Currently, many VPN service providing corporation based in Panama, guarantee their clients, that Panama legislation does not obligate them to maintain a data record of their client´s online activity. Nonetheless, due to some international regulation and a new interpretation of the District Attorney´s office, it might not be as simple as it sounds.
Panama regulates every single data related issue, based first on concept established by the Data Access Law of 2002. This Law defines information as “Every type of data contained on any mean, document, register, printed, optical, electronic, chemical, physical or biological.”. As we can see, it is a very wide and comprehensive definition, that by any means covers, the data related issue that the clients is currently facing.
According to the Panamanian constitution, article 42, every Panamanian and/or foreign persons or corporations, have the right to access their personal information, kept in public or private records, and also to request its rectification, protection or suppression.
What is really important for this case is that the constitution, only establishes the right to access the “recorded data”, but does not grants the right to have it recorded. But, instead the constitution, restrict the right to record personal data to meet specific purposes, and only with the consent of the owner of the information. With the exception of the data that through a certain Law is requested by the government to be recorded.
This article of the constitution, clearly limits the capability of any corporation to openly record their clients data, without their previous consent, but if a Law complies them to record it, they will have to do it with or without their clients consent. Therefore, we must determine if there is indeed a specific Panamanian, Law that request VPN service providing corporation based in Panama, to record their client’s data.
The Law No. 51 of September of 2009 regulates all telecommunication network companies that provide services in and from Panama. This Law request telecommunication companies to record all their users data, retain and protect it for future possible legally requested disclosure orders, from a judicial competent authority.
Since this Law, formally establishes the legal obligation to record clients data by telecommunication networks companies that render their services and/or commercializes them, in or from the Republic of Panama, these companies are legally to record their clients data, establish data banks and conserve the recorded information of all the clients that hires their services, in order to be able to disclose it to a judicial competent authority, upon a future formal request.
Thus, to determine if a VPN provider company is indeed legally bound by the Law 51 of 2009 to record their client’s data and disclose it to the authorities upon formal request, we must first determine if a VPN provider is a Telecommunication network company.
According to Panamanian Law that regulates telecommunications the terms regarding telecommunications, will be ruled among other documents by the ones attributed by the International Telecommunication Union. (ITU).
The International Telecommunication Union rendered on 2008 the resolution ITU-T Y.2811 TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (07/2012) SERIES Y: GLOBAL INFORMATION INFRASTRUCTURE, INTERNET PROTOCOL ASPECTS AND NEXT-GENERATION NETWORKS Next Generation Networks – Generalized mobility Framework of the mobile virtual private network service in next generation networks. Within this resolution, defines a Virtual Private Network as a communication network, built over public and/or private network resources, used to support controlled and secure communications within a group of users as if they were on a private network.
If we start from a point, in which the legally applicable definition of VPN is a communication network, then we must consider VPN provider companies bound by the Law 51 of 2009 to record all their users data, retain and protect it for future possible legally requested disclosure orders, from a judicial competent authority.
Due to this interpretation, the District Attorney´s office is currently receiving and processing, international information requests, to enforce Panama based VPN provider corporations to provide the recorded data of their client´s online activity. This can represent a complicated situation due to the current practice of not recording data and guaranteeing their clients record of their online activity.
We strongly advice VPN provider companies, to contact us if you are currently facing any situation related with the disclosure of your client´s data with the local authorities. Also if you are not currently facing this issue, we advise you to let us help you properly structure your corporation, so you can avoid future related situations with the District Attorney´s Office.
Juan Raúl Sevillano
jrsevillano@padela.com
TweetJoin our mailing list to receive newsletter, awards, articles, team and more.
Get it now