Privacy Law in Puerto Rico (US)

Puerto Rico's data privacy and breach notification framework is primarily governed by the Citizen Information on Data Banks Security Act (10 P.R. Laws Ann. §§ 4051–4055). This legislation mandates that entities owning or controlling databases containing personal information of Puerto Rican residents must adhere to specific protocols in the event of a data breach.

🔐 Key Provisions of Puerto Rico's Data Breach Notification Law

1. Scope of Covered Information

The law applies to personal information that includes, at a minimum, an individual's name or first initial and last name, along with any of the following

2. Notification Requirements

To Affected Individuals: Entities must notify affected individuals "as expeditiously as possible," considering law enforcement needs and system restoration efforts. If direct notification is not feasible due to the number of affected individuals or other challenges, substitute notice methods include prominent display of an announcement at the entity's premises and on its website, and communication to the media informing the public and providing contact information for follow-up.

To Government Authorities: Entities must inform the Department of Consumer Affairs within 10 days of detecting a breach. The Department is then required to make a public announcement within 24 hours of receiving the information.

3. Encryption Safe Harbor

The law does not apply to personal information that is protected by encryption or other cryptographic means, provided that the information remains secure and inaccessible without the decryption key.

4. Penalties for Non-Compliance

Violations of the notification requirements can result in civil penalties. The Secretary of Consumer Affairs may impose fines ranging from $500 to $5,000 for each violation. These fines are in addition to any rights consumers may have to pursue legal actions for damages in court.

🔄 Proposed Legislative Changes

In November 2023, the Puerto Rico Senate approved House Bill No. 1548, known as the Consumer Data and Personal Information Protection Act. This bill proposes significant updates to the existing data privacy laws, aiming to align Puerto Rico with more regulated jurisdictions such as California and the European Union.

Key proposed changes include: requiring data controllers to have a visible privacy policy that is reviewed and updated every six months; mandating that privacy policies be written in clear, understandable language and be accessible to consumers; and ensuring privacy policies are presented in both Spanish and English.

As of now, this bill is under consideration and has not yet become law.

🧭 Enforcement Authority

The Department of Consumer Affairs (Departamento de Asuntos del Consumidor) is responsible for enforcing data breach notification laws in Puerto Rico. Entities found in violation of these laws may face penalties imposed by the Secretary of Consumer Affairs.

📌 Summary

Puerto Rico's data breach notification law establishes clear requirements for entities handling personal information of residents. While the existing law provides a framework for breach notifications, proposed legislative changes aim to enhance consumer privacy protections and bring Puerto Rico's laws in line with more stringent regulations elsewhere. Entities operating in Puerto Rico should stay informed about these developments to ensure compliance with current and future data privacy requirements.
