Jun 01, 2005
Personal privacy as it relates to technology is not an issue in Central America. Privacy issues seem trivial compared with the extreme poverty faced by many people in this part of the world. According to SIGET (a regulatory agency that oversees the electricity and telecommunications sectors in El Salvador), no Central American organizations or groups focus on technology’s impact on individual privacy. I have found that the great majority of Central American citizens, even the highly educated ones, have very low concern about data privacy. Identity theft is virtually unheard of, and people give away sensitive information easily.
But slowly, the public seems to take information-security issues more seriously. This increased awareness has been fueled by the regulation of some industries, including the financial sector. As part of the security discussion, privacy concerns are beginning to have an audience.
Large Central American companies routinely sell their customer information, and nobody seems to complain. Considering that more than half of the region’s population lives at extremely low income levels and the other half struggles to have a merely decent living, it’s easy to understand why someone might give away private information eagerly in exchange for small benefits.
RFID is being introduced at important conferences about supply chain logistics. Local industry players are just learning about RFID technology, and some larger companies are beginning to experiment with it. Several manufacturing plants produce products sold at Wal-Mart, and the retailer’s requirement for suppliers to tag merchandise has been one of the drivers for the adoption of RFID technology.
The regional bodies in charge of RFID implementation comprise each country’s GS1 organization. According to DIESCO (El Salvador’s GS1 member organization), RFID is being used in El Salvador for inventory management by the International Airport and by two of the nation’s major retail companies. Similar implementations are being experimented with in other Central American countries.
Old Assumptions in a New World
Central American nations are in the early stages of building information systems, and most people are in favor of a unique, government-provided ID number that can identify one individual anywhere. The advantages created through that kind of information link are so impressive and economically attractive that discussing the dangers is frowned upon. Additionally, the cultural assumption is that a person who does not want to share his or her “public” information must be hiding something evil.
In the work environment, an employee would never question an employer’s request for personal information. Nor would tracking systems be questioned. The relationship between employee and employer in these countries is such that it generally leaves no room to question the employer’s guidelines.
In 1965, the Organization of American States (OAS) called for protecting privacy as a human right in the “American Declaration of the Rights and Duties of Man.” One would expect to see legislation covering privacy issues in all American countries by now, but the reality varies greatly.
In its most recent survey of privacy laws and developments worldwide, Privacy International revealed that none of the Central American countries seem to have privacy legislation. According to the report, only Nicaragua has a pending effort to enact a privacy law. However, some South American countries are adopting laws to combat privacy violations that occurred under previous authoritarian regimes. For example, Argentina, Chile, Peru, Colombia and Brazil now have privacy-protecting legislation.
Without appropriate legislation, international transfer of personal information is prohibited. Argentina was the first Latin American country to obtain this approval from the European Union. Argentina passed the Law for the Protection of Personal Data in 2000 and the Regulation of Privacy Law in 2001. This legislation is primarily a result of Argentina’s strong economic and business relations with Europe.
In 1996, Brazil passed a bill promoting privacy of personal data in conformance with the Organization for Economic Cooperation and Development (OECD) “Guidelines for the Protection of Privacy and the Transborder Flows of Personal Data,” which address both public and private records. In addition to the standard prohibitions against unfair gathering and use of personal data, the bill entitles every citizen to access his or her data; correct, supplement or eliminate it; and even be informed that such data exists. Brazil also imposes prison sentences on those who insert false data into information systems.
The Colombian government, because of terrorism concerns, is trying to restrict privacy rights in terrorist cases so that it can intercept or record communications without a court order. The private sector has neither a law nor a legal framework to protect data. But initiatives now exist to create legislation that complies with international data protection principles. Colombia signed the American Convention on Human Rights and the United Nations International Covenant on Civil and Political Rights, but Colombian legislation hasn’t kept up with technology advances.
State of Emergency
In Peru, the president has the authority to remove privacy rights in a “state of emergency.” This tactic has been used frequently in the past, most recently in May 2003, during widespread strikes by farmers, judiciary workers and teachers. Peru has also signed the American Convention on Human Rights.
In May 2003, after the Electronic Privacy Information Center initiated Freedom of Information Act requests, it was brought to light that ChoicePoint, the leading provider of public-record information for law enforcement and other government agencies, was selling public registries of Latin American countries to the American immigration law enforcement agency. The transfer of personal information is strictly legislated in Argentina, and according to Privacy International, it will soon be legislated in Colombia, Costa Rica and Mexico. Several Latin American countries have started investigations into the legality of the transfer of such information.
Third-world nations replicate to a large extent what they see in the first-world nations. The United States and Europe must serve as a firm model for privacy legislation and enforcement to provide necessary privacy protection for all.
Reprinted from RFID: Applications, Security and Privacy, Simson Garfinkel and Beth Rosenberg, Editors. Copyright 2005 with permission from Pearson Publishing, Addison-Wesley Professional. Jennifer Torres-Wernicke is the chief information security officer of a Central American financial institution.