09 Mar Ecuador Data Privacy Law Debated in Congress
Written by: Brett Lawrence, Esq.
Ecuador may soon be another country to enact general data privacy legislation. Introduced in September 2019, Ecuador’s Data Protection Bill (the “Bill”) nearly mirrors the European Union’s General Data Protection Regulation (“GDPR”). The Bill has 76 articles and 12 chapters; we summarize some of the fundamental provisions below.
Unlike other laws, the Bill governs over processors and controllers located in the country and those outside the country who market goods or services to Ecuador’s citizens. There is no requirement that controllers or processors have a representative within Ecuador like other countries, such as Indonesia.
Lawful Criteria for Processing Personal Data
Controllers may only process personal data under any of the following circumstances:
- Compliance with a legal order or rule;
- Fulfillment of contractual obligations;
- Express consent, following being informed in a fair and transparent manner, by the data owner for one or more specific purposes;
- Protection of the legitimate interests of the data owner or a third party.
Data Owner Rights
The Bill otherwise tracks the GDPR with respect to the rights afforded to the data owners, but for a few caveats. Like the GDPR, the Bill grants the data owner a right of access, rectification, deletion, restriction, and portability. However, the Bill adds a “right to be forgotten,” which only applies to digital content and requires the data owner to receive approval from a competent judge. The Bill fails to lay out how the data owner goes about getting the permission from the judge.
Exceptions to the effectuation of these rights include fulfillment of a legal or a contractual obligation, the legitimate interests of a third party would be affected, and protecting the vital interests of the data owner.
Also similar to the GDPR, the Bill stipulates that international transfers of data owner personal data are allowed if the receiving country ensures an adequate level of protection. The Ecuadorian data protection authority (“DPA”) would have a list of countries who do provide sufficient protection. In the event the receiving country is not on the DPA’s list, the processor or controller must take measures compensating for the lack of data protection.