Report

Zero Sanctions in Ecuador Due to a Weak Personal Data Protection Law

Users’ data remains at risk: the agency can’t directly punish platforms for misuse due to a flaw in the law

November 24, 2025
14:39
Illustration: Alejandra Saavedra

The country woke up to a scandal. The personal data of all Ecuadorians was stored on an international server, unprotected and accessible to anyone. The database included full names, ID numbers, dates of birth, home addresses, phone numbers, email addresses, family relations, employment history, salaries, vehicle license plates, and more. It even contained information on minors and deceased people.

This became known as the Novaestrat case and led to the drafting of the Organic Law on Personal Data Protection. Six years have passed since that scandal and, although there is now both a law and its regulations, vulnerability in Ecuador remains almost unchanged. This was confirmed by the Superintendent of Personal Data Protection, Fabrizio Peralta Díaz, the official in charge of enforcing the law.

He stated that if a massive privacy breach affecting Ecuadorians were to occur today, he still would not have the legal tools to immediately sanction those responsible. The law stipulates that, in the case of serious violations, the Superintendency must first impose corrective measures on the offenders and only sanction them if they fail to comply. “The law sometimes gives the Superintendency the role of a mother,” Peralta remarked ironically.

Another obstacle is the difficulty in taking action against giants such as Facebook, Google, or TikTok. The law requires foreign platforms to appoint a legal representative in Ecuador, but as of September 2025, only nine companies had complied: two insurance companies, two gaming and betting firms, four small businesses, and Oracle Colombia. None of the so-called Big Tech companies are included.

So far, no one has been sanctioned, despite the law coming into force in 2021, its regulations in 2023, and the Superintendency beginning operations in October of last year.

According to the Superintendent, the way the law was drafted was not accidental. “I understand that many actors were involved in the process…” he said, without naming names. He believes the law must be reformed.

The investigative alliance The Invisible Hand of Big Tech, led by the Latin American Center for Investigative Journalism (CLIP) and Brazil’s Agência Pública, with contributions from Primicias, found that organizations allied with tech giants have been involved in shaping nine Ecuadorian laws regulating the digital sphere, including the Personal Data Protection Law.

Of these, four laws are in force, two were shelved, one awaits its second congressional debate, and two more are under development.

The organizations are the Latin American Internet Association (ALAI), the Ecuadorian Chamber of Innovation and Technology (Citec), and the Peruvian law firm Niubox.

ALAI brings together giants such as Google, TikTok, Meta, and others. Its manifesto states that one of its goals is to promote “collaborative models of public policy development that integrate dialogue between the private sector and governments from the earliest stages.” (See report: Big Tech’s Cross-Border Lobbying)

In a statement to this journalistic alliance, ALAI said it “does not represent the interests of specific companies nor lobby on behalf of specific companies, but rather, like any other business association, represents the interests of the sector as a whole.” The association did not respond to questions about which laws it had influenced in Ecuador or about its role in shaping the personal data protection regulations.

It added that it fosters public, open, and participatory debate as a democratic exercise, which includes organizing events, participating in committees and other congressional bodies across the region, and holding meetings with lawmakers and government officials, among other activities.

Citec brings together 290 Ecuadorian and foreign tech companies of all sizes, including giants like Google, Amazon, and Uber. It is also a signatory of ALAI’s manifesto.

It was founded in 2002 under the name Ecuadorian Software Association (Aesoft), with 16 founding members, among them IBM, Microsoft, and Oracle.

Its bylaws state that one of its purposes is “to support the modernization of Ecuadorian legislation.” They also establish that Citec is funded by member contributions and fees, while also being able to receive donations and contributions from both public and private institutions.

Regarding this, the Director of Regulatory Affairs at Citec, Andrés Vega, told this journalistic alliance: “Our work, as an industry group, is to influence regulation or at least know in advance what is being cooked up in terms of technology regulation.”

The law firm Niubox was founded in Peru in 2018. It opened offices in Ecuador in 2020 and in Colombia in 2022. In all three countries, it claims to have around one hundred clients, including Google, IBM, and Mercado Libre. This investigation found that Niubox has participated in the drafting of five Ecuadorian laws. The firm did not respond to questions sent by Primicias.

In Colombia, it has been involved in artificial intelligence regulation and has organized academic events on technology regulation. Its country manager, Daniel Felipe Valencia Quintero, met with a senator in December 2024 to discuss the regulation of labor in digital platforms.

Since establishing itself in Ecuador, Niubox’s legal representative has been Diego Álvarez Mejía. Until August of last year, he was also president of the Ecuadorian Association for Data Protection, an organization that has presented itself as a defender of citizens’ rights while seeking to influence digital legislation.

First Round: The Draft Bill

The Personal Data Protection Law was a pending obligation the Ecuadorian State had carried since January 2017 under the Free Trade Agreement with the European Union, which promotes e-commerce.

The law is crucial because it protects citizens from two vulnerabilities, said specialist Milena Mora. First, it forces platforms to use personal data strictly for the purposes to which the user consented. Second, it requires protocols and security measures to prevent data theft.

“There is no system, no software, nothing that is infallible or risk-free. Handing over information means you are entrusting your identity to an institution. (…) We give away so much information that identity theft becomes an easy possibility. (…) And the more sensitive the information, the greater the risk,” Mora argued.

The law was originally designed by the National Directorate of Public Data Registry (Dinardap, under the Ministry of Telecommunications), which at the time was headed by academic Lorena Naranjo.

Dinardap began drafting the bill at the end of 2017 and shared the draft between 2018 and 2019 through working groups with civil organizations, private companies, public institutions, and universities.

Several points raised red flags for the tech industry and Big Tech. One was the regulation of foreign companies handling Ecuadorians’ personal data. Another was the heavy sanctions for serious offenses, such as using data for undeclared purposes or failing to adopt adequate security measures. Fines could reach 17% of annual business turnover, meaning sales minus VAT and other minor taxes.

Another contentious issue was the obligation for platforms to obtain the consent of adolescents’ legal guardians before collecting their personal data.

Companies argued that Dinardap ignored their concerns. In early September 2019, Citec met with representatives from the U.S. Embassy in Quito and American experts to analyze the bill. In a statement, they said that “a law is needed to support SMEs, knowing that the current proposal could affect foreign investment and hinder the sector’s growth.”

That same September, the so-called Novaestrat case came to light. This gave the initiative new urgency and led then-President Lenín Moreno to send the bill to the National Assembly.

On September 16, the tech outlet ZDNet revealed the existence of a database stored on a Miami server with insufficient access security, containing personal information on 20.8 million Ecuadorians—more than the country’s total population, since it also included data from deceased individuals.

The investigation indicated that the database belonged to the Ecuadorian company Novaestrat, which marketed itself as a specialist in market analysis. The Prosecutor’s Office launched an investigation for alleged violation of privacy, raided the home of the company’s legal representative, and took statements from its executives. However, five years later, in 2024, prosecutors requested the case be closed, arguing there was insufficient evidence to bring charges.

The same day ZDNet revealed the massive leak, Telecommunications Minister Andrés Michelena and Dinardap Director Lorena Naranjo assured at a press conference that the breach was under control and announced that the government would present the Organic Law on Personal Data Protection to the Legislature. The proposal was submitted on September 19.

Second Round: Changes in the Assembly

Once the bill was introduced, public debate began. One of the most intense exchanges took place in a televised interview in January 2020 between Andrés Burbano de Lara, of Citec, and Lorena Naranjo. That was when the battle lines became clear.

Burbano de Lara was concerned about the creation of a National Data Protection Authority under the executive branch, which would have the power to impose astronomical fines on companies. “They haven’t explained why the fine is 17%… It really doesn’t make sense, because the idea isn’t to bankrupt companies,” he argued. He warned that this would drive away investment.

Naranjo presented the other side. She argued that the illegal trafficking of personal data is a highly profitable business. “Personal data is the new oil,” she said.

She invoked the Novaestrat case to insist that authorities should stop such activities by imposing heavy fines and compensation for those affected. “If a company has generated income fraudulently, that wealth is illicit,” she stressed.

The positions of the interviewees proved irreconcilable. The dialogue ended in shouting. Naranjo accused Burbano de Lara of being a “representative of Google,” while he accused her of being a “representative of Senain,” Correa’s political police. The technicians had to cut off their microphones, and journalist Francisco Rocha closed the program.

In a statement sent to this journalistic alliance, Google said: “Like many companies, we regularly engage with policymakers and other stakeholders on a wide range of issues, including how policies may affect the people who use our products.”

The bill passed its first debate in the plenary of the National Assembly in February 2021 and returned to the Comprehensive Security Committee, which was tasked with incorporating feedback and preparing a new report for the second and final debate.

Here a major change took place. The Committee, chaired by Fernando Flores Vásquez (of the CREO political movement), added a provision stating that the Superintendency must impose corrective measures before applying fines for serious violations.

But the report contained contradictions. In its introduction, the document stated that, after taking observations into account, “corrective measures apply to violations considered minor. Therefore, the sanctioning regime applies automatically to violations considered serious.”

However, in the articles themselves, the opposite was written: direct sanctions for minor infractions, and corrective measures for serious ones. That was the text distributed to stakeholders in March 2021.

During the debate, the only one to address corrective measures was sociologist Valeria Betancourt, representative of the Association for Progressive Communications. She argued that if the law stipulated that fines would only be imposed on offenders who failed to comply with corrective measures, then the sanctions should be severe. However, her proposal did not advance.

The fines were also reduced. Minor infractions, which at first carried penalties of 3% to 9% of annual business turnover, were lowered to between 0.1% and 0.7%. Serious infractions, initially set between 10% and 17%, were cut to between 0.7% and 1%.

The penalties ended up far below what is established by European Union standards: 4% of annual turnover.

During these debates, a new actor emerged defending the arguments of tech platforms: the Ecuadorian Association for Data Protection.

This association had been created in January 2019 by a group of experts. Interestingly, among them were Lorena Naranjo, who at the time was already leading Dinardap; Luis Enríquez Álvarez, an academic and now Superintendent of Personal Data Protection; and Diego Álvarez, who later became president of the Association and is now legal representative and shareholder of Niubox.

Its first president, lawyer Pablo Solines Moreno, appeared before the Committee to present his observations. He opposed applying the law to foreign platforms that collect Ecuadorians’ personal data—what is known as the principle of extraterritoriality.

He also questioned why the media were not included among the regulated entities. In addition, he criticized the requirement for companies to notify authorities in the event of a cyberattack, arguing that this would mean the company “would be alerting the authority so it could sanction it.”

After Solines’ intervention, ALAI’s executive director Raúl Echeberría took the floor. On several points, he echoed arguments already presented by Solines, whom he praised.

He referred to children and adolescents. The bill stated that platforms had to obtain authorization from legal guardians before collecting and processing their personal data. Echeberría proposed that adolescents be excluded from this requirement, applying it only to children under 13. “This could cause harm to adolescents (…) there could be the unintended consequence of reducing their ability to participate in the digital world.”

In the end, the Assembly approved the law, which entered into force in May 2021. It created the Superintendency of Personal Data Protection as a regulatory body independent from all branches of government. It also eliminated the right to digital erasure (“right to be forgotten”) and excluded the media from its application.

On the other hand, the law included the principle of extraterritoriality, as well as the obligation for companies to notify authorities in the event of a security breach, and the requirement for parental consent to handle adolescents’ personal data up to age 15.

Third Round: The General Regulation

The law came into effect in May 2021, coinciding with a change in government, as President Guillermo Lasso took office that same month. A transitional provision prevented the regulator from imposing sanctions for two years, until May 2023. This allowed regulated entities time to adapt, and gave authorities time to draft the General Regulation.

The drafting of the regulation fell to Dinardap, which was renamed the National Directorate of Public Registries (Dinarp). Under the new government, the institution was led by lawyer Angie Jijón Mancheno, who had built her career in the financial sector.

Dinarp convened working groups in August 2021. These dialogues lasted several months, involving representatives from private companies such as Citec, as well as civil society organizations.

However, while Dinarp was finalizing the text to present to the government, Citec released a statement announcing that its representatives had met with the legal secretary of the presidency, Fabián Pozo, to discuss their comments on the final draft of the regulation.

Andrés Vega of Citec said that meeting was private and obtained through a direct request. “It wasn’t a public consultation process, nor was the draft regulation opened to a multi-stakeholder forum,” he clarified.

That meeting also included executives from Niubox, Amazon Web Services, and other companies, according to the statement. The meeting took place on January 21, and Dinarp presented the text five days later.

From then on, the general regulation went into a deep freeze. By May 2023, it still had not been published.

The deadline expired amid a serious national crisis. President Lasso had faced impeachment proceedings in the National Assembly that left him cornered. To avoid being removed from office, he invoked the “cross-death” mechanism that same month—a constitutional tool allowing him to dissolve the legislature temporarily and call for early general elections.

After the elections, on October 15, 2023, Daniel Noboa Azín emerged as the winner, with his inauguration scheduled for November 23. Two weeks before leaving power, Lasso issued the General Regulation of the Personal Data Protection Law, on November 6. Amid the political upheaval, the move went largely unnoticed.

For César Ricaurte, executive director of Fundamedios, the regulation “came out of nowhere.” He had participated in the drafting of the law since 2019 and in the first round of dialogues after its approval in 2021. After that, he was never invited again—until, more than two years later, the regulation was suddenly published. For this reason, he believes there was insufficient citizen participation in the process.

Fourth Round: The Superintendency

Although the law entered into force in 2021 and its General Regulation in 2023, certain additional regulations still need to be implemented, which fall under the responsibility of the Superintendency.

This institution began operating last year. President Daniel Noboa submitted a shortlist for the selection of the first Superintendent in January 2024. At the top of the list was Fabrizio Peralta, a lawyer who had advised business chambers, worked at one of Guayaquil’s largest and most prestigious law firms, taught at several universities, and served as a judicial arbitrator in technology matters. He officially took office in April.

The Superintendency began operations in October. One of Peralta’s first meetings was with Colombian Pablo Nieto, ALAI’s manager for the Andean region, where they discussed the regulatory process for the Personal Data Protection Law, according to the Superintendency’s transparency portal.

At the same time, the institution began issuing new regulations. It published preliminary drafts on its website for public comment, with the possibility of adopting or rejecting the suggestions received.

This year, the Superintendency has issued nine regulations. For example, it promulgated rules to calculate penalties, establishing parameters to precisely determine the fines violators must pay.

The Superintendency reported that ALAI submitted comments on five of those nine regulations, all of which were accepted. Citec submitted comments on seven, of which five were accepted. “We have a fluid relationship,” Superintendent Peralta acknowledged, while clarifying that this does not mean the Superintendency is bound to adopt all recommendations.

In April, Peralta traveled to Mexico to attend ALAI’s annual event promoting its vision of internet governance, the Regional Digital Economy Meeting (DigiEcon). Authorities and lawmakers from other countries also participated. Among the guests was Citec director Gisela Montalvo.

The program lasted three days. Peralta declared the trip on his institution’s transparency platform, reporting travel expenses of just $52.48. When questioned about the financing, he stated that ALAI had covered the costs.

“If the question is meant to determine whether this in any way affects my role as the institution’s top authority, it does not affect it at all. I believe these spaces should be used to promote the institution, especially one that only began operating last year,” Peralta said.

A month after the Mexico event, news broke of an agreement signed between the Superintendency and Citec—though the official document is dated January 2025, without specifying the day. Its purpose is to create dialogue and technical collaboration spaces for knowledge-sharing, training, and promoting debate on data protection.

The Superintendency has signed 24 agreements to promote pending regulations and raise awareness about personal data protection, mainly with universities, public institutions, and international organizations. None has been with citizen organizations.

The agency plans to issue six more regulations this year, including one to define, regulate, and limit large-scale personal data processing, and another to establish standards for international data transfers. These are issues that directly affect Big Tech and their users.

Meanwhile, enforcement remains stalled. Of the 191 complaints received, 106 are backlogged, 65 are in process, and 20 have been closed.

The vast majority of complaints involve debt collection through unauthorized messages and calls. A smaller portion concerns advertising harassment. A minority involve more serious matters, including fraud, defamation, forgery of signatures, and data hacking.

Peralta admitted there are also operational challenges. The institution has 34 staff members, only two of whom handle complaints.

Peralta has requested an increased budget. This year it received $1.54 million and requested $3 million for the next year to hire 107 more employees and invest in service improvements, but he says the Ministry of Economy and Finance has not responded.

The difficulties in enforcing the law are clear. “We are stumbling because passing a law is one thing and applying it is another,” said Lorena Naranjo, now head of the Data Protection Association. She argues that Ecuador is still far from being a digital nation, as data protection is just one piece of a larger puzzle that also includes data governance and utilization.

Meanwhile, Big Tech’s influence on public policy has accelerated. Citec not only has the agreement with the Superintendency to help shape regulations for the law, but it has also gained ground in foreign policy. Citec’s executive director, Gisela Montalvo, was part of the official delegation that accompanied President Noboa on his state visit to the United Arab Emirates in May of this year.

In a statement, the Chamber celebrated: “We work for the internationalization of Ecuador’s tech ecosystem, representing our companies before global actors who today see Ecuador as a safe destination with high investment potential.”

Big Tech

Big Tech’s Invisible Hand is a cross-border, collaborative journalistic investigation led by Brazilian news organization Agência Pública and the Centro Latinoamericano de Investigación Periodística (CLIP), together with Crikey (Australia), Cuestión Pública (Colombia), Daily Maverick (South Africa), El Diario AR (Argentina), El Surti (Paraguay), Factum (El Salvador), ICL (Brazil), Investigative Journalism Foundation – IJF (Canada), LaBot (Chile), LightHouse Reports (International), N+Focus (Mexico), Núcleo (Brazil), Primicias (Ecuador), Tech Policy Press (USA), and Tempo (Indonesia). Reporters Without Borders and the legal team El Veinte supported the project, and La Fábrica Memética designed the visual identity.

Credit: Ministry of Telecommunications
Prosecutor’s Office
Paúl Mena
Superintendency of Personal Data Protection
