Peru DPA, Congress Act on Privacy, Consumer Protection
Peru's DPA and legislature earlier this year tackled questions surrounding privacy and consumer rights, BarLaw data protection and intellectual property lawyer Carlos Farfan said in an IAPP opinion posted Wednesday.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
The DPA in May issued recommendations relating to certain commercial practices that could involve the unintentional transmission of personal data through indirect methods, such as photographing a national identity document during a product delivery. The DPA stressed that data subjects can refuse to comply with such practices and urged companies processing personal data to use other methods to confirm product deliveries to customers.
Under the country's privacy laws, data processing must be proportional to the purpose for which it's done, and photographing an identity card doesn't meet that standard, Farfan noted.
Meanwhile, the Peruvian Congress in May amended provisions of the country's consumer protection code on telemarketing communications in an effort to combat spam contacts, Farfan said.
Peruvian data protection law explicitly addresses the processing of personal data for advertising purposes, he wrote. "One key issue surrounding the interplay of the country's data and consumer protection laws is the so-called first contact with the data subject."
Although privacy laws allow the first contact to be made using personal data obtained from publicly accessible sources without prior authorization, albeit only once, that appears to conflict with the recently adopted consumer law provisions, Farfan said. The new law changes the rule from allowing such contact unless the consumer expressly refuses, to prohibiting contact unless a consumer requests to be contacted.
The issue arises because "standard commercial practice involves first contact via phone calls and, even more concerning, third-party companies," Farfan said. "This could pose risks not only to personal data users -- who are also consumers -- but to companies benefiting from such advertising calls, exposing them to possible sanctions by both the data protection and consumer protection authorities."
Although experts have identified the legal contradiction, he added, the DPA has yet to issue an official position. He predicted the situation would be resolved either by an official interpretation or by legislative amendment.