Trends in the Antipyrawebs Observatory 2025
The year 2025 showed that discussions on technology and rights in Paraguay cannot be understood in isolation. They unfolded in a context shaped by legislative debates, digital security incidents, and emerging tensions surrounding citizens’ rights. In this scenario, the Antipyrawebs Observatory consolidated itself as a key tool for identifying trends, recording relevant milestones, and understanding how public debates around technology took shape.
During the year, the Observatory analyzed 376 news articles. The most prominent category was personal data (87 articles, 21.48%), largely driven by the enactment of the Personal Data Protection Law, a milestone that concentrated much of the public debate on the protection of citizens’ information. The cybersecurity category (63 articles, 15.56%) was closely linked to personal data, highlighting the importance of digital security and its impact on everyday life.
Other topics (56 articles, 13.83%) reflected the diversity of debates surrounding these issues, while innovation (54 articles, 13.33%) addressed how new technologies—from artificial intelligence to digitalization processes—interact with data protection and digital security.
The categories of privacy (43 articles, 10.62%), gender (21 articles, 5.19%), freedom of expression and regulation (17 articles each, 4.20%) illustrate how these tensions played out in the digital sphere, including debates on citizen participation and state control. In particular, discussions around the Anti-NGO Law showed that debates on digital rights are also embedded within a broader political framework, with direct implications for civil society and democracy.
The remaining content was distributed across electronic voting (14 articles, 3.46%), democracy (13 articles, 3.21%), connectivity (11 articles, 2.72%), education (8 articles, 1.98%), and public-private partnerships (1 article, 0.25%). Meanwhile, COVID-19 and copyright registered no entries during the year, reflecting a shift in the agenda toward more urgent issues directly linked to technology and digital governance.
This overview shows how debates on personal data, cybersecurity, innovation, and privacy not only reflected technical concerns but were deeply intertwined with broader political and social processes. Throughout the year, technology consolidated itself as a central axis of the national public agenda, cutting across legislative discussions, institutional decisions, and everyday challenges. In the following sections, this report further explores the main trends and milestones that shaped the year, as well as providing a concise overview of the growing relevance of these discussions in public debate and national priorities.
Personal Data Protection at the Center of Public Debate
The enactment of the Personal Data Protection Law in November 2025 represented one of the most significant milestones and explains why this category concentrated the highest number of publications in the Antipyrawebs Observatory. This long-delayed regulation finally moved forward in a context of heightened public sensitivity regarding the use, storage, and protection of personal information.
The approval of the law is the result of more than four years of sustained work by the Personal Data Coalition, a plural space composed of civil society organizations, academia, and specialists, of which TEDIC is a member. This process was characterized by dialogue with different stakeholders and the promotion of international standards on data protection in a country that, until now, lacked a comprehensive regulatory framework on the matter. While this achievement marks a turning point in the recognition of the right to personal data protection, the path toward its effective implementation poses new challenges.
The legislative and media debate surrounding the law, which unfolded from February until its enactment, was deeply shaped by a climate of public concern regarding the handling of personal information. Throughout the year, various incidents related to the indiscriminate use of data, as well as the exposure of sensitive information, strongly raised questions about who collects data, for what purposes, and under what safeguards. In this context, cases such as the request for biometric data to access mass events—such as what occurred at the Mariano Roque Alonso Expo in July of that year—sparked public criticism regarding proportionality, necessity, and the lack of transparency in the processing of such information.
This context contributed to the discussion of the law extending beyond legislative chambers into the public sphere, where media outlets, experts, and organizations joined the debate. During the parliamentary process, various sectors expressed concerns about articles introduced in the later versions of the bill, warning that some provisions could weaken access to public information or create ambiguities in their application. In July, TEDIC and the Personal Data Coalition contributed to this debate by providing legal analysis of the articles under discussion, highlighting the need for clearer definitions to avoid broad interpretations that could enable secrecy or state discretion, as well as potential negative impacts on freedom of expression and access to information.
Despite these concerns, the law was ultimately passed. In a context of political urgency, it emerged as a necessary response to the challenges of the contemporary digital environment.
Thus, 2025 closed with an ambivalent scenario: on one hand, the enactment of a law that formally recognizes the right to personal data protection, and on the other, uncertainty surrounding its regulation and implementation, which remain pending. The way in which mechanisms for enforcement, oversight, and supervision are defined will be decisive in determining whether this regulatory advancement translates into stronger guarantees for citizens or, on the contrary, reproduces longstanding practices of opacity and lack of protection.
Data breaches and cyberattacks exposing digital vulnerability
Although by the end of 2024 there had already been warnings related to the security of state information systems, 2025 was marked from its early months by incidents that revealed the fragility of personal data protection and public digital infrastructure. Massive leaks of sensitive information and repeated attacks on state platforms combined to create a scenario that placed the State’s responsibility for safeguarding citizens’ data at the center of public debate.
One of the first incidents that marked the year occurred in March, when journalistic investigations warned about the alleged leak of personal data of more than seven million Paraguayans, including names, ID numbers, and other sensitive information. Various reports pointed to the Superior Tribunal of Electoral Justice (TSJE) as a possible source of the exposed database, raising serious concerns given its role as a key institution in the administration of citizens’ data.
As the weeks went by, these leaks began to be linked to the circulation of Paraguayan citizens’ databases on deep web forums and marketplaces, further increasing the severity of the situation. Cybersecurity experts warned that the exposure of this information heightened the risks of fraud, identity theft, and other crimes, while also highlighting the lack of effective mechanisms for control and response to incidents of this magnitude.
In parallel to the data leaks, starting in May there was a sustained escalation of hacks targeting government websites, affecting ministries, autonomous agencies, judicial institutions, and municipalities. Official and journalistic reports documented attacks on platforms belonging to the Jury for the Prosecution of Magistrates (JEM), PRONASIDA, the Senate, the Comptroller General’s Office, the National Traffic Agency, among other public entities. Although figures varied depending on the source, there were reports of more than 27 attacks on state websites, with some estimates counting dozens of affected portals throughout the year.
Several of these attacks were publicly attributed to the hacker group Cyber Team, which claimed responsibility as a way to expose vulnerabilities in state systems and send warnings to the government. The incidents went beyond website defacement; in some cases, they resulted in disruptions to public services and the potential exposure of internal information, reinforcing perceptions of limited institutional preparedness to face such threats.
Later, in July and August, the focus expanded with cases involving private sector actors handling large volumes of personal data. The breach linked to Ueno Bank and attacks on services associated with Informconf reignited debates about the protection of information held by private companies and the role of regulatory bodies, showing that the risks associated with poor data management are not limited to the public sector.
These breaches and attacks also facilitated fraud attempts targeting citizens, including the hijacking of WhatsApp accounts and other forms of digital identity theft. The incidents demonstrated how the exposure of personal data and system vulnerabilities enable criminals to exploit sensitive information to harm individuals.
Notably, these events occurred after the State had announced, at the beginning of the year, actions aimed at strengthening its cybersecurity capacities. In January, authorities reported the donation of equipment and training sessions funded by the United States for Armed Forces personnel, and in February, MITIC announced progress in international cooperation through technical exchanges and agreements to improve responses to digital incidents. These initiatives, presented as steps toward greater institutional preparedness, preceded the wave of leaks and cyberattacks that began in March. The contrast between these announcements and the events that followed exposed the limitations of a strategy based primarily on external support and isolated actions, and once again highlighted the need for sustained public policies, structural investment, and genuine strengthening of local capacities to protect citizens’ systems and information.
Structural Investment and Strengthening Local Capacities
In response to this context, TEDIC remained active throughout 2025 in monitoring and analyzing data breaches and cyberattacks, providing alerts, legal opinions, and systematically documenting incidents. Additionally, we facilitated public workshops and shared digital security resources, aiming to enable individuals to protect their personal data and accounts in a scenario marked by massive leaks and cyberattacks. These actions helped raise awareness of the risks, strengthen citizen consciousness, and foster debate about the need for clear and effective privacy and cybersecurity policies.
Cybersecurity Norms and Strategic Frameworks
The crisis of data breaches and cyberattacks experienced in the country during the year also prompted renewed discussions about cybersecurity regulatory frameworks and strategies. In this context, relevant initiatives emerged seeking to consolidate a more structured approach to digital threats.
In June, a group of legislators introduced a Cybersecurity Law project in the Chamber of Deputies, aimed at establishing a specific legal framework to prevent, investigate, and sanction cybercrimes, and to provide greater tools for institutions responsible for digital security. TEDIC critically analyzed this project, noting in a public document that while the initiative addressed an urgent need for regulation, it lacked clear technical definitions and mechanisms to ensure the protection of rights. In particular, we emphasized the importance of building such a law on solid technical foundations, pluralistic participation, and coherence with other digital rights frameworks, to avoid it becoming a tool of control or regulatory ambiguity instead of providing security.
Beyond legislative debate, the Executive Branch officially launched in May the National Cybersecurity Strategy 2025–2028, a roadmap intended to coordinate short-, medium-, and long-term government actions to strengthen the protection of critical infrastructure, foster inter-institutional cooperation, and promote technical capacities across the public administration. While presented as a step toward a more integrated vision of digital defense, its impact will largely depend on resource allocation, actor coordination, and ongoing updates to face rapidly evolving threats.
These regulatory and strategic initiatives represent efforts to respond to an increasing threat landscape and demonstrate the complexity of articulating robust public policies that translate into sustainable practices for protecting both systems and human rights. Cybersecurity in Paraguay requires more than frameworks; it demands investment in capacities, pluralistic participation, and clear mechanisms that link regulations with the operational reality of institutions and real protection for citizens.
AI, Regulation, and Infrastructure
Artificial intelligence emerged as one of the most visible axes of the technology debate, driven by the rapid expansion of generative text and image platforms and their incorporation into daily practices. These tools, widely used to create content, edit photos, or automate tasks, raised discussions about privacy, security, and responsible use—particularly concerning models like DeepSeek, which sparked international alerts for potential risks regarding data protection and safeguarding personal information.
The AI debate also reached academic and training spheres. In January, the Faculty of Engineering at the National University of Asunción launched a master’s program in Artificial Intelligence with support from CONACYT, reflecting institutional recognition of the need to build technical capacities in the country to face rapidly advancing technology that poses complex challenges for development, employment, and education.
This context of rapid growth and AI expansion led to initiatives aimed at establishing a regulatory framework. In May, a draft Artificial Intelligence Law was officially introduced in the Senate, aiming to regulate and promote the development, implementation, and innovation of AI systems in Paraguay. TEDIC engaged with this process, providing critical analyses and technical observations, emphasizing the importance of evidence-based regulation, plural participation, and a human rights approach. We also highlighted that any legal framework should consider the social impacts of AI, including data protection, non-discrimination, and accountability in automated systems, to prevent innovation from advancing without clear safeguards for the population.
The Energy Cost of the Digital Future
In May 2025, figures such as U.S. Senator Marco Rubio highlighted Paraguay’s energy potential in the context of artificial intelligence, framing energy availability as a strategic factor for the United States. Following this, authorities and business sectors promoted the idea that the country could attract investments in high-energy-consuming data centers, leveraging its energy surplus, particularly from Itaipú. In July 2025, the upcoming MERCOSUR–European Union Association Agreement was presented by official sectors as an opportunity for technological investment and related infrastructure, adding a geopolitical dimension to discussions on energy use and high-consumption projects.
While these proposals can be interpreted as an opportunity for “economic development,” it is important to consider how such projects fit within resource management and the protection—or lack thereof—of citizens’ rights over the long term; for example, water consumption, air pollution, and energy demand, especially in Paraguay, where power outages remain frequent. The intersection of energy and digital infrastructure debates illustrates that technology is not merely a technical matter but a central element for sustainable and sovereign policies that safeguard citizens’ rights.
Other Relevant Aspects
The national panorama also highlighted other areas of interest. Paraguay’s strong relationship with Taiwan, including technology and innovation cooperation, was presented as a platform to strengthen AI capacities and other knowledge economy sectors, with emphasis on talent development and strategic science and technology partnerships.
In November, the Ministry of Information and Communication Technologies (MITIC) advanced an international public tender for a modular Tier III state data center, designed to host critical services in a secure and controlled environment for public agencies. This project, financed with support from the Inter-American Development Bank, was intended to consolidate an infrastructure base that reduces dispersion of state digital services and enhances operational resilience.
“Anti-NGO” Law: Setbacks for Democratic Participation
In October 2025, President Santiago Peña enacted the controversial Law No. 7363/24, popularly known as the “Anti-NGO” or “Garrote” Law, establishing mechanisms of control, transparency, and accountability for nonprofit organizations. The law requires detailed reporting on activities, funding, personnel, and beneficiaries within strict deadlines, as well as registration updates, with possible sanctions and activity suspension for noncompliance.
The approval and subsequent regulation of this law raised concerns among civil society sectors, organizations, and opposition voices, who argued that it could be used to limit freedom of expression and democratic participation, particularly regarding activities critical of the government.
TEDIC, as part of the Coordinadora de Derechos Humanos del Paraguay (CODEHUPY) and other social organizations, took a critical stance on the Anti-NGO Law, stressing that the stated intention of “transparency” must be balanced with the protection of constitutional rights such as freedom of association, expression, and political participation. These liberties are pillars of a democratic society, enabling community, cultural, social, or human rights organizations to operate without fear of arbitrary sanctions.
In December 2025, more than 30 civil society organizations within CODEHUPY, including TEDIC, filed an Unconstitutionality Action before the Supreme Court against Law No. 7363 and its regulation. The action argued that the law and its rules introduce excessive, discretionary, and punitive controls that violate fundamental constitutional rights, including freedom of association (Art. 42), freedom of expression and participation (Arts. 26 and 40), and the principle of legality (Art. 9). The organizations also highlighted contradictions with international obligations to protect civic space, warning that its application could generate fear and uncertainty affecting solidarity initiatives, educational, cultural, and community projects nationwide.
This judicial and political process reveals a profound tension between demands for accountability and the protection of civil and political rights that enable organized citizen participation. Beyond numbers or administrative procedures, what is at stake is the capacity of communities to organize, express themselves, and defend rights without fear of arbitrary sanctions—an essential aspect of any pluralistic democracy.
Freedom of Expression, Surveillance, and Z Protest
At the end of September 2025, the self-named youth protest movement “Generación Z Paraguay” emerged, organized mainly through digital platforms like TikTok and Instagram. The mobilization occurred amid a global context where youth protests had already gained relevance, particularly the events in Nepal, which inspired subsequent demonstrations. Various information, including false reports, circulated through national media, fueling risk narratives about mass youth protests.
In Paraguay, several days before the protest, the National Police deployed security operations including monitoring group chats and reviewing the profiles of organizers. In response, TEDIC provided clear guidance for participants, emphasizing that peaceful protest is a constitutional right and sharing recommendations on protecting freedom of expression and communications in monitored contexts, including our Free Protest Guide.
On September 28, the day of the march, the government deployed over 3,000 police officers ostensibly “to ensure safety,” a measure widely criticized as disproportionate relative to the expected number of participants. The protest, which carried anti-corruption messages, was interrupted by the police, and participants faced repression, arbitrary detentions, and barriers limiting the exercise of fundamental rights such as assembly and free expression.
Following these events, both citizens and human rights organizations issued statements denouncing clear violations of the right to assembly, highlighting concerns about surveillance and intelligence practices targeting young protesters. In response, TEDIC conducted a workshop on Free Protests, aimed at Generation Z youth and civil society organizations, covering legal aspects of peaceful protest and appropriate digital protection strategies.
These events highlighted tensions between freedom of expression, the use of surveillance technologies without transparency, and social control practices, reminding that in a democratic environment, the exercise of fundamental rights should not be conditioned by state monitoring or repression.
Electronic Voting and Electoral Technologies
During the first half of 2025, the discussion on the incorporation of electronic voting machines returned to the public agenda. Suspended tenders and technical concerns reignited debates on the security and reliability of these systems. While the Superior Tribunal of Electoral Justice (TSJE) claimed the machines were secure, various voices warned of a lack of transparency, absence of open audits, and risks associated with incorporating closed technologies in electoral processes.
In this context, computer and cybersecurity specialists, including local technical communities, requested independent audits to evaluate machine functionality and security as a positive contribution to institutional strengthening. However, these requests received no effective response, and audits were not carried out. These discussions are particularly relevant in light of the municipal elections scheduled for 2026, where the TSJE is responsible for ensuring technologies that strengthen transparency, auditability, and public trust, essential pillars of any democratic process.
International Context, Espionage, and Technological Cooperation
In January 2025, Paraguay and its security institutions announced the use of drones and boats in border areas as part of efforts against smuggling and other cross-border crimes. This measure sparked discussions about surveillance and the use of aerial capture technologies within national security policies.
At the end of March, the international landscape shifted when Brazilian media reported that the Brazilian Intelligence Agency (ABIN) had hacked Paraguayan authorities to obtain information regarding negotiations on Annex C of the Itaipú Treaty, which governs the binational hydroelectric energy. According to allegations, the operation occurred during Jair Bolsonaro’s presidency and partially continued under Luiz Inácio Lula da Silva’s government, an act considered a serious violation of Paraguay’s sovereignty and privacy.
In response, the Paraguayan government summoned the Brazilian ambassador in Asunción, demanded explanations, and suspended negotiations on Annex C of Itaipú until the case was clarified—a matter essential to the country’s energy policy. These tensions affected not only energy issues but also bilateral trust relations that influence regional cooperation and ongoing agreements.
On the other hand, within the technological cooperation agenda, Paraguay and Taiwan strengthened their ties in 2025. These efforts were manifested, among other things, in the presentation of the Taiwan–Paraguay Smart Technology Park in July, intended to become a hub for strategic cooperation in emerging technologies, advanced manufacturing, energy, and artificial intelligence.
Finally, in December 2025, Paraguay and the United States signed a military agreement, a significant element of the international agenda which, although formally focused on defense cooperation, falls within a broader strategic relations framework. Such agreements typically reinforce security logics that expand state surveillance capabilities, enable increasingly intrusive technologies, and consolidate power asymmetries, especially when state actors with greater geopolitical weight are involved.
Together, these episodes show how international dynamics—from state espionage to technological and military cooperation agreements—directly affect digital sovereignty, data protection, and human rights, highlighting the need for critical debate on which technological development model is being promoted and who controls these infrastructures and decisions.
Children and Technology
Throughout 2025, the technology debate in Paraguay repeatedly intersected with the protection of children and adolescents, in a context where many state responses sought to address issues through punitive and control measures rather than comprehensive rights-based approaches.
From January, discussions about regulating cellphone use in classrooms gained traction, promoted by Congress and later taken up by the Executive Branch. The initiative was justified by concerns over “harmful content” and low academic performance but quickly raised alerts from educational and digital rights sectors: banning or restricting without digital literacy policies and teacher support shifts the problem without solving it.
In June, the Anti-Grooming Law also progressed, a process in which TEDIC played an active role, emphasizing that protecting children in digital environments should not involve prior censorship, excessive criminalization, or permanent monitoring of communications.
Finally, in October, Congress approved the new Law against Child Pornography, which includes the obligation to retain communication traffic data. Although presented as a protective tool, the law sparked a deep debate on privacy, proportionality, and mass surveillance.
Overall, these discussions reveal a trend: the protection of children is often used as a legitimate argument to implement control measures without a comprehensive approach or evaluation of impacts on human rights. In this context, these measures raise a key question: how can we care without surveilling, and protect without curtailing rights?
Gender and Technology
2025 was marked by setbacks in rights for women and diverse gender identities in Paraguay. In January, the Ministry of Education and Culture (MEC) announced it would only recognize binary genders in the educational system, and in November, that the word “gender” would be removed from all educational materials. In May, a public hearing was held to prevent the merger of the Ministry of Women, Ministry of Childhood, and Secretariat for Youth into a single body called the “Ministry of Family.” TEDIC joined this collective demand with other women’s organizations to defend and uphold acquired rights and prevent the dissolution of specialized ministries under the pretext of resource optimization, which are essential for addressing various forms of violence and inequality.
Additionally, in March, the use of electronic ankle monitors in domestic violence cases was announced—a measure presented as progress but still limited in scope and real application.
Significant judicial precedents regarding digital violence were also consolidated, such as the ratification of the doxing sentence against Juan Vera for sharing journalist Menchi Barriocanal’s phone number. This confirms that digital violence is real and requires authorities to take preventive and reparative measures for victims.
Other Key Issues
Facial Recognition and the Expansion of Biometric Surveillance
The use of facial recognition and biometric surveillance technologies expanded in both public and private spaces, without clear regulatory frameworks or guarantees for citizens. Cases such as a young man being expelled from a store after being mistakenly identified by a facial recognition system exposed risks of discrimination, stigmatization, and lack of due process. Amid this debate, TEDIC’s investigation revealed opaque public spending on the acquisition of biometric technologies. Meanwhile, municipalities like Ciudad del Este inaugurated monitoring centers with cameras for street surveillance, and the Police announced the expansion of body cameras for the Lince team. Presented as security and efficiency measures, these developments deepen a mass surveillance model that is advancing faster than public debate on privacy and democratic limits.
Precarization of Platform Work and Legislative Disputes
Throughout 2025, platform work in transport and delivery returned to the public discussion, intersecting with precarious labor conditions, everyday insecurity, and persistent regulatory gaps. Complaints about police raids without warrants, high-risk areas, shared helmets for motorcycle delivery, and security complaints to the Prosecutor’s Office highlighted a scenario where technology organizes work but does not guarantee rights or protection.
Two key bills were introduced in Congress: one requiring the inclusion of a panic button connected to 911, prompted by violence against delivery workers, and another regulating the safety of service providers and users of mobility and delivery platforms. Both initiatives represent a contemporary challenge built on old structures. While the state and platforms debate regulations, workers continue demanding immediate solutions.
Digital Infrastructure, Agreements, and Technological Expansion
In parallel, the state promoted a technological and institutional expansion agenda. In February 2025, MITIC and the Ministry of Defense signed a cooperation agreement to strengthen coordination between technology, security, and defense. In November, Paraguay also joined global infrastructures such as Google Street View, expanding territorial data capture and circulation.
The country hosted large-scale technological events, including the Paraguay Blockchain Summit in August and the 7th Ibero-American ID Forum Summit in November, consolidating its regional positioning in digital innovation. Procurement and design processes for the MITIC Digital District also began—a project concentrating state technological infrastructure, including data centers, digital services, and data management capabilities. The district will cover six hectares near Parque Ñu Guasu within the Armed Forces grounds.
Simultaneously, initiatives directly impacting citizens advanced. For example, free electronic fare cards were distributed in the education system through public-private partnerships, benefiting 11,000 students. Similarly, the digital identity card surpassed one million registered users and began to be used for various procedures without needing a physical ID.
In January, electronic vehicle registration was implemented in several municipalities, consolidating this identification model. The state also celebrated the growth of the Paraguayan video game industry as an export and creative sector. Together, these processes reflect accelerated digitalization combining innovation, market expansion, and institutional management.
Extractivism and Control Technologies
Decisions related to technological infrastructure revealed the social, environmental, and political costs of accelerated digitalization. In a context where cryptocurrencies are not authorized by the Central Bank of Paraguay and prior noise pollution complaints exist, the January explosion in a cryptocurrency mining facility in Villarrica highlighted the labor, energy, and regulatory risks of an industry operating at the margins of state control. In parallel, technical studies for lithium prospecting in the Chaco reactivated debates on extractivism, natural resource use, and the impacts of new technological chains on historically vulnerable territories.
Towards the end of the year, key decisions regarding connectivity and surveillance emerged: in December, processes related to 5G network bidding were unblocked amid transparency concerns, while municipalities like Asunción announced intentions to use drones to monitor tax collection, expanding the use of control technologies over citizens. These developments show how technological expansion advances without a thorough debate on limits, accountability, and rights.
Technology and Power: A Year That Redefined Priorities
2025 demonstrated how technology is a central arena of political, economic, and social dispute in contemporary Paraguay. The promulgation of the Personal Data Protection Law marked a historic milestone but coexisted with massive data leaks, hacks, the expansion of biometric surveillance, and setbacks in individual and collective freedoms. Simultaneously, artificial intelligence, energy infrastructure, electronic voting, and state digitalization highlighted that technological decisions are deeply intertwined with sovereignty, democracy, and the development model.
From TEDIC, the challenge remains the same: to accompany these processes with a critical perspective, advocacy, and commitment to human rights. Looking ahead to 2026, with municipal elections on the horizon and new decisions regarding infrastructure and regulation, it will be crucial to sustain an informed public debate centered on transparency, participation, and the effective protection of individuals in digital environments.
This publication has been funded by the European Union. Its content is the sole responsibility of TEDIC and does not necessarily reflect the views of the European Union.