Setting a New Standard for Data Privacy in Ecuador
Ecuador’s Personal Data Protection Law is a data privacy law that was recently passed in May of 2021. The Personal Data Protection Law was passed to provide Ecuadorian citizens with the guaranteed rights of data protection and, in turn, personal privacy. While the Constitution of the Republic of Ecuador 2008 does provide citizens of Ecuador with the right to personal privacy, such rights were expressed through general principles as opposed to strict terms or regulations. As such, the Personal Data Protection Law is the first law within Ecuador to provide citizens of the country with a true level of data protection. To that end, the law sets forth the requirements that data controllers and processors within Ecuador must follow in order to maintain compliance.
How are data controllers and processors defined under the law?
Under Ecuador’s Personal Data Protection Law, a data controller is defined as a “natural or legal person, public or private, public authority, or other body, which alone or jointly with others decides on the purpose and processing of personal data”. Alternatively, the law defines a data processor as a “natural or legal person, public or private, public authority, or other body that alone or jointly with others processes personal data on behalf of and for the account of a data controller”. In terms of the scope and application of the Personal Data Protection Law, the law applies to all natural persons within Ecuador, with certain exceptions, such as the personal data of legal entities.
Moreover, the material scope of the law is rather broad, as it applies to all personal data that is collected or processed within Ecuador, whether said personal data was collected or processed using automated or non-automated means, as well as any subsequent use of said personal data. What’s more, the territorial scope of the law is applicable to both personal data that is collected and processed within Ecuador, as well as abroad, under the following circumstances:
- The collection or processing of personal data is carried out in any part of the national territory of Ecuador.
- The individual responsible for collecting or processing personal data is domiciled within any part of the national territory of Ecuador.
- The collection or processing of the personal data of data subjects is carried out by a data collector or processor who is not physically established within Ecuador, provided said data processing activities are related to the offering of goods and services to said data subjects, whether payment is collected for such goods or services or not, or to the control of the behavior of data subjects within Ecuador.
- The data controller or processor is not physically established within Ecuador but is nonetheless “subject to national legislation by virtue of a contract or the regulations in force of public international law”.
What are the requirements of data controllers and processors under the Personal Data Protection Law?
Much like the European Union’s General Data Protection Regulation or GDPR, Ecuador’s Personal Data Protection Law establishes a variety of principles that data controllers and processors within the country must abide by when engaging in data processing activities. These various principles include the following:
- Lawfulness– All personal data that is collected and processed must be in strict compliance with the rights, obligations, and principles established by the Constitution of the Republic of Ecuador 2008, other international instruments, and any other applicable rules or regulations within Ecuador.
- Fairness– The processing and collection of personal data must be conducted in a manner that is fair so that it is made clear to data subjects that their personal data will be collected, used, processed, or consulted, as well as the purposes for such actions.
- Transparency– The collection and processing of personal data must be done in a manner that is transparent, “so that any information or communication relating to this processing shall be easily accessible and easy to understand and shall use simple and clear language”.
- Purpose– The purposes for the collection and processing of personal data must be determined, explicit, and legitimate. These purposes must be communicated to data subjects, and any collection or processing of personal data that is done outside of these purposes is forbidden.
- Relevance and minimization of personal data– Personal data must be relevant, as well as limited to what is necessary to fulfill the intended purposes for processing.
- Proportionality of the processing– The processing of personal data must be relevant, necessary, timely, and not excessive in relation to the purposes for which it was collected.
- Confidentiality– The collection and processing of personal data must be done on the basis of confidentiality and secrecy, and must not be further processed or communicated for any reason other than the purposes for which it was collected and processed.
- Quality and accuracy– All personal data that is collected and processed must be complete, accurate, precise, clear, and verifiable, as well as duly updated if applicable, in a manner that alters the veracity of said data.
- Retention– Personal data may not be stored for any longer than is necessary to fulfill the purposes for which it was collected and processed.
- Security of personal data– Data controllers and processors are responsible for ensuring that any personal data in their possession remains secure through the implementation of appropriate security measures.
- Protective and proven responsibility– Individuals whom data collectors or processors elect to be held responsible for the security of personal data must prove that they have implemented security mechanisms for the purposes of protecting personal data.
- Application favorable to the owner– “In case of doubt as to the scope of the provisions of the legal system or contractual provisions applicable to the protection of personal data, judicial and administrative officials shall interpret and apply them in the sense most favorable to the owner of such data”.
- Independence of control– “For the effective exercise of the right to the protection of personal data, and in compliance with the State’s obligations to protect its rights, the Superintendency shall exercise an independent, impartial and autonomous control, as well as carry out the respective actions of prevention, investigation and sanction”.
What are the rights of Ecuadorian citizens under the Personal Data Protection Law?
Under the Personal Data Protection Law, Ecuadorian citizens are entitled to the following rights:
- The right to be informed.
- The right to access.
- The right to rectification.
- The right to erasure.
- The right to object or opt-out.
- The right to data portability.
- The right to not be subjected to automated decision-making.
- The right to consultation.
- The right to digital education.
In terms of penalties that can be imposed against data controllers and processors who fail to comply with the law, the Personal Data Protection Law is enforced by the Data Protection Superintendency or the Superintendency for short. While the appointment of a person to this position is still pending, punishments under the law include the following:
- A “fine of 1 to 10 Minimum Legal Wage ($400 to $4000) for civil servants or public officials”.
- A “fine of between 0.1% and 0.7% calculated on its turnover corresponding to the fiscal year immediately prior to the imposition of the fine, for members of private or public company entities”.
- An “economic fine of 10 to 20 Minimum Legal Wage ($4000 to $8000) for public servants or civil servants”.
- A “fine of between 0.7% and 1% calculated on their turnover corresponding to the fiscal year immediately prior to the imposition of the fine, for members of private law entities or public companies”.
As many countries in South America have enacted comprehensive legislation related to data protection and privacy, such as Brazil’s General Data Protection Law or LGPD and Argentina’s Personal Data Protection Act, Ecuador’s Personal Data Protection Law is the latest to join such a trend. Furthermore, the Personal Data Protection Law provides Ecuadorian citizens with rights not found in many other data privacy protection laws around the world, such as the right to digital education. In this way, Ecuador has truly set itself apart from the pack, as few laws with the breadth and depth of the Personal Data Protection Law currently exist.