The State of Communication and Privacy Law in Peru (2020)

  1. Is there a data protection law?
    yes iconyes

    Peru adopted a comprehensive data protection law in 2011. It applies to personal data contained in databases held by public and private bodies, whose processing is carried out in the national territory. The law also subjects sensitive data to a special level of protection.

    See more
  2. Is there a data protection authority?
    yes iconyes

    Article 32 of the data protection law created the National Authority for the Protection of Personal Data. The entity responsible for exercising such authority is the General Directorate of Transparency, Access to Public Information, and Protection of Personal Data.

    See more
  3. Does the data protection law apply to law enforcement activities?

    Article 3 of the data protection law provides specific exemptions from the application of the law: when the databases are administered by public entities when their processing is necessary for them to comply with their powers, and for reasons of national defense or public safety.

    See more
  4. What are the criteria, if any, for the transfer of personal data to third countries under their data protection law?

    Article 15 of the data protection law states that the transfer of personal data to third countries can only be carried out if the recipient country maintains adequate levels of protection in accordance with Peruvian data protection law.

    Article 11 of the data protection law establishes that Peru must guarantee a sufficient level of protection for the personal data to be processed or, at least, a level comparable to the provisions of the data protection law or international standards in the subject.

  5. Peru’s Constitution states that private communications can only be opened, seized, intercepted, or intervened by a reasoned judicial order, issued in accordance with legal rules and safeguards. Law 27697, Criminal Code, Criminal Procedure Code, and the protocol of joint action, implemented by Ministerial Order Nº 0243-2014-JUS, regulate the interception of telephone or other forms of communication.

    Interception of communication - Prior judicial order is required.

    Access to the content of communications - Prior judicial order is required.

    Access to metadata - Prior judicial order is required.

    Access to subscriber data - No specific rule, treated like metadata.

    Location data - Prior judicial order is required, except for “flagrante delicto” cases.

    See more
  6. What’s the factual basis to access communications data?

    The factual basis for accessing communications data in Peru includes:

    Articles 1 and 2 of the Law 27697

    Articles 226 and 230 of the Criminal Procedure Code

    Legislative Decree 1182

    For details on the above articles,

    See more
  7. Intervention of communications can only be requested by criminal prosecutors, attorneys general, and the national prosecutor.

    Access to cell phone or electronic device location data in flagrante delicto cases can be requested by the Peruvian National Police.

    See more
  8. Does the country have provisions about access to data in cases of emergency?
    yes iconyes

    Location tracking in “flagrante delicto"cases - Legislative Decree 1182 grants the specialized police investigation unit the power to request from telecom operators access to real-time location data without a warrant when three requirements are met: when there is a blatant crime, when the punishment for the crime under investigation is greater than four years of imprisonment, and when access to this information is necessary to the investigation.

    Interception in emergency cases - The Criminal Procedure Code allows for an emergency mechanism applicable exclusively when there is an acknowledgment of new subjects or telephone numbers requiring interception in order to prevent imminent terrorism, drug trafficking, or kidnapping offenses.

    See more
  9. Is there any data retention mandate?
    yes iconyes

    Legislative Decree 1182 compels telecom companies to keep metadata for 12 months and disclose the data upon judicial authorization in real time. After 12 months, telecom companies are still required to retain such data for an additional 24 months, but can hand over it within seven days upon judicial authorization.

    See more
  10. Are there any rules that authorize the use of malware?

    There are currently no laws that explicitly authorize the use of malware.

  11. Is there any law that compels companies to provide direct access to their internal servers for law enforcement purposes?

    Article 230 of the Criminal Procedure Code establishes that telecom service providers must provide, immediately, cell phone location data, wiretapping, or recording of communications that have been ordered by a court in real time and continuously, upon liability in case of non-compliance. It further compels telecom providers to enable access, compatibility, and connection between the telecom companies’ technology and the Peruvian National Police System of Interception and Monitoring of Communications.

    See more
  12. Does the law compel companies to assist law enforcement agencies in their investigations?

    Legislative Decree 1182 makes telecom companies liable if they fail to comply with the data retention obligations established by the Decree. Similar obligations on companies are detailed in article 230 of the Criminal Procedure Code described above (see question 11).

  13. Does the State report on the number of requests to access communications data?

    The Law of Transparency and Access to Public Information compels the State to make public the information that it creates or that is in its possession, with certain exceptions. However, in practice, the information on the details of the requests (quantity, percentage of acceptance or rejection, cases resolved, cases pending resolution, closed cases, etc.) can only be accessed through FOIA requests if that report has already been produced.

    See more
  14. Is there any legal limitation that prohibits companies from publishing transparency reports?

    To the best of our knowledge, no normative framework prohibits companies from publishing statistical data on the number of data requests made by the State in criminal or national security matters. That said, the Transparency Law does prohibit the publication of protocols that have been labeled as secret, such as the protocol to access geolocation in real time by the Police currently in force.

  15. Do telecommunication companies publish transparency reports?

    Telefónica-Movistar- YES

    Claro- NO

    Entel- NO

    Olo- NO

    Bitel- NO

    Telefonica-Movistar provides yearly transparency reports. Claro, Entel, Olo, and Bitel do not publish transparency reports.

    See more
  16. Can companies notify users about States’ data requests?

    The Criminal Procedure Code states that once a judicial intervention measure has been carried out and immediate investigations have been carried out considering the result, the affected party must be informed of the measure whenever the investigation scope allows it and as long as it does not endanger the life or bodily integrity of third parties. When the investigation has finished, the individual being surveilled must be notified about the procedures conducted.

    See more