Event | Data Rights and Enforcement through Community Trust (DIRECT) | Governance and Regulation

DIRECT Learning Series: Building and shaping a data protection legal framework

The 7th workshop took place on December 4th, 2024, in the context of the Data Rights and Enforcement through Community Trust (DIRECT) Learning Series, an ongoing thematic series of workshops with members of the DIRECT consortium, supported by Internews.

The main goal of the series is to address topics related to the protection of personal data from three guiding axes: i) capacity-building for civil society organizations to address challenges related to the development of personal data protection legislations; ii) responsiveness and direction of civil society organizations in defending data protection rights in different legislative contexts; and iii) enhancement of the resilience and sustainability of civil society organizations through the strengthening of networks and resources led and provided by partner organizations.

This session was presented by TEDIC, from Paraguay, based on its expertise on the topic of building and advocating for a data protection legal framework in its country. This workshop was divided into three moments:

1. A presentation given by a representative of the Data Protection Coalition;
2. A practical activity;
3. Collective sharing of the insights of the activity.

The presentation given by Giuliana Galli was based on the research developed by the Data Protection Coalition, in Paraguay, called “Protección de datos personales en el sector privado en Paraguay: Un estudio exploratorio”. This research aimed to investigate the current data protection practices used by different businesses within the private sector. The presentation covered three main points: i) the legal framework that underpins the right of data protection in Paraguay; ii) the methodology employed by the research and the principles analyzed; iii) the key findings, highlighting the gaps and challenges in implementing a robust personal data protection system in Paraguay.

During the presentation, Giuliana stressed the lack of constitutional recognition of the data protection right, despite the explicit mention of the right of Habeas Data. Additionally, it was mentioned that Paraguay has one sectoral legislation that addresses the right to personal data protection in credit services. This landscape, according to Giuliana, represents a fragile legal framework to cover the general aspects of data protection in other and broader contexts, because of the absence of a comprehensive legislation on personal data protection and of an authority to enforce compliance on data protection. Currently, in Paraguay, there is a data protection bill under analysis by the Congress, which was proposed by a coalition of local civil society organizations. 

The main objective of this research was to identify if the Paraguayan companies are compliant with the international principles of data protection, which are also present in the proposed bill. One of the key findings of the research was the lack of awareness among citizens about their right to data protection, and comprehension about the risks associated with undue personal data processing. Also, among businessmen, it was identified a misconception about the implications of data protection rights. Furthermore, regarding the gaps, the research identified that there is potential non-compliance with the principles of data minimization, purpose limitation and transparency. 

Challenges and strategies for building a data protection culture and legal framework

After the presentation, TEDIC facilitated a group exercise, in which each group would discuss for a certain period a few questions regarding the role of the private sector in safeguarding the protection of personal data; the role of data protection coalitions in helping shape local data protection policies; and how a multistakeholder collaboration could help building data protection safeguards. 

In general, the answers to these questions pointed to the fact that both countries that have data protection legal frameworks and the ones which do not have face challenges related to the private sector compliance with data protection laws and principles; it was also mentioned that the companies should follow human rights standards and conduct regular Data Protection Impact Assessments to guarantee the protection of personal data. Regarding the formation of data protection coalitions, the answers unanimously recognized the importance of such coalitions in shaping and building a data protection coalition, whether by developing capacity building and public awareness campaigns or by mobilizing resources and best practices. At last, with regards to the role of multistakeholder collaboration, the answers identified that this is a fundamental approach to build data protection legal frameworks or to develop a data protection culture in the countries. 

Conclusion

In summary, this session addressed the challenges of not having a data protection legal framework, and stressed the difficulties of the process of building a public policy on this topic, based on the Paraguayan experience. However, the collective knowledge sharing was a powerful tool to better understand the different contexts and strategies adopted in different countries to build a legal framework for data protection and, ultimately, guarantee citizens’ rights.