as active transparency.

The Council for Transparency is an autonomous public agency, with assets of itsown. The Council is familiar with the appeal for legal protection (writ of amparo) thatcitizens can file when they are denied access to certain information, so thatcircumstances can be analyzed as required by law. In addition, the Council isacquainted with the claims people can file regarding violations of the active

transparency rules; that is, information that should be available on a regularlyupdated basis on public agencies websites. The Council for Transparency can alsofunction through the internal control carried out by each of the entities, since theinternal control units will be required to enforce the law. Finally, the Council has thepower to ensure the protection of personal data, although the exercise of suchfunctions is not yet regulated by legal guidelines. In order to amend this situation,there are draft bills currently at the National Congress which seek to address theissue.


The protection of personal data in Chile is governed by Law No. 19.628, also knownas Law on privacy protection, published on the Official Gazette on August, 28 th,1999.

This law incorporates a number of basic definitions regarding the issue of dataprotection, but does not provide for the creation of a public agency to monitor thecompliance with personal data protection. Moreover, there is no public agency whichpromotes and applies the law. In addition, the law does not establish a precisecatalogue of offences and penalties for breaches of the law.

It applies to both public and private databases and data processing entities.

29 http://www.leychile.cl/Navegar?idNorma=276363


29/119

29

At present, Chile does not have a public agency to monitor the right to protection ofpersonal data.

As was mentioned, the Council for Transparency pursuant to the law on

transparency, not to the law on privacy protection is only intended to ensure theproper implementation of Law No. 19,628 by the agencies of the Stateadministration.30 Therefore, it is the responsibility of the Council to ponder in eachcase when to provide the public information requested, or whether to deny it becauseit may affect people's private lives. Thus, the Council has three different courses ofaction when it comes to personal data protection:

1. Regarding public databases, it must ensure protection. However, within thishypothesis, the Council has not yet issued any rulings regarding data protectionwhen they are subject of a claim. Recommendations are under analysis to properlydeal with this kind of situations.2. Regarding information held by the State administration which may affect the rights

of third parties given a request for access (prerequisite), the Council must ponder thesituation.3. Regarding private databases, the Council does not monitor their operation.Therefore, people affected by them can only resort to administrative or judicialproceedings in some cases. This is a quite burdensome course of action forcitizens to protect their personal data.


The relationship between the two regulations is that they govern two sides of thesame coin.31 On the one hand, the law on transparency addresses the exercise of

the right to access information held by the State which gathers information on mostof the countrys citizens. On the other hand, the law on privacy protection putsemphasis on the treatment of data comprised in databases, ensuring these do notaffect personal data. Under current legislation, neither right is supposed to takeprecedence over the other.

Given the lack of a monitoring agency to ensure adequate data protection, the Courtsor administrative agencies (such as superintendents offices) are the ones whichpenalize through fines companies that fail to comply with the due confidentialityand privacy of certain data.

Through the creation of the Council for Transparency an agency devoted to

advertising, promoting and enforcing the right of access to information legislationnow provides a means to facilitate the exercise of this right. Thus, in principle,legislators appear to be concerned with ensuring the exercise of this right, without theproper development of data protection.32

In cases in which the Council has the responsibility to protect personal data, theywork on the basis of requests which could generate a contest with the administrationregarding the protection of data. The Council resolves appeals (amparos) and issues

30 Article 33, item m, Law 20.285 (LAIP)31 RAJEVIC MOSLER, Enrique. Reflections on the use and abuse of personal data in Chile [online].Santiago, Chile< http://www.expansiva.cl/media/publicaciones/libros/pdf/12.pdf >p.14732 It is worth noting that there are currently projects pending in Congress which precisely intend to adjustregulations to international standards on data protection. See, for example, Gazette 6120-07. Availableat:


30/119

30

decisions. There are also cases which generate no contest with the administration, orwhich do not emerge from a request (i.e., information leaking from public databases,or when an individual believes his/ her data have been sold). In such cases, adifferent proceeding is carried out to eliminate their data from databases in

accordance with Law 19.628. Decisions in these cases are not in the hands of theCouncil, but of Courts or other administrative agencies.

In the case of the right of access to information, monitoring is carried out in two ways:actively, through the presentation of a request for access (inadequately calledpassive transparency), or through active transparency. The first allows anyindividual to file a request for access to information held by any state agency, exceptin cases exempted by the law. Thus, should the administration fail to respond to arequest, or should a third party potentially affected by the delivery of such informationoppose the request, individuals have the right to file an appeal (writ of amparo)before the Council for Transparency. The Council, an autonomous agency, willdecide to either deny or grant access to the information. On the other hand, active

transparency enables all individuals to file complaints directly before the Council,whenever an agency required by law to keep updated information on their websitefails to comply with such regulations.33

Given that these rights are antagonistic in nature, whenever the administrationreceives a request for public information that simultaneously contains personal data,the state must inform the third party potentially affected by the delivery of suchinformation. In this way, the affected third party can exercise his/ her right to rebuffthe delivery (through a written and grounded document) invoking reasons for reserveestablished in Article 21, item 2 of the law on transparency.34 In such case, theadministration is prevented from delivering the information, notwithstanding the factthat the petitioner might appeal the decision before the Council for Transparency forits revision. The Council will then have to ponder whether the public interest indisclosing the information outweighs the personal interest which prevents itsdisclosure. Eventually, should the Council deny the release of information, an appealof illegality can be filed before the Court of Appeals corresponding to the petitionersaddress, and an eventual revision can thus take place.

Case studies

Following are situations in which the Council for Transparency, in the event ofrequests for information, has had to ponder between the public interest in disclosingcertain information and the protection of private data.

The first case relates to two requests made to one agency,35 the National Directorateof Civil Service, regarding the same issue: applications for senior managementpositions in public administration.36 In one of the requests, the petitioner demanded

33 Information that must be uploaded to websites is described in Article 7 of Law 20.285 (LAIP), as wellas in General Instruction No. 4 On active transparency, and No. 5, On active transparency in publicenterprises, state enterprises and state companies.34 2) When its dissemination, communication or knowledge affects the rights of individuals, particularlyin the case of their safety, health, private affairs or commercial or economic rights. Article 21, item 2 ofLaw No. 20.285 on Access to Public Information.35 Appeal decisions A35-09, available at: http://www.cplt.cl/data_casos/ftp_casos/A35-09/A35-

09_decision_web.pdf and decision A29-09, available at: http://www.cplt.cl/data_casos/ftp_casos/A29-09/A29-09_decision_web.pdf.36 Proceeding regulated by Law No. 19.882.


31/119

31

information on his/ her assessment, as well as regarding the person who was finallyappointed. In the second request, the petitioner required the list of candidatesselected for the position he/ she had applied to. In both cases, the agency refused toprovide the requested information arguing mainly that: a) both the list of candidates

as the assessments are secret and confidential, as mandated by law No. 19.882; b)that providing this information would be detrimental to the selection system for seniorpublic officers; c) that disclosure would affect the applicants right to privacy, as itcould affect their present and future ability to apply for employment. Accordingly, thelaw on data protection would also deny supply of this sort of information, sinceassessments contain sensitive data (psychological tests). Acquainted with the case,the Council required the agency to deliver all of the requested data to the firstpetitioner (results of his/ her application, together with information on the appointedperson selected, exempting sensitive data). The second petitioner was granted fullaccess, that is, the agency had to disclose the list of candidates selected for theposition. Regarding data protection, the Council grounded its decision arguing that,even if they contain personal data, applications to senior public positions concern the

public interest. Therefore, during such scrutiny, privacy is outweighed by socialcontrol the Council considers that this even benefits the senior public managementsystem. Sensitive data comprised in the reports is exempted from disclosure.

Interestingly enough, when acquainted with the appeal of illegality filed by theagency37, the Court of Appeals voided both decisions. They argued that: a) theprocess for appointment, as established by law, is confidential; b) given that theprocess is confidential, it guarantees the inexistence of present and future negativeconsequences, thus avoiding pressures which may affect the process or the dignityof applicants; c) in the case of third party opposition they argue, on the basis ofdecontextualization, that revealing the information could result in consequences bothto the applicant (affecting their dignity) and the examiner (objectivity).

Another suitable case is the decision regarding appeal No. A53-09.38 After beingdenied access to a copy of records on fines imposed on him by the Department ofLabor, the petitioner filed an appeal for access to information. While the Councildeemed that confidentiality during audit procedures applies solely while they arebeing carried out, it also recognized that part of the information comprised in therequested records might contain third parties personal and even sensitive data,which should be protected. The Council stressed that they could not ignore thespecial nature of complaints filed by workers before the Department of Labor, andthat disclosing them, as well as disclosing the identity of workers who reported ortestified against their employers during the audit process, might affect their job

security or render them subject to reprisals. In consequence, the Council decidedthat, in the case of such personal data, its dissemination, communication orknowledge might affect the rights of third parties whistleblowers or witnesses,especially since it concerned their private life and economic rights arising from therelationship of employment. Thus, the data corresponded to what is regulated inArticle 21, item 2 of the Law on Transparency.

37 SC de A. 943-2010, date September 3rd, 2010. Available at:http://www.cplt.cl/consejo/site/artic/20100906/asocfile/20100906163335/sentencia_ri_rol943_2010_dnsc.pdf38 This is merely a summary of the case, which was fully described in the paper: Emerging strategiesfor the development of data protection in Chile. Written by: Jessica Matus, lawyer at the Legislation and

Regulation Unit; and Alfredo Steinmeyer, lawyer at the Promotion and Clients Unit, both before theCouncil for Transparency. Ruling available at: http://www.cplt.cl/data_casos/ftp_casos/A53-09/A53-09_decision_web.pdf


32/119

32

It is interesting to reflect on the situation of privately managed databases. As will beillustrated with the following cases, the problem lies in is the inexistence of a publicagency with sanctioning powers. Thus, the affected individuals can only resort to

judiciary or administrative proceedings, which deem their data protection quiteburdensome.

The first case relates to data transfer from the Preventive Health Institution(Institucin de Salud Previsional, Isapres) to pharmacies without the consent of thesystems beneficiaries. The case is as follows: a pharmacy employee, through theuse of a clients national identification number (RUT), became acquainted with hisdisease and offered him a cheaper product for treatment. Upon learning about thecase, the Superintendents Office for Isapres imposed a millionaire sanction forviolation of confidentiality.

A second case relates to storage of biometric data for the sale of health-care bonds.

A company called I-med S.A. keeps a database on beneficiaries. When they placetheir print as indicated by a short text next to the reader beneficiaries areauthorizing the eventual free transfer of data to other institutions. The issueunderlying this case is that, if beneficiaries do not by their bond online, they mustobtain it personally at Isapres, a much more burdensome procedure. After a claimwas filed, the short text was modified, and now guarantees that the data will not bedisclosed to third parties.

Jurisprudence

Following are two cases that involved pondering the public interest against the

disclosure of personal data. The reasons underlying these rulings by the Council forTransparency do not relate to balancing of rights, but rather to public interest. Thesereasons are the ones which have evolved in jurisprudence, which has grown from astage of feeble understanding of the scope of protection to a phase in which thescope of these rights is fully understood.

Ruling on appeal A35-0939:On July 27th of 2009, Mr. Eduardo Hevia Charad required the Internal RevenueService to report the value to the date of the agencys response of all thevariables considered in the appraisal of the following assets: No. 528-003; 528-497;528-607; 528-617; 528-747; 528-748; 528-837; and 591-1. In addition, he requestedinformation on the value of such assets by December 2005, January 2006 and

December 2008.

The agency responded arguing reasons of personal data:

d) The justification for secrecy or confidentiality is referred to in Article 21, No. 2 ofthe Law on Transparency, in relation to Article 19 No. 22 of the Constitution. Thelatter regulation stipulates that it is the duty of all State agencies to refrain fromactions that may alter the natural balance between the various economic agents, inthis case, the tenants of a shopping center. It points out that the petitioners requestaims at knowing the real values charged to tenants, and that such data wouldprovide him with an advantage regarding the other owners of commercial premises.

39 Ruling available at: http://www.consejotransparencia.cl/data_casos/ftp_casos/A315-09/A315-09_decision_web.pdf


33/119

33

In addition, pursuant to Article 19 No. 26, the Internal Revenue Service and thisCouncil have the constitutional and legal duty to assess whether their actions mayaffect in essence the guaranteed right.

e) That supplying details on the features of estates belonging to individuals or legalpersons (in this case, owners are legal persons) might affect rights such as thesecurity or privacy of individuals, or of the representatives of legal persons.

The Council for Transparency, on the other hand, ascertained:

12) Regarding this matter, we do not notice an impairment of the legal right which isintended to be protected by deeming the information confidential. On the one hand,at present none of the commercial competitors have an advantage over the other,given the general lack of information regarding variables and values for thecalculation of appraisals. On the other hand, if the information were deemed worthyof public disclosure, given its very nature, all competitors would be able to access

such information, which is why no advantage in the estate market could be alleged.In any case, if we consider that the information relating to the required appraisals ofproperties is public, the variables and values that enable their determination cannotbe recognized as a market differentiator which will allow the petitioner to hold anadvantageous position over other participants in this trade.

13) Regarding breaches of the right to privacy or safety of individuals, beyond thegeneral invocation, the agency has not properly argued how disclosure of therequired information would affect such legal rights. In this regard, bearing in mind thevariables necessary for the appraisal (location, infrastructure, available equipment,kind, quality, age, use, etc), we do not notice that their disclosure might likely leadto a breach of the privacy or safety of individuals.

For these and other reasons, the Council for Transparency granted the appeal andrequired the agency to deliver the data as requested by the petitioner.

Electoral service case (ruling on appeal C407-84)40:A digital copy of the current electoral roll was requested. The agency replied arguingthat, pursuant to Laws No. 18.556 and 18.768, a payment should be made before theinformation was provided, as well as compensation to cover reproduction costs, inaccordance with Law No. 20.285: it amounted to $21,698,799. In light of thisresponse, the petitioner filed an appeal before the Council for Transparency, arguingthat the cost of reproduction should be significantly lower, since it only required the

storage of information in a blank CD. The electoral roll encloses data on allindividuals registered to vote in elections: name, identification number, address, dateof birth, profession or trade, literacy or disability. The reproduction cost demanded bythe agency corresponds when the information is being sold to private companies.The petitioner deems that, since the information is kept by the State in an electronicdata source (aside from books in which it is recorded in hard-copy), it should beconsidered public. Thus, he should only have to cover reproduction costs equivalentto the price of a blank CD. In this case, the Electoral service had to provide theelectoral roll at a price not higher than $200 pesos. The then Council President, Mr.Juan Pablo Olmedo, issued a dissenting vote, as follows:

40 Available at:


34/119

34

he stands for granting the appeal only partially, eliminating from the copy to bedelivered to the petitioner the profession, date of birth, address, identity card numberand disabilities (blind, illiterate) of the registered individuals.

In items 6 and 7 of the dissenting vote, he states:

6) Instead, the other personal data comprised are of no interest in electoral matters.Neither profession, nor date of birth, nor address, nor identity card number isessential to monitor these processes. On the other hand, their indiscriminate transfergiven the low cost of reproduction of such information in electronic format,pursuant to the criterion adopted by this ruling which he agreed to puts the right toprivacy of individuals at serious risks, implying that anyone could access the data, incircumstances under which the Electoral Service would not be allowed to process itby digital means.

7) Even more serious is the intention to provide information regarding disabilities

(blind, illiterate) since such information is, in accordance with Law No. 19.628, of asensitive nature, thus prevented from treatment unless in the cases preciselyestablished in Article 10, and which do not apply here.


Regarding civil society initiatives to promote the protection of data, noteworthy is thework ca

report saber más iii (english)

Documents