In 2018 the National Assembly passed Bill 665 concerning
data protection. The Bill was later sanctioned by the president
and publicised through the Official Gazzette No. 28,743-A as
Law 81 of March 26, 2019.
The Data Protection Law is stated to enter into force two
years after enactment and represents a major overhaul of
Panama's lacking data privacy regulation.
Unlike other jurisdictions, Panama does not have a general
data protection law. There are some general concepts providing
for the protection of personal data and privacy included in the
constitution and in the criminal code. The issue has been
regulated in more detail in certain sector-specific
legislation, such as credit reporting, patients' history,
banking and insurance sectors, among others.
Absent an express set of rules, the general and conservative
approach adopted in Panama is that personal information should
not be collected or revealed without the prior consent of the
incumbent. For cases outside the sector-specific laws indicated
above, there are no rules as to how this consent must be
provided, nor whether this should be expressed or implicit
consent. It is reasonable to conclude that, to the extent that
it can be considered that consent was obtained, it would not
matter whether the consent was expressed or implicit.
It is unclear whether the new set of rules set forth in the
law will apply to the banking sector, however. The law provides
that it is not applicable in those cases where treatment of
data is regulated in sector-specific laws. The banking law is
indeed one such sector-specific law, however, it does not
regulate many of the matters covered under the data protection
Articles 110 and 111 of the banking law deal with privacy.
The former relates to the use of client information when the
regulator is auditing or inspecting banks. The latter deals
with the disclosure by banks of client information, the general
rule being that such information may not be disclosed without
consent except in cases of judicial investigation, compliance
(AMLFT procedures), credit rating agencies and data processors
for accounting and operational purposes.
Article 111 was further regulated by the banking regulator
pursuant to Accord 008-2015, which essentially requires banks
to put in place mechanisms to ensure adequate client
identification prior to the delivery of client information. It
also regulates access to client data by third parties when
authorised by clients. Banks will be required to maintain a
copy of the third-party authorisation and a log with the name
of the employee who provided the information.
Because the banking law does not regulate many of the
aspects set forth in the data protection law, it is
questionable whether those aspects of the law which have no
equivalent regulation in the banking law are not applicable to
Roberto Harrington Arango
Alfaro, Ferrer & Ramírez