Produced by Fundación Ciudadanía y Desarrollo. In 2019, Ecuador went through the biggest data breach in its history, with the personal data of most citizens leaked online. The consequences are still difficult to measure, but the gravity of the situation pushed everyone to act- FINALLY privacy advocates who had been pushing for data protection legislation for years were able to capitalize on this event to get a law passed in May of this year. The best part of the story, –and the one we’re telling in this episode– is, what happened behind the scenes: how privacy advocates and experts in Ecuador came together to discuss the issues and build a comprehensive and innovative privacy law. Guided by Ricardo Chica from Fundación Ciudadanía y Desarrollo we also look at what activists are doing now that the law has passed and what needs to change in Ecuador to not only prevent future data breaches and violations but to also promote a culture of privacy in the country.
Research and Interviews: Rircardo Chica, Laura Vidal, Laura Schwartz-Henderson
Concept and script: Laura Vidal & Ricardo Chica
Entrevistas: Daniela Macías and Matthew Armijos Burneo. Con extractos de La Regla del Pomodoro, de Fundamedios, en los que participan Lorena Naranjo, Frank LaRue and Luis Enríquez.
With the voices of Ben Whitehead, Gina Helfrich and John Remensperger
Editing & Mixing: Laura Vidal & Ergi Shkëlzeni
Visual Design: Ura Design
Executive Producers: Laura Schwartz-Henderson and Laura Vidal
Sponsored by Internews and Heinrich-Böll-Stiftung Washington DC
[Intro]
Laura Vidal:
In 2019, Ecuador saw the worst data breach incident in history, the Novaestrat case, which is called by the name of the Ecuadorian marketing and analytics company responsible for the leak. It was 18 GB of data distributed in a variety of files on a server in Miami that did not have adequate protection and that included personal data of up to 20 million people. What happens when personal data from an entire country is leaked from one system? In short, the basic personal data of all of Ecuador was ready for anyone who wanted to use it …
Daniela Macías – Spanish:
Números de tarjetas, cuentas de banco… [fades]
Daniela Macías – English:
there were: account numbers, bank codes, card numbers, sensitive data, there was everything about everyone, the personal information of each and every Ecuadorian. Even many of them are already deceased.
Laura Vidal:
This is Daniela Macías, an expert lawyer in new technologies and security. The data leak was a disaster and it is still impossible to measure the consequences … but …
Daniela Macías – Spanish:
Nos empezamos a dar cuenta de lo grave que nos había pasado… [fades]
Daniela Macías – English:
we began to realize that given the magnitude of what had happened to us and how serious it was. We had no legislation that could help us stop this. Some tried to use the Penal Code, as there were certain criminal types that could be tackled, but since there was no law of personal data protection, it was difficult and complicated to determine who was responsible, and how they should respond.
Laura Vidal:
Activists and interested stakeholders have been advocating for a comprehensive personal data law in Ecuador since 2017, but the Novastrat case gave the process a powerful push … From there, Ecuador moved from having a relatively slow discussion, led mainly by activists and experts on the subject, to become one of the countries in Latin America with a comprehensive and detailed law, as a result of rich debates and discussions that included experts on a large number of topics. How did one thing lead to another and how much does everything change now that there is a law? That’s what we’re going to talk about in today’s episode…
[Music]
Laura Vidal:
Welcome and welcome Privacy is Global – A podcast created in collaboration with Internews and the Heinrich Boell Foundation where we will share experiences and information on data protection, privacy of course, and the valuable work of organizations in various countries of the world dedicated to these issues. I’m Laura Vidal. Laura Schwartz-Henderson is in the production desk this week.
Most of you probably know by now, but for those joining the party, each week this podcast passes the mic to an organization in each episode to discuss issues related to data privacy and legislation in many countries around the world. In our previous episode we explored the challenges and work of some of our member organizations in Nigeria, Kenya and Bolivia; and before that our friends at Paradigm Initiative, again in Nigeria, told us more about the challenges of advocating got data privacy and data protection. Most of our episodes are in English; but the ones that we will make with our friends in Latin America will have their initial version in Español… Don’t miss them. The next one is in Bolivia …
Today it’s Ecuador’s turn with Fundación Ciudadanía y Desarrollo (FCD), whose mission is to promote the rule of law, democracy and transparency… Our dear Ricardo Chica guided us from Quito in this exploration around privacy issues in Ecuador. He also told us a bit of the projects and ideas that FCD is developing, now that a new Data Protection Law finally was approved in May this year.
As Teki Akoueteh from Ghana said in our episode last week “Every law has its own context”. And Ecuador’s data protection law has the backdrop of this huge data breach of 2019. Ricardo explained a bit further, and took us through what can happen in daily life when the data of a whole country leaks into the internet…
Ricardo Chica – Spanish:
Es muy preocupante… [fades]
Ricardo Chica – English:
It is actually very worrying for the entire country … We have around 20 million Ecuadorians who were affected, including children and teenagers. Whole families were victims of a massive information leak. We are yet to know for sure if it was an oversight, a lack of proper management… or if it something that came out of the process of becoming a digital State… We don’t know where all this data was sent, but we do know it was leaked from the Civil Registry. There you have data from families and their networks, and you can find out the interests of a person. We are not sure to what extent this can be connected to the personal information and the interests that have already been shared online. I’m thinking mainly of young people constantly sharing what they like on social media for example. But we should also think of people’s conversations online and their daily activities, from going to the supermarket to what they spend every month. We still don’t know how worried we should be, the consequences haven’t been immediate. However, I believe we can already see how this type of information has been used to build narratives, political and social narratives, something that could directly affect how much Ecuadorians can be controlled.
Laura Vidal:
And that includes fraud and cybercrimes that can bring down systems, right?
Ricardo Chica – Spanish:
Te cuento… [fades]
Ricardo Chica – English:
Let me tell you something: it is very easy for a banking system to just break down. The Pichincha bank, for example. It’s system fell for days just last week. This makes life very hard for people who need to pay their bills, or who have an emergency, or that need to send money abroad… All of this is directly connected to the fact that we do not have platforms that could protect our data from this type of cyber attack
Laura Vidal:
Incidents on digital platforms and problems of abuse in the handling of personal data are not limited to the great data breach of 2019. And as we said at the beginning, the fight for legislation predates the incident. In fact, the Ecuadorian State has recognized the right to privacy since 2018, but making this right effective and useful has been very complex. We asked Daniela Macías, the same expert we heard at the beginning of the episode, how the new law makes these protections possible:
Daniela Macías – Spanish:
El Estado Ecuatoriano reconoce… [fades]
Daniela Macías – English:
The Ecuadorian State recognizes the right to the protection of personal data from 2018, in the 66th article of the constitution. However, its execution has been very difficult to materialize due to the lack of regulation on the essential content and the scope of protection provided by this right. In the year 2021 with the Organic Law on Data Protection, this right is endowed with a regulatory body, and all the necessary elements and definitions.
Laura Vidal:
The process behind today’s law was not simple at all. We’re talking countless work tables to arrive at a preliminary draft, bills that were not approved, even tense moments regarding the regulation of social networks… Now, this process and these complex conversations make the most interesting aspect of the law. It gave us a text fed by experiences inside and outside of Ecuador, and inside and outside of Latin America; as well as experience of experts and representatives from many areas and sectors… Ricardo tells us a bit more…
Ricardo Chica – Spanish:
Lo más importante del proceso… [fades]
Ricardo Chica – English:
What’s most important about the process is that it was participatory, and also that it was sustained. It started in 2017 and didn’t stop or get interrupted, in other words, it wasn’t forgotten and remained in the public eye. They started having a variety of workshops and roundtables organized by the National Public Data Registry Office. Civil society groups went further and organized other roundtables with academics, the private sector and the general public. The process of making this law was exceptional in that it was a real co-creation with wide participation. The result are complex conversations, but also several gratifying experiences that are illustrated in the wide support for the bill. The process allowed a lot of collaboration to determine the structure of the law, its chapters, the amount of articles in a certain area, the exceptions, and what kind of organism needs to be regulated or sanctioned. You can see how this dialogue helped to take into account the needs from different groups and make the text stronger.
Laura Vidal:
Matthew Armijos Burneo, who collaborated directly with the preparation of the preliminary draft of the law explains it…
Matthew Armijos Burneo – Spanish:
Fue un eje primordial de la preparación del documento… [fades]
Matthew Armijos Burneo – English:
The preparation of the document involved several actors from different sectors. Not only were there lawyers specialized in the protection of personal data and rights of new technologies but there was also the participation of economists from the financial and banking sector, representatives of the health sector, of the telecommunications sector; professionals and experts in cybersecurity, experts in the field of information technology… All of them strengthened the technical nature of this law, which also goes hand in hand with all the new international trends regarding the right to protection of personal data; including the European Union’s Regulation as well as the Latin American conventions, which integrate both a preventive and a reactive level. All of this makes our law both innovative and exceptional.
Laura Vidal:
What comes now is the application of the law, which starts with a period given to both the public and private sector to catch up with the new requirements and avoid penalties. This will most probably translate into an avalanche of calls and emails, only now they won’t be pushing products or services, but rather asking people for permission to use their personal data and explaining how they will use it. Lorena Naranjo, Head of the National Direction of Public Data Registry, explains this a little more thoroughly, and also gives us a clue: this process also aims to regulate illegal data markets and also rise awareness of the value of our data, something that needs a great change of the public mentality around privacy and data protection.
…This conversation was organized by Fundamedios, an Ecuadorian NGO devoted to freedom of expression and access to information. The event took place on May 21, 2021, little after the law was passed, and it is available on Fundamedios’ YouTube channel:
Lorena Naranjo – Spanish:
Que una compañía adopte una lógica de protección de datos no es un proceso simple… [fades]
Lorena Naranjo – English:
Having a company or an institution adopting a data protection logic is not a simple process. We’re not used to this. The simplest example could be that of companies outsourcing call center services. They’ll have to organize trainings for their employees, write scripts for them to ask customers in a single call if they can use their data, and explain how they’ll be using it. They’ll have to think how to articulate all of this within their system departments, and their product design so they can be able to segment and analyze data properly. And this would be the case of a responsible company, it will be a costly and complex adaptation process; one in which they’ll have to realize that their most important capital now is not their physical assets, but their digital assets: the data of their clients. The State needs to become aware of the same thing. There must also be a series of actions; like the creation of a institution devoted to data protection, for example; one that will have to work very hard throughout the country, come up with guidelines and regulations that can help with the challenges that will arise; and also to tackle the regularization of all the illegal data markets that exist today. Training is also a big part of this transition process. We will need to structure education initiatives, training for professionals, for young students, for children. The challenge will be huge, but I believe that’s what’s coming…
Laura Vidal:
This period is also the time when the law begins to show what works and what doesn’t through everyday use. That is why one of the most important challenges at this stage is for people to become aware of both the law and what it entails. In other words, the great conversation about privacy and data that is taking place everywhere, each time in a local flavor. Now, the question here is … what’s the state of the conversation now in Ecuador?
Ricardo Chica – Spanish:
Es un tema del que se habla poco en Ecuador…. [fades]
Ricardo Chica – English:
It’s an issue that is not being discussed enough. Now that the law has passed, a broad communication process should take place. One that goes beyond the spaces lead by those of us who work advocating for data privacy. It is important that this conversation can take place everywhere: with our neighbors, at the store, among relatives, at the dinner table. It is important that everyone knows that personal data is a digital manifestation of our own selves. This can empower us to face the risks that could be coming our way. We use our data daily, it is time for us to know what’s behind it and how it’s handled.
[Webinar sounds]
Laura Vidal:
What we hear in the background is one of the webinars organized by FCD. These webinars are part of the communication and education process that Ricardo was talking about, starting with actors from the public and the private sector. In these webinars there are experts who share reports and informative material, refer to other cases inside and outside of Ecuador, and also answer questions from the audience… This webinar in particular is led by Daniela Macías, the same expert we heard some minutes ago in this episode. We are talking about an expanded educational process taking place in many spaces, on a lot of platforms. This is the first step for the conversation about data privacy to go beyond experts, find and create different kinds of bridge and reach “the dinner table”…
Laura Vidal:
This is something that also was put forward by two experts interviewed by Fundamedios in the online conversation we featured minutes ago in this episode. They discuss the need for data privacy and data protection to be an integral part of digital literacies. We’ll be listening now to Frank LaRue, legal and Human Rights director of Fundamedios:
Frank LaRue – Spanish:
Gracias a Dios, en América Latina hay numerosas organizaciones trabajando… [fades]
Frank LaRue – English:
Thankfully, in Latin America there are countless organizations working on digital issues from a human rights perspective, taking into account people’s rights. I believe this is the perspective we need for digital literacy. That is, not just learning how to use the internet, but also how to protect yourself, your personal information, and have some control over how it is handled…
Laura Vidal:
and this is Luis Enríquez, coordinator of the Observatory of Cyber Rights and Technosociety of the Universidad Andina Simón Bolívar of Ecuador.
Luis Enríquez – Spanish:
A mi entender no tenemos la costumbre de leer los términos de uso… [fades]
Luis Enríquez – English:
We don’t really have the habit of reading the terms of use. We need to learn how to do it and build that habit. The law also aims to help us understand what is being done with our data, to oppose fraudulent uses, and also to stop companies from writing obscure terms of use. Remember Google’s sanction in France for having terms that were not clear! At the end… this data flow is inevitable; we need to empower ourselves and take control over the use of our data. As Lorena said before…
Laura Vidal:
He means Lorena Naranjo
Luis Enríquez – English:
…our data is an asset, but it is a conditional one. The law pushes companies to empower their users. And there, I see a connection with digital literacy. Digital literacy means knowing about data protection and data privacy. We have to get out of the populist deception that giving tablets to teachers is to digitize the country… That’s not true.
Ricardo Chica – Spanish:
En Fundación Ciudadanía y Desarrollo ha sido importante traer expertos de Ecuador… Fades
Ricardo Chica – English:
At FCD it has been quite important to bring together experts from Ecuador and abroad. Meaning that we count on people who have experienced the process and the struggle, who have advocated for the law, who participated in its first proposal, its corrections; but also with international experts who specialize in much more advanced topics. And by advanced I mean experienced in other regional contexts. We have worked with experts from Bolivia and Germany; and we have national experts who work at the National Direction of Public Data Registry. Ours has two phases: the first is aimed at the private sector, civil society organizations and Academia; and the second is focused on the public sector […]
Laura Vidal:
So, all of this, and what we just heard, means one of the most important challenges now is education…
Ricardo Chica – Spanish:
Totalmente… [continues and fades]
Ricardo Chica – English:
Totally … And following with what we were saying before… The institution that will be in charge at the end, of protecting personal data, making sure it’s treated appropriately and punishing those who don’t, has to provide educational resources and spaces for the general public. This can be done through campaigns, even in the streets, you know, or through information that reaches you directly and in the most appropriate way. Information that can be both simple, but complete enough, so that you as a citizen, as someone who does not know about law, or that doesn’t care much about the issue, can be aware of what’s going on, what the reality is. A kind of education that can make everyone aware to what extent that our personal data is very much who we are in the digital world and the real world.
Laura Vidal:
This is the end of our episode! Many thanks to all the experts who helped us in the development of the episode: Daniela Macías, Matthew Armijos Burneo, Marcelo Espinel, Mayli Rosas and of course Ricardo Chica, who led and guided us to understand and highlight the most important points of this story. Privacy is Global is produced (and many times also hosted) by Laura Schwartz Henderson and myself, it is mixed and designed by Ura and comes to you thanks to Internews and the Heinrich Boell Foundation. Follow us on social networks! You’ll find us on Twitter as @InternewsADAPT and on Instagram as @internews_ADAPT. There you can find more information about our episodes, the organizations that are part of the ADAPT consortium and a lot of the material we use to make our episodes.
We’ll be back soon with more data and privacy stories around the world. In the meantime, start reading those terms of use… thank you for listening!