10. June 2021
Ecuador’s National Assembly unanimously approved a new data protection law on May 10, 2021. The new data protection law was already countersigned by the now former President Moreno on May 21, 2021.
The EU’s General Data Protection Regulation (GDPR) has served as the model for enacting the law. For example, it has imposed obligations on the controller to implement appropriate technical and organizational security measures in the company. Further, it has to appoint a data protection officer and inform individuals before processing certain personal data. Accordingly, the law not only contains obligations for the relevant processors, but also endows the data subjects with their own protection rights. Thus, data subjects have the right to request access to, modification and deletion of their personal data.
The Data Protection Law also provides for the establishment of a national data protection authority. It also contains regulations for international and cross-border data exchange.
In contrast to the GDPR, however, the Data Protection Act provides lower fines for violations. The level of penalties here has been set between 0.1% and 1% of a company’s annual turnover. The specific amount is also made dependent on the severity of the violation, among other factors. The GDPR’s catalog of fines, on the other hand, provides fines of up to 20 million euros. Fines of up to four percent of the annual turnover achieved worldwide in the last financial year are also possible.
The reason for passing the new law was a massive data breach that resulted in the personal data of up to 20 million people being made available online.
19. September 2019
On Monday, 16th of September, it has been revealed that the detailed information of potencially every citizen of Ecuador has been freely available online as part of a massive data breach resulting from an incorrectly configured database. The leak, detected by security researchers of vpnMentor during a routine large-scale web mapping project, exposed more than 20 million individuals, inclusing close to 7 million children, giving access to 18 GB of data.
In effect Ecuador counts close to 17 million citizens, making it possible that almost every citizen has had some data compromised. This also includes government officials, high profile persons like Julian Assange, and the Ecuadorian President.
In their report, vpnMentor designates that it was able to track the server back to its owner, an ecuadorian company named Novaestrat, which is a consulting company providing services in data analytics, strategic marketing and software development.
It also mentioned several examples of the entries it had found in the database, including the types of data that were leaked. Those came down to full names, gender and birth information, home and e-mail adresses, telephone numbers, financial information, family members and employment information.
Access to the data has been cut off by the ecuadorian Computer Emergency Response Team, but the highly private and sensitive nature of the leaked information could create long lasting privacy issues for the citizens of the country.
In a twitter post, Telecommunications Minister Andres Michelena announced that the data protection bill, which had been in the works for months, will be submitted to the National Assembly within 72 hours. On top of that, an investigation into the possibility of a violation of personal privacy by Novaestrat has been opened.
