Towards a Data Protection Law in Bolivia – Digital Progress, Cybersecurity, and the Constitutional Challenge

24.02.2026

Although Bolivia has yet to enact a comprehensive personal data protection law, it has made notable strides in electronic government, cybersecurity, and state interoperability. This article examines these developments and the constitutional challenges shaping the country’s evolving digital landscape.

1. A Country with a Solid Constitutional Foundation

Bolivia currently lacks a general personal data protection law comparable to the European GDPR or to recent Latin American reforms. However, this does not imply the absence of legal protection.

The 2009 Political Constitution of the State expressly recognizes:

• The right to privacy and intimacy.

• The confidentiality of communications.

• The right to informational self-determination.

• The constitutional action for the protection of privacy as a specific constitutional guarantee.

This constitutional framework elevates personal data protection to the status of a fundamental right directly enforceable, even in the absence of a specific statute. In practice, constitutional standards of consent, purpose limitation, proportionality, and security operate as mandatory constraints upon both public and private entities.

Nevertheless, the absence of an independent supervisory authority and of a specialized administrative sanctioning regime generates a fragmented regulatory environment, in which data protection relies primarily on judicial interpretation and constitutional review.

 

2. Electronic Government 2025–2028: Digitalization with a Sovereign Approach

A relevant structural development is reflected in the update of the Electronic Government Implementation Plan 2025–2028, approved through Supreme Decree No. 5468, a strategic instrument prepared by the Agency for Electronic Government and Information and Communication Technologies – AGETIC.

This plan is grounded in Law No. 164 and Supreme Decree No. 2514, which established AGETIC as the governing authority in matters of digital government.

The new PIGE is structured around three strategic pillars:

i) Sovereign Government

  1.  State data infrastructure.
  2. Interoperability among public entities.
  3. Digital Citizenship Platform.
  4. Cybersecurity and incident management.


ii) Efficient Government

  1. Administrative simplification.
  2. Single state portal.
  3. Interoperable public planning and management systems.
  4. Electronic commerce and payments.


iii) Open and Participatory Government

  1. Digital transparency.
  2. Open data.
  3. Electronic mechanisms for citizen participation.


From a privacy perspective, the most relevant pillar is the strategic line on cybersecurity and information security, which requires public entities to implement Institutional Security Plans and establishes the role of the Computer Incident Management Center (CGII).

This approach strengthens the technical dimension of data protection, even in the absence of a comprehensive framework law.

 

3. State Interoperability: Efficiency vs. Data Protection

The 2025–2028 Plan promotes a state interoperability platform enabling the automated exchange of data among public entities.

While this measure enhances administrative efficiency and reduces burdens on citizens, it also increases risks associated with the large-scale processing of personal data. The centralization of information requires:

  1. Robust technical standards.
  2. Clear access and traceability protocols.
  3. Principles of data minimization and purpose limitation.
  4. Permanent security audits.


In the absence of a data protection law expressly regulating inter-institutional transfers, the controlling parameter remains constitutional in nature. This implies that any data exchange must respect the original purpose of collection and the principle of proportionality.

 

4. Cybersecurity and Digital Sovereignty

One of the most noteworthy features of the Bolivian model is its emphasis on “technological sovereignty.” The State seeks to consolidate its own infrastructure, open standards, and centralized digital services.

The requirement that each public entity adopt an Institutional Information Security Plan constitutes a significant step toward a structured cybersecurity culture. Likewise, the CGII operates as the technical body responsible for managing computer-related incidents.

From a comparative perspective, Bolivia is strengthening the technical layer of information protection before consolidating a substantive framework of rights and obligations in the field of personal data.

 

5. Digitalization of the Executive Branch and Institutional Virtualization

A recent example of the State’s digital transformation process is Supreme Decree No. 5515, which authorizes the exercise of executive functions through digital mechanisms, including from outside the national territory.

This type of regulation reflects a transition toward a dematerialized model of public administration, where the validity of administrative acts may be supported by digital platforms, electronic authentication, and remote systems.

However, the digitalization of high-level state functions increases the importance of:

  1. System integrity.
  2. Robust authentication mechanisms.
  3. Protection against unauthorized access.
  4. Operational continuity protocols.


Cybersecurity ceases to be merely a technical matter and becomes an essential component of institutional stability.

 

6. The Pending Challenge: A Comprehensive Data Protection Law

Despite progress in electronic government and cybersecurity, Bolivia faces three structural challenges:

  1. The absence of a general data protection law.
  2. The lack of an independent supervisory authority.
  3. The need for harmonization with international standards.

The expansion of state digital platforms, large-scale interoperability, and electronic commerce exponentially increases the volume of processed data. Without an integral regulatory framework, protection depends almost exclusively on subsequent constitutional review.

In a regional context where multiple Latin American countries have adopted or updated their personal data laws, Bolivia faces a strategic opportunity: to enact modern legislation that integrates digital sovereignty, technological innovation, and effective protection of fundamental rights.

 

7. Conclusion

Bolivia is not a static country in the field of data protection; it is a country in transition.

While a comprehensive law has yet to be enacted, the State has made significant progress in digital infrastructure, interoperability, and cybersecurity. The current model prioritizes the technical construction of the state digital ecosystem, relying on the Constitution as the primary safeguard of rights.

The logical next step will be to transform this technological framework into a comprehensive regulatory system that consolidates principles, rights, and clear obligations.

For privacy and compliance professionals, Bolivia represents a particularly compelling scenario: an environment in which digitalization is advancing rapidly and where the future regulatory framework remains open to design.

The question is no longer whether Bolivia will adopt a data protection law, but when and under which regulatory model it will do so.

 

Article provided by INPLP members: Rodrigo Moreno (Moreno Baldivieso, Bolivia)

 

 

Discover more about the INPLP and the INPLP-Members

Dr. Tobias Höllwarth (Managing Director INPLP)

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.