The enactment of Law No. 7593/2025 on Personal Data Protection in Paraguay is a step forward in terms of human rights in the country. This law is the result of collective, diverse, and multisectoral work led by the Personal Data Coalition and various civil society organizations, academics, and experts from both the public and private sectors.
This article seeks to reconstruct the path taken since the draft bill was presented in 2021, analyzes the changes in the different versions of the bill, the contributions of public and private actors, and shows the relationship between the Coalition’s initial proposal and the final proposal that was approved.
A historic advance for digital rights
The approval of the Personal Data Protection Law is the culmination of four years of sustained advocacy. The Personal Data Coalition pointed out that Paraguay still lacked a regulatory framework to legally protect personal information and, therefore, it was necessary to introduce a law of “international stature” that would allow for comprehensive protection of personal data. TEDIC reports that the drafting of the proposed legislation included a process consisting of a series of talks and collaborative activities to determine the foundations of the legislation. This technical and pluralistic process allowed for the articulation of evidence, proposals, and strategic defense actions.
How did the legislative proposal for personal data protection come about?
In 2021, the Personal Data Coalition —which emerged in 2017 as a joint space for civil society organizations, specialists, academia, and the private sector, made up of the Paraguayan Association of Computer and Technology Law (APADIT), TEDIC, the Abente Stewart Law Firm, the Internet Society Paraguay Chapter, and Puente— was the driving force behind the proposal. and the private sector, comprising the Paraguayan Association of Computer and Technology Law (APADIT), TEDIC, the Abente Stewart Law Firm, the Internet Society Paraguay Chapter, and Puente—was the one that presented the first legislative proposal with the support of the Chamber of Deputies’ Science and Technology Commission. This coalition led the process of creating an initial draft bill that is inclusive, robust, and effectively addresses the lack of a modern personal data law that is aligned with regional and global legislation.
This process took several years. In 2020, a multi-stakeholder roundtable was formed to draft a comprehensive personal data protection bill in Paraguay, and the preliminary draft was officially presented to the Chamber of Deputies by the Personal Data Coalition. Audiovisual materials were also produced to document the history, motivations, and collective construction of the space.
The coordinated work of the Coalition paved the way for the creation of the first draft of the legal proposal, within a participatory framework that involved technical working groups, expert workshops, public consultation, and collaborative legal review. As the culmination of the process, the first draft was presented publicly and laid the conceptual foundations that were maintained throughout successive versions of the proposal.
The project incorporated key elements: an independent data protection authority, guiding principles aligned with international standards, broad ARCO rights, strict regulation of sensitive data, clear obligations for controllers and processors, and robust oversight mechanisms.
First constitutional stage
The bill was officially submitted to Congress in 2021 and referred to seven committees: Foreign Affairs; Industry, Trade, Tourism, and Cooperatives; Economic and Financial Affairs; Science and Technology; Constitutional Affairs; Legislation and Codification; Justice, Labor, and Social Security. Among these committees, it was in the Science and Technology (CyT) committee where it remained a recurring item on the agenda. TEDIC progressively documented the monitoring of this legislative process.
Between 2021 and 2024, the bill was included in its first stage on the agenda of the Chamber of Deputies on the following occasions:
This extensive track record demonstrates sustained political interest in the project, although progress was slow during this stage.
During this period, the Science and Technology Committee took on a central role in the political direction of the project. The Coalition continued to provide technical support, but parliamentary leadership fell to the committee. Its involvement made it possible to keep a complex and specialized issue on the agenda.
The aforementioned commission requested several institutional opinion reports on the bill, which were answered by both public and private institutions: Civil Registry; Ministry of Public Health and Social Welfare; MITIC; Ministry of Foreign Affairs; Association of Banks of Paraguay; Social Security Institute; National Securities Commission; DINAPI, Ministry of the Interior; CODEHUPY; Central Bank; Public Prosecutor’s Office; Ministry of Finance; SEDECO; TSJE, etc. In this first stage, the main comments received referred to better defining the scope of the terms, the procedures to be applied, the authority responsible for the application and scope of the law, and suggestions for referring entire chapters to regulations, such as those establishing the procedural part of the sanctions and the sanctions themselves, for greater administrative breadth. Concerns have also been raised about establishing an independent enforcement authority, as this would have a direct impact on the budget that had already been committed to the COVID health emergency.
The Personal Data Coalition undertook the task of drafting another version of the bill, as a technical specialist of the Science and Technology Commission, in which it gathered suggestions from various institutions and based on negotiations with the Executive Branch regarding the wording of the articles, it finally presented a document in which one of the main differences is in the enforcement authority, which is no longer an independent body with its own structure but becomes part of the Ministry of Information and Communication Technologies (MITIC), with the rank of a General Directorate.
Of the versions presented by the Coalition (88 articles in the first draft and 85 in the second version), the Chamber of Deputies approved and gave preliminary approval to the bill with 60 articles, leaving out several important points, among which Article 2 stands out: it establishes that, in relation to public security, national defense, immigration policy, and criminal prosecution, the processing of personal data is exempt from the law in its entirety. This exclusion, as it is worded, contradicts the provisions of Convention 108+ and, in turn, reduces data protection in areas where the most sensitive data are found.
Another point was the absence of the principle of data retention, which is the basis of modern data protection legislation, since data should not be retained indefinitely. Data must be deleted as soon as the purpose has been achieved. This basic rule prevents abuse and unnecessary data retention.
There was also a lack of inclusion of the principle of proactive responsibility. The principle of proactive responsibility means that data controllers are not only required to comply with the law, but also to demonstrate that they comply with it. This is an active commitment, such as audits, record keeping, impact assessment, appointment of data protection officers, internal training, etc. The draft replaced this principle with “due diligence,” which does not have the same legal weight or institutional scope.
One of the most critical points at this constitutional stage was the inclusion in Article 24 of a multi-layered process for public access to personal data, including notification to the data subject and a non-binding ruling. Such a formula could become a systematic obstacle to transparency, limiting access to information of public interest, particularly with regard to public procurement, public officials, and the expenditure of public funds.
The bill, which has been passed by the Chamber of Deputies, was discussed in general terms; there was no point-by-point discussion of each article. Neither its approval in general nor its specific provisions, which should have been studied in detail in plenary session, as it is a law closely linked to human rights.
Second, third, and fourth constitutional stages
In these subsequent stages, the process focused on political issues such as the interests of certain actors in the private and public sectors and pressure from the international agenda, because Bolivia and Argentina were the only countries in South America that did not have data protection laws.
The Senate receives the proposal on June 11, 2025, and refers it to the committees on Family, Children, Adolescents, and Youth; Legislation, Codification, Justice, and Labor; Science, Technology, Innovation, and the Future; Constitutional Affairs; National Defense and Public Security; and Human Rights, Equity, and Gender. Three of these committees issue opinions approving the bill with amendments. The Family, Children, Adolescents, and Youth Committee, on the one hand, and the Legislation, Codification; Justice and Labor; and Science, Technology, Innovation, and Future committees, on the other, issued a joint ruling that included most of the suggestions that the Coalition had argued in a technical report submitted to the Senate. In this document, the Coalition expresses its concern about certain aspects of the version approved by the Chamber of Deputies. Although the approved bill was a step forward, it had shortcomings in terms of the effective protection of personal data. The areas for improvement suggested by the Coalition, which are outlined in the report, were as follows: 1) unconstitutional and broad exclusions in Article 2 that exclude from the law processing operations that fall outside its scope, such as those related to public security and criminal prosecution; 2) lack of the principle of retention in the legal system, which is fundamental to the non-indefinite retention of data; 3) lack of proactive accountability, which is replaced by a rather lax concept of “due diligence”; 4) setbacks in access to public information by establishing procedures that are a real barrier to transparency; 5) lack of criteria and guarantees in the ambiguity of international transfers; and 6) short terms of office for the leadership of the supervisory authority, which affects its independence and continuity.
At its regular session on August 6, 2025, the Senate approved the Personal Data Protection Bill with amendments and returned it to the House of Representatives for further deliberation. Some of the relevant changes were as follows:
In the case of minors between the ages of 16 and 18, the joint consent of the minor and the holder of parental authority, exercising parental authority, is necessary for the processing of personal data.
In the case of international data transfers, the future National Data Protection Agency will have the power to determine whether another country has an adequate level of protection.
The sanctions mechanism is also strengthened: the law now establishes that any action or inaction that violates the framework of regulatory provisions issued by the Agency is a crime.
Regarding the right of access to public information, the amendment establishes that the authority has the right to deny access if the risk to the protected interest outweighs the public interest in obtaining the information.
The vast majority of the articles suggested by the Coalition were accepted, except for the elimination of Article 24 on access to public information held by public officials.
It returned to the Chamber of Deputies, where it was included in the sessions of August 19, 2025, and September 23, with its consideration being postponed, and finally on October 14, 2025, when the amendments made in the Senate were rejected. At the time of its discussion, there was not much debate, with only two deputies speaking: Rocío Abed, advocating for the rejection of the amendments introduced in the Senate, arguing that the bill had already been thoroughly studied in the Chamber of Deputies and that the amendments introduced by the Senate were irrelevant, and Representative Rocío Vallejo arguing for the need for President Peña to veto Article 24 because she considered it to be contrary to the law on access to public information and preferred the Senate version as the lesser evil, but that the solution was for the Executive Branch to veto that article.
In this final stage, it was included in three sessions of the Senate: on October 29, 2025, and November 5, 2025, being postponed on both occasions. Finally, the law was passed and sent to the Executive Branch for enactment in the extraordinary session on the same date. The bill was initially on the agenda of the regular session of November 5 as item 3, but then a special session was convened to deal solely with this item, due to the public commitment made by the President of Congress, Basilio Núñez.
The approved proposal retained much of the Coalition’s version
In 2024, given the lack of progress in the Chamber of Deputies, the Coalition prepared and presented an updated draft proposal once again based on participatory processes. This version consolidated the institutional design, rights, and modernization of principles, standards, and obligations. The full version is publicly available.
The 2024 version remained unchanged from its initial version to include an independent agency. It improved the articles for its creation, expanded ARCO rights, the obligation to conduct data protection impact assessments, mandatory incident reporting, strengthened regulation on sensitive data, a clear and proportional penalty regime, and transparency and oversight standards. This version also incorporated several of the suggestions made by the various institutions consulted on the bill.
These adjustments allowed for better contextualization of the proposal to the reality of Paraguay, on the path toward more robust regional regulatory frameworks.
The Executive Branch presented comments focused on transferring a large part of the articles to regulations, especially those related to administrative procedure, suggesting that the law only establish general criteria and guarantees, seeking greater administrative flexibility. The private sector also made specific contributions.
The Coalition’s bill included significantly more extensive text, with 88 articles in the first draft and 85 in the second version. The Chamber of Deputies approved and gave preliminary approval to the bill with 60 articles. The final text, approved by the National Congress and sent to the Executive Branch, in accordance with the merging of chapters or the transfer to regulations, contained 61 articles.
However, despite the modifications, much of the conceptual content introduced by the Coalition remains, such as the guiding principles, the recognition of rights, the obligations of those responsible and in charge, and the approach based on international standards. The core of the data protection system retained the identity that the Coalition had built.
It is essential to recognize that the changes included useful contributions from the private sector and the Executive Branch. The final product is a hybrid bill that maintains the conceptual core of the Coalition and incorporates contributions from various stakeholders.
In the final stage in the Senate (2025), the bill was introduced in three Senate sessions, as mentioned above. At that stage, the discussion of the Personal Data Protection Law was marked by the issue of privacy and transparency. Although the bill was approved by 24 votes —a close vote, as 23 votes were needed for approval— the session was characterized by several abstentions, which showed the doubts that existed within the blocs themselves. Some senators were concerned about the possible consequences of Article 24, which establishes new and restrictive access to public information containing personal data. The approved wording establishes that access to public information may be restricted if the “damage to the protected interest” outweighs the public interest; this provision was considered by the opposition to be an attack on Article 28 of the National Constitution, which establishes that public information is freely accessible.
Some critics have described this wording as a “Frankenstein version” because, in their opinion, it mixes contradictory parts, which creates margins of discretion that are contrary to public transparency. From this perspective, some legislators have publicly requested that President Santiago Peña exercise his veto because the law, as currently drafted, could severely weaken the mechanisms of citizen control that are key to understanding the obligation to be accountable for what is contracted, declared, or done with the nation’s assets. Despite this opposition, the plenary session moved forward with the approval, arguing that the version that had been passed was the “least regressive” of the alternatives that had been debated. With that vote, the bill was sent to the executive branch for enactment.
TEDIC, as a member of the Coalition, welcomed this progress, considering that although the law could still be improved, the fact that Paraguay now has a Personal Data Law is a major step toward recognizing that data belongs to individuals and that its use must be regulated based on consent, accountability, and transparency.
On Thursday, November 27, the Executive Branch finally enacted the Personal Data Protection Law, and the great challenge of regulating it over the next two years begins.
A collective achievement and a new starting point
The Personal Data Protection Law is an achievement that demonstrates the value of politically coordinated, evidence-based, and sustained advocacy. Although the final version of the law that was passed differs from the ideal draft version presented by the Coalition, most of the conceptualization of the law, its principles, the structure of rights, and its alignment are implicitly and largely inspired by the work that began ten years ago and officially in 2021 in the Legislative Branch.
At TEDIC, as a member of the Coalition, we recognize that this approved law is a perfectible norm and we reaffirm our commitment to the effective implementation of the law, participation in regulation, the defense of human rights in digital environments, and the future promotion of an independent authority.
Today we celebrate because Paraguay has a new right guaranteed by the Paraguayan State.
ABC of our community in 2023