I. Legal Framework
Data protection framework
The Uruguayan Penal Code1 establishes several offences related to the violation of privacy. Article 296 of the Penal Code guarantees the privacy of correspondence, establishing that whoever opens an envelope containing a letter (that is not directed to that person) with the intent of learning about its content is guilty of a felony. Article 298 also punishes the disclosure of information obtained by any means similar to those referred to in Article 296. Article 297 punishes the interception of telephone or telegraphic communications.2 Moreover, Articles 300 and 301 increase the maximum penalty when said "information was known by means of fraud and the document was supposed to remain secret by reason of its content or nature." The law also punishes a person who reveals confidential information that has been learned through his job. This provision establishes the obligation to respect professional secrecy. Article 333 of the Penal Code provides the penalty of up to three years' imprisonment for the defamation or slander of any person who can be subject to public scorn. Article 334 provides punishment to any person who by means of speech, gestures, writings, or actions offends the honour of another.
At various times the courts have reviewed disputes in which the right to information conflicts with the right of honor. The courts generally analyze the case and determine: whether the information disseminated concerns events of public interest; whether the description is objective and in accordance with reality; whether it is not aggravating; whether the purpose of providing the information was excessive; or whether the information was published when it was not necessary.3
The Uruguayan Tax Code4 and Banking Law No. 15.322,5 also regulate privacy and confidentiality in their respective areas. Article 686 of the Tax Code authorizes the Government to require taxpayers and parties in positions of responsibility to produce business records, documents, and correspondence. This documentation is not protected by professional confidentiality, since the taxpayer himself is obligated to produce it. "Business records" are understood to mean the journal and the inventory of assets and liabilities.
The Banking Law establishes the obligation to protect the confidentiality of funds or securities in the checking accounts, deposit accounts, or other accounts belonging to a specific individual or legal entity, and any confidential information received by the bank from its clients. There is some doctrinal discussion about whether secrecy is limited to operations that create liabilities, or also includes operations that create assets. While the financial system has always been opposed to the expansion of banking secrecy to include asset operations, in practice both types of transactions have always been kept secret.
Act 16.7137 protects the confidentiality of employment history and other labor records. The employment history includes information about the length of employment, the benefits and contributions paid by each company reported, and the outcome of inspections. The employee can ask for the correction of inexact information. While there are no regulations that protect information in the contractual stage, some writers have contended that it is unlawful to request information about criminal convictions or data about family status, political beliefs, religious beliefs, or union affiliations.8
Law No. 16.616,9 enacted on October 20, 1994, regulates the national statistical system. It establishes that the individual information obtained must be treated with the utmost confidentiality, and that a link should exist between the data requested and the objectives of the statistics or census.10
Law No. 16.011, which regulates the writ of relief, offers a procedural base to articulate the habeas data.11 In October 2004, the Parliament approved Law No. 17.838 on the Protection of Personal Data,12 also called the DBA. The Law regulates data banks containing commercial information13 and establishes the institution of habeas data.14
In Uruguay, an individual's access to credit is determined by his credit information. Being aware of this fact, the legislators regulated the handling of credit information with the intention of facilitating access to credit by establishing clear norms in this area.15 In Uruguay commercial reports are a very sensitive issue, considering the small population of the country (approximately 3,000,000 inhabitants). A single bad credit report takes a person out of the formal market for credit. Even though the law only regulates credit reports, its Section II regulates habeas data action in such a way as to enable a petitioner to access any information related to him and, if his information is erroneous, inaccurate or discriminatory, enables him to ask for its suppression or rectification. The law also innovates by establishing a data protection authority, which functions under the Ministry of Economy.
The DBA regulates "the recording, storage, distribution, transmission, modification, deletion, and in general, the processing of personal data contained in archives, registers, databases, and other media, whether public or private, designed to provide business reports." This means that any and every method of recording data about individuals or legal entities that are stored for the purpose of providing objective business information is regulated. While the law is vague, parliamentary history allows us to determine the meaning of "objective business information": any information that facilitates evaluation of the ability of individuals to meet their payment obligations.16 Possibly this is limited to credit data covering information about operations that create both liabilities and assets.17
In principle, the law provides that individuals who possess data are the owners of the data, and their consent is therefore required for the inclusion of the data in data banks. However, various exceptions establish that certain types of data may be entered without their holder's consent, including, for example, data from public information sources, data collected for the performance of legal assignments or functions, and personal credit data, including data used by companies to meet their own needs.
The data controller is responsible for ensuring that the data collected is true, appropriate, and impartial. Also, the data entered must not be excessive in view of the purpose for which it was collected and the scope of the consent given by the holder of the data.
The legislation establishes the "right to oblivion" (derecho al olvido) insofar as credit data entries must be deleted five years from their recording. If at the end of this period the obligation to the creditor has not been extinguished, the creditor may apply for maintenance of the record for an additional five years.
The DBA also provides that any individual may request access to any information pertaining to him that exists in any data bank, as well as the right to correct erroneous information. Individuals or companies may submit a request for information. If the information is not provided within 20 business days, or its delivery is refused for an unjustifiable reason, the applicant has the right to commence an action for habeas data. Deletion is permitted only if the error or the inaccuracy is obvious, or may cause damage to other individuals. The information must then be reviewed and, if appropriate, corrected within 20 business days from the filing of the request for correction. During this period, an entry must be made in the data bank to show that this information is being reviewed. If by the end of the 20-day period the information has not been corrected or deleted, the applicant has the option of starting an action of habeas data. Such action is aimed at persuading the court to order access to, or correction of, the information. Such an action can therefore be commenced in two cases: a) when the information has not been provided within the required period; or b) when the errors have not been corrected.
The DBA established that an action for habeas data must be treated in the same way as the action for protection of constitutional rights.18 The judge must schedule a public hearing within three days after commencing a habeas data action.19 The DBA designated the Ministry of Economy and Finance as the authority in charge of monitoring compliance with the law.20 The Ministry may punish violating companies by issuing warnings or assessing fines, or even shutting down the data bank.
In October 2006, Uruguay established a register of public and private entities that process personal data. Aimed at providing objective reports of commercial information, this register will be under the responsibility of the Advisory Board that assists the Data Protection Authority. Individuals who process personal data according to the DBA must enroll in the Register within 90 days of the beginning of their activities. Existing databases should register within 90 days after this Decree entered into force.21
- 1. http://www.jasesora.gub.uy/documentos/respuesta/codigo/codigo.doc
- 2. Id.
- 3. See Judgment No. 13 from the Civil Court of Appeals, Term 3 from February 27, 1999 of the Civil Court of Appeals, Third Session.
- 4. http://www.parlamento.gub.uy/htmlstat/pl/codigos/CodigoTributario/1997/c...
- 5. http://www.parlamento.gub.uy/Leyes/Ley15322.htm
- 6. Tax Code, Article 68 "Powers of the Government": "The Government shall have full powers of investigation and inspection. In particular, the Government may require taxpayers and persons in positions of responsibility to produce their own and outside business records, documents, and correspondence, and may require them to appear before the government agency in order to provide information."
- 7. http://www.parlamento.gub.uy/Leyes/Ley16713.htm
- 8. See Américo Pla Rodríguez, "Control de Supervisión Tecnológica del Trabajo y Privacidad del Trabajador" in Derecho Informático, Vol. III (Fundación de Cultura Universitaria, Montevideo).
- 9. http://www.parlamento.gub.uy/Leyes/ley16616.htm
- 10. Marcelo Bauza, Computer and Personal Data in Uruguay, Derecho Informático, Instituto de Derecho Informático (Fundación de Cultura Universitaria, Montevideo 2004).
- 11. http://www.parlamento.gub.uy/palacio3/index.htm
- 12. http://www.clearing.com.uy/clearing/Ley17838.pdf
- 13. Report prepared by the Instituto de Derecho Informático and sent to the Dean of the University of the Republic on August 6, 2003, with respect to the bill. It notes: "The bill concerns not all personal data but only 'business' data, and it has two primary objectives: One pertains to protection of personal data for business reporting purposes, and the other regulates the right to information by means of the institution of the Habeas Data action," in Derecho Informático, Vol. IV, Fundación de Cultura Universitaria, at 427.
- 14. Initially the bill regulated the processing of any and all personal information, but enough support for this bill could not be mustered. When Senators Alberto Brause and Luis Alberto Heber limited the scope of the bill to personal credit data, the bill passed.
- 15. See Marcelo Bauza, "Iniciativas para la Protección de los Datos Personales de Carácter Comercial," in Derecho Informático, Vol. IV, Fundación de Cultura Universitaria, at 294.
- 16. The Report on the bill sent to the Senate states: "This purpose of protection of personal business data contributes to the goal of ensuring greater transparency of the economy and of parties that grant and receive credit. It is an essential lever and tool for achieving genuine development." In its outline of the grounds for the law, the Report notes that: "Legislation with respect to the objectivity, transparency, and quality of information thus equates with facilitating and democratizing access to credit. The principal purpose is a public-policy purpose, since it promotes protection of the right to private life, transparency of the credit market, and protection of credit, and it facilitates their development by reducing their cost thanks to lower interest rates and indirect contribution to the fight against usury."
- 17. It is clear that the legislator intended to regulate only the processing of data that permits evaluation of an individual's economic solvency. However, the provision concerning data that makes it possible "to furnish objective business information" allows a broader interpretation that could be used by the courts.
- 18. http://www.parlamento.gub.uy/Leyes/Ley16011.htm
- 19. The judge may decide not to schedule a public hearing only if the action commenced is manifestly improper.
- 20. To advise the Ministry, a seven-member Consulting Committee was established, with three members representing the Ministry of Economy and Finance (one of whom will serve as Chairperson of the Committee); two representatives of the Ministry of Education and Culture; one representative from the National Chamber of Commerce and Services; and, lastly, one representative from the Business Defence League.
- 21. http://www.mef.gub.uy/pdp/normativa/dec_399_06_registro.pdf