
In less than a week, Paraguay experienced two massive leaks of personal data originating from public institutions. The first involved the Superior Tribunal of Electoral Justice (TSJE) and exposed information on more than 7 million people. The second affected the Ministry of Finance, the Central Bank of Paraguay, and Itaipú, where a file containing over 17,000 records was made public, including sensitive data such as payments to public officials, salaries, full names, and ID numbers.
But these leaks are not new in Paraguay. In 2023, a data breach from the National Police exposed documents and personal data of detained individuals, along with criminal records and photographs. At that time, TEDIC had already warned about the lack of institutional responses and the urgent need for prevention and sanction mechanisms. These incidents not only reveal the State’s serious vulnerability in protecting our information, but also the absence of a comprehensive data protection law—an unresolved and urgent debt in Paraguay that can no longer be delayed.
What happened?
In the case of the TSJE, the leak exposed detailed information from the Permanent Civic Registry, including full names, addresses, gender, political affiliation, and other elements that, according to international standards such as those established by the OECD and the UN, are considered sensitive personal data. In particular, political affiliation is a data point that deserves special protection, as it can be used for discrimination, persecution, or political manipulation.
Moreover, Paraguayan legislation already acknowledges the sensitivity of this data: Law No. 6534/2020 on the protection of credit data explicitly classifies political affiliation as sensitive data. However, this law has significant limitations: it does not establish accountability mechanisms for institutions that allow data leaks and focuses solely on providing guarantees to the data subject to take action. This shifts the burden of protection to affected individuals instead of demanding structural accountability.
At the same time, the leak involving the Ministry of Finance, the Central Bank of Paraguay, and Itaipú disclosed financial and employment information of more than 17,000 public officials. In both cases, there is no clear information about the source of the breach, nor have any official responses been issued to assume institutional responsibility.
What is failing?
At TEDIC, we have been warning for over 10 years about the fragility of Paraguay’s system for protecting personal data. What we are witnessing with these leaks is not an isolated incident, but rather the result of a structural lack of public policy, the absence of a comprehensive data protection law, insufficient investment in technological infrastructure, and a lack of training for specialized human resources. Moreover, Paraguay does not have an independent supervisory authority, nor an effective sanctions regime to hold institutions and individuals accountable for mismanaging (or exposing) our data.
On top of this, the country has yet to update its National Cybersecurity Strategy, which severely limits the governance and capacity of institutions, and of the private sector, to prevent data breaches and protect the information they manage. This gap prevents the establishment of clear protocols, regular audits, and minimum standards of digital security applicable at all levels of the State.
What does the current legal framework say?
Although Paraguay does not have a general data protection law, there are fragmented regulations in place. For example, Law No. 6534/2020 on the protection of credit data explicitly recognizes political affiliation as sensitive data. This underscores the urgent need for legislation that extends this protection across all sectors, not just the financial one.
The absence of a comprehensive law allows public institutions to manage large volumes of data without minimum security standards or transparency mechanisms. This creates fertile ground for abuse, leaks, commercial exploitation, and a growing loss of public trust.
What now?
At TEDIC, we reaffirm that the protection of personal data is a human right, and as such, the State must guarantee its exercise through:
- A comprehensive data protection law with a human rights approach, incorporating principles such as data minimization, informed consent, and portability, and which also identifies and holds accountable the institutions and companies that fail to protect the personal data they process.
- The creation of an independent supervisory authority with real oversight and enforcement powers.
- Sustained investment in technological infrastructure, cybersecurity, and training of public officials.
- An institutional commitment to transparency and accountability in data governance.
These measures can no longer be postponed. We recall that on December 17, 2024, the Chamber of Deputies approved the general outline of the Personal Data Protection Bill—an important step forward. However, the path is far from clear.
On March 4, during the first session of the year, the bill was listed as item 4 on the agenda, but a lack of quorum prevented its discussion. In the context of massive data breaches and systematic violations, this absence is deeply concerning and reveals an unacceptable lack of institutional commitment to a problem that affects millions.
On April 1, deputies will have a new opportunity to continue the article-by-article analysis of the bill. At TEDIC, we will continue to monitor, report, and propose public policies that protect our digital rights. Because our data is not a commodity, and it should never be exposed due to State negligence.
The massive leaks that alarm us today could have irreparable consequences for the lives of millions of people—unless we act urgently.