A presumed leak of information affecting the majority of Ecuador’s population was reported Monday, September 16.  The event prompted the Office of the President, through the Telecommunications Ministry, to announce that it will be submitting a bill of law for Personal Data Protection to the legislature. The National Public Data Registry (DINARDAP) has been preparing the bill for over three years.

The new law seeks to protect personal information that for any reason must be shared in order to access certain products or services.

Among other provisions, the bill includes the following:  

  1. Information compiled in databases must be consented, confidential, and requested and stored for specific purposes, for a limited or limitable period of time.
  2. Data transfer is regulated, per requirements provided by the law itself, in an effort to keep pace with worldwide trends.
  3. Information owners can access their data at any time, and require elimination or deletion.
  4. Third party information stored in databases must be protected and be subject to minimum technological standards.
  5. Persons compiling or handling personal data are responsible or in charge of treatment of same, and may be subject to material penalties in the event of noncompliance.
  6. Companies handling data must file a Code of Conduct with authorities, based on the specific needs of the pertinent sector.
  7. The bill creates the concept of personal data certifiers, who issue certification seals or marks for the pertinent purposes.
  8. The bill provides rules for data transfer to other countries (international transfer) for both the public and the private sectors. Companies or economic groups operating in and outside Ecuador must have binding corporate policies and rules for data protection, which must be approved by authorities.
  9. Authorities must indicate with which countries data transfers can be made, taking into account the local protection or legislation in each country, which must be similar to the law.

The law does not address in depth cyber security or programming issues in general, but simply establishes obligations on the subject. 

As a bill of law that is about to be submitted to the legislature, it will be open to changes during the approval process as provided in the Constitution, but it is ultimately the framework for what the law on the subject will be.

Insofar as this is a new area for protection, the bill does not include many of the pertinent issues, which will come to light during legislative proceedings as well as in practice once the law is in place. Nonetheless, its approval and implementation are a big step toward the country’s inclusion in the digital society of today’s world.

We will be tracking progress on the bill and will keep readers informed.

Please do not hesitate to contact us should you require further information.