Evento | Aplicação das leis de proteção de dados a partir da confiança da comunidade (DIRECT) | Governança e Regulação

DIRECT Learning Series: Advocating for Independent Regulators

The 6th workshop took place on November 6th, 2024, in the context of the Data Rights and Enforcement through Community Trust (DIRECT) Learning Series, an ongoing thematic series of workshops with members of the DIRECT consortium, supported by Internews.

The main goal of the series is to address topics related to the protection of personal data from three guiding axes: i) capacity-building for civil society organizations to address challenges related to the development of personal data protection legislations; ii) responsiveness and direction of civil society organizations in defending data protection rights in different legislative contexts; and iii) enhancement of the resilience and sustainability of civil society organizations through the strengthening of networks and resources led and provided by partner organizations.

This session was presented by Fundación Ciudadania y Desarrollo (FCD), from Ecuador, based on its expertise, on the topic of building and advocating for an independent Data Protection Authority (DPA). This workshop was divided into three moments:

1. A general presentation conducted by FCD;
2. A practical activity;
3. Collective sharing of the insights of the activity.

The presentation started with a conceptual approach for a DPA, which consists of an independent public entity responsible for overseeing compliance with data protection legislation, and has as its main purpose to protect fundamental rights and freedoms concerning the processing of personal data. During the presentation, it was highlighted by FCD that a DPA has, fundamentally, four key functions: supervision; investigation; corrective actions; and public guidance.

Moving forward, FCD briefly presented the context of data protection in Ecuador. It was highlighted that the first mention of personal data in Ecuador’s legal framework occurred with the promulgation of its constitution in 1998. However, it was only in 2021, through a multistakeholder effort, that a law specifically addressing the issue of personal data protection was approved –  Ley Orgánica de Protección de Datos Personales (LOPDP). Two years after its enactment, regulations for this law were established. Finally, in 2024, a data protection authority was created in Ecuador – the Data Protection Superintendence.

It was also stated that the guiding principle for Ecuador’s Data Protection Superintendence is the independence of control, established in the LOPDP’s article 10, which states that the Data Protection Authority must exercise independent, impartial and autonomous control.

In order to provide a more comprehensive view of other countries regarding the different ways that DPAs operate in their respective regions, FCD made a brief comparison between Ecuador’s case with the Paraguayan, Bolivian, Brazilian and Nigerian contexts.

Independent regulator as a goal for a data protection culture: limitations; challenges and lessons learned

After the presentation, the participants were divided into three groups to carry out a practical activity, which followed the following axes:

• Effective strategies for advocating an independent regulator;
• Adaptability and regional challenges;
• Lessons learned and replicability.

Following the group activity, the rapporteur of each group was invited to share their insights. In general, it was mentioned that in the Brazilian context, collective actions organized by civil society organizations and coalitions, such as the Rights in Network Coalition, were essential to achieve an independent DPA in Brazil; it was also mentioned that a multistakeholder effort was necessary to build the consensus across sectors about the need for an autonomous and independent DPA. As a general limitation, it was pointed out that financial autonomy and lack of human resources and capacity building are three of the main challenges to establishing an independent regulator. Another challenge highlighted, especially in the Latin American region, is related to the absence of data protection legislation, which is characterized as an a priori limitation for advocating for an independent regulator. Furthermore, it was mentioned that when there is a lack of political will and institutional resistance, one alternative is to raise public awareness about the importance of data protection and rights; this can help position the establishment of an independent and autonomous DPA as a logical step to ensure the protection of these rights.

Conclusion

In summary, this workshop addressed the importance of establishing an autonomous and independent regulator capable of fulfilling its duties to ensure, first and foremost, the protection of personal data, and ultimately, the individual and their fundamental rights. To this end, FCD used the Ecuadorian case as a starting point to develop a broader discussion on data protection authorities in other regions of the Global South, such as Africa and Asia, as well as the challenges and lessons learned during the process of establishing an independent data protection regulatory body.