The Minister of Telecommunications and Information Society, Andrés Michelena, introduced, on 19 September 2019, a bill on the protection of personal data (‘the Bill’) to the National Assembly of Ecuador (‘the Assembly’). In particular, the Explanatory Statement of the Bill provides that its creation was influenced from developments in Europe and other countries. The Bill includes provisions for, among other things, various legal bases for data processing, data subject rights, data portability, and sanctions for any potential violations of it’s provisions.
Jaime Mantilla, Partner at Falconi Puig Abogados, told OneTrust DataGuidance, “The Bill presented to the Assembly resembles the GDPR in several aspects such as the recognition of the right to be forgotten, right of access, data portability and Privacy by Design. For instance, the conditions for data erasure established in Article 17 of the GDPR are practically the same in Article 27 of the Bill, however, the latter is more extensive and includes additional situations that allow the holder to request the suppression of the data. Data portability is also similarly conceived in the GDPR and the Bill, as both establish the possibility of a data holder to receive the personal data previously provided to a data controller in a readable format in order to transmit such data to another controller, for which certain conditions are stipulated in each case (as per Article 30 of the Bill).”
The Bill further seeks to provide for greater security of personal data, under Article 18, and places the responsibility on the organisation processing such data to implement the procedures necessary to protect data against any risk. Furthermore, the Bill presents additional changes and measures such as greater organisational transparency in data processing practices under Article 19 as well as the establishment of new roles and data protection bodies within Articles 58 and 90 respectively, while ensuring enforcement actions and adherence to the Bill’s provisions.
The Bill will create a new paradigm in the way that Ecuadorian consumers consider and manage their personal data
Mantilla highlighted, “The Bill will have a defining impact on data security as it has a whole chapter on the matter, establishing responsibilities, risk analysis, policies and proceedings for notifying data breaches. This chapter is also crucial as it establishes the obligation of appointing a data protection officer in certain situations due to considerations of the size, nature, purpose, category and scope of the data processing, making special emphasis on public sector entities and national security data. In addition, the Bill creates the National Registry of Personal Data Protection under tutelage of the Personal Data Protection Authority, as well as the obligation of data controllers to register in it their databases, international data transfers, timeline for data conservation, among others, [and the requirement] to keep that information always updated.”
Furthermore, Article 1 of the Bill provides that the purpose of the establishment of the Bill is to regulate individuals’ exercise of the right to the protection of personal data, informational self-determination and other digital rights in the processing and transfer of personal data through the development of principles such as legitimacy, data minimisation, proportionality of data processing, and consent.
Mario Alejandro Flor, Partner at Flor & Hurtado, noted, “The Bill will create a new paradigm in the way that Ecuadorian consumers consider and manage their personal data; with this in mind, it is expected that the Bill empowers consumers to request and demand permanent feedback and accountability from public and private entities for an adequate protection of personal data […] The Bill is the first real official action that the Government has taken to open the discussion for a personal data protection framework. We consider that despite the current Bill being modified or amended during the process of discussion, we are close to having the first personal data protection act in Ecuador.”
ALEXANDER FETANI Privacy Analyst
Clarification: On 27 September 2019, this article was amended to correct a statement on the creation of the National Registry of Personal Data Protection.