Closing the Gap: Paraguay Advances Toward Comprehensive Data Protection

Over the past years, data protection has evolved into a key matter subject to regulation. Across Latin America, several countries have adopted comprehensive laws modeled on the European Union’s GDPR. Paraguay, however, has until now remained outside this trend. That situation is about to change with the imminent adoption of its first General Data Protection Law. This legislation aims to fill a historic gap and bring the country in line with international standards in this area.

Until now, Paraguay’s framework on privacy and data protection has been limited and fragmented through different norms. The Constitution recognizes the right to privacy, while the habeas data provides a procedural mechanism to defend individual rights in some instances. References also exist in the E-Commerce Law; however, the absence of comprehensive legislation has created legal uncertainty in an increasingly data-driven economy. This places Paraguay at a disadvantage compared to neighboring countries such as Brazil, Argentina, and Uruguay, which already have data protection laws in place.

The new bill introduces many elements inspired mainly by the European Union’s General Data Protection Regulation (GDPR), but with some adaptation to local rules. Among its main features are the guiding principles, such as lawfulness, purpose limitation, proportionality, and data minimization; the establishment of data subject rights, including but not limited to right of access, deletion, portability, and objection to automated decisions; and express obligations for data controllers and processors, like the implementation of technical and organizational security measures along the data processing. The bill also outlines a graduated system of sanctions, ranging from warnings to the suspension of data processing activities.

Another relevant aspect is the inclusion of international data transfers. As estipulated, these will only be permitted with adequate safeguards. This step is particularly considered crucial for facilitating cross-border data flows, aligning with global standards and consequently fostering an even more competitive digital economy.

Furthermore, a Supervisory Authority is established and will play a central role in monitoring compliance and promoting a culture of accountability among both public and private actors. Its independence, budgetary resources, and technical capacity will be essential to guarantee effective enforcement.

Once this law is enacted, it will definitely bring challenges to society as a whole. For individuals, the focus will be on understanding and exercising their new rights and thereby encouraging a culture of data control. For businesses and the public sector, it will be on adopting compliance practices that have been largely absent from their organizational culture, requiring further investment in training, awareness, and internal processes.

In conclusion, Paraguay is taking a decisive step toward modernizing its legal framework on privacy and data protection. While implementation will undoubtedly pose institutional, business, and cultural challenges, the country is finally joining a regional trend that seeks to strike a balance between technological innovation and the protection of fundamental rights. More than a legal milestone, it reflects a strategic choice to safeguard rights and promote competitiveness in today’s digital landscape.

Article provided by INPLP members: Cecilia Abente Stewart (Abente Stewart - Abogados, Paraguay)

Discover more about the INPLP and the INPLP-Members

Dr. Tobias Höllwarth (Managing Director INPLP)