Database
Restrictions on data
CHILE
Since August 1999, amended in 2012
Reported in April 2017
Chapter Data policies |
Sub-chapter Sanctions for non-compliance
Chilean Data Protection Law N° 19,628 (Amendment by Law No. 20,575)
Proposal for Data Protection Law
In Chile, courts are authorized to impose a fine of 2 to 50 UTM (approximately US$150 to $3,400) for privacy violations. However, no such fines have been imposed to date.
A new proposal for a Data Protection Law will create a Personal Data Protection Agency that will have the ability to monitor and enforce compliance and penalize violations of the law by applying fines of up to CLP 236,500,000 (approximately USD 370,000).
Coverage Horizontal
Sources
- http://www.edrm.net/resources/data-privacy-protection/data-protection-laws/chile
- http://www.truste.com/blog/2015/02/17/chilean-government-stronger-privacy-provisions/
- http://www.mondaq.com/x/694540/data+protection/The+bill+amending+the+data+protection+act+was+approved+in+general+terms+this+is+its+content
Restrictions on data
CHILE
Since 1906, amended in 2007
Chapter Data policies |
Sub-chapter Data retention
Criminal Procedure Code - Art. 222
The Chilean Criminal Procedure Code imposes a mandatory data retention regime that compels Internet service providers (ISPs) and telecommunication companies to collect and store for at least one year records documenting the online activities of users.
Coverage Internet Service Providers and telecommunication companies
Restrictions on data
CHILE
Reported in April 2017
Chapter Data policies |
Sub-chapter Restrictions on cross-border data flows
Proposal of Data Protection Law
According to a proposed Data Protection Law, data transfer is permitted when (i) the data subject consents to it and in order to fulfill the purposes of the processing; (ii) it is necessary for performing a contract to which the data subject is a party; (iii) there is a legitimate interest by the transferor or transferee; and (iv) the law so provides. Additionally, international transfers of data will be considered lawful when the transfer is made to a person subject to the legal system of a country that provides adequate levels of protection, understood as meaning that such protection meets standards similar to or higher than those of the data protection law. The Personal Data Protection Agency will determine the countries that have adequate levels of data protection, considering the elements provided for by the data protection law.
Coverage Horizontal
Restrictions on data
CANADA
Since 2004
Chapter Data policies |
Sub-chapter Other
Freedom of Information and Protection of Privacy Amendment Act
If a foreign government, court, tribunal or other authority requests access to personal information held by a public body or a service provider in British Columbia, then the public body or service provider must provide notice to the B.C. Government of the request and general information regarding who made the foreign demand, when it was received and the general nature of the personal information sought in the foreign demand.
Further, the public body or service provider must provide notice of any demand made by a local organization or person which it reasonably believes was made in response to a foreign demand. This means a public body or service provider must provide notice if it thinks the demand is indirectly a foreign demand. The obligation to report foreign demands also extends to the individual employees of the public body and service provider.
Coverage Horizontal
Restrictions on data
CANADA
Since 2003
Chapter Data policies |
Sub-chapter Restrictions on cross-border data flows
Freedom of Information and Protection of Privacy Act
Alberta’s Freedom of Information and Protection of Privacy Act permits the disclosure of personal information controlled by a public body in response to a “subpoena, warrant or order” only if issued by a court with “jurisdiction in Alberta.”
Coverage Horizontal
Restrictions on data
CANADA
Since 2006
Chapter Data policies |
Sub-chapter Restrictions on cross-border data flows
Act Respecting Access to Documents Held by Public Bodies and the Protection of Personal Information
In 2006, Québec amended its Act Respecting Access to Documents Held by Public Bodies and the Protection of Personal Information to require public bodies to ensure that information receives protection “equivalent” to that afforded under provincial law before “releasing personal information outside Québec or entrusting a person or a body outside Québec with the task of holding, using or releasing such information on its behalf.”
Coverage Public sector
Restrictions on data
CANADA
Entered partially into force in 2001 and fully into force in 2004
Chapter Data policies |
Sub-chapter Restrictions on cross-border data flows
Canadian Federal Law Personal Information Protection and Electronic Documents Act
According to the Canadian Federal Law Personal Information Protection and Electronic Documents Act, consent is not necessary for transfer to a third country, as the Canadian law does not distinguish between domestic and international transfers of data. The company should, however, ensure a comparable level of protection while the information is being processed by a third party. This is preferably achieved on a contractual basis with the third party.
Coverage Horizontal
Restrictions on data
CANADA
Since 2004
Chapter Data policies |
Sub-chapter Restrictions on cross-border data flows
Freedom of Information and Protection of Privacy Act, R.S.B.C. 1996, c. 165, s. 30.1
British Columbia requires that personal information held by a public body (primary and secondary schools, universities, hospitals, government-owned utilities and public agencies) be stored or accessed only in Canada. A public body may override the rules where storage or access outside of the respective province is essential. Moreover, the data can be transferred outside Canada "if the individual the information is about has identified the information and has consented, in the prescribed manner, to it being stored in or accessed from, as applicable, another jurisdiction".
Coverage Public sector
Restrictions on data
CANADA
Since 2006
Chapter Data policies |
Sub-chapter Restrictions on cross-border data flows
Personal Information International Disclosure Protection Act, S.N.S. 2006, c. 3, s. 5(1)
Nova Scotia requires that personal information held by a public body (primary and secondary schools, universities, hospitals, government-owned utilities and public agencies) be stored or accessed only in Canada. A public body may override the rules where storage or access outside of the respective province is essential. Moreover, the data can be transferred outside Canada "where the individual the information is about has identified the information and has consented, in the manner prescribed by the regulations, to it being stored in or accessed from, as the case may be, outside Canada".
Coverage Public sector
Restrictions on data
BRUNEI
Reported in 2013
Chapter Data policies |
Sub-chapter Restrictions on cross-border data flows
Local storage requirement
Brunei has laws that require that data generated within the country should be stored only in servers within the country.
Coverage Horizontal
Restrictions on data
PERU
Since January 2017
Chapter Data policies |
Sub-chapter Personal rights to data privacy
Decree No. 1353
Following Decree No. 1353, issued in January 2017, data controllers have new obligations to notify any new data processors or data transfers that result from a company’s mergers and acquisitions. Additionally, database owners must now inform the data subject of the identity of the data processors that they hire as well as any changes in processor that occur. For example, if a company decides to outsource the management of its customer database, it must inform its customers of the identity of the supplier that will take charge of the management of this aspect of the database.
Coverage Horizontal
Restrictions on data
PERU
Since July 2011
Chapter Data policies |
Sub-chapter Personal rights to data privacy
Law No. 29733 (Personal Data Protection Law)
The Personal Data Protection Law grants data subjects the right to access, rectify, update, include, cancel and/or eliminate their data, as well as the right to object to the processing of such data.
Coverage Horizontal
Restrictions on data
PERU
Since July 2015
Chapter Data policies |
Sub-chapter Data retention
Decree No. 1182
Telecom providers in Peru are required to retain "user data derived from telecommunication" for one year in a system that allows authorities real-time access, and for two additional years using any other storage procedure.
Coverage Telecommunication sector
Restrictions on data
PERU
Since July 2011
Chapter Data policies |
Sub-chapter Restrictions on cross-border data flows
Law No. 29733 (Personal Data Protection Law)
The data holder generally must abstain from making transfers of personal data if the destination country does not offer 'adequate protection levels', which are equivalent to those offered by the Personal Data Protection Law or in international standards.
If the destination country fails to offer adequate protection levels, the controller must guarantee that the treatment of personal data meets such requirement (for example, via a written agreement). This guarantee is not necessary if the owner of the personal data has given its prior, informed, express and unequivocal consent to the transfer or if other exceptions apply.
Moreover, any cross-border data transfers must be reported to the Peruvian Data Protection Authority.
Coverage Horizontal
Restrictions on data
AUSTRALIA
Since May 2015
Chapter Data policies |
Sub-chapter Other
Wide interpretation of personal information
In May 2015, the Australian Privacy Commissioner clarified that 'metadata' may also be personal information where an organisation has the capacity and resources to link that information to an individual. This determination imposes high costs on companies, as they have to grant individuals access to such data.
Coverage Horizontal