Ecuador

Exclusive Statute/Bill/Draft

Ecuador enacted the Ley Orgánica de Protección de Datos Personales de Ecuador (Law for the Protection of Personal Data in Ecuador) or the LOPD. It was introduced in May 2021.

Features of Statute

The scope of material application of the Law includes both the public and private sectors. It has a broad scope and guarantees a framework for natural persons, reaching economic sectors and authorities, with certain exceptions. In addition, it safeguards the protection of fundamental data by establishing obligations that regulate the adequate treatment of data, including tools such as the notification of data breaches and the appointment of data protection delegates.

The Law determines a total of fifteen obligations for the person in charge of processing personal data. Among other obligations, the person in-charge must:

• Treat personal data in strict adherence to the principles and rights.
• Apply and implement appropriate administrative, technical, physical, organizational, and legal requirements and tools.
• Use risk analysis and management methodologies.
• Carry out evaluations of adequacy at the security level.
• Sign confidentiality contracts and ensure proper handling of personal data.
• Ensure mechanisms sufficient to guarantee the right to protection of personal data.
• Allow and contribute to the performance of audits or inspections.
• Align with other obligations established in data protection regulations, guidelines, and rules on the matter.

Related and Sector-Specific Laws

Ecuadorians have also had a constitutional right to protection of personal data since 2008. Ecuador has issued some secondary regulations of a referential nature that contain clauses dealing with sector-specific aspects of data protection, personal or otherwise. These include:

State Public Security Law

Comprehensive Organic Criminal Code

Organic Law of Telecommunications

Organic Code of the Social Economy of Knowledge

Features of Enforcement 

Composition and oversight of the regulatory body

The data protection authority, Superintendent of Protection of Personal Data, is expected to implement sectoral codes of conduct. It is the responsibility of the data protection authority to establish mechanisms that guarantee speed, efficiency, effectiveness, and gratuity and a simple procedure for the citizen to revoke his consent, similar to the process with which consent was obtained when applicable, carry out audits and verify processes of international transparency of personal data.

It is also expected that the data protection authority, together with academia, civil society organizations, and other interested parties, will report on the international situation of personal data protection.

In addition, the data protection authorities will also have to educate citizens about their rights and resources that assist them and train the business sector on the role they play in the processing of personal data.

The functions of the Superintendent of Protection of Personal Data, according to the draft Regulation of the passed Law, are summarized in the following:

• Prepare and publish statistical information of the organizations subject to its control and personal data processing annually.
• Formulate, approve and execute the budget of the Superintendency of Protection of Personal Data.
• Prepare studies and proposals on legal and regulatory reforms required for the correct exercise of the right to the protection of personal data and put them into consideration by the bodies in charge of approving them.
• Approve and issue internal rules, regulations, and manuals necessary for the Superintendency’s proper functioning under his charge.

Related Draft Legislations

Considering that Ecuador approved the Organic Law for the Protection of Personal Data in May 2021, for November 23, 2021, two working groups have been formed that allowed comments on the draft of the Regulation of the approved Law.

The draft regulation seeks to clarify the practical application of the law in the right to the protection of personal data. To this end, it will apply to all public and private sector bodies, entities, and institutions that process personal data, contained in any type of support, automated or not, as well as any subsequent use modality, inside or outside the territory.

Predominant Hurdles In Implementation

A lack of education and awareness about data protection issues is among the chief hurdles in the implementation of the new law. The government transition period post the recent presidential election of 2021 has also slowed down processes.

The absence of a more exhaustive definition of personal data along with poorly-defined exceptions could potentially lead to ambiguity in implementation.

Key National Issues in the Field

In the wake of the COVID-19 pandemic, the Ecuadorian government approved the use of satellite imagery for georeferencing local populations as a containment measure. Civil Society Organisations registered their protest against the move, pointing out it would violate the principles of necessity and proportionality. This is among the most recent issues in data protection. Adequate security for personal data is another pressing issue. A 2019 breach of a marketing and analytics firm’s database was a watershed event concerning private data, exposing the personal details of nearly 17 million Ecuadorians.

In recent years, there have also been large-scale cases of improper use and sharing of data. In 2015, for example, an Ecuadorian bank used the database of a public institution, to deny services to a person who happened to be a drug user.

Current Political Climate

In April 2021, Ecuador elected Guillermo Lasso as its president. Considered to be pro-business, the new president is seen as markedly different from his predecessor, two-time office holder Rafael Correa, who had authoritarian tendencies.

Ecuadorian citizens have ensured in recent years the defense of freedom of expression, access to public information, freedom of association, and confronting all kinds of forms of violence, advocating respect for digital privacy.

Recognizing that we people are a digital manifestation will put us in a situation of empowerment. Narratives and messages that could generate public interest in privacy and data rights will have to convey that the personal data is us. The prevention of damage caused by the inappropriate use of personal data must ensure State intervention and assign it to the entity with competence to guarantee rights.

Ecuador has to build its model for the treatment of personal data in practice, in conjunction with the international standards of the European Union and other international instruments that establish adequate guidelines and reasonable procedures

Competent authorities will have to coordinate efforts with civil society organizations and data protection activists to investigate the use of data by Ecuadorian citizens and raise awareness among citizens. For this, it is essential to emphasize that the autonomy of the protection institution is vital since being separated from the executive branch, it will have its budget to develop as it establishes its criteria.

The passage of the LOPD being so recent, it remains to be seen how the implementation will balance upholding the right to privacy with the right to free expression and information access.

Goals

Advocacy efforts are currently focused on public education, following which, they will shift to identifying influential actors in the implementation process and engaging them.

Challenges

Emphasizing that the Law has to be adjusted and adopted within two years, it is vital to expeditiously hold workgroups that include civil society organizations that protect personal data and guarantee that all legal gaps are covered. In this way, the regulatory entities would carry capacity-building processes for all sectors in a meaningful and helpful manner.