This paper is mostly an update on an article that first appeared in this journal in June 2000 [1 ] regarding the relatively recent legal figure of Habeas Data, which has been implemented in some countries in Latin America. The need to update the original article arose from the fact that there have been many new developments regarding the implementation of this legal tool in Latin America, and because of some other interesting developments in the European Union that required that some of the original conclusions be revisited and amended. This paper was first presented in the 16th Annual Conference of the British and Irish Legal Education and Technology Association (BILETA) in April 2001, my thanks to the attendants for their input, which helped in revising the present work. The paper has many sections that are similar to the original, with the intention of making the update a stand-alone document. A shorter two-part version of the paper appeared in the World Data Protection Report.
Keywords: Habeas Data, Privacy, Data Protection, Freedom of Information, Latin- America, Brazil, Argentina, Peru, Costa Rica, United Kingdom, Europe.
This is a revised Refereed article published on 7 November 2001.
Citation: Guadamuz A, 'Habeas Data vs the European Data Protection Directive', Refereed article, 2001 (3)The Journal of Information, Law and Technology (JILT). <http://elj.warwick.ac.uk/jilt/01-3/guadamuz.html>.New citation as at 1/1/04: <http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/2001_3/guadamuz/>.
The European Union has been enacting serious Data Protection legislation by the means of a Data Protection Directive that poses a burden on member states to put in place laws that comply with its provisions. Among those provisions there is a prohibition to the member states to transfer data to countries with no adequate Data Protection legislation in place. This provision in particular has proven to be incredibly contentious because of the nature of the modern global economy and the importance of data transfer and electronic commerce to the major trading countries. This has sparked an international debate that has engulfed the United States and the European Union in colossal struggle to resolve the issue. It is not the role of the present essay to delve into the detail of such struggle, but many important questions have risen from this debate.
This is where the new Latin American Habeas Data right becomes important. Does it comply with the standards of adequacy established by the European Union? What is Habeas Data anyway? Is it effective? This paper will attempt to answer these questions.
1.1 History of Habeas Data
The individual complaints before a Constitutional Court have a long tradition in the history of the Law. The first complaint that existed, and perhaps the most famous, is the Habeas Corpus (which is roughly translated as 'you should have the body'). It originated on the Middle Ages in England and it is a writ issued by a court commanding that a person held in custody is brought before a court so that it may determine whether the detention is legal. Some other individual complaints exist, such as the writ of mandamus (USA), amparo (Spain and Mexico), Respondeat superior (Taiwan), etc. The newest of these legal mechanisms is the Habeas Data.
The Habeas Data writ itself has a very short history, but its origins can be traced to certain European legal mechanisms that protected individual privacy. This cannot come as a surprise, as Europe is the birthplace of the modern Data Protection.
In particular, certain German constitutional rights can be identified as the direct progenitors of the Habeas Data right. In particular, the German Constitutional Tribunal created the right to information self-determination by interpretation of the existing rights of human dignity and personality. This is a right to know what type of data is stored on manual and automatic databases about an individual, and it implies that there must be transparency on the gathering and processing of such data.
It has been pointed out that by the 1960's the right to controls the information about oneself was being extensively discussed in quite a lot of specialised legal literature, where the need of the citizens to control the information stored about them was not only an act of self defence against abuses by others, but it had become an active right against the technological handling of personal data, which created a new type of problem for the individual.
The direct predecessor of the Habeas Data right is the Council of Europe's 108th Convention on Data Protection of 1981. The purpose of the convention is to secure the privacy of the individual regarding the automated processing of personal data. To achieve this, several rights are given to the individual, including a right to access their personal data held in an automated database.
However, we must ask ourselves how did the first European privacy protection efforts cross the Atlantic and landed in Latin America under a new guise.
The end of the 1980s and the beginning of the 1990s can only be described as a very interesting period in the history of Latin America. The end of the Cold War brought a resurgence of stability and democracy to the region. The old military regimes gave way to young and vibrant democracies. These new regimes had to start from scratch in most cases, and that is why so many new Constitutions were created in this period.
That is the case of the Federal Republic of Brazil. In 1988, the Brazilian legislature voted a new Constitution, which included a novel right never seen before: the Habeas Data individual complaint. It is expressed as a full constitutional right under article 5, LXXI, Title II, of the Constitution. It is clear from the details of the new constitutional right that the framers of the Brazilian Constitution were aware of the developments and huge advancements in data protection taking place in Europe. It is unclear however why it was decided to create it in the form it took, which does not resemble any of the existing European solutions to the Data Protection problem. The fact is that the new legal right offered a new type of privacy defence, unlike both the North American and the European types of Data Protection. In 1997, the Brazilian Parliament enacted the Law No. 9507, which is the Regulatory Law of the Habeas Data Proceeding. It was voted to regulate certain aspects of the law offered in the Constitution, as it lacked the proper procedural and administrative guidelines.
Following the Brazilian example, Paraguay incorporated the Habeas Data right to its new Constitution in 1992. After that, many countries followed suit and adopted the new legal tool in their respective constitutions: Peru in 1993, Argentina in 1994, Ecuador in 1996, and Colombia in 1997.
Habeas Data is gaining momentum and moving northwards. There are projects to incorporate the new right in Guatemala, Uruguay, Venezuela and Costa Rica, and several important writers and political groups support the implementation of the figure both in Panama and in Mexico.
1.2 What is Habeas Data?
The literal translation from Latin of Habeas Data is 'you should have the data' and it describes its nature very accurately. Habeas Data is a constitutional right granted in several countries in Latin America. It shows variations from country to country, but in general, it is designed to protect, by means of an individual complaint presented to a constitutional court, the image, privacy, honour, information self-determination and freedom of information of a person.
Habeas Data has been described as:
'a procedure designed to safeguard individual freedom from abuse in the information age'.
The importance that this figure has is stressed by the fact that it can be a mechanism available to citizens that will insure a real control over sensible personal data, stopping the abuse of such information, which will be detrimental to the individual.
In general, the Habeas Data complaint can be brought up by any citizen against any register to find out what information is held about his or her person. That person can request the rectification, update or even the destruction of the personal data held, it does not matter most of the times if the register is private or public. Ekmekdjian points out that all Habeas Data legislations should provide the individual with at least the following rights:
Provide access to the registers to control the personal or family data.
Provide means to update or correct obsolete data.
Insure the confidentiality of important personal information.
Provide means to remove or cancel sensible data, which may injure the individual's right to privacy, such as religion, political ideology, sexual orientation or any other potentially discriminatory information.
The legal nature of the individual complaint of Habeas Data is that of voluntary jurisdiction, this means that the person whose privacy is being compromised can be the only one to present it. The Courts do not have any power to initiate the process by themselves.
Most of the local laws concerning Habeas Data do not differentiate whether the mechanism should be used against manual or automated databases. It will then have to be assumed that it covers both. The efficiency of the tool as an adequate privacy protection action for the individual will be discussed in detail later.
1.3 Habeas Data From Country to Country
Because Habeas Data is a new figure, it is obvious that it is in constant evolution as it responds to different local situations. The particularities from some of the countries where it has been used will be discussed next.
Being the birthplace of the Habeas Data action, the Brazilian legislation is the less evolved one, and it is also the one that provides one of the poorest privacy protection tools. The 1988 Brazilian Constitution stipulates that:
'Habeas Data shall be granted: a) to ensure the knowledge of information related to the person of the petitioner, contained in records or databanks of government agencies or of agencies of a public character; b) for the correction of data, when the petitioner does not prefer to do so through a confidential process, either judicial or administrative'.
It is interesting to notice that the Constitution only allows for the access to and the correction of data, not for its update or destruction. The 1997 regulatory law to the Habeas Data procedure provides the individual with the right to add an annotation to the data stored on a registry where it is stated that such data is under legal dispute. This provides a novel way to inform third parties that certain personal data is under contention.
The tribunal where the Habeas Data action is presented changes depending on who is it presented against, thus creating a very complicated system of venues. Both the Brazilian constitution and the 1997 law stipulate that the court will be:
The Superior Federal Tribunal for actions against the President, both chambers of Congress and itself;
The Superior Justice Tribunal for actions against Ministers or itself;
The regional federal judges for actions against federal authorities;
Besides this system, there are several mentions about Habeas Data in the existing military legislation in Brazil, mostly regarding jurisdiction issues and further confusing the already complicated system.
The 1992 Paraguay constitution follows the example set by Brazil, but enhances the protection in several ways. The Article 135 of the Paraguayan constitution states:
'Everyone may have access to information and data available on himself or assets in official or private registries of a public nature. He is also entitled to know how the information is being used and for what purpose. He may request a competent judge to order the updating, rectification, or destruction of these entries if they are wrong or if they are illegitimately affecting his rights'.
Besides giving the individual the opportunity to find out what the information is being used for and for what purpose, the Paraguayan system allows for the updating, rectification or destruction of the data. In just four years, and in another country, the Habeas Data constitutional guarantee has evolved and gained strength. This is a much better definition than the Brazilian one, and shows that the Paraguayan congressional representatives not only copied its neighbour's version, but actually did some research on the subject.
The Habeas Data version of Paraguay is also better than the Brazilian one in its procedural aspects. The constitutional chamber of the Supreme Court is the one in charge of hearing and deciding cases of Habeas Data, centralising the application of the constitutional guarantee in an existing tribunal.
As the previous two countries, the Habeas Data right was introduced to Peru by means of a new constitution that was enacted after a large political upheaval.
The Article 200, section 3 of the new constitution, creates the Habeas Data. In a sense, the Peruvian constitution allows for less privacy protection than that of its predecessors, but in some other ways provides more. It provides less protection because it does not allow for the rectification or removal of incorrect data stored on a database, such as the Paraguayan version. Nevertheless, it provides more protection because it forbids the broadcast, copying, transfer or distribution of the incorrect data. Nevertheless, the Peruvian version of the Habeas Data right allows only for one case of rectification of inaccurate or aggravating information. The press is the only institution in all of Peru compelled to rectify such type of data according to the constitution.
The Peruvian Habeas Data version is also the first one that specifically mentions that the citizens have the right not to have any personal data supplied by any 'information service, automated or not'. It is clear now that the Habeas Data covers both manual and automated systems.
The Peruvian Legislature enacted a regulatory law on April 18, 1995. Among several procedural provisions, the Congress decided not to apply the Habeas Data right to the press. This measure came because of various complains by human rights activists that saw this as a way to interfere with the freedom of expression rights, protected also by the constitution.
It can be argued that the Peruvian version of Habeas Data seems less effective and more politicised than its predecessors. It is unclear how this figure will be affected by the change of government and the end to the polemical rule of Alberto Fujimori. It does appear that the legislation was created to insure control over the press, but that function should no longer be important in a more open political environment.
The Argentinean version of Habeas Data is not specifically called that. For an unknown reason, the Argentinean legislators have merged several individual constitutional complaints under the name of amparo, which can be roughly translated as 'shelter'. The amparo is a constitutional guarantee that exists in many other countries in Latin America and the civil system in Europe such as Spain and Portugal. Whatever it is called, the Argentinean version of Habeas Data is the most complete to this date. The article 43 of the Constitution, amended on the 1994 reform, states that:
'Any person shall file this action to obtain information on the data about himself and their purpose, registered in public records or data bases, or in private ones intended to supply information; and in case of false data or discrimination, this action may be filed to request the suppression, rectification, confidentiality or updating of said data. The secret nature of the sources of journalistic information shall not be impaired'.
This version includes most of the protection seen in previous constitutions, such as the right to access the data, rectify it, update it or destroy it, such as the Paraguayan one. Nevertheless, the Argentinean constitution also includes a couple of excellent features. The first is that it incorporates the Peruvian idea of confidentiality of data, being interpreted as the prohibition to broadcast or transmit incorrect or false information. The second is that it specifically excludes the press from the action, which is only sensitive in a country that is remaking its democratic institutions after years of ruthless military dictatorship.
A regulatory law of the Habeas Data action approved by the Argentinean congress in 1996 was vetoed by the Executive Branch because it was vague and provided controversial provisions about the exchange of data between different public institutions. However, Argentinean legislators have recently muddied the application of the Habeas Data by the approval of a European style Data Protection legislation. The problems that this new law presents to the existing Habeas Data will be discussed in the next section.
Colombia passed a new Constitution in 1991, which included provisions that defended the right to privacy. This was reformed in 1997 to include the new figure of habeas data specifically. The text now recognises the right to individual privacy, and states that citizens have:
'the right to know, access, update and rectify any information gathered about them in databases, both public and private'.
The Colombian Constitutional Court declared a legislation specifying the regulation of this right unconstitutional in 1992. After that, there have been several rulings by the Colombian Constitutional Court recognising habeas data as part of the Colombian Constitution and admitting the information self-determination right as a fundamental part of the constitutional system. This fact is important because it shows that habeas data is being used and recognised in the Colombian courts.
1.3.6 Costa Rica
Although the constitutional action of Habeas Data has not yet been approved by the Costa Rican congress, the existing project promises to be the most comprehensive so far. The law will modify the Article 48 of the constitution to add the Habeas Data action, but it will also amend the law No. 7128, the Law of Constitutional Jurisdiction. This law is the one that regulates the individual complaints to the constitutional court. The existing actions are Habeas Corpus, amparo and the unconstitutionality action.
The new law seeks to protect the privacy of the individual in a similar way to the Argentinean constitution. It provides that the action, once accepted by the constitutional court, will allow for the access, rectification, update, inclusion, destruction or confidentiality of the personal data in dispute. This adds one more tool to the Habeas Data action: the right to include data into a registry.
Besides these tools, the Costa Rican version also includes several principles, probably translated literally from the European Union's data protection Directive. One just needs to glimpse at some of them to confirm that suspicion: personal data will be treated adequately and will not be excessive in relation to the purpose or purposes for which they are processed; the individual has the right to receive information about the treatment given to his data, and others.
One of the principles is quite novel though. The individual has to authorise specifically that his personal data will receive an automated treatment. It is unclear if this is a good idea; this principle may be used to bog down businesses. It sounds unlikely that any type of operation will be able to ask for this type of permission on every transaction.
As for the procedural provisions, the project states clearly that the action can only be presented to the constitutional court, thus being subjected to the procedure of set out in the Constitutional legislation. It will be processed before other actions with exception of the Habeas Corpus.
Unfortunately, the law that will implement habeas data as another constitutional defence in Costa Rica has not yet been enacted and is still under revision by the Costa Rican Parliament. There is strong opposition to the Habeas Data Law from some sectors of the press. This is caused by the fact that it does not have provisions that protect freedom of speech rights, such as those of Peru and Argentina. It is feared that corrupt characters will misuse the guarantee to avoid investigations into their affairs by the press.
2. Adequacy of Habeas Data as a Data Protection Tool
2.1 Is Habeas Data Effective?
After describing the evolution of the Habeas Data right, the next task is to analyse its effectiveness as an adequate Data Protection tool.
Whether Habeas Data will be successful will depend on many different factors, but the main one will be the effectiveness of each judicial system. It is rather difficult to measure each country's judicial institutions lacking actual caseload statistics and other hard data. It is clear that the legislation ahs already been creating case law in Brazil, Argentina, Paraguay and Colombia. Nevertheless, it can be stated as a fact that Latin American courts are often understaffed and overworked, common characteristics of the legal systems of developing countries.
An encouraging sign though is that the Habeas Data guarantee is receiving full constitutional strength in most of the countries in which it is being enacted. In civil systems of law, this is the highest level of protection possible, and faster procedures and better courts usually accompany it.
It may be encouraging that Habeas Data has been incorporated into the constitutions of a lot of countries in Latin America, but the efforts to regulate the figure and make it ready for everyday use have been slow. Brazil has finally passed a regulating law, but as it has been pointed out, it offers a very complicated set of rules for venues. Argentina has not passed a regulating law yet, but that has not stopped the flow of Habeas Data actions being presented. In other countries, like Paraguay and Peru, the regulating laws are in place but only some time after the right had been approved. Costa Rica will avoid that problem by enacting simultaneously the constitutional reform and the regulating law. It will obtain the highest constitutional protection and a specialised Constitutional Court will cover it.
Another encouraging sign that points towards the Habeas Data principle becoming an adequate and popular tool is an unforeseen effect when the law was passed. The action is being hailed as an excellent Human Rights tool, mostly in the countries that are recovering from military dictatorships. In Paraguay for example, it was used to view the records from an old police station, bringing to light several atrocities that were committed at that site.
In a landmark case in Argentina, an important ruling from the Supreme Court stated that the Habeas Data right applied implicitly also to the families of the deceased. This opened the door to families of the 'disappeared', the victims of the military regime, to request access to police and military files, otherwise closed to them.
These examples show an encouraging sign. If the general public regards the legal mechanism favourably because of its use as a Human Rights tool regards the legal mechanism favourably, it is possible that its use will increase and spread to other areas of life, such as the protection of personal data in electronic databases.
Regarding automated databases and online information, which are the real subjects of this essay, the Habeas Data right may crash against two big problems. The first is a problem that can be found world wide, and is also common to all areas of Information Technology Law: the legal profession is usually slow to understand computers. If this is true for the developed countries, it can be expected to be more so in developing countries. It is foreseeable that many courts in Latin America will find problems when faced with complicated descriptions of mainframes, databases, data processing and information storage devices.
The other problem faced by Habeas Data, as an effective online privacy protection tool, is the very nature of the global Information Superhighway. An excellent example would be a multinational company that gathers information in a country and then sends it through a corporate network to another country. How can that be stopped? In addition, how do you present a Habeas Data action against a company that is not based in your country?
The Habeas Data guarantee gives the individual the right to access, rectify, update, include, destroy or maintain the confidentiality of sensitive personal information, but it is obvious that it will be difficult to achieve that if the data is stored abroad. Nevertheless, everything suggests that it will be an adequate tool for protecting privacy locally.
2.2 Does Habeas Data Comply With European Standards?
After analysing the application of Habeas Data in some Latin American countries, it is important to point out that perhaps the greatest test to Habeas Data will come from abroad, in particular from Europe. As it was mentioned in the Introduction, the European Directive on Data Protection requires its members to impose strict restrictions against the transfer of data to countries that do not posses data protection regulation.
For example, The United Kingdom's Data Protection Act of 1998 states that:
'Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data'.
This principle leaves a large area for interpretation for government agencies and for the courts. What is exactly an 'adequate level of protection'?
At first there was no consensus on what level of protection would be considered adequate, the Commission informed that:
'Dialogues between the European Commission and a number of the EU's important trading partners are designed inter alia to improve our knowledge and understanding of their systems'.
The Commission later issued a report that established the minimum set of principles that a country should have to be able to be considered as providing adequate protection. These are:
Purpose limitation principle: data should be gathered for a specific purpose only;
Data quality and proportionality principle: Data should be accurate and kept up to date;
Transparency principle: individuals should be provided with information as to the purpose of the processing and the identity of the data controller;
Security principle: the data should be secure from unwanted access by others;
Rights of access, rectification and opposition: the individual should have a right to obtain a copy of all data relating to him/her, and a right to rectification of those data where they are shown to be inaccurate;
Restrictions on onward transfers: Data should only be transferred onward of the second recipient complies with the minimum data protection requirements[49 ].
The Working Party also recommended that each case should be considered individually, as:
'...data protection rules only contribute to the protection of individuals if they are followed in practice. It is therefore necessary to consider not only the content of rules applicable to personal data transferred to a third country, but also the system in place to ensure the effectiveness of such rules'.
The discussions with the United States regarding this issue helped immensely to setup an understanding of what adequacy means. In particular, several documents by the Commission's Working Party on Data Protection offer a better insight into the issue, and ratified the fact that these minimum requirements are necessary before granting permission for data transfer.
It would seem that Latin American Habeas Data fulfils at least requirements of transparency, rectification, update, accuracy and purpose, but that not all versions of Habeas Data provide security provisions, and none place restrictions on transfer to other countries. Only the Costa Rican project is close to fulfilling most of the requirements, something more is certainly required if Habeas Data is going to be considered up to European standards. It then can be stated that the Latin American countries that have incorporated the Habeas Data guarantee to their constitutions cannot be considered as countries that provide an adequate level of protection of personal privacy.
What then can these countries do? Perhaps as a result of the lengthy discussions between the EU and the United States, and maybe fearing that this provision will have an adverse effect on electronic commerce, the Commission's Working Party has opened the possibility to accept transfer of personal information to countries with no protection by means of a contract by which the data handler will agree to comply with the basic principles required by the EU Directive. This proposal is on consultation at the time of writing this paper.
2.3. Habeas Data vs. European Style Legislations in Latin America
If Habeas Data fails to live up to European standards as it exists today, it may not come as a surprise that some countries in Latin America are choosing to implement a more restrictive version of data protection that resembles the levels established on the other side of the Atlantic.
It is very interesting to notice that Chile, one of the most legally advanced countries in South America, bypassed entirely the Habeas Data route and enacted a data protection law that regulates data handling and storage in a very European way. Chile has a very strong private industry sector, which may account for a different approach to data protection than its neighbours.
Brazil and Argentina have also decided to follow the European lead. A Data Protection legislation based on the Portuguese law is under discussion in the Brazilian Federal Parliament. Being based on the existing legislation of a EU member, it is fair to assume that it will provide more protection than the existing Habeas Data Constitutional provisions and that it will include some of the principles required for obtaining adequacy level from the EU.
Argentina has recently passed new European style data protection legislation to complement and enhance its existing constitutional provisions. This new legislation is very comprehensive and provides more than the minimum requirements of adequacy established by the European Commission. Among many others, the new law:
Requires data handlers to be registered;
Establishes that data should be gathered for the purpose it was created, and should not be excessive, or that it cannot be used for other means;
Provides the right to individuals to access, update, rectify or delete inaccurate or outdated information;
Commands data handlers to insure the security of the data;
Prohibits the transfer of data to countries that do not posses data protection regulation.
It is important to point out that the approval of this legislation does not affect the existing Habeas Data provision described in the Argentinean constitution, but actually complements it. It can be said that this trend to enact tougher regulation of information may not be a threat to Habeas Data, but it is certainly making its future an uncertain one.
Habeas Data is a legal tool for data protection that has been undoubtedly evolving to provide better protection to personal information from one country to the other. Undoubtedly, Habeas Data in its better expressions can be a very important tool to insure the information self-determination of the individual. Besides this, Habeas Data has proven that its constant evolution and rapid spread throughout the region can be attributed to its simplicity. That same simplicity makes it the best option for other countries interested in enacting privacy protection legislation, as it can be adopted at a minimum cost. There is no need to create more government agencies as the action can be implemented within existing judicial structures. The other advantage of Habeas Data is that it provides the highest level of constitutional protection to the average citizen.
Nevertheless, some of the existing forms of Habeas Data fail to provide adequate levels of protection according to the minimum European standards, which may be a problem for countries that want to join in the electronic commerce revolution, as information is the currency of the Digital Age.
It is imperative that the nations that want to provide adequate protection of personal privacy and the transfer of information must make sure that they comply with the minimum levels of protection established by the European Directive on Data Protection, failing to do so will only be detrimental to the basic individual rights.
Despite this problem, Habeas Data is still the most viable solution for the implementation of safeguard of information in developing countries, providing an effort is made to properly institute it. In that respect the example of Argentina has to be noticed and followed, stronger protections seems the proper way to go.
3. 'Habeas Data: An Update on the Latin America Data Protection Constitutional Right - Part 1', World Data Protection Repo rt, Volume I, Issue 4, April 2001, BNA International, London. And 'Habeas Data: An Update on the Latin America Data Protection Constitutional Rght - Part 2', World Data Protection Report. Volume I, Issue 5, May 2001, BNA International, London.
9. Chirino, Alfredo (1997), Autodeterminacion Informativa y Estado de Derecho en la Sociedad Tecnologica (1997), San Jose, Costa Rica, Edit CONAMAJ. P.14.
10. Prescott, Charles A (1998), Recent Developments in Latin America and Asia Are Driven by Local Interests and Technology', Privacy & American Business (1998), <http://hudson.idt.net/~pab/global.html>.
45. This is a general view, see on that respect: Cameron, E and Hegarty, C (1996), 'Never Mind the Quality, Feel the Width:A Sceptical View of Legal Interference with Cyberspace', 10, International Review of Law Computers and Technology 79.
46. European Council. Directive 95/46/EC, Article 26 (4).
56. Herrera Bravo, Rodolfo (1998), 'Breves Antecedentes Sobre el Proyecto de Ley de Protección de Los Datos Personales en Chile', Boletin Hispanoamericano de Informática & Derecho (November 1998), No.5, <http://members.theglobe.com/boletin/bol5.htm>.
Herrera Bravo, Rodolfo (1998), 'Breves Antecedentes Sobre el Proyecto de Ley de Protección de los Datos Personales en Chile', Boletin Hispanoamericano de Informática & Derecho (November 1998), No.5, <http://members.theglobe.com/boletin/bol5.htm>.