Privacy and Data Protection in Latin America: towards a regional standard similar to the European GDPR?

InLaw Alliance | Europe has been a leader in personal data protection. Back in 1981, the Council of Europe adopted Convention 108, the first binding international instrument on data protection. It was even opened for signature by non-European states in 2013, with the addition of nine countries, including Argentina, Mexico, and Uruguay.

Integrated markets, the advance of the Internet, international transactions, and, of course, the consideration of personal data as a tradable commodity revealed the inadequacy of existing regulations. The European Union’s General Data Protection Regulation of 2016 (hereinafter "GDPR") marked a milestone in this area, expanding protections for personal information and transferring responsibility to the companies that handled it. 

The wave of changes initiated by the GDPR was soon felt in Latin America. Just one year after its entry into force, in Chile, Brazil, Colombia, Mexico, Argentina, Uruguay, and Peru, both in enacted laws and in reform bills, a convergence could be seen in structural elements that came from the GDPR: the recognition of personal data as an extension of the right to privacy, the enshrinement of common principles (lawfulness, purpose, proportionality, quality, security, transparency), and the recognition of the rights of access, rectification, cancellation/erasure, and opposition of the data subject ("ARCO rights").

Brazil fully implemented its Lei Geral de Proteção de Dados (LGPD) in 2020, which closely replicates the structure of the GDPR: broad principles, alternative bases for legitimacy to consent, the figure of the data controller, impact assessments, and a specialized administrative authority. Ecuador, for its part, adopted its Organic Law on Personal Data Protection (LOPDP), which develops ARCO rights, strict rules for large-scale processing and international transfers, and a penalty regime with significant fines, also inspired by the European standard. Meanwhile, Peru, which had already amended its Law No. 29,733 on Personal Data Protection in 2017, recently issued a new regulation (Supreme Decree No. 016-2024-JUS), which came into force in March 2025.

In this context, Chile’s recent reform of Law No. 19,628 on personal data protection (hereinafter "LPDP") marks a turning point and brings Chile much closer to the group of countries within the GDPR sphere. The new text will come into force on December 1, 2026, and poses major compliance challenges for companies, but also at the institutional level. 

Among the main contributions is, first, the adoption of a broader definition of personal data, very close to that of the GDPR, and the incorporation of categories that did not previously exist within sensitive data, such as those relating to health, human biological profile, genetic and biometric data, sexual orientation, and gender identity. In addition, it establishes a highly restricted processing regime based on express consent and limited exceptions in the public interest. 

The new LPDP then enshrines in greater detail the principles that should govern the use and processing of data, in terms similar to those of the GDPR. It should be noted that prior to this amendment to the LPDP, the guarantee of personal data protection had already been incorporated into the Chilean Constitution in 2018. Along the same lines, in addition to ARCO rights, the right to data portability and the temporary blocking of data processing are also incorporated.

Following the GDPR framework, along with maintaining the rule of free, informed, specific, and unambiguous consent—which must be accredited by the data controller—other bases for legitimizing use and processing are recognized.

As has been the trend since the GDPR, a specialized public body—the National Agency for the Protection of Personal Data (ANPDP)—has been established with powers similar to those of the European supervisory authorities. But even at the private organizational level, internal control figures have been created, such as the data protection officer, who can develop preventive models in order to act in advance of potential risks.

It should be noted that the new legislation imposes very severe penalties for infringements, which can be as high as 4% of annual revenue for larger companies, again in line with the GDPR.

Protection duties are imposed on public or private bodies that handle personal data, with an obligation to report any incidents or security breaches to the ANPDP or, in certain cases, even to the data subjects themselves.

At the legislative level, it may appear that we are adopting a regional standard similar to the European one, but it is still too early to confirm this. However, it is clear that Latin America has stopped viewing data protection as an appendage of privacy and now conceives of it as an autonomous right with constitutional, economic, and regulatory dimensions. Ultimately, everything will depend on interpretation, institutional capacities, and the practical application that data subjects, users, companies, and national agencies in our region are able to make of it.