On April 9, 2021, the Commission on Sovereignty and International Relations of the National Assembly of Ecuador issued the final report of the Data Protection Bill for the second debate of the plenary session of the Assembly.
Several changes have been implemented to the Bill after receiving observations of some Assemblymen regarding certain controversial topics and having additional work meetings with various representatives of the private sector such as the Ecuadorian Association of Data Protection (AEPd), the Ecuadorian American Chamber of Commerce, the Ecuadorian Chamber of Innovation and Technology, among others.
Also, the National Directorate of the Public Data Registry ('DINARDAP'), who presented the first draft of the Bill, participated in this this work sessions with additional feedback, as well as several international experts that have been consulted by the Commission since the beginning.
Among the most relevant changes incorporated to the Bill are the following:
- Certifying Entities: the role of certifying entities has been amended as a mechanism of self-regulation but are no longer contemplated as an integral part of the data protection system and are not regulated by the Personal Data Protection Authority or the central Government.
This modification was insistently required by the private sector, since the original wording of the Bill contemplated these certifications as an additional requirement for providers and users which will make the system more burdensome for them. It also created an unnecessary operational load for the Personal Data Protection Authority, who was in charge of their regulation.
It is positive that this amendment was made, specially because Certifying Entities do not exist in most of international standards and in the cases that the have been contemplated, they have not been implemented or are in disuse.
- Consent: a clarification has been made in the sense that when data processing for a plurality of purposes is based on the consent of the data owner, it will be necessary for the data processor to record that the said consent is granted for all those purposes.
This small adjustment is pertinent since the original wording of the Bill could have mislead that a general consent could be sufficient for a range of purposes, affecting the data owner’s real will.
Also, the Commission appropriately gave way for teenagers from age 15 and up, to be able to grant by themselves consent to the processing of their personal data, provided that the purpose of such processing is clearly specified.
- Digital oblivion and annulation: the articles containing these rights were eliminated upon the request of the private sector claiming they are not applicable and could cause confusion. During the work sessions it was correctly demonstrated that the right to be forgotten and the annulation right are controversial on international level and are currently in disuse in many jurisdictions. Furthermore, legal practice has shown that rectification, elimination, and opposition rights are sufficient, hence its elimination was the appropriate way to go.
- Credit Data: a new limitation for processing credit data was correctly introduced by the Commission and now credit data will not be able to be communicated after five years have elapsed since the obligation to which they refer was enforceable. This makes the Bill consistent with other specific laws on financial matters.
- Fines: the original Bill established fines in case of infringements which were clearly excessive for a struggling Ecuadorian economy. By general request they have been significantly reduced.
For minor offenses, the fine is now of 0.1% to 0.7% of the amount of sales of the infringer prior to tax reduction, and in case of serious offenses 0.7% to 1%. It used to be 3% to 9% for minor offenses and 10% to 17% for serious offenses, so this amendment is clearly beneficial for all data processors, especially for startups and SMEs who were clearly threatened of bankruptcy situations in case of infringements.
- Personal Data Protection Authority: the amended Bill states no longer refers to it as a Superintendence. This is preoccupying because when the Authority is created it could be done in a form of a Secretary or Directorship, which would not guarantee its autonomy and independence from the central Government.
It is probable that during the second debate of the plenary Assembly, additional efforts are made to reinstate the figure of the Superintendence, since it is considered essential by the private sector to guarantee impartiality towards Public Institutions that process personal data.
- Person in charge of the Personal Data Protection Authority: Despite eliminating the figure of the Superintendence, the Bill still refers to the person in charge of the Personal Data Protection Authority as the Superintendent, which can create confusion in the future and affect the applicability of new article 89. Therefore, an amendment must be made during the second debate, either regarding this article or by reinstating the figure of the Superintendence of Personal Data Protection, which would be the best.
On the other hand, the amended Bill has accurately opened the possibility to other type of professionals to hold this position, it used to be limited to Lawyers, now they can also be persons specialized in Information, Communication or Technologies.
Now the Bill must be treated in second debate by the plenary session of the Assembly, during which some final minor modifications could be made and then it must be voted for approval.
The political environment is favorable towards the Bill, the Assembly considers this an essential regulation, so it is most likely to be approved. Furthermore, the current Assemblymen are interested in having the debate within this month to conclude their work on the matter prior to handing over their duties, since elections took place on February 7, 2021 and new Assemblymen will take over on May 24, 2021. Nevertheless, it is still uncertain when will the debate take place.
By: Jaime Mantilla Compte
Falconi Puig Abogados