Cyber Law at Uruguay
Uruguay has been a leader in Latin America regarding the development of its digital agenda and cyber law framework. The country has made significant strides in establishing legal instruments for data protection and is rapidly strengthening its cybercrime legislation and cybersecurity framework.
Here's an overview of cyber law in Uruguay:
1. Data Protection and Privacy:
Uruguay has a robust data protection framework, notably with Law No. 18.331 on the Protection of Personal Data and Habeas Data Action (2008) and its various updates and regulatory decrees, including Decree No. 64/020 (2020) and Law No. 20075 (2022).
Key Principles: The law is aligned with international standards, particularly the GDPR, and includes principles such as:
Legality: All data processing must be lawful.
Truthfulness: Data must be accurate and up-to-date.
Purpose Limitation: Data can only be used for the purposes for which it was collected.
Prior Informed Consent: Processing generally requires the data subject's free, prior, express, and informed consent.
Data Security: Data controllers must adopt necessary measures to guarantee data security and confidentiality.
Transparency and Responsibility.
Supervisory Authority: The Personal Data Regulatory and Control Unit (URCDP) is the national data protection authority responsible for enforcing the law.
Database Registration: All databases processing personal data must be registered with the URCDP.
Data Breach Notification: Data controllers must notify the URCDP within a maximum of 72 hours of becoming aware of a security incident involving personal data. If the breach poses a significant risk to the rights and freedoms of data subjects, they must also be informed.
Data Protection Officer (DPO): Public entities and private entities that primarily process sensitive personal data or large volumes of data (over 35,000 persons) are required to appoint a DPO.
International Data Transfers: Regulations address international data transfers, particularly to countries not offering an adequate level of protection.
Adequacy Decision: Uruguay received an adequacy decision from the European Commission in 2012, recognizing its data protection framework as providing an adequate level of protection for personal data transferred from the EU. This facilitates data flows between Uruguay and the EU.
Convention 108+: Uruguay has ratified the modernised Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108+).
2. Cybercrime Laws:
Uruguay has significantly strengthened its cybercrime legislation.
Comprehensive Cybercrime Law (Passed in August 2024): Uruguay passed its first comprehensive cybercrime law on August 14, 2024. This law defines penalties for a wide range of offenses, including:
Online Harassment (Cyberbullying): Persistent stalking or monitoring using electronic means that seriously disrupts a person's life.
Data Breaches: Unauthorized access, appropriation, use, or modification of confidential information.
Identity Theft: Using electronic means to assume another person's identity.
Unauthorized Access to Computer Systems (Hacking).
Computer Fraud: Deceiving another person using electronic means to obtain financial benefit.
Computer Damage: Destroying, altering, or disabling computer systems (e.g., introducing viruses).
Unlawful Interception: Total or partial interception of communications in transit through networks.
Device Abuse: Creating, acquiring, selling, or providing programs, credentials, or passwords whose main objective is to facilitate a crime.
Previous Legislation: Prior to this comprehensive law, Uruguay relied on provisions in its Criminal Code and other specific laws (e.g., related to domestic violence, sexual violence against children) to address cyber-related offenses, but these were often inadequate for the complexities of modern cybercrime.
Budapest Convention: The new law positions Uruguay to comply with international standards and move closer to becoming a member of the Budapest Convention on Cybercrime, a key international treaty for combating cybercrime and facilitating international cooperation.
Cybercriminal Registry: The new law enables financial institutions to create records of individuals involved in illegal cyber activities and share these records with competent authorities to prevent and mitigate cybercrimes.
3. Cybersecurity Framework:
Uruguay is actively developing and implementing a robust cybersecurity strategy.
National Cybersecurity Strategy 2025: Uruguay is developing its National Cybersecurity Strategy 2025, which builds on existing frameworks and aims to enhance critical infrastructure protection, improve cybersecurity awareness, and promote international collaboration.
Marco de Ciberseguridad del Uruguay (MCU): This is Uruguay's national cybersecurity policy framework, developed by AGESIC (Agencia de Gobierno Electrónico y Sociedad de la Información y del Conocimiento). The MCU draws on global best practices and standards, including the NIST Cybersecurity Framework (CSF) and ISO 27001. It sets guidelines for how public and private sector organizations should manage cybersecurity risks.
Decree 66/025: This decree sets clear rules for public entities and strategic sectors, requiring them to comply with standards defined by AGESIC for digital risk management.
GSOC (Government Security Operations Center): Established to monitor, analyze, and respond to incidents in the government's ICT infrastructure.
Focus Areas: The strategy prioritizes critical infrastructure protection (energy, telecommunications, finance), cybersecurity awareness and education, and cross-sector collaboration.
4. Electronic Signatures and Documents:
Uruguay has a clear legal framework for electronic signatures and documents.
Electronic Document and Signature Act (2009) - Law 18.600: This law, along with its regulatory decrees, establishes the admissibility, validity, and legal effectiveness of electronic documents and signatures.
Tiered Model: Uruguay follows a tiered model for electronic signatures:
Simple Electronic Signature (SES): Data in electronic form used by the signer for identification. Valid if recognized by the parties or accepted by the recipient.
Advanced Electronic Signature (AES): Uniquely linked to the signatory, capable of identifying them, created under their sole control, and linked to data such that subsequent alterations are detectable. Requires more robust authentication.
Qualified Electronic Signature (QES): A specific type of AES that uses a secure signature creation device and is backed by a qualified digital certificate issued by an accredited trust service provider. QES has the same validity and effectiveness as a handwritten signature in public or private documents with certified signatures.
Use Cases: Electronic signatures are widely used for general business, commercial, consumer, and HR documents. However, certain documents still require handwritten signatures or notarization (e.g., real property transfers, family law contracts like marriage contracts, certain inheritance contracts, articles of incorporation).
Admissibility: Electronic records and signatures are admissible as evidence in court under the Uruguayan Civil Code.
Uruguay's commitment to developing its cyber law reflects its broader "Digital Agenda 2025" and its ambition to be a secure and reliable digital hub in Latin America.
RELATED Blog
0 comments