In 2018 the National Assembly passed Bill 665 concerning data protection. The Bill was later sanctioned by the president and publicised through the Official Gazzette No. 28,743-A as Law 81 of March 26, 2019.
The Data Protection Law is stated to enter into force two years after enactment and represents a major overhaul of Panama's lacking data privacy regulation.
Unlike other jurisdictions, Panama does not have a general data protection law. There are some general concepts providing for the protection of personal data and privacy included in the constitution and in the criminal code. The issue has been regulated in more detail in certain sector-specific legislation, such as credit reporting, patients' history, banking and insurance sectors, among others.
Absent an express set of rules, the general and conservative approach adopted in Panama is that personal information should not be collected or revealed without the prior consent of the incumbent. For cases outside the sector-specific laws indicated above, there are no rules as to how this consent must be provided, nor whether this should be expressed or implicit consent. It is reasonable to conclude that, to the extent that it can be considered that consent was obtained, it would not matter whether the consent was expressed or implicit.
It is unclear whether the new set of rules set forth in the law will apply to the banking sector, however. The law provides that it is not applicable in those cases where treatment of data is regulated in sector-specific laws. The banking law is indeed one such sector-specific law, however, it does not regulate many of the matters covered under the data protection law.
Articles 110 and 111 of the banking law deal with privacy. The former relates to the use of client information when the regulator is auditing or inspecting banks. The latter deals with the disclosure by banks of client information, the general rule being that such information may not be disclosed without consent except in cases of judicial investigation, compliance (AMLFT procedures), credit rating agencies and data processors for accounting and operational purposes.
Article 111 was further regulated by the banking regulator pursuant to Accord 008-2015, which essentially requires banks to put in place mechanisms to ensure adequate client identification prior to the delivery of client information. It also regulates access to client data by third parties when authorised by clients. Banks will be required to maintain a copy of the third-party authorisation and a log with the name of the employee who provided the information.
Because the banking law does not regulate many of the aspects set forth in the data protection law, it is questionable whether those aspects of the law which have no equivalent regulation in the banking law are not applicable to banks.
Roberto Harrington Arango
Alfaro, Ferrer & Ramírez