Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Create an account
Join our community for free to access exclusive whitepapers, reports, and regulatory information.
Uruguay: Unpacking the changes to the Uruguayan data protection system
On 3 November 2022, the Official Information Center of Uruguay published Law No. 20075 of 20 October 2022 ('Law No. 20075/2022')1, which was enacted on the same day and which reforms the Uruguayan data protection system in place. Dr. Ana Brian Nougrères, Alejandra Saiz, Ignacio Martinez, and Magdalena Quintana, from Estudio Juridico Briann y Asociados, break down the changes introduced by Law No. 20075/2022, focussing on updated information provision obligations and new powers and functions of the Uruguayan data protection authority ('URCDP').
Background
Uruguay is one of the two countries in Latin America that offers an adequate level of data protection, according to the regulations of the EU. This means that the European Commission has recognised only two countries in Latin America, namely Uruguay1 and Argentina2, as providing adequate protection for free international data transfers with the EU. This is not, however, a fixed decision, as these countries must constantly adapt their regulation to the EU standards on data protection to maintain their position.
On a global scale, there is an increasing necessity to regulate the use of automated decision-making in data processing, as artificial intelligence ('AI') is seen as the main source of human rights violations regarding data protection nowadays.
This is one of the reasons why Uruguay passed Law No. 20075/2022, which approves the budget balance of the previous year, changing Articles 13 and 34 of Law No. 18.331 on the Protection of Personal Data and the Habeas Data Action 2008 ('the Law')3. This is a special kind of law that can only be proposed by the Executive Branch and is intended to contain only monetary and budget issues. In practice, it usually includes precepts modifying other legal dispositions ranging from a wide variety of topics.
As already mentioned, Law No. 20075/2022 was passed on 20 October 2022. Nevertheless, it entered into force on 1 January 2023, which is the reason why neither social nor expert reactions have been heard on the topic.
Articles 62 and 63 of Law No. 20075/2022 include some dispositions that modify the Uruguayan data protection system which will be discussed in greater detail below.
Updated information provision obligations
The first modification is in Article 62 of Law No. 20075/2022, which modifies Article 13 of the Law, adding information that is mandatory to provide to the data subject, at the moment of the data collection.
In its previous version, Article 13 of the Law stated which information must be provided to the data subject prior to the data collection. This information must be provided expressly, accurately, and unmistakably. The information required to be shared with the data subject, according to the previous version of Article 13 of the Law, is the following:
- the purpose for which the data will be processed and who may be its recipients, or the category of recipients (Article 13A);
- the existence of the database, electronic or of any other kind, and the identity and address of the controller (Article 13B);
- the mandatory or optional nature of the responses given by the data subject, especially when collecting sensitive data (Article 13C);
- the consequences of providing the data, of refusing to do so, or providing inaccurate date (Article 13D); and
- the possibility of the data subject to exercise their rights of access, rectification, and deletion (Article 13E).
The referred information that must be provided to the data subject, additionally to the information previously stated in Article 13 of the Law, is the following:
1. The possibility of the data subject to exercise the right of updating, inclusion, and not to be subject to a decision based solely on automated processing. This decision must be intended to evaluate certain aspects of the personality of the data subject, and must produce legal effects that - in a significant way - affect them (Article 13 E).
The possibility to exercise the rights of access, rectification, and deletion were already included in the previous version of Article 13E of the Law.
2. Whether there are international data transfers of not (Article 13F).
Article 14 of Decree No. 414/009 Regulating Law 18.331 Relating to the Protection of Personal Data already established that, in case of data transfers, the data subject had to be informed of the recipient of the transfer and the activity they undertake, as well as the purpose of the transfer. As international data transfers are a specific type of data transfers, it was already necessary to provide this information described above.
3. In the case of automated processing of personal data, intended to evaluate certain aspects of the personality of the data subject, which produce decisions with legal effects that significantly affect them, as indicated in Article 16 of the Law, data subjects have the right to be informed about the evaluation criteria, the processes applied to this criteria, and the technological solution applied or the software used to do so (Article 13G).
Article 16 of the Law included the right to obtain, from the controller, information regarding the evaluation criteria and the software used in the processing of personal data to adopt the decision with legal effects that significantly affects them.
This subsection of Article 16 of the Law loses importance when Article 13G of the Law entered into force, as this information should be provided to the data subject prior to the collection of personal data. If the data subject complies with this obligation, the right stated in Article 16 of the Law will not be necessary.
The information stated on Article 13 of the Law should be provided to the data subject prior to the collection of their personal data. In the event that the data is not collected directly from the data subject, the information should be provided to the data subject within five working days.
Finally, Article 13 of the Law states that the Uruguayan data protection authority ('URCDP') might establish specific conditions for the publication of the information indicated above. When the technical conditions and the type of processing make it possible, the publicity of the information shall be permanent.
Uruguayan law already had a solution for the unfair personal assessment originated by employing an AI system or any kind of computer program in Article 16 of the Law. Article 16 states that any person has the right not to be subject to a decision based solely on automated processing, that produces legal effects that significantly affect the data subject, intended to evaluate certain aspects of the personality, such as their work performance, credit record, reliability, and personal conduct, among others.
The affected party can challenge any public or private decision that implies an assessment of their behaviour, whose sole basis is the processing of personal data that defines their characteristics or personality.
In case the abovementioned occurs, the affected person has the right to obtain information from the database's controller on both the evaluation criteria and on the computer program used to reach the assessment.
The rationale of the authorities behind the new addition to the right to be informed is that the general population is not fully aware of their rights regarding privacy and personal data protection, as there are not many habeas data actions regarding unlawful personality assessment by automatic decision-making systems or computer programs.
Powers and functions of the URCDP
The second modification to the Uruguayan data protection system is Article 63 of Law No. 20075/2022, which modifies Article 34 of the Law. It adds to the list of the URCDP's powers and functions to establish criteria and procedures for controllers and processors in the automated processing of personal data, aimed at evaluating certain aspects of the personality of the data subject, that result in decisions with legal effects that significantly affect them, as indicated in Article 16 of the Law.
This disposition also responds to a growing necessity to regulate automated decision-making, which the URCDP has not regulated it yet.
Concluding thoughts
In conclusion, Law No. 20075/2022 modified two articles of the Law; first, it added to Article 13 of the Law some information that must be provided to the data subject, namely the possibility of the data subject to exercise all the rights of Articles 14 to 16 of the Law, whether there are international data transfers or not, and the evaluation criteria, the applied processes, and the technological solution applied or the software used to do so in cases of automated processing of personal data.
Secondly, it added to Article 34 of the Law, which refers to the list of powers and functions of the URCDP, that the latter should establish criteria and procedures for controllers and processors in the automated processing of personal data.
This means that new obligations for the responsible of the database emerge from the new legal text, as they must inform the data subject of the following:
- the possibility of the data subject to exercise the right of updating, inclusion, and not to be subject to a decision based solely on automated processing (as well as the rights of access, rectification, and deletion which were already included in the previous version of the article);
- the existence or not of international data transfers; and
- in cases of automated processing of personal data, the evaluation criteria, the applied processes, and the technological solution applied or the software used to do so.
As a consequence, in what concerns the rights of the data subject, the data subject has the right to receive the abovementioned information. In case they do not receive it, Article 16 of the Law states that the data subject has the right to obtain, in cases of automated processing of personal data, the evaluation criteria and the software used to adopt the decision. Administrative sanctions, including fines, can be imposed by the URCDP. An habeas data action can be filed before the judiciary.
Further, new obligations for the URCDP were created which now is responsible for establishing criteria and procedures, for controllers and processors, in the automated processing of personal data.
The modifications introduced by Law No. 20075/2022 to Articles 13 and 34 of the Law constitute a response to the increasing concern of the country to keep its norms up to international standards on data protection, as well as to maintain the level of international data exchange that attracts foreign companies to invest in the country as a regional hub.
Dr. Ana Brian Nougrères Director and Principal Consultant
[email protected]
Alejandra Saiz Senior Associate and Expert
[email protected]
Ignacio Martinez Legal Assistant
[email protected]
Magdalena Quintana Notary Public
[email protected]
Estudio Juridico Briann y Asociados, Montevideo
1. Available at: https://www.impo.com.uy/bases/leyes/20075-2022 (only available in Spanish)
2. See at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32012D0484
3. See at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32003D0490
4. Available at: https://www.impo.com.uy/bases/leyes/18331-2008 (only available in Spanish)
Send us your Feedback!
Please let us know what you think of DataGuidance! It will only take 60 seconds and help us make the site better for you.
