Ecuador enacted the Ley Orgánica de Protección de Datos Personales de Ecuador (Law for the Protection of Personal Data in Ecuador) or the LOPD in May of 2021. The scope of the Law includes both the public and private sectors. It has a broad scope and guarantees a framework for natural persons, reaching economic sectors and authorities, with certain exceptions. In addition, it safeguards the protection of fundamental data by establishing obligations that regulate the adequate treatment of data, including tools such as the notification of data breaches and the appointment of data protection delegates.
Derechos Digitales, 2021
The article analyzes the draft law on the protection of personal data and remarks its importance for Ecuador. It also contains notes on the development of data protection laws in the Latin America region.
SIT Graduate Institute, 2019
This report conducts a case study on digital privacy in Ecuador, how it is protected and how protections should be improved. It begins by presenting the lack of proper privacy regulation, discusses different cases of data breach and lists surveillance technologies deployed across the country. Then, it analyzes local jurisprudence.
APC, Access Now, & Derechos Digitales, 2020
An open letter from CSOs to the National Assembly of Ecuador regarding the data protection bill that was finally approved in 2021. In the letter, assembly members are asked to vote in favor of the law, which will ensure a more privacy-friendly legal framework.
Revista de Derecho Foro, 2018
This article aims to analyze the legal shortcomings of the draft law on data protection in order to correct them, and propose the development of a law that is synchronized with the legislation of other countries, and the technical reality of information technologies in Ecuador. The article also has a historical account of the privacy regulation process in the country.
The following snapshot is intended to help identify and understand the various factors impacting the passage of rights-respecting data protection legal frameworks. This includes the roadblocks to establishing a dedicated law, the key issues being considered within the data privacy conversation, the political circumstances under which these developments take place, and the ongoing advocacy practices that aim to support data privacy regulations.
Exclusive Statute/Bill/Draft
Ecuador enacted the Ley Orgánica de Protección de Datos Personales de Ecuador (Law for the Protection of Personal Data in Ecuador) or the LOPD. It was introduced in May 2021.
Features of Statute
The scope of material application of the Law includes both the public and private sectors. It has a broad scope and guarantees a framework for natural persons, reaching economic sectors and authorities, with certain exceptions. In addition, it safeguards the protection of fundamental data by establishing obligations that regulate the adequate treatment of data, including tools such as the notification of data breaches and the appointment of data protection delegates.
The Law determines a total of fifteen obligations for the person in charge of processing personal data. Among other obligations, the person in-charge must:
Related and Sector-Specific Laws
Ecuadorians have also had a constitutional right to protection of personal data since 2008. Ecuador has issued some secondary regulations of a referential nature that contain clauses dealing with sector-specific aspects of data protection, personal or otherwise. These include:
State Public Security Law
Comprehensive Organic Criminal Code
Organic Law of Telecommunications
Organic Code of the Social Economy of Knowledge
Features of Enforcement
Composition and oversight of the regulatory body
The data protection authority, Superintendent of Protection of Personal Data, is expected to implement sectoral codes of conduct. It is the responsibility of the data protection authority to establish mechanisms that guarantee speed, efficiency, effectiveness, and gratuity and a simple procedure for the citizen to revoke his consent, similar to the process with which consent was obtained when applicable, carry out audits and verify processes of international transparency of personal data.
It is also expected that the data protection authority, together with academia, civil society organizations, and other interested parties, will report on the international situation of personal data protection.
In addition, the data protection authorities will also have to educate citizens about their rights and resources that assist them and train the business sector on the role they play in the processing of personal data.
The functions of the Superintendent of Protection of Personal Data, according to the draft Regulation of the passed Law, are summarized in the following:
Related Draft Legislations
Considering that Ecuador approved the Organic Law for the Protection of Personal Data in May 2021, for November 23, 2021, two working groups have been formed that allowed comments on the draft of the Regulation of the approved Law.
The draft regulation seeks to clarify the practical application of the law in the right to the protection of personal data. To this end, it will apply to all public and private sector bodies, entities, and institutions that process personal data, contained in any type of support, automated or not, as well as any subsequent use modality, inside or outside the territory.
Predominant Hurdles In Implementation
A lack of education and awareness about data protection issues is among the chief hurdles in the implementation of the new law. The government transition period post the recent presidential election of 2021 has also slowed down processes.
The absence of a more exhaustive definition of personal data along with poorly-defined exceptions could potentially lead to ambiguity in implementation.
Key National Issues in the Field
In the wake of the COVID-19 pandemic, the Ecuadorian government approved the use of satellite imagery for georeferencing local populations as a containment measure. Civil Society Organisations registered their protest against the move, pointing out it would violate the principles of necessity and proportionality. This is among the most recent issues in data protection. Adequate security for personal data is another pressing issue. A 2019 breach of a marketing and analytics firm’s database was a watershed event concerning private data, exposing the personal details of nearly 17 million Ecuadorians.
In recent years, there have also been large-scale cases of improper use and sharing of data. In 2015, for example, an Ecuadorian bank used the database of a public institution, to deny services to a person who happened to be a drug user.
Current Political Climate
In April 2021, Ecuador elected Guillermo Lasso as its president. Considered to be pro-business, the new president is seen as markedly different from his predecessor, two-time office holder Rafael Correa, who had authoritarian tendencies.
Ecuadorian citizens have ensured in recent years the defense of freedom of expression, access to public information, freedom of association, and confronting all kinds of forms of violence, advocating respect for digital privacy.
Recognizing that we people are a digital manifestation will put us in a situation of empowerment. Narratives and messages that could generate public interest in privacy and data rights will have to convey that the personal data is us. The prevention of damage caused by the inappropriate use of personal data must ensure State intervention and assign it to the entity with competence to guarantee rights.
Ecuador has to build its model for the treatment of personal data in practice, in conjunction with the international standards of the European Union and other international instruments that establish adequate guidelines and reasonable procedures
Competent authorities will have to coordinate efforts with civil society organizations and data protection activists to investigate the use of data by Ecuadorian citizens and raise awareness among citizens. For this, it is essential to emphasize that the autonomy of the protection institution is vital since being separated from the executive branch, it will have its budget to develop as it establishes its criteria.
The passage of the LOPD being so recent, it remains to be seen how the implementation will balance upholding the right to privacy with the right to free expression and information access.
Goals
Advocacy efforts are currently focused on public education, following which, they will shift to identifying influential actors in the implementation process and engaging them.
Challenges
Emphasizing that the Law has to be adjusted and adopted within two years, it is vital to expeditiously hold workgroups that include civil society organizations that protect personal data and guarantee that all legal gaps are covered. In this way, the regulatory entities would carry capacity-building processes for all sectors in a meaningful and helpful manner.
Exclusive Statute/Bill/Draft
Ecuador enacted the Ley Orgánica de Protección de Datos Personales de Ecuador (Law for the Protection of Personal Data in Ecuador) or the LOPD. It was introduced in May 2021.
Features of Statute
The scope of material application of the Law includes both the public and private sectors. It has a broad scope and guarantees a framework for natural persons, reaching economic sectors and authorities, with certain exceptions. In addition, it safeguards the protection of fundamental data by establishing obligations that regulate the adequate treatment of data, including tools such as the notification of data breaches and the appointment of data protection delegates.
The Law determines a total of fifteen obligations for the person in charge of processing personal data. Among other obligations, the person in-charge must:
Related and Sector-Specific Laws
Ecuadorians have also had a constitutional right to protection of personal data since 2008. Ecuador has issued some secondary regulations of a referential nature that contain clauses dealing with sector-specific aspects of data protection, personal or otherwise. These include:
State Public Security Law
Comprehensive Organic Criminal Code
Organic Law of Telecommunications
Organic Code of the Social Economy of Knowledge
Features of Enforcement
Composition and oversight of the regulatory body
The data protection authority, Superintendent of Protection of Personal Data, is expected to implement sectoral codes of conduct. It is the responsibility of the data protection authority to establish mechanisms that guarantee speed, efficiency, effectiveness, and gratuity and a simple procedure for the citizen to revoke his consent, similar to the process with which consent was obtained when applicable, carry out audits and verify processes of international transparency of personal data.
It is also expected that the data protection authority, together with academia, civil society organizations, and other interested parties, will report on the international situation of personal data protection.
In addition, the data protection authorities will also have to educate citizens about their rights and resources that assist them and train the business sector on the role they play in the processing of personal data.
The functions of the Superintendent of Protection of Personal Data, according to the draft Regulation of the passed Law, are summarized in the following:
Related Draft Legislations
Considering that Ecuador approved the Organic Law for the Protection of Personal Data in May 2021, for November 23, 2021, two working groups have been formed that allowed comments on the draft of the Regulation of the approved Law.
The draft regulation seeks to clarify the practical application of the law in the right to the protection of personal data. To this end, it will apply to all public and private sector bodies, entities, and institutions that process personal data, contained in any type of support, automated or not, as well as any subsequent use modality, inside or outside the territory.
Predominant Hurdles In Implementation
A lack of education and awareness about data protection issues is among the chief hurdles in the implementation of the new law. The government transition period post the recent presidential election of 2021 has also slowed down processes.
The absence of a more exhaustive definition of personal data along with poorly-defined exceptions could potentially lead to ambiguity in implementation.
Key National Issues in the Field
In the wake of the COVID-19 pandemic, the Ecuadorian government approved the use of satellite imagery for georeferencing local populations as a containment measure. Civil Society Organisations registered their protest against the move, pointing out it would violate the principles of necessity and proportionality. This is among the most recent issues in data protection. Adequate security for personal data is another pressing issue. A 2019 breach of a marketing and analytics firm’s database was a watershed event concerning private data, exposing the personal details of nearly 17 million Ecuadorians.
In recent years, there have also been large-scale cases of improper use and sharing of data. In 2015, for example, an Ecuadorian bank used the database of a public institution, to deny services to a person who happened to be a drug user.
Key National Issues in the Field
In the wake of the COVID-19 pandemic, the Ecuadorian government approved the use of satellite imagery for georeferencing local populations as a containment measure. Civil Society Organisations registered their protest against the move, pointing out it would violate the principles of necessity and proportionality. This is among the most recent issues in data protection. Adequate security for personal data is another pressing issue. A 2019 breach of a marketing and analytics firm’s database was a watershed event concerning private data, exposing the personal details of nearly 17 million Ecuadorians.
In recent years, there have also been large-scale cases of improper use and sharing of data. In 2015, for example, an Ecuadorian bank used the database of a public institution, to deny services to a person who happened to be a drug user.
The passage of the LOPD being so recent, it remains to be seen how the implementation will balance upholding the right to privacy with the right to free expression and information access.
Goals
Advocacy efforts are currently focused on public education, following which, they will shift to identifying influential actors in the implementation process and engaging them.
Challenges
Emphasizing that the Law has to be adjusted and adopted within two years, it is vital to expeditiously hold workgroups that include civil society organizations that protect personal data and guarantee that all legal gaps are covered. In this way, the regulatory entities would carry capacity-building processes for all sectors in a meaningful and helpful manner.
ADAPT’s partner FCD has been conducting advocacy promoting data privacy in the country since early 2021. Check out their blogs and podcasts that showcase some of the core elements of their work and the issues that they prioritize.