Data Privacy in Peru: Considerations for foreign personal data controllers with no physical presence in the Peruvian territory.

20.09.2023

As in the case of other Latin American and European jurisdictions, the scope of data protection rules in Peru has been designed to be circumscribed to a territorial scope based on a local establishment criterion, which creates obligations for data controllers before personal data subjects and the Peruvian National Authority for the Protection of Personal Data (hereinafter, the “ANPDP”).

Notwithstanding this, reality is constantly testing the limits of the law’s scope and extending the applicability of this territorial principle to a broader range of particular scenarios. That occurs, for instance, in the case of non-domiciled entities conducting digital businesses that target Peruvian users, which, under some circumstances, might end up being subject to Peruvian data privacy laws and regulations without having a physical presence in our country.

Currently, in the midst of a technological era, we see an increasing number of tech companies and startups soft-landing in the Latin American region, including Peru, with the aim of providing their digital products and services to Peruvian users. Therefore, a recurrent key question we get from foreign clients, right from the get-go, is whether they will be subject to Peruvian data privacy laws and regulations even without having a physical presence in our country. The answer is not always crystal clear, and it is definitely not the same for all scenarios. Consequently, a case-by-case analysis from the legal perspective is strongly recommended.

The Peruvian Personal Data Protection Law (Law 29733) applies to personal data contained or intended to be contained in public or private databases, whose processing is carried out in the Peruvian territory. Moreover, based on this territorial scope of application, article 5° of the Regulations of the Personal Data Protection Law, approved by Supreme Decree 003-2013-JUS (hereinafter, the “Regulations”), states that the Peruvian data privacy provisions will be applicable in the following circumstances:

  1. When the data controller carries out personal data processing in an establishment located in Peruvian territory that belongs to the data controller.
  2. When the data controller is established in the Peruvian territory, and the data processing is carried out by a data processor on its behalf, regardless of the location of the latter.
  3. When the data controller is not established in the Peruvian territory, but Peruvian law is applicable to it by contractual provisions or international law; and,
  4. When the data controller is not established in the Peruvian territory, but it uses means located in Peru for the processing of personal data, unless such means are used solely for transit purposes that do not involve processing.


Based on the above, it can be concluded that: (i) the first two scenarios foreseen in article 5° of the Regulations target data controllers that have a physical presence in the territory; while (ii) the last two scenarios target those data controllers that do not. The purpose of the regulator has been to ensure that, if any personal data processing falling under any of these four scenarios takes place, data subjects will not be left unprotected, regardless of the territorial location of the data controller.

In the case of tech companies and startups who want to provide their digital services and/or products from abroad, the legal analysis usually focuses on the fourth criterion.

Consequently, in an effort to further elaborate and provide more clarity on the scope of applicability of the Regulations currently in force, the ANPDP has issued a series of advisory opinions that are available to the general public.

In particular, with regard to the scope of application of the fourth criterion foreseen in article 5° of the Regulations, the ANPDP advisory opinion has focused on addressing what “means used solely for transit purposes” should stand for, and therefore, what circumstances would not involve personal data processing in the Peruvian territory, and hence, not be subject to Peruvian privacy laws and regulations.

As stated by the ANPDP, “transit purposes” should be understood as a temporary circulation of personal information, in which telecommunication networks -that are part of internet platforms- are used to allow personal data to transit from one point to another (in all cases, without the Peruvian territory being considered as the sender or receiver location of such personal data).

This, however, does not detract from the fact that there is still debate as to whether the IP address or other technical and/or operational characteristics of the device through which a user registers on the platform should play a role in defining the territorial element. The reason is that, from an operational standpoint, it is disputed whether the traceability that the IP address or the aforementioned device characteristics generate can determine, with a sufficient degree of certainty, whether the personal data originates in or leaves the Peruvian territory. This discussion becomes even more controversial since in Peru, unlike in other jurisdictions in the region such as Colombia, the concept of “international collection” has no jurisprudential or doctrinal development so far.

The reality is that technological advances have given data collection a cutting-edge design that demands the same standard from our laws and regulations; and foreign digital companies and/or services pose a challenge not only when it comes to determining the applicability of the Peruvian data privacy rules but also, if deemed applicable, their enforcement by local authorities.

As the Peruvian authority has no jurisdiction over foreign entities, its supervisory and sanctioning capacity is in practice limited. Thus, in an effort to ensure the protection of the data subject and to try to mitigate the current -and real- problem of cyber-offenders, latest statistics show that the ANPDP is using different mechanisms to seek enforcement -of Peruvian data privacy laws and regulations- on non-domiciled data controllers that fall within the scope of the fourth criterion, and therefore, overcome the hurdle of imposing sanctions on legal entities that could lack a physical presence in the country, by locating means related to said controllers in Peru.

That is the case, for instance, of data controllers that have a Peruvian subsidiary or affiliate, even when such subsidiary or affiliate could develop a different line of business than the data controller or not execute any data processing activities, and despite the fact that, under Peruvian corporations law, subsidiaries and affiliates incorporated in the country shall be construed as independent legal entities from their foreign holding companies.

To deal with this situation, foreign data controllers seek to embrace their own safeguards to avoid being either directly or indirectly (through their Peruvian subsidiaries and affiliates) subject to the enforcement of additional data privacy laws and regulations.

For such purposes, many of these non-domiciled companies decide to retain the services of Peruvian data processors to be able to argue before the ANPDP that under such a structure they have complied with the implementation of essential protection measures on personal data as required by Peruvian law.

This approach is based on the provisions of article 5° of the Regulations, which foresee that when a data controller is not located in Peruvian territory, but its processor is, the latter is responsible for ensuring all -technical, organizational, and legal- measures necessary to guarantee the security of personal data.

Notwithstanding this, such a structure increases, in practice, the regulatory burden on the data processor located in Peru. In this regard, since having an entity domiciled in Peru facilitates enforcement, the local authority might seek, in practice, that the data processor comply with a number of additional obligations towards the data subjects, and even towards the ANPDP, that in another context should only be complied with by the data controller, as the one who decides the scope of the processing of the personal information.

This scheme increases the data processor’s liability exposure, as its participation in the operation could suggest that it fulfills the “role” (although only on paper) of the data controller before the Peruvian regulator and could therefore be supervised and enforced against as such (regardless of how specifically it might actually be commissioned by the data controller).

This is why, as mentioned above, it is essential to carry out a specialized case-by-case legal analysis focusing on the flow of personal information (from its collection or access, to its final storage, and the means used to do so), in order to design a risk-mitigating and duty-assuming strategy that is reasonable and proportionate for the data processing, subject to Peruvian data privacy provisions.

 

Article provided by INPLP member: Alexandra Orbezo and Camila Hernández (Rebaza, Alcázar & De Las Casas, Lima - Peru)

 

 
