Have you ever wondered how you have been scammed online or why you receive calls or messages from companies you never subscribed to? It all starts with your personal data.
Let’s think about the number of times and places where you left your personal data: name, last name, identity card, address, bank account, health status, emails, passwords. Now, let’s think about the number of times in which they asked you for photocopies of your ID to do paperwork (In Bolivia, for any paperwork you need to do, the Government will ask you to provide a photocopy of your ID!) such as the enrollment in an educational center, the installation of a service, or even the correction of erroneous information somewhere. Finally, let’s think about the number of times you have left your personal data on internet platforms and social media: Facebook, Google, Twitter, Tik tok, among others.
- Can our personal data be violated?
We leave a bunch of personal data everywhere and we do not realize it. Our personal information is collected by public and private institutions and most of the time we do not reflect on where and why this is happening.
Alone, this is not that bad. Actually, our personal data is needed so that various things can be done. For example, to allow the execution of certain public policies or services, developing contracts, personalizing ads. However, such processing of personal data must have specific regulatory frameworks that allow the guarantee of the rights of the data subjects – people-, because in those cases in which there is a personal data infringement there may be enormous consequences.
In this context, we must reflect on the number of cases that have occurred in Bolivia related to the improper use of personal data (just to mention a few):
- Registration of persons as militants of political parties.
- Disclosure of the state of health of persons without their consent by public authorities.
- Dissemination of videos and photos of a sexual nature.
- Leaking of personal data of Covid-19 patients.
- Bank scams through unauthorized access and use of personal data.
These are examples of just some of the most notorious cases related to the violation of personal data, ranging from hundreds of people who, without knowing it, were registered in political parties (which in some cases did not even know they existed), the disclosure of sensitive health status data which resulted in discrimination processes related to diseases that are still stigmatized, and finally when more than thirty people lost around one million Bolivianos (the Bolivian currency) due to illegal banking transactions related to the use of personal data in an unauthorized way. In addition to these cases, other situations arise in our day-to-day life, such as: unsolicited messages sent to our e-mail addresses, telephone calls offering services, publication of attendance lists for events, among others.
- Personal data, digitalization and human rights
The Constitution of Bolivia outlines protections around access to basic services, including telecommunications (where we would include the Internet) including rights and guarantees to privacy, intimacy, honor, self-image, as well as informational self-determination. Therefore, despite not being established literally, the protection of personal data is indeed recognized and must be guaranteed, both in digital and non-digital environments.
The Covid-19 pandemic forced broad digitalization in Bolivia and around the world. Many of the activities and services that were provided in a physical form were transformed into digital ones; There was an increase in digital wallets and digital payment methods Companies had to transform to give continuity to their services and delivery of products, pushing a 150% growth in electronic transactions, and although there are still great challenges for Bolivian companies, a significant growth of e-commerce is expected.
At the public level, the aim remains to strengthen e-government and digital citizenship in order to improve the efficiency of public services, optimize resources and facilitate bureaucracy for citizens. This path started some years ago and was consolidated with the creation of the Agency of Electronic Government and Information and Communication Technologies- AGETIC (2015) and the Implementation Plans of Electronic Government, the Digital Citizenship Law (2018), among other actions. However, there is still a long way to go and most of the procedures and services of public institutions are not yet digitalized.
Some public institutions are starting this process and generating interoperability between them to verify and share information – including, of course, personal data-. Among these institutions are the Public Prosecutor’s Office, the Supreme Court of Justice, the Ministry of Government, the Magistrates Council, the General Service of Personal Identification, Civic Registry Service (SEGIP), and the Bolivian Police. Although there are some regulatory guidelines related to interoperability including Law No. 1173, Supreme Decree No. 3525 and Supreme Decree No. 3946, these regulatory frameworks have been established only in certain areas and without clearly determining relevant aspects related to personal data protection.
Some actions referring to digital economy, e-government, digital citizenship, and interoperability of data, among others, have been established. But there are no clear regulations in this regard because in some cases there are only few articles in-laws (for example Law 1173 that modifies Criminal Code and Criminal Procedure Code) and the other existing regulations are in Decrees or covenants that lack a strong legal background.
The lack of a personal data protection law prevents the handling of personal data from being carried out with a mechanism that fully respects the standards of personal data protection. We don’t have obligations established for public and private institutions that process personal data or specific rights determined for the owners of personal data.
All the aspects mentioned above are extremely important and will allow strengthening the digital transformation in Bolivia, because it is indisputable that we are in the digital and data era. However, Bolivia is not fully prepared because we lack clear and current regulatory frameworks because many of our laws a) are not updated and do not contemplate ways to exercise rights in digital environments, and b) do not establish obligations and some regulation are not at a legal level (decrees and covenants). All of this makes a weak normative regulatory framework that can cause some abuses and does not allow a real guarantee of the rights of individuals.
- Where should we go from here?
Bolivia is one of the few countries in the region – not to mention the world – that does not have a specific law governing personal data protection. In the absence of this kind of comprehensive federal regulation, we have scattered regulations that allude to personal data protection in some dispositions but without a specific data protection law the issue is seen diffusely and it is not clear what are the obligations and rights related to personal data processing.
In a moment in which everything is becoming digital and the cases in which personal data is being used without consent are putting in danger people’s privacy, we can no longer think in a future that does not have adequate regulation.
Having a personal data protection law is important because:
- It is a human rights issue that will fully guarantee what is established in the Constitution, allowing personal data to be protected by both public and private institutions, and both in a physical and digital environment.
- It is an enabler to advance in digital transformation, e-government and digital citizenship, because the strengthening of these aspects allows for more efficient public institutions, where bureaucracy is transformed and the population can optimize their time when dealing with public services. All these aspects require clear regulatory frameworks that allow both the improvement of the public function and the guarantee of rights.
- It strengthens the digital economy. Companies face new challenges to transform themselves using information and communication technologies but they also need a regulatory framework to be able to empower data-driven businesses and guarantee people’s rights.
- It will allow a clear and solid regulation at the legal level, which constitutes the mechanism through which rights and obligations must be established.
Having a personal data protection law is a necessity which must be resolved as soon as possible. The law will be only the first step, followed by a process of institutional integration, socialization processes for the understanding of obligations and rights, and the insertion in national and international debates on the subject. The time to take this first step is now.
Bolivia has entered the digital era and must assume this challenge by seeking to update the regulations and public policies in the digital field. This updating process must be implemented in a responsible and planned manner, since the digital world encompasses different aspects that must be addressed in order to improve state services, strengthen the digital economy, guarantee human rights and digital inclusion so that the digital transformation does not deepen social inequalities. The essential step for this digital update is to have a personal data protection law that establishes the rights and obligations in the personal data processing, and thus, to promote digital transformation processes where there is a clear basis of human rights guarantee and applicable to both the public and private sectors.