Bill introduced to protect, regulate personal data in Puerto Rico
Would require companies to eliminate data at customer’s request
SAN JUAN – Puerto Rico Senate Majority Spokesman Carmelo Ríos introduced legislation Monday that seeks to regulate the use of personal digital information that companies have access to. Senate Bill 1231 would create the Digital Privacy Protection Act.
At a news conference, Ríos said that to guarantee an individual’s right to privacy, the law would include information that is registered in automated databases and even private sector business manuals.
The bill explains that many companies compile extensive personal information on consumers in Puerto Rico that “is not essential or necessary” for the provision of their services.
Due to the absence of parameters, companies that compile the data are able to sell or transfer the information to others, without a customer’s permission or consent.
The New Progressive Party (NPP) lawmaker said he was concerned about the absence of local legislation that regulates the practice.
“The laws and existing regulations to protect an individual’s privacy have not been up to par with the growth of personal information disclosed in our society, which can reveal almost a consumer’s entire life,” he said. “Currently, the government of Puerto Rico doesn’t have legislation or the focus necessary to address and protect the growing avalanche of personal information. In the absence of federal legislation that [can] effectively protect this right, it’s necessary to legislate and fill that void to protect the digital privacy [of consumers].”
Ríos further noted that it “wasn’t until after the Facebook and Cambridge Analytica scandal” that the idea to protect an individual’s digital privacy and the first comprehensive legislation was implemented in California last year. “In fact, as recently as this January, Washington became the second state that introduced a measure on this issue,” he said.
The legislation would establish that consumers have the right to require that companies holding their personal information not sell it to a third party.
Before selling any information, the entity that compiled the data would be forced to notify individuals that their personal information may be sold. Furthermore, consumers would need to be informed about their rights if they oppose the action. In addition, if the company understands that the security of data has been breached, affected consumers would have to be notified within 72 hours.
Meanwhile, if an entity receives a request from a consumer asking for their personal information to be excluded, it would have to eliminate the data from its records and databases and advise any service providers with which the data was shared to do so as well.
To facilitate access to the personal information a company may hold, it must offer consumers more than two methods–such as a toll-free number, a website and physical address–to which the request for disclosure can be made.
Another stipulation provides that individuals who have been affected by the disclosure of personal information can take the matter to court or file for a review with the Consumer Affairs Department.