[00:08.940 --> 00:11.200]  ...in the different jurisdictions.
[00:11.420 --> 00:24.560]  Today we are joined by three authorities of personal data protection in Latin America, which I will not introduce again, because I have already introduced them in other presentations, but I think that we really have a very interesting panel today.
[00:24.560 --> 00:52.680]  We are going to hear absolutely relevant topics for the companies that are present here, joining us in this session, so that they can understand and give us a better idea of how Latin America works and how it is being inserted in a global economy, while reinforcing this concept of personal data protection and demanding more and more from the companies that adopt the programs responsible for personal data protection.
[00:53.280 --> 01:01.200]  In addition, the authorities of Argentina, Mexico and Uruguay are represented.
[01:01.200 --> 01:17.620]  We are fortunate that one of the authorities, in the case of Uruguay, has just assumed the presidency of the American Network of Personal Data Protection, and Federico is going to tell us a little bit about where the network is moving and what are its plans for the future.
[01:17.640 --> 01:27.740]  So, without further ado, I give the floor to Eduardo Bertoni, so that he can tell us about Argentina's experience.
[01:27.760 --> 01:28.460]  Eduardo.
[01:30.700 --> 01:32.760]  Well, thank you very much.
[01:32.840 --> 01:46.480]  Thank you for being here, especially considering that in these APP meetings, there are many panels at the same time and all very interesting.
[01:46.480 --> 01:56.340]  So, that there is so much competition is something that seems important to us and I personally appreciate it.
[01:56.340 --> 02:04.700]  Well, I'm going to tell you a few things that are happening related to the regulation of data protection in Argentina.
[02:04.820 --> 02:31.780]  Let me start with some general questions, I don't know how many of you know them, but they serve to frame what I'm going to refer to in some more detail, which is the reform process that we are facing and leading in the National Direction on the Law of Personal Data Protection.
[02:32.460 --> 02:53.540]  First of all, what we have to say is that in Argentina, the application authority and control body for personal data protection is the National Direction for Personal Data Protection, which was created in a contemporary way with the sanction of the Law 25.326,
[02:53.540 --> 02:55.600]  which is the Law of Personal Data Protection.
[02:56.040 --> 03:03.800]  That law was sanctioned in October 2000, and a year later it was regulated.
[03:04.520 --> 03:18.680]  I ask you to take into account the dates, more than 16 years ago, when this law was sanctioned, because that has also been one of the reasons for which we were motivated to promote a reform.
[03:19.720 --> 03:33.260]  In 2016, that is, last year, we started, as I just said, a process to reform the current law, the law of the year 2000.
[03:33.520 --> 04:02.620]  We did this process from a participatory and open process in a platform of the Ministry of Justice and Human Rights of the Nation, which is known as the Justicia 2020 platform, through which different types of initiatives can be discussed in a face-to-face and online way through that platform,
[04:02.620 --> 04:04.500]  Justicia 2020.
[04:04.500 --> 04:15.700]  This process of reform of the law had several stages, mainly two, perhaps now three, and we are already in the third.
[04:16.460 --> 04:26.780]  The first stage was what we call the stage of reflection on the need for reform.
[04:27.320 --> 05:01.360]  That is, we do not start from any prejudice or preconception about the irrefutable need to modify the law, but first we wanted to listen to the different stakeholders, the different actors linked to data protection, about what they thought should be a regulation or should contain the regulation of data protection in Argentina.
[05:01.360 --> 05:07.760]  That is why we call that first stage a process of reflection.
[05:08.020 --> 05:17.740]  And in this process of reflection we had more than 30 face-to-face meetings, and I don't remember now how many online comments.
[05:19.020 --> 05:41.020]  That process culminated in December of last year, December 2016, and we from the board published a document that is accessible online on the board's website, which we titled Suggestions and contributions received in the process of reflection on the need for reform.
[05:41.020 --> 05:57.020]  We were not very original with the title, but we wanted to reflect that in reality it was not the position neither of any government office nor of the board about where we had to go.
[05:57.020 --> 06:04.420]  We simply reflected there what the comments had been, and we systematized them by topic.
[06:06.640 --> 06:30.340]  Once we had finished with that document, we had to get to work, and it was thus that this culmination gave way to the development of an antiproject of a new personal data law for Argentina.
[06:33.080 --> 06:46.040]  To develop that antiproject, the different international standards were taken into account, the new normative that is being discussed globally.
[06:46.040 --> 07:06.170]  I always insist a lot, not only the TDPR, but we also saw regulations of Latin American countries more recent than ours, like the Mexican law, like the Peruvian law, we also saw the Canadian law, the law of Singapore.
[07:06.170 --> 07:14.610]  That is to say, we had a sort of inspiration in different types of models, not in a single model.
[07:15.070 --> 07:37.650]  This is how we finished with that antiproject, and again we continued with the tradition of public discussion, and during the month of February of this year, 2017, it was again on this platform, Justicia 2020, that we had a public discussion to receive comments,
[07:37.650 --> 07:49.990]  not abstracted from what we wanted to see in a future law, but in concrete, referring to the development of the antiproject that the board had made.
[07:51.030 --> 08:08.350]  And the truth is that the process was very interesting because again we received many and very good comments and suggestions from sectors of civil society, from the private sector, from academic sectors.
[08:10.110 --> 08:18.630]  And once this process of receiving comments was over, we had two chances, two possibilities.
[08:18.630 --> 08:26.970]  One, that we had never encouraged, which was, well, we listen to what they criticize us, but we don't pay attention to them.
[08:26.970 --> 08:41.170]  Or, what we did was, well, we are going to study all the comments we have received and we are going to make an analysis if in some issues of the antiproject it deserves some kind of reform.
[08:41.970 --> 09:04.930]  And this happened, and I can tell you that at present, that antiproject, which is an antiproject that is, let's say, in the public domain, that many of you know it, has already suffered some changes, which is now in a study, let's say, internal to different government offices.
[09:05.310 --> 09:06.530]  Why?
[09:06.530 --> 09:33.710]  Because, in parallel to what has been happening, the President of the Argentine Nation, on March 1st of this year, announced, when opening the legislative sessions of the National Congress, that a reform project was going to be sent to Congress, a reform project to the Law on the Protection of Personal Data.
[09:33.710 --> 09:51.090]  With which I want to summarize at this point that there is a very advanced technical process that we are leading with this antiproject that we have presented and a political process that is in progress.
[09:51.090 --> 09:58.830]  And, as an objective fact, it is the President's own words when he announces it before the Congress of the Republic.
[09:58.970 --> 10:02.210]  If the question is, well, when is this going to be sent to Congress?
[10:02.210 --> 10:09.150]  These are evaluations of political interest that do not correspond to the direction we are taking.
[10:09.150 --> 10:11.690]  That is, I advance one of the questions.
[10:11.690 --> 10:18.130]  Do not ask me when this is going to Congress, because I am going to tell you that I hope soon.
[10:18.130 --> 10:35.850]  To go round, both the antiproject, as the first known, as the final product that we have worked on, which is the one that can still suffer some changes, but that we have practically culminated since the election.
[10:35.850 --> 10:47.050]  Let me tell you what are some, very few, in very rough strokes, changes compared to the current regime, with the current regulation of personal data.
[10:47.050 --> 10:56.790]  The first change, I would tell you, is a change of philosophic approach to the protection of personal data.
[10:56.790 --> 10:58.290]  Why do I say this?
[10:58.290 --> 11:06.290]  Because this, many times, I do not count it in non-specialized areas because the importance of the change is not well understood.
[11:07.630 --> 11:14.610]  The current legislation is based on a concept of protection of personal data bases.
[11:15.890 --> 11:29.990]  The antiproject that we are promoting has as a center of focus and focuses attention on the protection of the treatment of personal data.
[11:29.990 --> 11:32.170]  That is, the data base is no longer important.
[11:32.170 --> 11:36.970]  Yes, it is important, of course, but the important thing is how the data treatment is carried out.
[11:37.770 --> 11:43.070]  What are some consequences of these, let's say, philosophical changes?
[11:43.070 --> 11:55.250]  Well, one consequence is that in our antiproject, for example, we are including the obligations to notify incidents of security failures.
[11:56.010 --> 12:08.330]  The obligation to register the data bases is withdrawn and we move on to the principle of demonstrated responsibility as relevant changes.
[12:10.750 --> 12:16.550]  A principle is also incorporated, well known to you, which is the principle based on the risk of treatment.
[12:17.650 --> 12:24.930]  And, as I said, the obligations to notify incidents of security are incorporated.
[12:24.990 --> 12:35.290]  Another important change, and again, these are very thick lines, is your disposition in this project and you can make the comparison, those who have not done it.
[12:35.550 --> 12:44.750]  But the other change that I think is very important is related to consent in the treatment of data.
[12:45.230 --> 12:58.190]  There, the current and current regulation, by the way, in Argentina, requires a consent that is intended for an era that is not the one we are living.
[12:58.190 --> 13:05.530]  That is, the way in which consent is required is not suitable for the digital era.
[13:05.530 --> 13:24.310]  That does not mean in any way that the fundamental principle of consent is abandoned, of the titular, of the data, as a fundamental principle for the treatment of data, but what we did was to continue to maintain consent as a rector principle, however,
[13:24.310 --> 13:28.410]  to make it more flexible, in a more adequate way, these times.
[13:29.170 --> 13:41.910]  The consequences of this have to do, for example, with the possibility that it exists for a certain type of data treatment, in certain circumstances, a kind of tacit consent.
[13:44.610 --> 13:55.950]  Clearer rules were incorporated, that did not exist directly, on how the consent of minors has to work, that this is not in the current law either.
[13:56.650 --> 14:13.110]  And we incorporated something that has some relation with the subject of consent, which is to incorporate specifically the legitimate interest in which the data is treated as a basis for doing this treatment, even without consent.
[14:13.110 --> 14:24.550]  The idea of legitimate interest is not in the current law either, however, we believe that it is an important legal basis for the treatment of personal data.
[14:25.990 --> 14:34.090]  Another issue is linked, and I will talk about it today in a panel in the morning, with the international transfer of data.
[14:35.270 --> 14:41.790]  There, the current regulation is a contradictory regulation between the law and the regulation.
[14:42.310 --> 14:48.530]  The regulation tried, the regulation of the law, I mean, tried to correct some problems.
[14:49.050 --> 15:08.410]  What we did in this project is to give clearer guidelines on the international transfer of personal data, which follow more or less the guidelines that we also put forward in a disposition, in a regulation of the direction of last year, which is the disposition 60,
[15:08.410 --> 15:10.790]  on the international transfer of data.
[15:11.290 --> 15:30.750]  We hope that this type of regulation on the international transfer, while protecting personal data, is also a tool that encourages innovation and investment in technological matters.
[15:30.750 --> 15:47.490]  In fact, if anyone has the opportunity to see what the president of the nation said when he announced that this project of the law was being sent, he mainly linked it to the need that we have to have a more modern law for innovation and investment.
[15:48.770 --> 15:58.830]  And to finish, I ask you to give me the damn paper that we need in these conferences.
[15:59.110 --> 16:05.190]  The other issue that is very important is the issue of the application authority.
[16:07.750 --> 16:24.570]  We, from the direction, particularly me, I am convinced of the importance that the application authorities, the authorities themselves, have enough characteristics to guarantee their independence.
[16:26.090 --> 16:50.950]  Currently, although I can say that I enjoy independence because I do not have instructions nor have I received instructions on particular issues, the institutional design that the office has due to a series of issues that would be a little longer to tell you,
[16:50.950 --> 16:58.530]  does not comply with an institutional design that allows to reflect an independent and autonomous office.
[16:58.670 --> 17:28.110]  In fact, despite the fact that Argentina was certified in 2003 by the European Union, one of the observations made by the Working Party in Article 29 and that was made in the process of adequacy was that precisely Argentina had to evaluate the reform of the institutional design of the application authority to comply with international standards.
[17:28.430 --> 17:45.070]  Well, the Anteproyecto walks towards an office that although it remains in an institutional framework within, at least in the Anteproyecto, that is why I tell you that some positions could change within the Ministry of Justice.
[17:45.070 --> 18:07.170]  It is endowed with a much clearer autonomy and independence, from the appointment of the head of the office to issues related to the budget, incorporating procedure rules to designate the application authority.
[18:07.310 --> 18:28.050]  The application authority is granted precisely because it is going to be an autonomous independent authority, it is granted authoritative possibilities that are not in the law and we hope that with this we adapt the new legislation to international standards,
[18:28.050 --> 18:36.150]  a matter that is a pending subject and that we have not yet fulfilled.
[18:36.410 --> 18:40.610]  Well, those are just some of the issues that I wanted to tell you.
[18:40.610 --> 18:44.030]  I am open to any dialogue with you.
[18:44.030 --> 19:11.050]  It is very interesting what is happening in our region, that Argentina is promoting a new law on access to public information, that in Peru a little while ago they sent a reform to the law on access to public information, that in Chile they finally sent a law on protection of personal data,
[19:11.050 --> 19:14.930]  access to public information, protection of personal data.
[19:16.890 --> 19:26.730]  Mexico, we are going to hear it now, is in a much more modern process since a few years ago.
[19:26.730 --> 19:34.830]  In Colombia they are discussing now some modifications linked to the law on possible international transfers.
[19:34.830 --> 19:52.970]  That is to say, there is a lot of movement in Latin America regarding the regulation of the protection of personal data, and it is good that this is happening and it is good that events like this give us the opportunity to discuss them, tell them, and also learn from other experiences to improve them.
[19:52.970 --> 19:53.930]  Thank you very much.
[19:54.890 --> 19:56.610]  Thank you very much, Mr.
[19:56.610 --> 19:57.650]  Reynaldo.
[20:01.400 --> 20:03.680]  There are a few questions left.
[20:03.780 --> 20:05.600]  All the questions are at the end.
[20:20.070 --> 20:21.510]  Good afternoon.
[20:23.110 --> 20:29.130]  In my complex as a professor at the university, I take care of the students.
[20:29.130 --> 20:31.650]  You are students, you know more than I do, of course.
[20:32.110 --> 20:44.530]  Well, first of all, thank you very much for the presentation that was given to me to have the opportunity to talk to you about how the issue of the protection of personal data in Mexico is working.
[20:44.590 --> 20:58.810]  Although it is true that our first law, in a very rustic way, in 2002, about transparency, touched on the subject, it was just a passage that had no greater significance.
[20:59.710 --> 21:10.150]  Currently, to indicate this at the precise moment, we have a legislation, I do not want to say that it is perfect or that it is good.
[21:10.150 --> 21:21.270]  I could simply say that it is advanced and that, for it to be established, if you are not familiar with the Mexican system, I can tell you that we have two kinds of legislation.
[21:21.370 --> 21:25.170]  One that is for the public sector and the other that is for the private sector.
[21:25.710 --> 21:39.310]  The private sector has a federal law, a federal law that has been in force since 2010, which has the application of the federation, therefore, INAL is the competent authority to know about this.
[21:39.350 --> 21:54.650]  And the subject of the public sector is a law that we just got out of the oven, practically, it is a freshly made bread that is in force since January and that is a general law.
[21:54.650 --> 22:15.370]  And as a general law, what it has is a framework that applies to the entire republic, but that each of the 32 federative entities has the obligation to create their own law, that their congresses issue their own laws within the parameters that the general law outlines.
[22:15.730 --> 22:18.890]  This has a very important advantage.
[22:19.230 --> 22:38.950]  The general law gives us, then, a floor of equality, because it makes the provisions homologous and that it can offer to the users, to the people in general, that they have the same rights, the same means of defense, the same actions that they can carry out to protect their personal data.
[22:39.310 --> 22:46.570]  This new law, this new law, does not yet have the state complementary laws.
[22:46.990 --> 22:53.950]  I want to tell you that I don't think you will have time, because the legislator only gave six months to the congresses.
[22:53.950 --> 22:57.570]  Until now, only five states have their law prepared.
[22:57.570 --> 23:02.470]  Some are preparing it, but I think it will be a little complicated.
[23:02.910 --> 23:21.350]  This law, as I was saying, in addition to creating homogeneous procedures, also standardizes the treatment of personal data with the observation of the same principles of equity, loyalty, consent, purpose, proportionality, quality and responsibility.
[23:21.630 --> 23:32.630]  It regulates the transfer of personal data at the national and international level, in which, naturally, the consent of the owner is a basic part.
[23:33.190 --> 23:44.410]  On the other hand, it also establishes the possibility for regulated subjects to develop and adopt schemes of better practices to facilitate the exercise of ARPA rights.
[23:45.170 --> 23:50.470]  It also regulates, as a preventive action, the assessment of the impact on the protection of personal data.
[23:50.470 --> 23:53.390]  This is a real innovation.
[23:53.390 --> 23:55.390]  How to identify the risks?
[23:55.390 --> 23:59.290]  What kind of damage can the violation of ARPA rights cause us?
[23:59.290 --> 24:22.630]  And then, later on, there is even a proposal from a congressman who has not prospered, but maybe he will at some point, about the compensation payments that a person who is affected by the violation of ARPA rights On the other hand, this law establishes compensation measures.
[24:22.630 --> 24:31.890]  We have sanctions, compensation measures, that is, to call attention to violations, but also the application of fines.
[24:32.550 --> 24:34.170]  And we also have...
[24:34.170 --> 24:45.850]  All this, you can also see on our website, where all the statistical information is, where it is indicated how many violations or how many fines have been imposed.
[24:45.850 --> 25:07.330]  Unfortunately, they have not been paid in most cases because there is a resource that can be processed before the Administrative Justice Court in which the nullity of the trial and this sometimes leaves us without the possibility that the payment is really made.
[25:07.570 --> 25:30.920]  But we have been lucky to find a disposition also for reconciliation and to see that more and more more and more people become aware of the impact of the violation of their personal rights, of their personal data, both in their security, in their physical integrity,
[25:30.920 --> 25:35.660]  as well as what may be related to their patrimony.
[25:35.780 --> 25:54.800]  There is an example that in Mexico was very well known of an employee, of a fairly modest salary that, unfortunately, was denied to her by the Tax Administration for the payment of about 80 million pesos of taxes.
[25:54.920 --> 26:01.480]  Well, the poor woman was embarrassed, she had no idea, but of course she could not be charged, not even from her.
[26:01.480 --> 26:06.600]  There had been a theft of identity, that is very real, that is still happening more and more in Mexico.
[26:06.800 --> 26:08.340]  And well, this was clear.
[26:08.340 --> 26:19.220]  There was no action against this lady and of course she was helped to recover all her data, but that is the problem that is being faced.
[26:19.660 --> 26:30.740]  This law also makes us the obligation to create a series of guidelines that we are just doing for the very new issue of the same.
[26:30.820 --> 26:37.180]  And among them we have, for example, the issue that is already in a guide about
[26:40.960 --> 26:41.560]  the...
[26:41.560 --> 26:45.780]  The guide is about to come out, the guide to prevent the theft of identity.
[26:46.020 --> 26:51.820]  And another one to prevent the wrong treatment of personal data in the extracurricular collection.
[26:51.820 --> 26:54.860]  And another one for compensatory measures.
[26:54.860 --> 26:58.960]  And the one we already have is the guide for the embezzlement.
[26:59.160 --> 27:09.100]  That is, how can it be guaranteed that a person's personal data can be erased, can be cancelled, without any other problems.
[27:11.560 --> 27:13.200]  This is for a part.
[27:13.200 --> 27:23.840]  Now, here our moderator asked us to send some questions so that we can talk a little bit about the issue and I want to refer to one of them.
[27:23.840 --> 27:35.240]  Because it is about the contracts that the State would carry out, either at the federal, state or municipal level, with the individuals, now in the light of...
[27:35.240 --> 27:35.880]  or in the absence of...
[27:35.880 --> 27:39.160]  of this new law.
[27:39.160 --> 28:14.900]  And here we have that the companies that want to hire from the State have to submit, as in all the other cases, to the requests that are public and that now not only will they have to meet the requirements but with these more, which are the requirements that they may have the obligation to ask the public entities to those companies that they are going to hire so that they determine how they have the security measures to protect the personal data that comes to them for any of the reasons of their employment.
[28:14.920 --> 28:29.560]  On the one hand, and on the other hand, so that these companies can get rid of, delete, cancel the data at the time they are asked, that they do not misuse them, that they have safe formulas, reliable in all of this.
[28:29.660 --> 28:32.380]  What can we think about all this?
[28:32.420 --> 28:36.300]  That there may be, surely, like everything, a law is made and the trap is sought.
[28:36.300 --> 28:47.460]  Well, I already have the disposition, now I see how I can find a way out that is apparently legal and that I can, at some point, stop complying.
[28:47.600 --> 29:02.980]  I think this is going to be difficult because everything is like a great transparency linked to the law of transparency, naturally, and all the companies that they hire, the government has the obligation to be transparent as well.
[29:02.980 --> 29:06.920]  And the government entities also have the obligation to do it.
[29:06.920 --> 29:26.460]  Now, I want to tell you that with the constitutional reform that we had in 2014, the so-called are made up of all the bodies that are part of the government, as well as those constitutionally autonomous bodies, as is the case of UNAI, which, by the way,
[29:26.460 --> 29:41.100]  we are a participant because we ourselves have to monitor them, but there are others like the Superior Auditorium of the Federation, the National Institute of Statistics, the Bank of Mexico, which are really slave institutions.
[29:41.100 --> 29:46.560]  These autonomous bodies are also subject to this type of transparency.
[29:46.560 --> 29:49.240]  And also, I want to tell you a novelty.
[29:49.680 --> 29:59.280]  They are also subject to this the public commissions and the unions, physical and moral people, and the unions.
[29:59.280 --> 30:08.840]  Only that with the unions there is an absolute respect for the union freedom and for the patrimonies and the quotas that the workers give to the unions.
[30:08.840 --> 30:24.920]  But all those who receive public resources, and therefore some unions do it, have to give an information, a submission of accounts, and they are also obliged to submit to the protection of personal data.
[30:24.920 --> 30:40.560]  In the case of the unions and the physical and moral people who receive public resources, the protection of personal data is governed by the Federal Law of Protection of Personal Data in Particular Possession.
[30:40.560 --> 30:44.740]  It sounds a little complicated, but in reality it is not so much.
[30:44.740 --> 31:01.020]  This is the way it is, because it is complicated to think that a union can be fined because the unions in Mexico are subject to tax law, there is no way to apply fines in that sense.
[31:01.360 --> 31:05.120]  This is the panorama of the contracts.
[31:05.120 --> 31:17.800]  And as I was saying, this way of trying to evade compliance, one could think that through subcontractions the compliance of the law could be freed or mocked.
[31:18.080 --> 31:37.900]  But the legislator learned that the public organizations that are hiring companies and in turn have the obligation to demand the subcontractors to comply with all the same requirements that are required of the hiring companies.
[31:37.900 --> 31:41.540]  Naturally, the responsibility is solidarity.
[31:42.000 --> 31:57.580]  Finally, I want to tell you that one of the concerns that our moderator our good friend Alejandro talked about is that there is a bill that identifies personal data protection crimes.
[31:57.580 --> 32:08.920]  There are already 17 state laws that identify or penalize a crime related to theft or identity theft.
[32:09.280 --> 32:25.480]  And there is a proposal for the Federal Penal Code to talk about this crime and to apply a penalty that can be from several years in prison from 6 to 4 years more or less.
[32:26.140 --> 32:28.580]  And from 6 months to 5 years.
[32:29.100 --> 32:33.380]  And there is also a penalty of 3 months to 3 years in prison.
[32:33.500 --> 32:43.020]  The state authorized to identify personal data with profit causes a security violation to the database under its jurisdiction.
[32:43.400 --> 32:50.380]  When it comes to sensitive personal data the penalties mentioned are duplicated.
[32:50.380 --> 33:01.780]  They are also duplicated when the person who is using personal data is in charge or has access to the database.
[33:04.400 --> 33:25.040]  The bill presented by a congressman talked about that it was not enough to apply only ammortization or penalties but it was necessary to point out a prison sentence for all those who misused personal data.
[33:26.020 --> 33:27.980]  It has not prospered.
[33:27.980 --> 33:34.160]  It is not endorsed by a whole sector of congressmen but only by one congressman.
[33:34.160 --> 33:37.520]  It was discussed in commissions and it did not happen again.
[33:37.520 --> 33:40.020]  Congressmen are very busy.
[33:40.020 --> 33:45.280]  They have only one year and a half of service.
[33:45.280 --> 33:47.660]  They renew themselves every three years.
[33:47.780 --> 33:56.100]  They have a series of tasks because, as you know, Mexico has gone through a very serious crisis regarding corruption.
[33:56.100 --> 33:58.580]  And Mexicans still have faith.
[33:58.580 --> 34:09.020]  The majority of Mexicans are convinced of the ethics of work and the need to end corruption as reflected in the news that has been recently heard.
[34:09.020 --> 34:18.780]  In this way, we know that the INAI, which is also part of the National Anti-Corruption System, does its best task in this regard.
[34:18.780 --> 34:24.640]  But the congressmen, along with the senators, are now concerned about several issues.
[34:24.640 --> 34:32.400]  This is one, to name an anti-corruption prosecutor so that the piece of what is called the National Anti-Corruption System is assembled .
[34:32.400 --> 34:57.580]  In this way, this and another very important issue that is part of the National Transparency System, which is the General File Law, makes them very busy with other political issues, and I don't think there will be a serious discussion that leads us to the acceptance and approval of the proposal made by this congressman.
[34:57.580 --> 35:19.740]  I cannot give you an official opinion because in INAI we are seven commissioners, our opinions are not the same, we have not done a serious study among the seven of us to determine if we agree or not to have criminal sanctions, from prison.
[35:20.200 --> 35:27.160]  Maybe at some point most of us decide yes, and then we will bet on that idea.
[35:27.160 --> 35:29.500]  Maybe most of us decide no.
[35:29.820 --> 35:50.800]  Personally, I would not like to think that we need to reinforce ethics and that we need to create the fulfillment of values and principles before having to reach extreme measures when prisons are full and when in reality there is no rehabilitation in prisons.
[35:51.040 --> 35:53.380]  This is what I could tell you.
[35:53.380 --> 36:17.640]  And finally, I would like to point out that this new law also talks about the creation of a national system of data protection that already exists because with the General Law of Transparency this national system was formed in which it is integrated by the dependencies that I told you about a moment ago,
[36:17.640 --> 36:33.000]  the INEGI, the Superior Auditorium of the Federation, the General Archive of the Nation, and also the 32 guarantor bodies of each of the federative entities are represented .
[36:33.000 --> 36:41.600]  It is a system that takes decisions in a collegial way, it works in the form of commissions, it is working very well.
[36:41.600 --> 36:55.220]  The criteria and guidelines that have to be issued in order to be able to understand the apparatus of the law will be created both by the INEGI and by the national system itself.
[36:55.220 --> 37:15.020]  And to finish, let me tell you that all of this is a gear, because just as we have the Law of Transparency and the Law of Personal Data Protection that are linked, where we have to balance when yes and when no the data can be made known, when yes it can be erased,
[37:15.020 --> 37:17.900]  when no, when it can be cancelled, etc.
[37:17.900 --> 37:26.180]  So we have the need to create a system that is very robust about files.
[37:26.180 --> 37:35.640]  If we don't have information, if we don't have files stored, documented, with an adequate question, we can't give information.
[37:35.640 --> 37:44.060]  If we don't have a good system of information, it is also a little complicated to be able to comply with other rights such as the rights to...
[37:44.060 --> 37:55.740]  And well, I think that's all I have to tell you, except that my colleague, a friend from Uruguay, talks about the American religion.
[37:55.740 --> 38:16.340]  I would also like to tell you that we are completely convinced in Mexico of the need to join efforts to be able to create themes of conventions, of agreements, that allow us to regulate and control the transfer of personal data.
[38:16.340 --> 38:36.080]  Whether we make a multinational legal framework, or a multinational one, we have to find a way to meet the requests of the guarantor authorities that directly request the use of national data.
[38:36.080 --> 38:54.940]  And, of course, we know that it is important to promote the framework of professionalization, which demands more and more people prepared to evaluate impacts, to detect risks, to prevent them, and to be able to solve these serious problems that, as we see,
[38:55.540 --> 38:59.000]  increase every day and become more serious every day.
[39:00.500 --> 39:11.740]  Mexico is already very advanced in the procedures related to the approval of Convention 108 on the Protection of Personal Data of the European Council.
[39:11.740 --> 39:16.240]  We are already working with the Mexican authorities that correspond.
[39:16.260 --> 39:19.200]  We are already accepted as observers.
[39:19.260 --> 39:32.940]  We have already been participating in the sessions, both in Paris and in Strasbourg, and we hope that soon we can have a good result with the time that naturally passes so that an international agreement can be approved.
[39:32.940 --> 39:35.860]  But I hope that soon we can have good news.
[39:35.860 --> 39:36.680]  Thank you very much.
[39:36.680 --> 39:37.480]  That's all.
[39:42.340 --> 39:44.920]  Thank you very much, Patricia.
[39:44.920 --> 39:47.920]  We will give you time to finish the session.
[39:51.300 --> 39:53.500]  Thank you very much.
[39:53.500 --> 39:55.130]  Good afternoon to everyone.
[39:55.720 --> 40:05.580]  It is a pleasure to be here sharing with you these minutes, and I hope that it is a well-spent time.
[40:05.580 --> 40:20.900]  As our keynote speaker said, who opened today's sessions, and for me it is also an honor to share this panel with such respectable friends and colleagues in this matter.
[40:22.890 --> 40:38.040]  Before starting to talk specifically about Uruguay, I want to refer, as had already been anticipated, briefly to the Ibero-American Network of Personal Data Protection.
[40:38.040 --> 40:57.680]  Since March of this year, Uruguay is the country in charge of the presidency of the Ibero-American Network, having received, after an excellent management, the presidency of the network.
[40:57.680 --> 41:03.400]  And why do I bring to the table this topic?
[41:03.600 --> 41:20.100]  Because we understand, and here at this table we are represented by several countries that integrate the executive council of the Ibero-American Network, Mexico, Argentina, Colombia, Uruguay and Spain, the permanent secretariat.
[41:21.100 --> 41:25.020]  We understand that the Ibero-American Network is called to play
[41:28.480 --> 41:32.940]  an absolutely important role in our region.
[41:32.940 --> 41:53.300]  We are aware that one of the great difficulties that large corporations find when they want to come to our region and face the various forms of regulation, particularly in personal data protection, because when there is regulation it is diverse or directly there is not,
[41:53.300 --> 42:11.440]  we understand that forming a common front facilitates things for operation in the context of how it operates in this global world, the globalized world.
[42:11.440 --> 42:12.420]  This is in the first place.
[42:12.420 --> 42:43.260]  Secondly, because it is necessary, in addition to being good, it is necessary for the region to have an institutionality capable of being a valid interlocutor with other entities or other countries that, naturally, due to our relative size, our economic potential,
[42:43.260 --> 42:49.280]  however you want to classify it, it is difficult for us to sit down and talk at the table.
[42:49.280 --> 43:04.980]  So, as we establish certain common bases to be able to sit down and to talk, we will also advance for the benefit of our region.
[43:04.980 --> 43:25.740]  So, these two things are really very important and precisely in a few days, in Cartagena de Indias, Colombia, there will be a meeting of the Ibero-American that will deal with the Ibero-American standards for the creation of personal data.
[43:25.840 --> 43:27.280]  It is not
[43:30.320 --> 43:50.480]  a norm , but it is a standard that Mexico developed in a formidable effort on which we have been working in the network and will be closed in the next meeting in May in Cartagena de Indias.
[43:50.480 --> 44:00.880]  These standards are called to be the floor, the base, the common denominator that Latin American countries will be able to consider
[44:04.200 --> 44:20.900]  at the time of legislating, regulating, reviewing their regulations, taking it as a good practice, but we are taking a step in the direction I was mentioning at the beginning of my talk.
[44:21.500 --> 44:28.660]  Having said this, now I want to share with you the experience of Uruguay in Latin America.
[44:28.660 --> 44:50.200]  When I talk about the experience of Uruguay, I do not only want to refer to the experience we have had as regulators and in the protection of personal data, but also I would like to be able to transmit the experience of Uruguay as the experience of Uruguay.
[44:50.740 --> 44:59.000]  In the double sense of the word, the experience of having traveled a path, the experience of the country.
[44:59.000 --> 45:33.960]  To do this, and to talk about a regulation and to understand the way to regulate any issue in particular the protection of personal data, it is necessary in some way to get closer to the culture, to know at least some of the basic signs of identity of a nation to be able to understand what are in short the explanations to the results that are presented.
[45:33.960 --> 45:54.470]  For this, allow me to translate them in time, simply as a reference, 200 years, nothing more than 200 years ago, because I want to transmit three significant ideas that mark our sign of identity, the DNA of the Uruguayans.
[45:55.150 --> 46:08.450]  For this, I have to refer to the independentist process and at what time to speak, I will not be a Uruguayan theorist, rest assured, I will not summarize only in three concepts.
[46:10.110 --> 46:17.930]  The first one is part of a document that
[46:21.670 --> 46:31.190]  José Artigas thought and gave us to the Uruguayans, which is to promote freedom in all its imaginable extension .
[46:31.190 --> 46:36.350]  To promote freedom in all its imaginable extension.
[46:36.350 --> 46:40.110]  Think about the implication of these words and the depth they have.
[46:40.110 --> 46:46.650]  The second element is the importance of the Republic and the separation of powers.
[46:46.650 --> 47:02.910]  Therefore, the Uruguayans are impregnated and we have in our DNA for 200 years the defense of the institutions of the Republic and democratic values as one of the standards that guide us.
[47:03.170 --> 47:24.910]  And the third one, which we also bind to our liberator Artigas, is known as the prayer of April, in which he says My will is born of you and ceases from your sovereign presence.
[47:24.910 --> 47:29.030]  He is not trying to say anything else, he is the first among his equals.
[47:30.030 --> 47:38.490]  These three elements all together mark the identity of the Uruguayans.
[47:38.590 --> 48:00.370]  And in light of these signs of identity, we must understand the regulations and the importance that we give to the institutions and other elements that we are now going to share so that we can see that Uruguay is not only football, good meat, good beaches,
[48:00.370 --> 48:05.130]  but also that the institutions are very important.
[48:07.530 --> 48:13.330]  We share the honor with Argentina and football too.
[48:16.710 --> 48:31.310]  Without a doubt, those numbers that appear there, which are rankings, have the relative value of expressing in some way how Uruguay is seen in the international concert.
[48:31.310 --> 48:38.470]  I am particularly interested in highlighting the Democracy Index.
[48:38.470 --> 48:49.610]  It is an index that The Economist publishes every year and places Uruguay as the first in that dimension.
[48:49.610 --> 48:56.090]  But this is not a competition and I do not care too much about this.
[48:56.090 --> 49:04.570]  On the other hand, if we care more when we talk about football, for example, we are going to look at the table of positions of the World Series.
[49:12.890 --> 49:25.430]  Well, to be able to get to these things, one has to start from the identity sign that I referred to previously.
[49:27.510 --> 49:44.090]  Now, some things are happening in Uruguay and some things that are very important and I would say that they are a series of internal endogenous forces in our country that have radically changed the reality in recent years.
[49:44.090 --> 49:58.870]  This has to do with the multiplication of access to information, Internet access, availability and access to information and communication technologies.
[49:59.490 --> 50:13.970]  Uruguay is the first country to give free to all schools of public education, free computers and free Internet access.
[50:14.110 --> 50:18.310]  This has been in operation for practically 10 years.
[50:18.310 --> 50:19.410]  At the other end
[50:23.050 --> 50:36.470]  of the age scale, there is also a plan to give all retired and retired a free Internet access tablet.
[50:39.430 --> 50:49.330]  And within the framework of all the changes of the electronic government and the introduction of new technologies, Uruguay is currently having
[50:52.390 --> 50:59.750]  our electronic identity card that has a chip that allows us to sign documents electronically.
[51:00.030 --> 51:17.290]  So all these elements, if we add them up, we are seeing how important is the protection of personal data in this context of permanent growth and incorporation of new technologies in our society.
[51:17.730 --> 51:27.290]  How important is the protection of children, of retirees, of all Uruguayans, of all people in our country.
[51:27.290 --> 51:30.490]  And these are some examples of the things that are happening.
[51:30.990 --> 51:33.370]  These are the endogenous forces, as I was saying.
[51:33.370 --> 51:57.130]  We cannot forget all those that we have been hearing during all the conference, Big Data, Internet of Things, Machine Learning, what happens with transparency, all those technological revolutions that year after year astonish us and astonish us again.
[51:57.310 --> 52:20.170]  Some are repeated because they do not cease to be, but in some way they are also forces that do not originate in our country but do originate globally and of course we are in this globalized world subject to those technological changes and we must adapt to them.
[52:20.170 --> 52:39.850]  But I simply, to the effect that this is not a purely theoretical question, that Big Data is a massive treatment , I took the job after lunch just so you can see that it is not so difficult to work in Big Data, that one can do it in a while.
[52:40.450 --> 53:03.730]  That is an analysis of the conversation on Twitter that took place in this conference following the hashtag GPS17 where we can see who are the most influential in the conversation on Twitter during these two days of the conference.
[53:03.730 --> 53:08.590]  This was done a while ago.
[53:08.590 --> 53:19.330]  That is to say, Big Data, Internet and things are not abstract and complex issues that can only be done in supercomputers.
[53:19.890 --> 53:37.490]  This can be done in a hotel room with a laptop with little Internet connectivity and few resources and well, after having eaten so you can imagine what you can do in better conditions.
[53:38.450 --> 53:40.570]  All this, what does it imply?
[53:40.570 --> 53:42.290]  It implies challenges.
[53:42.370 --> 53:43.890]  Because what happens?
[53:43.890 --> 53:46.730]  The rules of the game have changed.
[53:46.830 --> 53:55.350]  The rules of the game are changing every day, be it for internal reasons or reasons that are not given by the outside world.
[53:55.450 --> 54:03.010]  What are the answers to these technological changes concerning the protection of personal data in Uruguay?
[54:03.010 --> 54:19.110]  Well, as an answer we have designed a public policy on personal data protection and I emphasize the public policy on personal data protection which is basically based on these three pillars.
[54:19.110 --> 54:20.750]  Sustainability.
[54:20.750 --> 54:30.990]  There is no point in promoting and trying to advance in personal data protection if we cannot sustain it in time.
[54:32.430 --> 54:41.250]  Involve all the actors that are somehow affected or are part of this public policy.
[54:41.250 --> 54:43.330]  This is one of the fundamental elements.
[54:43.930 --> 54:56.650]  And the third is a deep conviction and a deep sign of identity in the defense of human rights when we talk about personal data protection.
[54:56.650 --> 55:06.650]  These three elements are essential pillars within the public policy on personal data.
[55:06.750 --> 55:17.230]  Notice that our law on personal data protection is from 2008 and was unanimously approved by the National Parliament.
[55:17.230 --> 55:25.430]  That is, all the political sectors of our country unanimously voted for this legislation.
[55:25.910 --> 55:31.550]  What is the value of the unanimity surrounding this?
[55:31.550 --> 55:43.830]  It is that it allows us to establish a public policy that is sustainable, that is not subject to political biases and that allows us to project in the long term.
[55:43.830 --> 55:48.270]  It allows us to transform this public policy into a state policy.
[55:48.270 --> 56:04.290]  For us, this has great value and it is related to what I said at the beginning, to our sign of identity that we value especially when we refer to the institutions and the importance that the institutions have for us.
[56:04.490 --> 56:23.630]  That is, in a way, a chronology of the things that have happened in the protection of personal data in Uruguay, since the law was sanctioned in 2008, going through the process of adequacy and finally the decision of the European Union as a suitable country to Uruguay in 2012,
[56:24.210 --> 56:46.050]  the addition and ratification of the 108th Convention and its additional protocol , making it the first non-European country to be part of the 108th Convention, and another number of elements that have been happening that you can see in more detail later in the slides.
[56:47.010 --> 56:56.130]  But there are also some other elements that I would like to comment on, and especially one of them.
[56:56.530 --> 57:13.990]  Last year we managed to incorporate in the educational program of primary education for all children in public and private schools in our country, as part of the curriculum, the protection of personal data.
[57:13.990 --> 57:20.270]  That is to say, all our children are being trained in the protection of personal data.
[57:20.270 --> 57:29.730]  For me and for the members of the Council, from day one, we set ourselves that goal, and I think it is one of the most important achievements we have.
[57:29.730 --> 57:50.750]  We have the conviction, I personally and in the Council, that if it is not based on education, especially from the youngest, it is very difficult to achieve and internalize the importance of the protection of personal data and privacy.
[57:54.910 --> 58:07.670]  Our community of personal data protection basically has this structure, I will not go into details, but I do want to focus on one of the elements that compose it, which is the Consulting Council.
[58:07.670 --> 58:11.830]  It has an Executive Council, which I am part of, and a Consulting Council.
[58:12.050 --> 58:23.630]  The Consulting Council plays a fundamental role in what has to do with the update of the regulation of the normative in the protection of personal data in our place.
[58:23.630 --> 58:24.490]  Why?
[58:24.610 --> 58:38.310]  Because the Consulting Council is integrated by law by a representative of the Judicial Government , a representative of the Legislative Government , a representative of the Prosecutor's Office, a representative of the Public Ministry, a representative of the Academy,
[58:38.310 --> 58:41.070]  and a representative of the Chamber of Commerce.
[58:41.070 --> 59:02.530]  That is to say, in this Consulting Council are somehow integrated all the main actors of our society, and it is through this Consulting Council that we have begun to work and think about what would be the processes of reform of our legislation in case it is necessary.
[59:02.530 --> 59:23.310]  And in this sense we have been working silently, without pause, without hurry, but we have been working in a sustained way with all these actors in the Parliament, with the Judicial Government, with the Industry, with the Academy.
[59:23.310 --> 59:29.330]  That is to say, all the fundamental actors in this issue.
[59:29.330 --> 59:55.350]  That is how we plan to work in the moment that we consider the most opportune, taking into account, and I insist on what I said at the beginning, our deep republican vocation to defend the institutions and the separation of powers, following in some way those three concepts that are there.
[59:55.350 --> 01:00:16.470]  To be ready, to have all the tools available, to improve them, when it is necessary to improve them as much as possible, and to constantly rethink them and re-improve them, and re-prepare them again and again.
[01:00:16.470 --> 01:00:44.110]  This is the vision of our Unit of Protection of Personal Data, and I thank you for the time you have given me, and to conclude, a reflection that has to do with one of the three pillars that I mentioned that integrates our public policy of personal data protection,
[01:00:44.110 --> 01:00:46.730]  that has to do with the defense of human rights.
[01:00:47.450 --> 01:01:14.830]  Frequently, when we see ourselves overwhelmed by the advances of technology, when we get up and every day we have news that put intention at risk, or seem that there is nothing left to do in terms of personal data protection, voices arise saying that it is too late,
[01:01:14.830 --> 01:01:16.030]  that it is not worth it.
[01:01:16.030 --> 01:01:26.570]  But believe me, and I have the conviction that when it comes to the defense of human rights, it is always necessary and never too late.
[01:01:26.570 --> 01:01:27.730]  Thank you very much.