The entry into force of the EU General Data Protection Regulation in May 2018 prompted the creation and adaptation of different regulations on personal data protection worldwide. Ecuador was no exception, and on 26 May 2021 the Organic Personal Data Protection Law, the first law in Ecuador focused exclusively on regulating and guaranteeing personal data protection, entered into force.

The first transitory provision of the PDPL provided that "the corrective measures and the sanctioning regime will enter into force in two years," which means the sanctioning regime will enter into force 26 May 2023.

Aiming for May, and since the publication of the PDPL, both public and private entities have been obliged to undertake adaptation processes that have meant significant challenges for them, which have deepened due to the lack of regulation for the application of the PDPL, as well as the lack of creation and designation of a data protection authority.

These difficulties, added to the technical, legal and procedural actions the regulated entities adopted, have undoubtedly generated great uncertainty regarding compliance with and application of the PDPL.

Main guidelines of the PDPL

The Ecuadorian Constitution, enacted in 2008, recognized the autonomous right to protect personal data. However, it took more than 12 years for this matter to be regulated by the National Assembly. The case known as Novaestrat was one of the most important events that prompted and demonstrated the need to regulate this matter in Ecuador. The Ministry of Telecommunications and Information Society, through the National Directorate of Public Data Registry, took the initiative to work on the PDPL project, which was discussed and approved by the National Assembly in 2021.

The PDPL followed the international trend and adopted GDPR guidelines, having among its main characteristics:

1. Extraterritorial scope of the PDPL.
2. Recognition of treatment principles (13 principles).
3. Creation of legitimate bases for processing personal data (eight legitimate bases).
4. Creation of new rights for processing personal data, including not being subject to automated processing, portability and "ARCO" rights – access, rectification, cancelation and opposition.
5. Recognition of special categories of data (minors, sensitive data, among others).
6. Obligation to adopt and implement security measures, including technical, organizational, legal, and physical.
7. Regulation of international data transfers.
8. Appointment of a data protection officer.
9. Creation of a new regulatory regime with a data protection superintendency, infringements and sanctions for noncompliance.

The essence of the GDPR is embodied in the PDPL, however Ecuador is a country with no experience in personal data protection, so most of the provisions in the PDPL generate significant challenges and concerns regarding compliance with the obligated individuals.

This uncertainty is intensified due to the lack of secondary regulations to clarify some uncertain or underdeveloped elements in the PDPL.

Lack of regulations in the PDPL

The lack of will, the complex political situation and the lack of knowledge on the subject have prevented, almost two years after the PDPL's enactment, the executive from implementing regulation that develops several aspects of the law. Among the main ones, the following are worth mentioning:

1. Extraterritorial scope: The PDPL does not establish how foreign companies that process data of Ecuadorian residents but are not domiciled in Ecuador will be regulated. Will they have to have an attorney-in-fact? Will they have to register an address for notifications?
2. Appointment of a DPO: The PDPL establishes the cases in which a DPO will be required and their functions, but does not mention the necessary requirements and skills. Some questions revolve around the possibility of having a DPO as an external service, the type of companies or activities that will make the role indispensable, and if there will be any limitation regarding the time in functions of the DPO.
3. Proactive responsibility: The PDPL recognizes the proactive responsibility principle as essential for compliance with the standard. However, there is no regulation regarding the processes to comply with the mentioned principle or any certification-related provisions.
4. International data transfer: The PDPL establishes a lax regime concerning international data transfers. It is necessary to issue resolutions and secondary regulations regarding this process, which should include the countries considered as having adequate levels of protection or standard model clauses.

These are some of the issues pending regulation in the PDPL. However, the exercise of rights, application of principles and notifications in case of violations also remain to be resolved. Although implementing the regulation will partially regulate them, the DPA will also have to develop them.

Lack of PDPL authority

A transcendental aspect of the correct functioning and implementation of the PDPL is the guidelines issued by the DPA. The DPA will be an autonomous entity controlling the private and public sectors. The Superintendence of Personal Data Protection will be the only competent body to apply the PDPL, meaning no other entity can take on the sanctioning power concerning personal data. However, when 26 May arrives, there will be no DPA to regulate and enforce the PDPL.

Both the budgetary issue and the political situation in Ecuador have hindered sending the short list of candidates for the position of Superintendent of Personal Data Protection by the Executive for the creation of the DPA, even though the Council of Citizen Participation and Social Control, the competent entity to appoint the DPA, has prepared the competition of merits and opposition to fill the position.

The lack of DPA is a lost opportunity and not an advantage. The two years before the sanctioning regime enters into force should have been the ideal opportunity to create guidelines and directives for applying the PDPL; however, this was not achieved. As Ecuador is a country with little experience in data protection, the DPA should have provided clarity on several issues, of which we can highlight:

1. Procedures for the exercise of rights. With the recognition of new rights, there must be clarity as to how they can be exercised.
2. Risk analysis and data impact assessments. These are two areas in which no entity in Ecuador has experience. A DPA must establish guidelines for risk analyses and data impact assessments.
3. Legitimate interest. As one of the legitimizing bases that give room for interpretation, the guidelines of a DPA are required to avoid its abuse.

Main activities to be carried out

Despite the problems mentioned above, regulated entities must adopt immediate actions to seek compliance with the PDPL. The activities, documents and policies to be implemented will be the first steps in a long and complex process that must be followed to comply with a regulation of this magnitude. Among the main aspects every company must consider are:

1. Data base collection: The PDPL establishes the obligation to register data processing. This means every institution must have mapped the data it treats, its processing and the databases to which it must report them.
2. Adaptation of contracts: Contracts involving personal data must be adapted, incorporating data protection clauses, confidentiality agreements and policies.
3. Control of suppliers: Greater control should be exercised over suppliers that handle personal data, including data processing agreements, request certifications, policies and documentation that demonstrate the implementation of the PDPL.
4. Implement technical security measures: A gap analysis program must be performed to understand the technical vulnerabilities and to adopt the necessary corrective actions.
5. Adoption of policies: Companies should consider data protection from their bases. For this, they should implement a series of policies related to data protection and seek the correct implementation of the same.

All these activities can be carried out without regulation and authority. These activities seem simple, but take time to implement. However, companies must change their way of thinking about data protection and make it an everyday activity, giving it the importance it requires.

Conclusions

On 26 May,  a new stage in protecting personal data in Ecuador will begin. The risks can be significant, as fines can reach up to 1% of the fiscal year's turnover immediately before the fine's imposition. A DPA and an implementing regulation may ensure the application of the sanctioning regime is completed on time. However, the risk derived from not complying with the PDPL will increase.

The PDPL generates a new regulatory regime that positions Ecuador at the international level because, even with all the risks mentioned above, it also presents great opportunities. Compliance with this regulation will improve processes and information systems, and help Ecuadorian companies strengthen their corporate images in the international market. In this sense, companies must begin to mitigate risk by implementing certain documents and security measures.