Supreme Decree No. 016-2024-JUS, recently published, approves the new Regulation of the Personal Data Protection Law (the “New Regulation”), which will enter into force on March 31, 2025. The New Regulation contains new provisions on the protection of personal data in the digital environment and in a context of increasing use of new technologies.
Below, we present some of the new developments related to the processing of data in the digital environment and through the use of artificial intelligence systems:
1. Personal data require greater protection in the digital environment.
The New Regulation includes as part of its Object and Purpose the protection of personal data taking into account the use of platforms and tools connected to the Internet for the exchange of information. This update is especially relevant in a context where the digital economy is of growing importance and personal data are used as assets by many companies.
2. How do connected products influence the processing of personal data?
The rise of Internet-connected products (IoT) has increased the volume and value of data because they collect information about the service they provide and their environment. The IoT brings multiple opportunities for the well-being of individuals, but it also presents risks. The New Regulation applies to the processing of personal data that may be collected by the IoT so that the rights of individuals who use and/or are exposed to this technology are not affected.
Note that this regime does not regulate the processing of non-personal data collected by the IoT, even though such data have acquired great value for use and reuse in the development of new products and services. Peru has not yet issued a regulation in this regard, as has, for example, the European Union with the approval of the Data Act (2023), which establishes a legal framework to foster a competitive data market, clarifying who can use what data and under what conditions.
3. The list of protected personal data has been expanded.
The definition of “personal data” in the previous regulation was already broad and also included information that makes individuals “identifiable”. The new description of the term has expressly included some data that fit into this category, such as: (i) location data, (ii) information about a person’s physical, social, economic and cultural characteristics, and (iii) online identifiers (e.g., usernames in social networks).
4. Consent is required for automated decision making.
The New Regulation defines the automated processing of an individual’s personal data to analyze or predict his or her behavior, situation or characteristics as “profiling”. This type of processing requires the express authorization of the data subject. In addition, the New Regulation grants individuals the right not to be subject to automated decisions made without human intervention that significantly affect them, which could be carried out, for example, by artificial intelligence (AI) applications.
The New Regulation also regulates the risk assessment prior to the processing of personal data for profiling purposes as described above. If applicable, this obligation should be applied in accordance with the transparency obligations contained in the Draft Regulation of the Law on the Promotion of AI, published by the Presidency of the Council of Ministers last November 19, which requires that individuals be informed of the level of risk of the AI applications to be used.
5. The materialization of the right to objection in the digital environment: De-indexing
Internet search engines have become a means of recording personal data, even in situations in which the data subject has no interest in such processing. For this reason, the New Regulation has established, as part of the right to objection of individuals within the digital environment, the possibility of de-indexing, which is the process by which a URL or specific content of a website is removed or excluded from search engine results. The de-indexing can be carried out by the website owner or by the search engine itself.
6. The portability of personal data
The New Regulation has established that, as part of the right of access, the data subject may request the portability of his data, i.e., he may require a data controller or data bank owner to transmit personal data about himself to another data controller or data bank owner, under certain conditions (e.g., that the transmission does not impose an excessive financial and technical burden). These provisions will take effect 6 months after the entry into force of the New Regulation.
Peru has not established a legal framework for the portability of non-personal data that, for example, may be collected or generated by the IoT, which are of great value for the development of new products and services.
7. Interoperability of personal data
The New Regulation has only ruled on the interoperability of personal data between public authorities. On this point, it has been established that the Secretariat of Government and Digital Transformation is competent to determine the definition, scope and content of interoperability, as well as the guidelines for its application and operation, respecting the legal framework for the protection of personal data.
However, no provisions governing interoperability between private parties for the access, transfer and use of personal data have been established. This is relevant to facilitate data portability. At the international level, this matter is regulated by the Data Act of the European Union, which contains provisions to increase the interoperability of data processing services through harmonized standards and open interoperability specifications.
8. Consent of minors on the Internet
Provisions have been included for the processing of personal data of children and adolescents on the Internet, in order to ensure the protection of the best interests of the child and their fundamental rights. In particular, the New Regulation has established who can give consent for the processing of their personal data (for those over 14 years of age, their own consent must be obtained for the processing of their personal data in the context of the offer of digital services).
For further information, please contact María del Rosario Quiroga (rquiroga@estudiorodrigo.com), Andrea Morelli (amorelli@estudiorodrigo.com), Luis Fernando Roca (lroca@estudiorodrigo.com) and/or Adriana Chavez (achavez@estudiorodrigo.com).