Ecuador

Ecuador enacted the Ley Orgánica de Protección de Datos Personales de Ecuador (Law for the Protection of Personal Data in Ecuador) or the LOPD in May of 2021. The scope of the Law includes both the public and private sectors. It has a broad scope and guarantees a framework for natural persons, reaching economic sectors and authorities, with certain exceptions. In addition, it safeguards the protection of fundamental data by establishing obligations that regulate the adequate treatment of data, including tools such as the notification of data breaches and the appointment of data protection delegates.

To learn more about data protection topics and programming in Ecuador, take a look at the Bolivia resource page here, or browse resources via specific categories below.

Ecuador Resources

Protección de datos personales en Ecuador: El momento es ahora

Tags - Data Protection Laws
Ecuador
Spanish

Derechos Digitales, 2021

The article analyzes the draft law on the protection of personal data and highlights its importance for Ecuador. It also contains notes on the development of data protection laws in the Latin American region.

Privacidad digital en Ecuador: el papel de la vigilancia, la jurisprudencia y los derechos humanos

Tags - Country Context, Legal Framework
Ecuador
Spanish

SIT Graduate Institute, 2019

This report conducts a case study on digital privacy in Ecuador, how it is protected and how protections should be improved. It begins by presenting the lack of proper privacy regulation, discusses different cases of data breach and lists surveillance technologies deployed across the country. Then, it analyzes local jurisprudence.

Por una Ley Protección de Datos centrada en los derechos del ciudadano

Tags - Advocacy, Data Protection Laws, Engaging Government
Ecuador
Spanish

APC, Access Now, & Derechos Digitales, 2020

An open letter from CSOs to the National Assembly of Ecuador regarding the data protection bill that was finally approved in 2021. In the letter, assembly members are asked to vote in favor of the law, which will ensure a more privacy-friendly legal framework.

Paradigmas de la protección de datos personales en Ecuador. Análisis del proyecto de Ley Orgánica de Protección a los Derechos a la Intimidad y Privacidad sobre los Datos Personales

Tags - Country Context, Data Protection Laws, Legal Framework
Ecuador
Spanish

Revista de Derecho Foro, 2018

This article aims to analyze the legal shortcomings of the draft law on data protection in order to correct them, and propose the development of a law that is synchronized with the legislation of other countries, and the technical reality of information technologies in Ecuador. The article also has a historical account of the privacy regulation process in the country.

What does the legal landscape look like in Ecuador?

The following snapshot is intended to help identify and understand the various factors impacting the passage of rights-respecting data protection legal frameworks. This includes the roadblocks to establishing a dedicated law, the key issues being considered within the data privacy conversation, the political circumstances under which these developments take place, and the ongoing advocacy practices that aim to support data privacy regulations.

Exclusive Statute/Bill/Draft

Ecuador enacted the Ley Orgánica de Protección de Datos Personales de Ecuador (Law for the Protection of Personal Data in Ecuador) or the LOPD. It was introduced in May 2021.

Features of Statute

The scope of material application of the Law includes both the public and private sectors. It has a broad scope and guarantees a framework for natural persons, reaching economic sectors and authorities, with certain exceptions. In addition, it safeguards the protection of fundamental data by establishing obligations that regulate the adequate treatment of data, including tools such as the notification of data breaches and the appointment of data protection delegates.

The Law determines a total of fifteen obligations for the person in charge of processing personal data. Among other obligations, the person in charge must:

  • Treat personal data in strict adherence to the principles and rights.
  • Apply and implement appropriate administrative, technical, physical, organizational, and legal requirements and tools.
  • Use risk analysis and management methodologies.
  • Carry out evaluations of adequacy at the security level.
  • Sign confidentiality contracts and ensure proper handling of personal data.
  • Ensure mechanisms sufficient to guarantee the right to protection of personal data.
  • Allow and contribute to the performance of audits or inspections.
  • Align with other obligations established in data protection regulations, guidelines, and rules on the matter.

Related and Sector-Specific Laws

Ecuadorians have also had a constitutional right to protection of personal data since 2008. Ecuador has issued some secondary regulations of a referential nature that contain clauses dealing with sector-specific aspects of data protection, personal or otherwise. These include:

  • State Public Security Law
  • Comprehensive Organic Criminal Code
  • Organic Law of Telecommunications
  • Organic Code of the Social Economy of Knowledge

Features of Enforcement 

Composition and oversight of the regulatory body

The data protection authority, the Superintendent of Protection of Personal Data, is expected to implement sectoral codes of conduct. It is the responsibility of the data protection authority to establish mechanisms that guarantee speed, efficiency, effectiveness, and gratuity, as well as a simple procedure for citizens to revoke their consent, similar to the process by which consent was obtained, when applicable; to carry out audits; and to verify processes of international transparency of personal data.

It is also expected that the data protection authority, together with academia, civil society organizations, and other interested parties, will report on the international situation of personal data protection.

In addition, the data protection authorities will also have to educate citizens about their rights and the resources that assist them, and train the business sector on the role it plays in the processing of personal data.

The functions of the Superintendent of Protection of Personal Data, according to the draft Regulation of the passed Law, are summarized as follows:

  • Prepare and publish statistical information of the organizations subject to its control and personal data processing annually.
  • Formulate, approve and execute the budget of the Superintendency of Protection of Personal Data.
  • Prepare studies and proposals on legal and regulatory reforms required for the correct exercise of the right to the protection of personal data and put them into consideration by the bodies in charge of approving them.
  • Approve and issue internal rules, regulations, and manuals necessary for the Superintendency’s proper functioning under his charge.

Related Draft Legislation

Following Ecuador's approval of the Organic Law for the Protection of Personal Data in May 2021, two working groups were formed for November 23, 2021, to allow comments on the draft Regulation of the approved Law.

The draft regulation seeks to clarify the practical application of the law with respect to the right to the protection of personal data. To this end, it will apply to all public and private sector bodies, entities, and institutions that process personal data held on any type of medium, automated or not, as well as to any subsequent form of use, inside or outside the territory.

Predominant Hurdles In Implementation

A lack of education and awareness about data protection issues is among the chief hurdles in the implementation of the new law. The government transition period following the recent presidential election of 2021 has also slowed down processes.

The absence of a more exhaustive definition of personal data along with poorly-defined exceptions could potentially lead to ambiguity in implementation.

Key National Issues in the Field

In the wake of the COVID-19 pandemic, the Ecuadorian government approved the use of satellite imagery for georeferencing local populations as a containment measure. Civil Society Organisations registered their protest against the move, pointing out it would violate the principles of necessity and proportionality. This is among the most recent issues in data protection. Adequate security for personal data is another pressing issue. A 2019 breach of a marketing and analytics firm’s database was a watershed event concerning private data, exposing the personal details of nearly 17 million Ecuadorians.

In recent years, there have also been large-scale cases of improper use and sharing of data. In 2015, for example, an Ecuadorian bank used the database of a public institution to deny services to a person who happened to be a drug user.

The passage of the LOPD being so recent, it remains to be seen how the implementation will balance upholding the right to privacy with the right to free expression and information access.

Goals

Advocacy efforts are currently focused on public education, following which, they will shift to identifying influential actors in the implementation process and engaging them.

Challenges

Given that the Law has to be adjusted and adopted within two years, it is vital to expeditiously hold workgroups that include civil society organizations that protect personal data, and to guarantee that all legal gaps are covered. In this way, the regulatory entities would carry out capacity-building processes for all sectors in a meaningful and helpful manner.

Hear from FCD

ADAPT’s partner FCD has been conducting advocacy promoting data privacy in the country since early 2021. Check out their blogs and podcasts that showcase some of the core elements of their work and the issues that they prioritize.

Ecuador Podcasts

EPISODE

La Culpa Es De Graciela: A Creative Storytelling Series on Data Rights [Español]

EPISODE

La Culpa Es De Graciela (Graciela is to Blame): A Creative Storytelling Series on Data Rights [English]

EPISODE 4

Ecuador: de la fuga de datos más grande de la historia a una de las leyes más innovadoras de la región

EPISODE 4

Ecuador: From a Country-Wide Data Breach to One of the Most Innovative Privacy Laws in the Region

Ecuador Blog Posts

15 minutes /
The constant development of technologies and the expansion of internet use have established, at a global level, the need for mechanisms that safeguard the exercise of rights when using technologies. One of those mechanisms is the approval of specific laws that expand constitutional guarantees concerning privacy and informational self-determination, such...
Ricardo Chica Reino and Verónica Salinas

30 minutes /
Available in English, Portuguese, and Spanish (see links below). Since 2018, over sixty countries around the world have enacted or proposed new data protection laws, with those numbers steadily increasing each year. Data protection regulatory bodies and agencies are entrusted with massive responsibilities to enforce these newly passed laws across all sectors of society, often while significantly under-resourced with small...
ADAPT

10 minutes /
The third workshop of the Data Privacy Learning Series took place on February 1st, 2022, and discussed the challenges in creating and maintaining independent data protection authorities in the ADAPT partner countries, some having passed comprehensive data protection legislation and others currently discussing it. The choice of subject for the workshop was validated by talks conducted with the partners prior...
Data Privacy Brazil

10 minutes /
This workshop took place in the context of the Data Privacy Learning Series, a series of five events with members of the ADAPT project, whose goal is to tackle concrete issues around advocacy and activism on data protection in the Global South. The series is being conducted by Data Privacy Brasil Research Association with the support of Internews and the...
Data Privacy Brazil