Carlos Manzano says that during the month of April he received at least eight messages via WhatsApp from people identified with certain companies to offer him different services. Telephone companies, banks, dealerships, pharmaceutical companies and even universities wrote to him. Carlos assures that he has not given them his phone number and does not know how they got it.
“I replied to a message asking how they got my number and they only told me that they were workers and that they had given them a database. They even had my ID number,” she says. Added to these messages are the constant calls: “Sometimes they are recorders and other people. I just hang up and block the number. I don’t know who gave them my number.” To take care of sensitive user information, and avoid situations like Carlos’s, in May 2021 the National Assembly approved the Organic Law on Personal Data Protection (LOPDP).
However, this legal body in this year of validity has not been able to stop the filtration and use without consent of the personal data of users in Ecuador. The lack of information campaigns that make the existence of the norm known, a greater awareness of the importance of caring for personal data in both citizens and companies, and the lack of structuring of the Personal Data Protection Superintendency is part of the problem, analysts agree. consulted.
What does the Organic Law of Personal Data of Ecuador consist of?
For Cecilia Parra, an expert in personal data management and Country Manager of Pridatect in Ecuador, the two-year period given by the LOPDP to apply sanctioning procedures and for companies (both private and public) and the State to adapt to the regulations has created a kind of tacit moratorium.
“There are very few company managers who have begun to investigate data protection, to work on a data protection program where they include in their processes not to misuse information, but to work on building trust in their customers. I think that, with luck, 5% of companies in Ecuador are working on this“, He says.
He adds that there are companies that are aware of the LOPDP, but have made the decision to wait for the application of the sanctioning regime (May 2023) to only start working on the protection of their users’ data. However, the structuring of a program to take care of this information is not achieved “overnight”. “When they see sanctions on one or two companies there, the other companies will tremble. Although the sanctioning system will also depend on whether the users become empowered and begin to denounce the call centers, for instance. At the moment these call centers they will continue to insist“, it states.
The specialist indicates that the filtering of data can take place in various ways. One of the most recurrent is that employees who were fired or resigned take the database of their previous company to work with it in another company or sell them. This has been “normalized” and it is unknown that it is a crime. In addition, this can be done due to the fragility of data protection that companies have.
The LOPDP obliges companies to take care of this information from third parties, including their suppliers. Minor penalties range from 0.1% to 0.7% of turnover or serious penalties from 0.7% to 1% of turnover. In addition, public officials whose action or omission has incurred in an infraction will have sanctions ranging from a unified basic salary (SUB) to twenty SUB.
Another point that delves into the problem is the lack of data empowerment by users. For example, if a pharmacy requests the email to send the invoice, it should only be used for that, but then the user begins to receive advertising and sees this as normal when it is not. The person can not only demand that they not be contacted for sending advertising or offering services, but also demand that their information be deleted from the database.
There is also a carelessness on the part of the user who shares data without first knowing what they will use it for, says Daniel Tenorio, an expert in computer security. He says that, for example,People give their emails or cell phone numbers to companies that sell items by catalog or transactions through platforms such as WhatsApp, where even photos of credit or debit cards are sent.
The LOPDP provides for the creation of the Superintendence of Data Protection and the head of this institution must come from a list sent by the President of the Republic. However, to date, this control entity has not been structured and there is also “no date” for sending the list, according to Eduardo Bonilla, Secretary General of Communication of the Presidency. The Council for Citizen Participation and Social Control is the entity in charge of appointing him and has already approved the regulations for his election at the beginning of March.
Almost a year after the approval of the Data Protection Law, Ecuador still does not have its superintendent
For Tenorio, it is important that the creation of this entity be completed, since the entity could develop guiding frameworks and, especially, begin to demand compliance with the regulations. “This superintendency is in charge of putting the board on the table and starting to make the measurements.”
What has not been developed either is the LOPDP regulation that will allow further development of the regulations, says Diego Beltrán Bastidas, lawyer and founding member of the Ecuadorian Association for Data Protection. Although he clarifies that the law does not need the regulation to be perfectly applicable.
“This kind of two-year moratorium has been misunderstood, since this is only for the sanctioning administrative regime and does not mean that the law has entered a kind of freezer and that it is not applicable. There is a specific provision in the law itself that speaks about civil, constitutional and criminal mechanisms to demand compliance with rights from the entry into force of the law”, he maintains.
This is why, says the expert, that there is currently a kind of complacency on the part of users with the way in which personal data has been processed by public and private entities. He adds that there are no objections to sharing billing information, identity card or telephone numbers, which are recorded on security cameras in banks, hotels or tourist establishments.
“In the culture of the Ecuadorian, it is not questioned if all this is lawful and at the most, when it becomes uncomfortable, what we do is block the numbers when the calls or messages are insistent. They are reactive measures”, affirms Beltran.
Another problem observed by the expert is that the majority of Ecuadorian companies that are not technology or telecommunications companies consider that the LOPDP is more related to an issue of computer security than to an issue of the exercise of rights by the holders of the rights. data: “However, the rule absolutely impacts any company that has data on its customers or even on its own employees. This basically includes the entire productive sector.”
Specialists agree that the implementation of the LOPDP in companies is not only the acquisition of a software, but rather the realization of an entire data protection environment that even entails the signing of confidentiality agreements even with its own staff. “It is all a guideline for the manipulation of data in accordance with the line of business of the companies. It is a whole work architecture to safeguard this data”, says Tenorio. (YO)
Source: Eluniverso
Paul is a talented author and journalist with a passion for entertainment and general news. He currently works as a writer at the 247 News Agency, where he has established herself as a respected voice in the industry.
