With technology permeating virtually every aspect of human life, the protection of personal data has become a paramount necessity to ensure our privacy and security. Every day, we generate data by using our bank apps for transfers or salary deposits, interacting with HR platforms when seeking employment on public or private platforms, and searching for or purchasing properties through real estate websites. This data is collected, stored, and processed by both the public and private sectors, which can access this information for various purposes, such as offering services, conducting market analysis, or making governmental decisions on specific topics.
In Paraguay, this reality presents a significant challenge: there is no comprehensive regulation that controls and limits how data is collected, stored, and used. The current legislation is specific to the credit sector, leaving a substantial gap in the comprehensive protection of our personal data and, consequently, our rights.
Our new research, “Personal Data Protection in the Private Sector in Paraguay: An Exploratory Study” conducted with the support of INDELA, explores how certain private sector companies handle and protect their clients’ personal data. To conduct this exploration, we reviewed current national and international personal data protection legislation. As part of the process, we conducted interviews1 with qualified personnel from companies in three selected sectors: fintech, human resources, and real estate2, which handle personal data on various scales. From these interviews3, we evaluated whether these companies comply with the principles proposed in the personal data protection bill4, aiming to understand the most tangible and visible changes both in the short term and once the law is sanctioned and applied in Paraguay.
Challenges in implementing the comprehensive Personal Data Protection Bill
Our research reveals that the current practices of private sector companies in Paraguay do not fully comply with the personal data protection principles proposed in the comprehensive personal data protection bill. These principles include the legality of processing, data accuracy, purpose limitation, data minimization, fairness, transparency, retention, proactive responsibility, security, confidentiality, consent, as well as the rights of access, rectification, opposition, deletion, and data portability (ARCOP Rights).
Through interviews, we explored the level of awareness and compliance of these companies regarding these principles. Generally, the research shows that, although some companies make efforts to protect their clients’ data, many of their practices do not meet the necessary standards for effective data protection.
One of the main findings is the lack of informed consent for the use and processing of clients’ personal data. Most companies are reluctant to seek consent, fearing it will impede obtaining necessary information for their work. Additionally, many companies do not comply with the transparency principle, as they do not adequately inform data owners about the purpose and conditions of data processing.
We also identified issues with the principles of minimization, purpose limitation, and retention. These principles are not correctly applied. The minimization principle states that only strictly necessary data should be collected. The purpose limitation principle implies that data should only be used for the specific purpose for which it was collected. The retention principle dictates that data should not be stored longer than necessary. However, many companies keep data indefinitely, without fulfilling the need for a specific purpose for its processing.
In summary, companies process personal data without clear rules, guided only by good faith but also by particular interests. They do not see data protection as a fundamental right of individuals or as an obligation they must fulfill.
This highlights the importance and need to inform and educate companies about the benefits of having comprehensive legislation. Many company representatives believe the law could harm their relationship with clients. However, robust personal data protection legislation could offer more security, opening new business opportunities nationally and internationally. To achieve such robustness, it is imperative to ensure the law is applied fairly and equitably to all involved actors. It is important to enforce the law effectively from the start to prevent violations and ensure companies comply with data protection standards.
On the other hand, it is necessary to raise awareness among individuals about their right to personal data protection. People need to understand that this right protects their dignity, freedom, privacy, and security. It is important they know how to demand this protection and what resources are available if their data is compromised.
The current Law vs. the comprehensive Personal Data Protection Bill
In 2020, Law No. 6534 “On the Protection of Credit Personal Data” was published, aiming to guarantee the protection of credit data for everyone. However, this law has a limited scope in ensuring the protection of personal data in Paraguay. Firstly, because the scope of this legislation focuses exclusively on personal rights of a “credit” nature. Its approach is purely economic, regulating almost exclusively credit information systems in banking and financial entities, without covering a social and community approach to personal information. Besides its limited scope, another problem with the current legislation is the absence of an independent oversight authority.
In response to these limitations, the Personal Data Coalition, of which TEDIC is a founding organization, in close collaboration with the Science and Technology Commission of the Chamber of Deputies, presented in 2021 a bill that seeks to address these limitations by creating a set of clear rules to protect personal data, which would be mandatory for both the private and public sectors. The proposal includes comprehensive personal data protection, following international principles but adapting them to the national context. It also considers aspects such as the free flow of information, security, self-regulation mechanisms, and an enforcement authority with sufficient power to supervise and investigate, which is independent and subject to adequate judicial control.
The need for comprehensive Personal Data Protection Legislation
Our research shows that, although there are significant challenges, there is also a clear path forward. A joint effort is needed to educate companies and individuals about the importance of personal data and the need to protect it as a foundational step to ensure the new law is effectively approved and implemented. We invite everyone to join this effort and support the personal data protection bill in Paraguay through the #MisDatosMisDerechos campaign. Together, we can ensure that everyone’s personal data in Paraguay is protected and that the move towards digitalization is always responsible and secure, from a human rights perspective.
Read the full study in Spanish here!
1The sample selected for this study consisted of private sector companies that handle or process personal data to varying degrees and for various applications. Therefore, they can be considered representative of this sector to determine the context of current practices.
2The companies belong to the fintech, real estate, and human resources sectors and were chosen for their degree of representativeness in their respective fields, with an average employee count ranging from 1 to 20 people.
3 The interviews were conducted anonymously to ensure a trustworthy environment for the interviewees, thus gaining access to relevant information on the subject under study.
4The bill presented by the coalition in 2021 is currently pending consideration in the Chamber of Deputies (BILL #Expediente: D-2162170).