News
Ecuadorian Digital Transformation Policy: Data Protection implications
The current Ecuadorian government is about to issue a new digital transformation policy. Once the working tables have closed, the draft version of the policy brings some important issues that have relevant personal data protection implications as even the large-scale processing of sensitive data is being considered. This article addresses these challenges for the protection of personal data from a cross-cutting perspective to the policy and with emphasis on certain (vertical) points of the policy.
The Ministry of Telecommunications and Information Society, coordinating the efforts of the current Ecuadorian government, is leading the creation of a Digital Transformation Policy that is aligned with the already published Digital Transformation Agenda of Ecuador. A few days ago, the working tables for its elaboration were closed and a latest draft version is available. The execution of this policy necessarily brings challenges for the protection of personal data. In this article, these challenges are addressed from two perspectives: the protection of personal data as (A) a cross-cutting issue in all of politics and as (B) a thematic vertical within it.
As a starting point, the Digital Transformation Policy (hereinafter, "the policy") is made up of a series of principles, an approach, pillars and axes aimed at meeting certain objectives. This clarification is highly relevant because the principles and the approach have a transversal role in the policy, and it is precisely to them that the first commentary in this article will be linked. For its part, regarding one of the pillars and axes of the policy, another series of comments will be addressed.
A. THE TRANSVERSALITY OF PERSONAL DATA PROTECTION
In relation to the transversality of data protection, it is necessary to emphasize its role as a principle and approach, in addition to a reductionism contained in one of the policy specific objectives.
Data protection as a principle
The digital transformation policy includes a series of principles, among which are: "the person as the center of digital transformation" and "security, protection and empowerment, a secure digital environment". In both cases, the protection of personal data is a necessary element.
With regard to the centrality of the individual (human centric), this is not possible without respect for their fundamental rights, among which is the protection of personal data that is expressly recognized in articles 66.19 and 92 of the Ecuadorian Constitution. In the specific context of the digital transformation, an express reference to the protection of personal data would have been desirable, perhaps together with closely linked rights that play a key role in these contexts, such as the right to privacy.
On the other hand, personal data protection is also a necessary prerequisite for a "safe digital environment". In this case, the reference to data protection is imperative because the pertinent part of the policy provides: “security, protection and empowerment, a secure digital environment. Everyone should have access to digital technologies, products and services that are secure and protect privacy [intimidad] by design.” Regarding this sentence, it should be noted:
- The expression "by design" needs its complement: "and by default".
- The expression "Privacy [intimidad] by design" is an issue that does not properly mesh with Ecuadorian legislation, which in the Personal Data Protection Law does not refer to "privacy by design" but to "data protection by design and by default”.
- The previous point is relevant because the Ecuadorian Constitutional Court expressly stated in its Decision No. 2064-14-EP/21, that "privacy (intimidad)" and "personal data protection" are not the same right, but are two independent rights, although closely related (n. 184). As a footnote, in the Ecuadorian legal system uses the expression "intimacy" and not exactly "privacy".
Data protection as an approach
In any case, these omissions described in the previous section (not referring expressly to data protection and referring only to privacy) do not exempt the obligation of the policy to guarantee the fundamental right to personal data protection, since it is understood that this is part of what the policy describes as its approach:
“The center of this policy is digital transformation, which is based on the generation of economic and social value, through the use of Information and Communication Technologies (ICT). To achieve this goal, it is necessary, first, to respect and comply with human rights”
Furthermore, personal data protection, as noted above, was expressly recognized in the Ecuadorian Constitution in articles 66.19 and 92, so even if the policy had failed to expressly refer to this approach, the obligation to respect and guarantee this fundamental right would persist. This is because in the Ecuadorian legal regime, due to several constitutional provisions, both the public power and the actions of private individuals have fundamental rights as the limit (negative obligation – “not to do”) and constrain (positive obligation – “to do”) for their actions.
Reductionism in the specific objectives
As a third point, one of the specific objectives of the policy is: "Strengthen the Ecuadorian cyberspace, trying to guarantee the security of citizens' personal information". This is doubly reductionist.
On the one hand, it reduces personal data protection to the mere protection of its security (personal data confidentiality, integrity, and availability). On the other hand, it limits this "security" to cyberspace, which is also not correct because data protection is not restricted to this environment and, most importantly, because digital transformation is not reduced to "cyberspace" but involves processes, people, and technology.
This reductionism may have a transversal impact on the practical execution of the policy in general, so it is important that the final text is corrected. In any case, even if this reductionism is maintained, every public entity is still obliged to protect personal data, going beyond its security and the mere environment of cyberspace.
Synthesis
In summary, personal data protection must be guaranteed at all times and must be consider when specific actions are proposed to implement what is stated in the pillars and axes of the policy. Likewise, all projects and activities that are generated within the different public entities based on this policy must consider personal data protection, both by virtue of a constitutional obligation and by virtue of having an adequate approach that is aligned with the aforementioned policy.
Digital transformation cannot be human-centric or provide a secure environment without protecting personal data, and this protection always encompasses more than just the security of personal data in cyberspace.
B. DATA PROTECTION AS A “VERTICAL”
Data analytics in the infrastructure axis
Notwithstanding the transversal role described above, it is necessary to highlight the role played by personal data protection within one of the axes of the policy: Infrastructure. The aforementioned axis contains various guidelines, among which are two that specifically correspond to “Interoperability and data processing”.
"3. Process data from the National System of Public Records or from any other source, to perform data analysis processes, in order to provide services to the public sector, the private sector and people in general, as well as generate products, reports, or studies, among others.
4. Implement a new technological architecture that leverages the interaction of state entities, optimizing the processing, analysis and exchange of information and services, oriented to public and private entities and the citizen, as the basis of digital transformation in Ecuador.”
A first point to note is that the policy, in this matter, is not exactly oriented to data protection per se, but rather to a (legitimate) use of certain data (some of them personal) that appear in public records.
However, the fact that the center of this axis is not expressly oriented to data protection but to the use of these, does not exempt them from the obligation to protect the existing personal data, since this protection is a requirement of the Constitution, the Personal Data Protection Law and of the policy itself (in its approach, principles, and specific objectives, as already noted). Special emphasis should be placed on the express reference to "data analytics" as this tells us about a processing activity that undoubtedly falls within the assumption established in article 42 of the Data Protection Law: the obligation to carry out, prior to the start processing, a personal data processing impact assessment.
Other projects with an impact on personal data protection
In addition to what is described in the previous section, there are other projects that must be considered with respect to their personal data protection implications. Two of these projects are: the single medical record (historia clínica única) and the program "Infancia con Futuro" (Childhood with future). In both there is a large-scale sensitive data processing, for which is imperative to carry out an impact assessment.
Regarding the unique clinical history, it should also be added that the use of Blockchain technology has even been expressly referred to, which adds even more complexity to the treatment. On the other hand, regarding "Infancia con Futuro", the scope of this program, as described in the launch of the Digital Transformation Agenda, is extremely extensive, since it wishes as part of its program to collect data from the gestation and throughout the development of the individual after his birth, centralizing this information in a single database.
Both cases merit extensive examination. In any case, it is necessary to highlight the important role of personal data protection in the work that the government and the public sector have been doing. Although the Ecuadorian government has made efforts to comply with personal data protection, there is still a lot of work to be done in all the areas that the policy presents.
CONCLUSION
The new digital transformation policy that Ecuador will publish must address personal data protection both transversally and “vertically”. Regarding the former, there are several adjustments that must be made in relation to the express reference to personal data protection and the adequacy of concepts to properly cover the personal data protection fundamental right. The latter in order not to reduce it to the personal data security (or to cyberspace) or confuse it with the right to privacy. Regarding the protection of data as "vertical", there is a clear indication that the entities headed by the National Directorate of Public Registries must carry out a processing impact assessment for the case of data analytics. This project is a complex matter, and it must analyze the scope of the objectives that the government sets with it. Along with the above, there are projects that require attention to data protection, even with data processing impact assessments: the single medical record and the database that is to be generated within the “Infancia con Futuro” program.
Article provided by INPLP member: Pablo Arteaga (Dentons Paz Horowitz, Ecuador)
Discover more about the INPLP and the INPLP-Members
Dr. Tobias Höllwarth (Managing Director INPLP)
News Archiv
- Alle zeigen
- Mai 2023
- April 2023
- März 2023
- Februar 2023
- Jänner 2023
- Dezember 2022
- November 2022
- Oktober 2022
- September 2022
- August 2022
- Juli 2022
- Mai 2022
- April 2022
- März 2022
- Februar 2022
- November 2021
- September 2021
- Juli 2021
- Mai 2021
- April 2021
- Dezember 2020
- November 2020
- Oktober 2020
- Juni 2020
- März 2020
- Dezember 2019
- Oktober 2019
- September 2019
- August 2019
- Juli 2019
- Juni 2019
- Mai 2019
- April 2019
- März 2019
- Februar 2019
- Jänner 2019
- Dezember 2018
- November 2018
- Oktober 2018
- September 2018
- August 2018
- Juli 2018
- Juni 2018
- Mai 2018
- April 2018
- März 2018
- Februar 2018
- Dezember 2017
- November 2017
- Oktober 2017
- September 2017
- August 2017
- Juli 2017
- Juni 2017
- Mai 2017
- April 2017
- März 2017
- Februar 2017
- November 2016
- Oktober 2016
- September 2016
- Juli 2016
- Juni 2016
- Mai 2016
- April 2016
- März 2016
- Februar 2016
- Jänner 2016
- Dezember 2015
- November 2015
- Oktober 2015
- September 2015
- August 2015
- Juli 2015
- Juni 2015
- Mai 2015
- April 2015
- März 2015
- Februar 2015
- Jänner 2015
- Dezember 2014
- November 2014
- Oktober 2014
- September 2014
- August 2014
- Juli 2014
- Juni 2014
- Mai 2014
- April 2014
- März 2014
- Februar 2014
- Jänner 2014
- Dezember 2013
- November 2013
- Oktober 2013
- September 2013
- August 2013
- Juli 2013
- Juni 2013
- Mai 2013
- April 2013
- März 2013
- Februar 2013
- Jänner 2013
- Dezember 2012
- November 2012
- Oktober 2012
- September 2012
- August 2012
- Juli 2012
- Juni 2012
- Mai 2012
- April 2012
- März 2012
- Februar 2012
- Jänner 2012
- Dezember 2011
- November 2011
- Oktober 2011
- September 2011
- Juli 2011
- Juni 2011
- Mai 2011
- April 2011
- März 2011
- Februar 2011
- Jänner 2011
- November 2010
- Oktober 2010
- September 2010
- Juli 2010