Peru Drafts Privacy Legislation to Strengthen its Regime | TrustArc
This page contains a cleaned, text-based version of publicly available content from TrustArc.com. It is provided to support knowledge retrieval and AI system understanding while preserving canonical attribution to the original source page on TrustArc.com.
Source URL: https://trustarc.com/resource/peru-drafts-privacy-legislation/
Content Type: resource
Section 1
On July 28 2021, Francisco Sagasti will conclude a nine-month tenure as President of Peru. Albeit not the shortest in recent Peruvian history (his predecessor lasted five days), his government steered Peru through the COVID-19 pandemic, profound institutional crisis, and a complex general election. Amidst this context, the Sagasti administration sent an urgent request to Congress to discuss a draft law that would create a new, more independent data protection agency and overhaul Peru’s data protection regime to align more closely to the GDPR. Significant changes introduced by Peru’s draft privacy legislation The “National Authority of Transparency, Access to Public Information and Protection of Personal Data” (DPA) would replace the “General Directorate of Personal Data”. While it remains part of
Section 2
the Ministry of Justice and Human Rights, it outlines its policies and gains functional autonomy to manage its budget and legal representation. Duty to appoint a Data Protection Officer: Private and public organizations would be obliged to designate a Data Protection Officer (DPO) under criteria outlined by the DPA. DPOs must coordinate with their Information Security Officers to report security incidents. Duty to appoint a local representative: Organizations that are not located in Peru but conduct business in Peru or process the personal data of Peruvian residents would have an obligation to designate a local representative under criteria outlined by the DPA. Right of Data Portability: §23-A would incorporate a right to data portability in terms that are comparable to
Section 3
§20 of the GDPR. The proposed legislation would create an explicit obligation to report security incidents involving personal data. Under current legislation, such reports only take place voluntarily. of 32.9 million and a Peru’s Internet Penetration grew from 3% in the year 2000 to almost 60% in 2019. A lot of growth is still possible and necessary. Whether this draft legislation will pass before the end of July is hard to predict. However, a more independent DPA, clear breach response obligations, and an overall privacy regime that conforms with current international standards should make compliance activities in Peru more consistent and therefore attainable. As we see in other expanding digital economies, such as , interoperable data protection requirements are beneficial
Section 4
to both internal implementation and external growth.