On Friday, July 4, 2025, TEDIC actively participated in the public hearing convened by the Senate’s Commission on Science, Technology, Innovation, and Future, held in the context of analyzing the proposed law “Protection of Personal Data in Paraguay”. This project —approved in both general and specific terms by the Chamber of Deputies in May of this year— represents a significant step forward in the legislative process initiated in 2021.
From TEDIC, in collaboration with other organizations forming part of the Personal Data Coalition, we’ve supported this process from the outset by providing technical analysis, comparative normative proposals, and alerts about the risks posed by a weak or incomplete law.
The bill, docket D2162170 was introduced on May 5, 2021. Over that period, 13 sessions were conducted to analyze the bill’s draft. On December 17, 2024, it was generally approved during a plenary session and referred to committees for detailed, article-by-article review. In the following months, the responsible committees conducted exhaustive study and introduced various amendments. Finally, on May 27, 2025, the bill was fully approved, completing the first constitutional stage toward enactment.
We firmly believe that Paraguay needs modern, comprehensive, and effective legislation on personal data protection. This law must recognize privacy as a fundamental human right and establish a normative framework that not only regulates data processing by the private sector, but also imposes limits and obligations on the State especially in activities involving sensitive data and surveillance.
Why is a personal data protection law necessary?
In the digital age, our personal data is a strategic resource. Its indiscriminate use can have serious consequences—from algorithmic discrimination and political persecution to identity theft, fraud, mass surveillance, restrictions on free expression, and violations of intimacy.
At the international level, the trend is clear: data protection frameworks must align with human rights standards such as the EU General Data Protection Regulation (GDPR) or Council of Europe Convention 108+. These standards recognize fundamental principles that must govern any processing of personal data: legality, purpose limitation, proportionality, data minimization, security, transparency, and proactive accountability.
In Latin America, countries like Uruguay, Argentina, Brazil, Mexico, and Chile have advanced toward more modern and coherent legislation. Paraguay, on the other hand, still lacks comprehensive law and remains lagging in global rankings for personal data protection.
The current bill: progress and challenges
We recognize that the project approved by the Chamber of Deputies represents an important and necessary step. However, we have identified substantial weaknesses that could compromise the law’s effectiveness and leave critical gaps.
1. Broad and unconstitutional exclusions from scope
Article 2 of the bill completely excludes data processing related to public security, national defense, immigration policy, and criminal prosecution. This absolute exclusion contradicts international standards such as Convention 108+ (which allows only proportionate and necessary restrictions) and weakens protections precisely where the most sensitive data are handled.
Proposal: Replace the absolute exclusion with a conditional exception that permits limitations of rights and obligations only when strictly necessary and proportionate—without excluding general data protection principles.
2. Absence of a data retention principle
A key pillar of modern data protection law is temporal limitation: personal data cannot be stored indefinitely and must be deleted once its purpose is fulfilled. This basic rule prevents abuse and unnecessary accumulation of information. In the current bill, this principle is not included among the general principles and appears only marginally in relation to proportionality, weakening its force.
Proposal: Include a standalone data retention principle that sets clear limits, differentiates between data types (personal, sensitive, financial, surveillance data, etc.), and allows for sector-specific technical regulations.
3. Lack of a proactive accountability principle
Proactive accountability means that data controllers must not only comply with the law but demonstrate their compliance. This requires active measures: audits, record‑keeping, impact assessments, appointment of Data Protection Officers, internal training, etc. The current bill replaces this concept with a vague “due diligence,” which lacks equivalent legal weight and institutional scope.
Proposal: Reinstate the principle of proactive accountability as articulated in the GDPR and Convention 108+, particularly for public sector obligations.
Other critical concerns
4. Erosion of public access to information rights
Article 24 introduces a complex procedure for accessing public information containing personal data, requiring notification to the data subject and a non‑binding ruling. This could become a systematic barrier to transparency and weaken access to public information—especially regarding contracts, officials, and use of public funds.
Proposal: Replace this procedure with a mechanism based on divisibility, harm test, and public interest test, following the model of Paraguay’s Law No. 5282/2014 on Access to Public Information.
5. Ambiguities in international data transfers
The bill states that in the absence of an adequate country, the controller must ensure legal compliance but fails to specify which mechanisms are acceptable (e.g., standard contractual clauses, binding corporate rules, codes of conduct), or who determines which countries offer adequate protection.
Proposal: Include a publicly available, up‑to‑date list of adequate countries (maintained by the supervisory authority) and specify acceptable safeguards for international transfers in line with international models.
6. Short mandate for leadership of the data protection authority
Article 40 sets a three-year term for the Director General of the future National Data Protection Agency. This duration is too short to ensure independence, strategic planning, or institutional continuity.
Proposal: Establish a five-year mandate with the possibility of a single reappointment, and a transparent, merit-based appointment process.
Data protection as a human rights tool, not merely a technical norm
At TEDIC, we view personal data processing not just as a technical or administrative matter but as deeply linked to democracy, accountability, access to justice, freedom of expression, and social equity.
A strong law can empower citizens, safeguard vulnerable groups, prevent arbitrary use of surveillance technologies, and foster a digital ecosystem built on trust and respect for human dignity. Conversely, a weak law can normalize abusive practices like surveillance without judicial oversight, discriminatory use of artificial intelligence, unchecked data collection by companies, and opacity in public administration.
The moment to strengthen is now
The legislative process is not over. The Senate now has the opportunity —and responsibility— to improve the text approved by the Deputies, incorporating these technical and legal adjustments.
TEDIC, together with the Coalition for Personal Data Protection, reiterates our willingness to collaborate with the National Congress, offering inputs, comparative proposals, and technical arguments to help strengthen this law. We will continue working with civil society and all people interested in defending digital rights to ensure Paraguay enacts a Personal Data Protection Law that meets current challenges and citizens’ expectations.
Because protecting our data is also protecting our freedom, privacy, and democracy.
Download the legal opinion of the Personal Data Coalition submitted to the Senate’s Science & Technology Commission on July 14.
References
Internet Bolivia (2025). Guia de Implementación de Protección de Datos y Uso Responsable de Inteligencia Artificial en Bolivia. En https://internetbolivia.org/wp-content/uploads/2025/05/guia_proteccion_datos_web.pdf
Federico Legal (2025) Opinión preliminar del experto en Acceso a la información pública. En https://x.com/federicolegal/status/1943048423302672822?s=48
[Research] Technology-facilitated gender-based violence against women politicians in Paraguay