Juan Pablo Sanchez D. – Associate

Despite being in the year 2023, Bolivia remains one of the countries that has not yet implemented a specific regulation to regulate, control, and supervise the treatment of personal data by public entities and private individuals in the national territory. This situation occurs when neighboring countries in the region are already discussing the updating of current laws regarding the protection of personal data to adapt to the current reality regarding the application of new technologies regarding the treatment of personal data.

So, does the lack of a specific law regarding the treatment and protection of personal data in Bolivia mean that natural or legal persons, as well as public entities, can carry out personal data processing at their discretion?

Although there is no state entity that regulates and supervises the treatment of personal data in Bolivia, private companies (especially) cannot take this situation as a free pass to use (and abuse) the treatment of personal data in Bolivia. Despite the regulatory vacuum in this matter, commercial activity today is not limited to the borders that determine sovereign states but businesses transcend all kinds of physical borders in the highly globalized current market.

In this sense, a Bolivian company whose activities are closely linked to companies based in Colombia, Ecuador, the United States, or one of the countries that make up the European Union, will be forced to exchange information and data to fulfill its objectives and obligations. Then, the exchange of information carried out by this company, directly or indirectly, will involve or contain personal data, whether from its customers, suppliers, prospects, or even its employees. Thus, personal data processing is carried out, either voluntarily and consciously or not, configuring itself in the treatment of personal data.

Continuing with the example posed, if our Bolivian company, in the development of its activities, carries out personal data processing and subsequently, the data obtained is sent to its peers in Colombia, Ecuador, the United States, or the European Union, will our Bolivian company be exempt from complying with security measures when carrying out data processing due to the lack of a data protection law?

Well, despite what state sovereignty determines, the answer is no. Our Bolivian company will not be exempt from complying with security measures, having carried out an international transfer of personal data to companies located and domiciled in countries where there are data protection laws.

Taking the General Data Protection Regulation of the European Union as a reference, many laws regarding data protection have incorporated the extraterritorial application of the norm. This extraterritorial application determines that, even though the activity of personal data processing is not carried out in the country where the norm was issued, when the effect of personal data processing can be perceived in this country, its regulations will be applied in the country of origin where personal data processing takes place.

In that sense, when our Bolivian company carries out personal data processing in Bolivia (where we lack regulations on personal data protection), but as part of its final destination, this processing has an effect in a country where there is a law on personal data protection, our Bolivian company must obligatorily comply with the law on personal data protection in the country where its activity produces an effect. The implementation of procedures, measures, and policies for the treatment of personal data by Bolivian companies is necessary, even when in Bolivia, we still do not have a specific law on personal data protection.