Data privacy for undersea cable owners in Latin America

Data privacy is one of the hottest topics of the moment and if we consider a scenario of data being constantly transferred across different countries, the subject gains a lot more flavour. 

Over 90% off all data transferred across the world nowadays is carried through undersea cables and with the increase in investments by some of the largest content providers such as Facebook and Microsoft, the traffic of data through these cables tends to attract a lot more attention from the regulatory agencies which manage data privacy in every country.

Before entering the discussion of best practices that could be adopted by undersea cable owners operating in Latin America, it is important to set a significant premise for those who might not be too familiar with the industry:

Undersea cables owners control is limited to the route through which the data is transmitted, i.e., those companies do not generally have access to the data been transmitted[1].

Submarine cable owners can have access to where the information that was transmitted by their infrastructure passed through. This is critical when talking about data privacy, as this might determine which regulations the company will be subjected to. For example, if a company’s infrastructure is limited to linear routes from Mexico to Brazil, there is no reason why the company should be familiar to the United States regulations[2]. However, regardless of the ending point, if the information passes through the United States, certain regulations might be applicable and the company shall be familiar to them.

It is a known fact that compliance officers and legal departments must work close to each other to make sure their companies are compliant with all laws and regulations applicable to the business, nevertheless, when we are talking about undersea cables, other departments must be deeply involved in this process.

All companies must ensure that they have at least basic protection measures in place regulating how its employees, in special its engineering team, will deal with the information when received in the company’s landing station[3]. The most important thing is to guarantee that the company only operates through compliant and certified equipment. All countries in Latin America have a regulatory agency that will govern this and determine what the standards to be followed in this case are. Also, the company must be diligent when selecting its equipment vendors, as those might have access to the end-traffic. In this last case, all companies shall implement at least a basic know your customer process, in order to identify which vendors are properly certified and have adopted all security measures as required by law.

Additional measures might include:

1. Limit the access to the information by creating profiles with restricted access to each employee;
2. Monitoring, on a daily basis, all key-employees access to the system to assure that no violations are committed;
3. Adopt security measures that will automatically create alerts in the event a violation is committed within the premises of the company.

Also, it is important to note that owners of undersea cables are not liable for the content of the information transmitted through its infrastructure, and for that it is essential to make sure all contracts have a specific section determining the owner of the content is solely responsible for its own content as well as that the company will have the right to disclose all information that it can have access to in the event of a request from an authorized governmental agency or court.

Finally, despite of the high volume of data transmitted through undersea cables we still do not have adequate data privacy regulations applicable to this industry. This is an unfortunate reality overall, but specially in Latin America, where there are countries (such as Brazil[4]) without a generic data privacy regulatory framework in place. In the case of companies that might be operating in markets where specific regulation is still lacking, the best practice should be to adopt, as much as possible, measures of control aligned with the strictest regulations from countries like the United States or regions like Europe.

About the Author: Neyde Correia is the Regulatory and Compliance Counsel at Globenet Cabos Submarinos America, based in Miami, a wholesale telecommunication provider and a portfolio company of BTG Pactual Infrastructure Fund II. Previously, Correia served as Legal Counsel at Diageo, the global leader in beverage alcohol, based in the United States, where she was responsible for the implementation of the Know Your Business Partner Program within the Americas and Europe Travel Retail region.

 4 As of January 2018, currently Brazil’s National Congress is debating two bills, one in the House and one in the Senate, which aim to create a general data protection law in the country.

[1] This is not applicable when we are talking about IP Services, as in this case the companies can have access to the data transmitted through their infrastructure.

[2] Exceptions might apply in the event of legal entities registered in different countries where they operate or depending of their corporate structure.

[3] Landing station is the location where a submarine or other underwater cable makes landfall. (source: https://en.wikipedia.org/wiki/Cable_landing_point)

[4] This is not applicable when we are talking about IP Services, as in this case the companies can have access to the data transmitted through their infrastructure.