
GDPR past, present and future

In 2016, the EU adopted the General Data Protection Regulation (GDPR). It has been in effect for nearly a decade.

Because of the fast-changing technological landscape, it became necessary to make harmonised rules across Europe to create awareness among citizens that, in a digital world, many transactions and interactions remain unseen, and that agency over your data cannot happen ad hoc but must be part of a set of rules and regulations.

It is recognised as a regulatory success:
“This article explores the pivotal role of European Union institutions in the global projection of EU regulatory power, focusing on the General Data Protection Regulation (GDPR) as a case study within the framework of the Brussels effect. The Brussels effect describes the process by which EU regulations become de facto global standards, driven by two key conditions: regulatory capacity and a preference for stringent rules.”

Source: The Brussels Effect and the GDPR: EU Institutions as Catalysts for Global Data Protection Norms By James Tamim – 17/06/2024 – PDF
DOI: 10.13140/RG.2.2.28132.59529

Instead of saying “standards” we prefer to say “global benchmarks”. For our context, it might be confusing to mix regulation and standards. Discussing the relationship is useful to show why it is important for target countries to care about EU standards.

We are InDiCo-Global and we actively advocate EU policies and standards in key ICT/digital domains to encourage collaboration. Over its 36-month duration, InDiCo-Global will direct 40% of its €2.5 million budget to Capacity Building initiatives through a series of open calls for micro-projects focused on the targeted regions. Through these collaborations we will engage in broad discussion that also includes the process of standardisation itself.

Our second Open Call will open shortly. You will learn everything about it here.

The most important output of InDiCo-Global is impact. Our basis for characterising the different categories of work in the InDiCo-Global ecosystem (of about thirty to forty international partners as the first immediate influence and co-creation) is (personal) data and information privacy and security (as in measures taken to minimise risk in a connected world of devices, machines and AI-enabled agents).

This means that projects can be divided into narrow GDPR and broad GDPR. The former category is tuned to those locations and situations in which there is no privacy legislation. InDiCo-Global supports local initiatives to implement GDPR. The latter category brings the spirit of GDPR to situations in which GDPR is implemented but the debates centre on data created by machines, synthetic data created by Machine Learning and data created by AI programs and agents, the security of storage (digital wallets) and identity (eID). There, InDiCo-Global guides, co-creates and learns from approaches that can be of interest to European standardization.

Through the Open Calls we have learned that a significant number of countries in Latin America have not yet installed or adopted privacy regulation. The GDPR acts as a very important example of how such regulation can emerge and which stakeholders are necessary for this; how awareness among citizens acts as a push factor for demand and uptake; how the growing awareness of the use of private data in social media is a positive factor in this regard; and how the fast growth of AI has revitalized the need for data protection, both for citizens (for example, the consent to the use of data for training purposes in Facebook) and for SMEs that produce data which is currently being used for training without consent.

We present the current situation in Guatemala, Bolivia and Chile.

Narrow GDPR

Data Privacy and Security Regulations in Guatemala: from Julio Herrera Toledo, Red Ciudadana, Director Ejecutivo ( https://www.linkedin.com/in/julio-herrera-toledo-gt/?originalSubdomain=gt )

Guatemala currently lacks a dedicated data protection law comparable to the GDPR[1]. While the country has some sectoral regulations related to privacy and cybersecurity, there is no unified legal framework governing data protection, nor an independent data protection authority. Existing regulations, such as consumer protection laws and financial sector rules, contain some provisions on personal data handling, but they do not comprehensively address modern digital governance challenges.

The Enhancing Digital Government in Guatemala through European Standards project focuses on aligning Guatemala’s digital governance framework with European ICT standards in open data, interoperability, and digital accessibility. The project[2] directly supports the objectives by fostering international cooperation, facilitating knowledge exchange, and strengthening the adoption of standardized ICT frameworks in the region.

The Data protection regulatory framework and implementation in Bolivia[3]. From: Nicole Angel Sánchez Rojas, Especialista de protección de Datos, Fundación Internet Bolivia. ( https://www.linkedin.com/in/nicole-angel-sanchez-rojas-44nasr/ )

Although Bolivia is a country, like others, that wants to advance in the implementation of digital services, digital government and, lately, AI technologies, it does not currently have a personal data protection law. This law is basic, since all these technologies require processing a very large amount of citizens' personal data. Our project, Fostering Data Protection and Responsible AI Compliance in Bolivia, seeks to bridge this gap by promoting data protection standards based on international best practices, particularly the GDPR and the European AI Act. We aim to raise awareness and provide practical tools for small businesses, universities, and organizations to implement responsible data governance.

There have been several advocacy efforts that led to the drafting of a data protection regulation, and even the Government has advanced its own draft bill, but its approval and implementation remain pending due to polarization in Congress and disinformation about the issue. In the absence of a legal framework, data breaches and the informal sale of personal databases are common, and citizens have limited recourse against such violations.

Despite this, awareness is growing among businesses and civil society organizations. The project works with private and academic stakeholders to encourage voluntary adoption of GDPR-based practices, preparing the ground for future regulatory developments. Small businesses are often unaware of data privacy requirements, but through our workshops and coaching programs, we aim to build their capacity to integrate responsible data governance practices.

Chile is at a crucial regulatory moment within Latin America, embracing new AI and data technologies across various sectors. From: Christian Robert Yepsen Marambio, Pontificia Universidad Católica de Chile (UC Chile) through its Law, Science, and Technology Program. https://seeblocks.eu/speaker/christian-robert-yepsen-marambio

In Chile, Law 19.628, enacted in 1999, was heavily influenced by Spanish legislation. However, it had a limited impact due to a lack of effective enforcement mechanisms, undefined fines, and broad exceptions in legal bases for data processing, which became the norm in practice. As a result, data controllers could comply with minimal effort under a law designed for a different era. Additionally, some sectoral entities regulated data protection in an unstructured manner, such as the Council for Transparency.

After a long congressional debate of at least seven years, a major amendment to the Data Protection Law was approved in 2024, strongly inspired by the European GDPR[4]. This new regulation, set to take effect in 2026, aims to align Chilean data protection standards with the GDPR, incorporating updates related to consent regulation, legal bases for processing, data subject rights, obligations for controllers and processors, international data transfers, sanctions and fines, and the creation of a national data protection agency, among other provisions.

Chile is at a crucial regulatory moment within Latin America, embracing new AI and data technologies across various sectors. In 2024, the country made significant advances in modernizing its technology regulations, including the enactment of the Fintech Act and Cybersecurity Act, with the Data Protection Law set to take effect in 2026. However, despite these important developments, Chile lacks robust mechanisms to promote standardization beyond the technical community, which is an essential factor for the effective implementation of these European-inspired laws.

Stay tuned for our events (https://indico-global.eu/events), where we will discuss how to address and support this situation through the insight that, instead of targeting the national level for legislation, the European Union also has to build a methodology for how to approach cities and municipalities as the primary points of entry for GDPR-consistent implementation.

In the coming months we will assist in building such a methodology.

We have covered the area of narrow GDPR in this article. In the next posts we will continue to report on the situation in Latin America and Mexico.

We will expand on the concept of broad GDPR in the upcoming articles and will address the concept and the real, practical implementation that we see of European dataspaces, especially in the scope of the EU activities in the range of GenAI, Data and Robotics. Europe is addressing the quality and compliance of data available for training, the necessity for more sharing of data between sectors and the lack of data, which is – and this is new – tackled by promoting the use of synthetic data. We will address the three main policy documents on this topic: the Strategy for Data (still applies), the Competitive Compass & AI Continent Action Plan, and the upcoming Data Union Strategy at the end of 2025.

In the next article we will focus on three main issues: proposing a framework for promoting GDPR in Latin America and specifically the InDiCo-Global countries; the relationship between the AI Act and GDPR; and the webinar on this topic that we are hosting after summer, most likely in September, with the key players that shaped the regulatory frameworks on data, identity and the technological ecosystem.

Most Member States notice that GDPR and AI Act follow different regulatory approaches:

“GDPR is focused on the protection of data subjects’ personal data (fundamental rights based approach); its rules apply to all personal data processing activities within the scope of the GDPR following a risk-based approach. By contrast, the AI Act is a market based and product safety legislation that applies to AI systems, regardless of whether they process personal data or not that aims to ensure safety and fundamental rights within the whole AI system’s lifecycle.”

We will specifically focus on the observed need to establish a cooperation mechanism for national authorities responsible for both the GDPR and the AI Act at national level:

“This mechanism could take the form of joint task forces, technical working groups, coordination bodies, networks, and make use of tools such as conferences, policy forums, or memoranda of understanding. Such structures would facilitate collaboration and provide a platform for experts from the data protection and AI fields to jointly interpret and apply the regulatory requirements.”

Source: Main takeaways from the debate on the AI Act and the GDPR 
https://data.consilium.europa.eu/doc/document/WK-5269-2025-INIT/en/pdf

As a way to start the debate we are organising a webinar with the EU and US key players that have shaped GDPR from the beginning:

Gwendal Le Grand
Deputy Head of the EDPB Secretariat
Dr. Gwendal Le Grand has been the Head of activity for enforcement support and coordination at the European Data Protection Board (EDPB) since October 2021.

Dan Caprio
Senior Policy Advisor | DLA Piper | Cybersecurity, Privacy, AI, public policy and regulatory risk | Former Senior Official at the FTC and Commerce Department

Gérald Santucci
President of European Education New Society (ENSA) Association.
At DG CONNECT he was Head of the Unit “Knowledge Sharing” (2012-2016) and Head of the Unit “Networked Enterprise & Radio Frequency Identification (RFID)” (2006-2012)

Andrea Servida 
Retired from the European Commission; former Head of Unit “Knowledge Management & Innovative Systems” at DG CONNECT, European Commission

Andrea Servida’s view is that,
“whilst the principles and values underpinning and substantiating the need for GDPR still apply – and will always apply –, if the drafting work had to start now, I’m afraid that the approach in defining the rules/articles in the Regulation would have to be tailored much more to ensuring easy and workable enforceability via built-in privacy mechanisms. This has always been an obsession of mine but, with little if no success. In this regard, appended is a slide of mine I have often used while being still in charge of R&D activities and projects on IT security at the Commission (i.e. the years late nineties / early 2000!) as well as while being in charge of network and information security & CIIP policy (i.e. from 2006 to 2012) – the slide is actually from a PPT presentation on CIIP dated 2010.”

“Building-in enforceability mechanisms – not only in the law – would mean, for instance, incentivising and promoting much more the use of:

  • verifiable proofs for authentication and/or expressing consent;  
  • user’s privacy cockpits/agents to manage their rights;
  • user’s personal (AI) agent to negotiate data disclosure with service providers;
  • etc.”

If you have ideas or are interested in the Second Open Call, mail us at [email protected] or join our LinkedIn Group https://www.linkedin.com/groups/2206279/

If you have any ideas on how GDPR is functioning or can be improved, please contact me at [email protected]


  1. At Red Ciudadana, we are working to enhance digital government in Guatemala by adopting and implementing European ICT standards. Our goal is to improve transparency, efficiency, and accessibility in public administration through better data management, interoperability, and digital inclusion. We aim to bridge the digital divide and ensure that government services are more accessible to all citizens, including vulnerable populations. Through this initiative, we will conduct research, provide training to public officials, and develop digital platforms that enable seamless and secure data exchange. By learning from European best practices, we hope to build a more connected and responsive government that truly serves its people. ↩︎
  2. Key activities include policy analysis, capacity-building workshops for public officers, and the development of digital platforms that enhance data interoperability and accessibility. The project also engages with key stakeholders, including government institutions and civil society, to promote evidence-based policymaking and regulatory alignment with European standards. This initiative is expected to improve government efficiency, increase citizen engagement, and enhance the overall quality of digital public services. ↩︎
  3. Currently, Bolivia ranks 117 out of 130 in the Global Responsible AI Index (GIRAI) and, according to the Latin American AI rank, is the country within the region with lesser conditions to implement AI technologies. Those rankings observe that one of the main obstacles for Bolivia is the lack of regulation and appropriate institutional frameworks. This regulatory vacuum creates significant risks for digital rights and hampers Bolivia’s competitiveness in the global digital economy. Our initiative aims to introduce GDPR-aligned data protection practices and responsible AI governance in Bolivia, particularly in the private and academic sectors.

    To achieve this, we are localizing European data protection and AI risk assessment frameworks through the development of a technical manual. This will be complemented by a structured coaching process for three private entities (SMEs and startups) and partnerships with organizations such as the UN Global Compact Bolivia, the National Chamber of Commerce, and telecommunications associations. Additionally, we will introduce a compliance certification seal for organizations that successfully implement these standards. Our ultimate goal is to build local capacity and readiness for future legislative developments while strengthening Bolivia’s digital governance ecosystem. ↩︎
  4. Awareness campaigns have mainly been limited to large institutions and some financial entities, primarily focusing on preventing phishing and similar attacks. However, future campaigns are expected to expand public awareness beyond these initial efforts.

    Currently, there are no national awareness campaigns targeting SMEs or small businesses. For this reason, we aim to reach not only large enterprises but also smaller businesses. The fund allows us to open the event to a broader audience, ensuring greater public engagement. Given the extensive real-world application of data protection and cybersecurity regulations, we believe it is essential to bring this knowledge to as many people as possible. ↩︎