10 minutes /

The need for regulations to comply with the new Data Protection Law in Ecuador

Ricardo Chica Reino

Ricardo Chica Reino

When talking about personal data, it is essential to study its value, importance, and transversality. Personal data is relevant for the design and architecture of communication technologies; however, we must not ignore its scope of protection. The inappropriate processing of personal data affects the effectiveness of public and private management and the constitutional rights of natural persons. In 2019, Ecuador witnessed one of the worst leaks of sensitive personal information in Latin America. It was a server that did not meet the established security requirements and was managed by Novaestrat, an Ecuadorian marketing and analysis company. It involved 18GB of data, spread across various files, including names, financial information, and civil data for up to 20 million people.


After this event, various strategic actors from civil society made up of non-governmental organizations, academic researchers, and the media emphasized the need for a data protection law in Ecuador. This alliance argued that it was necessary that Ecuador have dedicated legislation that regulate the collection, storage, use, communication, or transfer of personal data. One of the purposes of personal data legislation is to promote innovation, economic development, and the free flow of data.


After a collective advocacy process and two draft laws, Ecuador approved its first personal data law. On May 26, 2021, the Organic Law on Personal Data Protection (LOPDP for its acronym in Spanish) was approved. The Law determines that those in charge of processing the information have two years to adapt to Ecuador’s new personal data protection regime. The Law also establishes the spirit and the rules that will apply to the government and digital economy, and now, they have to be made operational in an efficient and enforceable way. However, a law is not enough to effectively guarantee the transversal rights of the holders of personal data. Therefore, it is necessary to issue a Regulation that makes the Law effective. Currently, Ecuador is in a new phase of this process, defining the fundamental elements that the LOPDP regulatory decree must integrate.


International experience indicates that the primary challenges in protecting personal data are in implementing legislation. Even the European Regulation on the Protection of Personal Data has encountered difficulties in this regard. That is why we need to commit and learn from comparative experience to determine what is necessary for the Ecuadorian Regulation to establish what is established in the Law. 


  • Elements that the Regulation must analyze 


The issuance of a Regulation must ensure the applicability of the Organic Law on the Protection of Personal Data. Considering that the Law has gaps on different issues, the objective of this section is to analyze the minimum elements that need to be incorporated into the regulations of the approved Ecuadorian Law. 


  • Extraterritoriality and application


The Personal Data Protection Law regulation should not be uncertain about the space of the territory in which it has to be applied. For example, a conflict of jurisdiction may occur regarding international data processors’ improper processing of personal data outside the national territory. This aspect must consider that the digitization of personal data plays a fundamental role in its treatment.


Such is the case of the European Union Regulation, which establishes that:


“The responsible of treatment who are located outside the European Union but who carry out activities that involve the processing of personal data of their citizens to track their behavior, as they are through the use of cookies or the IP address, they are relevant, and the Regulation applies to them.”


  • ARCO+ Rights 


The Personal Data Protection Law of Ecuador introduces the guarantee of constitutional rights of citizens in a transversal way. Likewise, it sets out a series of principles that ensure citizens’ understanding regarding the processing of their data. These concepts refer to the ARCO+ rights, protected by the legal system to protect personal data worldwide. The rights are divided into:


  1. Access: ask the data controller for information on how personal data is processed.
  2. Rectification: modify any erroneous data.
  3. Cancellation: the prohibition of using personal data in excess or inappropriate.
  4. Opposition: resistance or dissent, expressed in request or petition.
  5. Portability: the way a receiver or person responsible for the data sends it to another person in charge in a diligent and structured manner.
  6. Oblivion: the action of request to delete personal information.


ARCO + rights must be considered immediate rights in the owner-controller relationship of data processing (Martínez – Martínez, 2018). The classical theory reduced ARCO+ rights to access, rectification, cancellation, and opposition. When we speak of a Regulation, we must try to make the rights already guaranteed by the Regulation more effective in their exercise within an administrative sphere. This would mean ensuring their exercise, suitable ways to prove identity, and different mechanisms to guarantee requests.


  • Authority and sanctions


Two mechanisms make the Law applicable: an enforcement authority and sanctions. The enforcement authority has been one of the great battles of personal data regulations worldwide, particularly when it comes to assuring its independence. The rules of the Law must assume this process. Furthermore, the authority must be endowed with sufficient powers and capacities to face the tasks entrusted to it.

The Regulations must contain the functions of the authority explicitly. Between them:


  1. Faculty of deciding on conflicts of the Law interpretation.
  2. Capacity to carry out audits and ex officio controls.
  3. Requests from interested parties on suspicion of illegality.
  4. Verify compliance with legal and regulatory provisions.
  5. Mechanisms to determine legality in the transfer of data and even internal control and storage mechanisms.
  6. Provide cooperation between the public and private sectors to develop practical measures and processes that arouse trust in information systems and production and use modalities.
  7. Clarify which are the means to obtain consent.


All these procedures have to be developed by the Regulation, even though it is already mentioned in the Law. 

The sanctions system is one of the fundamental elements to resolve issues in the processing of personal data. The aspects of being determined must be:


  1. Data protection entities and their responsibilities
  2. The hierarchical order of application of sanctions
  3. Sanction Appeal Resources
  4. Administrative and judicial procedures


A crucial characteristic of these sanctions is that they are made up of fines and the imposition of corrective measures to prevent the infraction from being committed and the conduct from occurring again.

Per the Data Protection Law, corrective measures may include, among others:


  1. The cessation of treatment under certain conditions or periods;
  2. Data deletion;
  3. The imposition of technical, legal, organizational, or administrative measures


Last but not least, the fines for violating data protection regulations should amount to between 0.7% and 1% calculated on the turnover, corresponding to the financial year immediately before the imposition of the fines (Global Suite Solutions, 2021). 


Due to the vast number of new requirements that this new regulation brings, it is essential to undertake a project that guarantees faithful compliance with the legislation and the security measures to be implemented to ensure personal data privacy.


  • Conclusions and recommendations 


  1. Understanding the structure of the Law guarantees its proper application through the upcoming Regulations. For that reason, they should not be redundant or excessive in general terms. 
  2. A control authority is essential for the exercise of ARCO+ rights. Also, the institution must have personal, financial, and operational autonomy that allow it to exercise the functions delegated by the Law of the control authority to prevent interference from public or private entities.
  3. Before the adaptation period, Ecuador needs a control authority to generate adequate training, guidelines, and standards around data protection. When the sanctioning regime comes into force, the source must have fully defined and planned control processes.
  4. The implementation of personal data protection must be holistic, and the Regulation must encompass various views in pursuit of the principle of security. Proactive responsibility is connected with certifications and codes of conduct documented and demonstrated to the authority, owners, managers, and managers. This certification must be voluntary and must cover more levels.
  5. Any Data Protection Authority must belong to a public administration institution that oversees the proper application of the Personal Data Law in Ecuador. 
  6. It is necessary for Ecuadorian institutions to prepare for the adaptation of the Law in accordance with the fact that the protection of personal data is a process subject to continuous improvement.


Ricardo Chica Reino

Ricardo Chica Reino

Other Blog Posts