Skip to content
Panama data privacy laws

What Do Panama Data Privacy Laws Look Like?


A look at the Panama data privacy laws that took affect in early 2021, and how they protect the data and online privacy of its citizens.

Surprisingly, almost half of Americans believe their private data is less secure than it was five years ago. Data from PEW Research suggests that Americans have little faith that government organizations and private companies can protect their private data.

In September 2017, credit reporting agency Equifax suffered a data breach that affected some 147 million people. This disastrous breach is one of the more popular data leaks that affected the public’s confidence that organizations can keep their private data safe.

Others include Yahoo’s admission that some three billion of its email accounts were compromised, and the accidental leakage of millions of U.S voter’s details from Deep Root Analytics.

Despite these record-breaking data breaches, inadequate data privacy practices in the United States have resulted in a few legislative actions, both at federal and state levels. But outside the U.S., other countries have begun introducing various privacy safeguards, promising a better future for data privacy legislation.

We outline below the expected adoptions of General Data Protection Regulation (GDPR)-inspired data privacy regulations in Panama.

New data protection laws:

Panama is the latest country in Central America so far to adopt data privacy laws inspired by the GDPR. Panama data protection laws were approved in 2019 and took effect on 29th March, 2021.

According to these laws, data handlers and processors should get consent from their subjects before data collection.

Data processors should also clearly define the main purpose of data collection, and take the necessary actions to ensure that private data stays secure. While these provisions closely resemble those of GDPR models, some provisions deviate from it and have an impact on how Panama implements and interprets these laws.

For instance, apart from consent, other extra bases of data legitimation guide the handling of private data.

Definition of private or personal data:

Like the GDPR definitions, laws in Panama have a comprehensive definition of personal data. As per the laws, personal data include any information about identified or unidentified people. But anonymized data in Panama is not within the scope of the law. By anonymized data, Panama laws define this as data that can’t be re-identified through reasonable means.

Right to data portability:

Panama has given users their right to data portability. This means that users can transfer their private data to other storage service providers. The right to data portability is an addition to the ARCO (Access, Rectification, Cancellation, and Opposition) rights, which allow users to exercise maximum control over their personal data.

But enforcers of data portability laws should make conscious decisions, especially on what to do when someone wants to port with data containing another person’s details. For instance, porting contract information that contains addresses and phone numbers of others implicates their data privacy rights.

Besides, while portability gives users a right to leave one platform, it doesn’t inform other users of the previous platform of any identified vulnerabilities. For instance, network effects can hinder startups from taking off. As such, interoperability should be encouraged to enable platform users to interact amongst themselves.

That said, data portability is a right and principle in Panama. It is among the general data protection principles guiding the interpretation and implementation of overarching data protection laws. Users have a legal right to receive copies of their personal data in a well-structured and machine-readable format.

Automated decision-making for individuals:

Advancing technology has enabled automated decision-making tools to make decisions about human lives, replacing human involvement in decision making. That said, there are emerging GDPR-inspired laws that individuals shouldn’t be subjected to automated decision-making in situations with possible legal consequences.

For instance, the tool can create your profile using your displayed personality, interests, behavior, movements, location, and habit. In Panama, users have a right to contest decisions and predictions made about them. Users can only exercise this right if the predictions of the automated system affect them in a negative way or infringe upon their rights.


Data protection laws play a great role in improving data governance by both government and private agencies.

While there are many essential safeguards in Panama, there is a lot to do to ensure the utmost safety of user data.

There must be a well-structured legal basis for processing personal data, and data protection frameworks in law enforcement.

Hopefully, Panama will continue adopting more legislation from general GDPR laws, and other countries in Central America will follow.

CA Staff

CA Staff