The State of Communication and Privacy Law in Paraguay (2020)
Is there a data protection law?
Paraguay has different regulations that cover personal data processing in a scattered fashion, with separate rules regarding collection and processing. Law 1.682/2001, amended by Law 1969/02, is the main law regulating the processing of private information. It focuses on rules concerning credit information systems in banking and financial institutions, and does not define key concepts, such as personal data, data processing, and data subject.SEE MORE
Paraguay does not have a comprehensive data protection law, and Law 1.682/2001, which is still the main piece of legislation addressing the processing of private information, has not set an enforcement authority.SEE MORE
Does the data protection law apply to law enforcement activities?
Although Law 1.682/2001 does not stipulate an explicit exception of its application for law enforcement agencies, its scope is mainly to regulate the processing of personal data in credit information systems with a view on credit protection services.SEE MORE
What are the criteria, if any, for the transfer of personal data to third countries under their data protection law?
Paraguay does not have a comprehensive data protection law and the norm regulating the processing of private information does not cover the transfer of personal data to third countries.
Article 36 of the Paraguayan Constitution ensures the inviolability of private documents and communications. As such, document records (whatever their format), correspondence, writings, and communications of any kind may not be examined, reproduced, intercepted, or seized except by a judicial order for cases specifically provided for in the law, and when it is indispensable for clarifying matters within the competence of the relevant authorities.
Interception of communication - Prior judicial order is required.
Access to the contents of communications - Prior judicial order is required.
Access to metadata - The Supreme Court of Justice ruled prosecutors can request it without a previous judicial order.
Access to subscriber data - No specific rule, but treated like metadata in the Supreme Court’s ruling.
Location data - Treated like metadata.SEE MORE
What’s the factual basis to access communications data?
The factual basis for accessing communications data in Paraguay includes:
Article 36 of the Constitution.
Article 200 of the Criminal Procedure Code.
Article 26 of the National Intelligence System Law.
Conatel Resolution n. 1350/2002.
Supreme Court of Justice ruling n. 674/2010.
For details on the above articles and cases,SEE MORE
Which authorities have the legal capacity to request access to communications data?
According to criminal law, the competent authorities to request access to communications data are: (i) public prosecutors, (ii) the National Anti-Drug Secretariat (SENAD), and (iii) the National Intelligence Secretary. In the intelligence sector, the Intelligence Direction under the authority of the Homeland Secretary.
For details on the above authorities,SEE MORE
Does the country have provisions about access to data in cases of emergency?
The Criminal Procedure Code sets out that, in extreme urgent cases, public prosecutors may verbally make requests for evidence-gathering procedures to the judge, who can authorize them without the regular service of process. However, the Code doesn’t define the meaning of “urgency” or “urgent cases.”
Is there any data retention mandate?
Law 2340/2016, which amends the country’s Consumer Protection Law, sets a retention obligation for subscriber data (name, surname, date of birth, and ID card number) applied to telecommunication services in general. Other retention mandates can be found in the E-Commerce Law and Conatel’s Resolution n. 1350/2002, but the former does not apply for criminal investigations purposes.SEE MORE
Are there any rules that authorize the use of malware?
To the best of our knowledge, Paraguay’s law does not have any specific reference to or authorization regarding the use of malware. However, the broad wording of communications intervention in the Criminal Procedure Code, covering “any technical means,” might be used by law enforcement as legal grounding for using malware in investigations.SEE MORE
Is there any law that compels companies to provide direct access to their internal servers for law enforcement purposes?
To the best of our knowledge, nothing in Paraguay’s legislation explicitly compels companies to provide law enforcement agents direct access to their servers. To the contrary, Millicom’s Transparency Report states that Paraguayan authorities require the company to provide direct access to its mobile network.SEE MORE
Does the law compel companies to assist law enforcement agencies in their investigations?
The Criminal Procedure Code sets out that the judge and the public prosecutors may request information from any person or public or private entity. The requests must indicate, among others, the procedures, the accused’s name, and the consequences for a breach of this “duty to inform”. In addition, the Code states that the Public Prosecutor’s Office will carry out all the acts of the fact-finding phase that don’t require a judicial order or entail jurisdictional content. Within this legal competence, prosecutors may request information from any public official or employee.SEE MORE
Does the State report on the number of requests to access communications data?
To the best of our knowledge, the Paraguayan State does not publish reports on the number of requests to access personal data.
Is there any legal limitation that prohibits companies from publishing transparency reports?
To the best of our knowledge, no normative framework prohibits companies from publishing statistical data on the number of data requests made by the State. The Intelligence Law’s provision that documents and files relating to intelligence and counterintelligence must be kept confidential should not serve to halt the release of statistical data.SEE MORE
Do telecommunication companies publish transparency reports?
Tigo-Millicom publishes yearly transparency reports, but the data provided is aggregated per region, not detailed per country. Personal, Copaco, Claro, Vox do not publish transparency reports.SEE MORE
Can companies notify users about States’ data requests?
The Criminal Procedure Code provides, as a general rule, that parties should be notified the day after judges issue their decisions. Also as a general rule, the documents, objects, and other elements of conviction incorporated into the procedure are displayed to the accused. In the case of secrecy, the judge will examine them privately, assessing what is useful to be added to the procedure.SEE MORE