The National Assembly announced, on 21 July 2016, that its President, Gabriela Rivadeneira, had presented a bill on the Protection of Privacy and Personal Data (‘the Bill’). The Bill sets out the rationale behind its introduction, highlighting the need in Ecuador to regulate the public and private use of personal information and to start an awareness process on this use, in order to tackle the risks that the development and expansion of information technology and communications bring.
Mario Flor, Partner at Bustamante & Bustamante, told DataGuidance, “There is a lack of data protection culture in Ecuador. We believe that it would take some time for people and companies to become accustomed to the new legal requirements. Companies will have to implement compliance agents, as well as design data protection policies and protocols in order to fulfill the Bill’s requirements.”
In particular, the Bill provides for data subject rights with regard to the use and processing of their data, including provisions on access, rectification, erasure, and consent. Specifically, the Bill requires organisations to obtain the prior consent of the data subject before collecting and using data. It also regulates international data transfers by prohibiting transfers to countries or international organisations that do not provide appropriate levels of protection in accordance with international or regional standards.
Juan Javier Canessa, Partner at Larrea & Canessa, highlighted, “Based on the fact that up to this date Ecuador does not have a uniform law regarding protection and management of personal databases, we consider positive the intention to issue such a law that gathers and develops non-existing concepts such as ‘sensitive data,’ ‘data controller’ vs. ‘data processor,’ ‘consent’ and ‘international data transfer.’”
The Bill would create the National Authority for Personal Data Protection to oversee compliance with the law and would impose a requirement on organisations to register their databases on a national register, which the Authority will manage. Sanctions for violations are also outlined, including fines, the temporary suspension of databases and even permanent closure.
Canessa noted, “We remain concerned about the creation of a governmental entity with very broad powers to control and impose penalties. We also found the state interference on this topic worrying, since it even requires the registration of private databases in a governmental public record, which could end up creating several problems for database users in general.”
The Bill’s preamble highlights that although the 2008 Constitution provides for the right to privacy under Article 66, in practice, personal information which should only be provided by the data subject has become relatively simple to access.
Pedro Hajj, Senior Associate at FERRERE, stated, “It is important for our legal system to include a privacy law in order to protect the personal information of the people. Many public and private institutions handle sensitive and confidential information that needs to be protected according to our constitutional rights.”
This is not the first data protection bill to be presented to the Ecuadorian National Assembly: in January 2015, a different bill on the same matter was presented.
“The new Bill has no connection with the previous one,” Flor confirmed. “We believe that the Bill will be discussed by the end of the year. It is important to note that national elections will take place in February 2017, in which new congress members will be elected. This leads us to believe that there is less of a chance that the Bill will be debated in the medium term.”
Francisca Arguinarena and Paola Ycaza | Privacy Analysts