State of Privacy Paraguay

Paraguay

Table of contents

Introduction

Acknowledgement

The State of Privacy in Paraguay is the result of an ongoing collaboration by Privacy International and TEDIC in Paraguay.

Key privacy facts

1. Constitutional privacy protection: The constitution does not mention the word privacy but protects private life under the "right to intimacy."

2. Data protection law: Paraguay has a data protection law, Law 1682/01, amended by Law 1969/02

3. Data protection agency: Paraguay does not have a data protection agency.

4. Recent scandal: in 2016 a school refused to register a child because of the parent's credit score.

5. ID regime: Paraguay has an ID card system issued by the National Police.

__________________________

From 1954-1989, Paraguay was the longest-lasting authoritarian regime to ever occur in South America, unceasing for 35 years. During that time, communications were intercepted and recorded systematically and illegally by the State and stored in the databases of intelligence agencies. One such example are the "Terror Files," a database belonging to the police that was discovered in 1992.

Twenty-seven years after the fall of the regime, the country has become a democracy. However, the democratic institutions that have been in place since the 1992 Magna Carta are still weak.

In this context, over the past few years emergency bills have been introduced through legal exceptions that have resulted in a criminal system that protects against real or alleged criminal acts. These types of regulations are legal tools used to relieve a society that has been shaken by violence, crime, terrorism or any kind or political turmoil.

These real or alleged criminal acts, or "critical" situations, provoke a type of legal inflation often due to the belief that violence, crime, terrorism of any kind, and political turmoil can only be solved through penalty increases, the criminalization of new behaviors, restrictions on the right to defense, dismissal of judicial guarantees, or invasions on people's private lives.

Right to Privacy

The constitution

The Paraguayan constitution does not mention the word "privacy" itself. The article that regulates private life is article 33 "Right to intimacy" (Intimidad): "Personal and family intimacy, as well as the respect of private life, is inviolable. The behavior of persons, that does not affect the public order established by the law or the rights of third parties[,] is exempted from the public authority. The right to the protection of intimacy, of dignity, and of the private image of persons is guaranteed".

Article 36: Of the Right to the Inviolability of Documental Patrimony [Patrimonio Documental] and Private Communication
The documental patrimony of individuals is inviolable. The records, regardless of the technique used, the printed matter, the correspondence, the writings, the telephonic, telegraphic, cable graphic or any other kind of communication, the collections or the reproductions, the testimonies and the objects of testimonial value, as well as their respective copies, may not be examined, reproduced, intercepted, or seized [secuestrados] except by a judicial order for cases specifically provided for in the law, and when they would be indispensable for [the] clearing up of matters of the competence of the corresponding authorities. The law will determine the special modalities for the examination of commercial accounting and of obligatory legal records. The documental evidence obtained in violation of what has been prescribed above lacks validity in trial. In every case, strict reservation will be observed regarding every thing that is not related to the [person] investigated.

Article 30 of the Constitution further establishes that: Of Electromagnetic Communications Signals: "The emission and propagation of electromagnetic communication signals are in the State's public domain, which, in the exercise of its national sovereignty, shall promote their implementation according to the rights of the Republic and pursuant to the international conventions ratified on this
subject. The law shall guarantee, on a level playing field, full access to the use of the electromagnetic spectrum, as well as to the electronic tools for the collection and processing of public information, with no further limits than those imposed by international regulations and technical norms. The authorities shall make sure that these elements are not used to infringe
upon personal or family privacy and the other rights established in this Constitution"
.

Article 135 of the Constitution enshrines the right to data protection (Habeas data): All persons may access the information and the data about themselves, or about their assets, [that] is [obren] in official or private registries of a public character, as well as to know the use made of the same and of their end. [All persons] may request before the competent magistrate the updating, the rectification or the destruction of such information, if it were wrong or illegitimately affected their rights.

The Martín Almada case of 1992 was the most iconic case of habeas data the country had ever seen. Almada, a victim of Alfredo Stroessner's military dictatorship, was able to unveil the secret stronista police database called "the Terror Files" by requesting personal data about himself through a habeas data constitutional remedy. These files have been recognized by UNESCO as part of the Intangible Heritage of Mankind. While these files include thousands of documents that reveal police practices, it should be noted that other
important files such as the military files or those belonging to the Ministry of Foreign Affairs have not been published yet.
Nowadays, if an individual wants to file a writ of habeas data, they need to do so before a trial judge. However, if the sought-after information could be contained in the "Terror Files," they simply need to submit a request. Such request must be submitted to the Documentation and Archives Center [Centro de Documentación y Archivo] which relies on the Supreme Court of Justice—where the aforementioned files can be found.

Regional and International conventions

Paraguay has ratified a number of international human rights treaties with privacy implications. These include:

Communication Surveillance

Introduction

Paraguay has approximately 7 million population, of which 40% of the total is rural. The only country in Latin America that is bilingual, has two official languages: Spanish and Guaraní. The internet penetration rate in 2017 was 90 % of the population, according to publications of the National Secretariat of Technology and Communication (SENATICs).

Surveillance laws

Criminal Code
The Criminal Code (hereinafter CP), Law No 1160/97 24 regulates infringements upon the right to communications and to self image. In particular, it indicates that those who, without the subject's consent: (i) listen using technical instruments; (ii) record or store communications; or (iii) make, through technical means, an individual's communications that were not said publicly immediately available to a third party, shall face imprisonment of up to two years or be fined.

The same regulation is applied to those who, without the consent of the affected, produce or transmit images: (i) of another person on his or her private property; (ii) of another person's private property; (iii) of another person outside his or her property, in violation of
the right to private life. The same punishment shall apply to those who share a recording, as described above, with third parties.
Article 146: Violation of the Secrecy of Communications:

1o) Those who, without the consent of the subject: open a closed letter not addressed to them;

  • Those who open a letter, as described in article 14, point 3, that is closed or inside a closed package or specially destined not to be opened by them, or those who learn or communicate to a third party the content of a letter; or those who through technical means and managing to keep it closed learn its content or communicate it to third parties,
  • shall be punished with imprisonment for up to one year or with a fine.

2o) Criminal prosecution shall depend on the basis of the charges brought by the victim. The provisions set out in article 144, subsection 5, last section shall be applied.

Criminal Procedure Code

Law No 1286 of July 8, 1998 establishes the following:

Article 198 — Interception and seizure of correspondence: Whenever it is useful in order to find out the truth, the judge shall order, by a sustained judicial order, and under penalty of invalidity, the interception and seizure of postal, telegraphic or any other kind of correspondence, sent by or to the accused, even when the accused went by a false name or alias. The limitations to the seizure of documents and objects shall apply also in this case.
Article 199 — Opening and inspection of correspondence: Once correspondence or objects are intercepted, the judge shall open them,
placing the procedures on record. The judge shall examine the objects and read the contents of such correspondence to himself. If they are related to the procedure, he shall order the seizure of the elements; otherwise, he shall keep the confidentiality of their content and order their delivery to the addressee.
Article 200 — Communications Interception: The judge shall order, by a sustained judicial order, and under penalty of invalidity, the interception of the communications of the accused, irrespective of the technical means used to learn them. The result may only be delivered to the judged that ordered the interception, who shall proceed according to the provisions of the previous article; he shall order the written version of recordings or of those parts he deems useful, and order the destruction of the recording or the parts of it that do not relate to the procedure, with the prior access to it of the Public Ministry, the accused and his or her defense counsel. Communications interception shall be exceptional. (...).
Article 228 — Reports: The Judge and the Public Ministry may request reports from any person or public or private entities. Such reports shall be requested orally or in written, and they shall indicate the procedure to be followed, the name of the accused, the place where the report must be handed over, the deadline for submission and the consequences provided for when failing to report.

From this, we gather four rules:
• When it comes to the interception of any type of correspondence, including e-mails, it is only the judge who may order the interception;
• A lack of judicial authorization would make the procedure invalid;
• The judge is in charge of the content of the intercepted information, communicating it to the Public Ministry, and subsequently destroying the evidence;

The interception of private communications is exceptional. In short, neither criminal procedural law nor criminal law allow for, in criminal
investigations, violations to the right to privacy by the body of the criminal prosecution (Public Ministry).

National Intelligence System

Articles 6, 24, 25, 26, and 27 of Law No 5241/14, which creates the National Intelligence System (SINAI, in Spanish) set out the right to the inviolability of documentary heritage by stating that:

Article 6. — Inviolability of Documental Patrimony. Telephone, postal, fax or any other system of communication to deliver objects or transmit images, audio, data packets or any other type of information, file, and/or private documents, or documents that are not meant to be read or accessed by the public shall not be examined, reproduced, intercepted or seized, except with a judicial order, as long as they are indispensable for the specific objectives efined by this law (...)
Title III — Procedures for the Collection of Information
Article 24. — Exceptionality. The procedures to obtain information established in this Title are only applicable when the bodies or institutions of the National Intelligence System (SINAI) are not able to obtain such information from open sources. The information to be obtained must be strictly necessary for the achievement of the State's objectives to protect peace, national security, institutional stability and prevent terrorist threats, organized crime and drug trafficking while defending the constitutional and democratic system.
Article 25. — Classification. The procedures described in the previous article are the following:
1. Interception of telephone, computer, radio communications and of any kind of correspondence;
2. Interception of computer systems and networks;
3. Wiretaps and electronic audiovisual recording; and,
4. Interception of any other technology system for the transmission, storage or processing of communications and information.
Article 26. — Judicial Authorization. It is the Secretary of National Intelligence who requests the judicial authorization in order to conduct the proceedings described in the previous article. The request shall be submitted to the Supervisory Criminal Judge on duty in the place in which the proceedings are to be conducted. The judge may order, by a sustained decision and under penalty of invalidity, to conduct the procedures referred to in the article above, within 24 (twenty-four) hours, without further proceedings. The resolution ordering this must specify the means to be used, the individualization of the person(s) to which the measures apply and their duration, which may not
be longer than 90 (ninety) days, which might be extended for 90 days more.
Article 27. — Examination. The Secretary of National Intelligence must hand over the result of the procedure to the judge that ordered it, who shall listen to the content by himself. He may also ask for a written version of the recording or of parts of it that he deems useful, and order the destruction of the recording or a part of it when they do not relate to the procedure, having previously accessed them.

The interception of communications and the intrusion on privacy by intelligence institutions have five specific features to take into account:
1. The interception of the communications in question must be exceptional and indispensable;
2. Interception is only conducted in cases related to legal rights or State interests established by the law;
3. A judicial authorization is required, otherwise the procedures are invalid;
4. The investigated individual(s) must be specified. (Massive or unidentified interception is prohibited);
5. Intelligence investigations have limited duration.

Special Law on Combating Drug Trafficking

The National Anti-drug Department (SENAD, in Spanish) is an institution that falls under the executive power. 30 According to the law that established it, "it will coordinate the actions or government agencies that work on programs against drug trafficking and drug addiction." But without constitutional and legal provisions, it essentially acts as a security agency. The law provides the agency with the following responsibilities:

Article 88. — The judge may order—when appropriate and for a limited period of time—upon the request of the SENAD or the prosecutor, that they or their duly identified agents take pictures or videotape the suspects and their actions and intercept, record, tape or reproduce their verbal, cable or electronic communications. The request shall contain the types of situations that are supposed to be photographed or filmed or the types of communications that are supposed to be intercepted, recorded, taped or reproduced, together with the technical means that are going to be used, and the aims pursued by the implementation of such procedures. The judge may demand that the requester hand over additional elements supporting the request. Only the collected documents that are related to the investigated acts shall be placed on record or preserved.

Article 89. — The judge authorizing the measure and the Public Ministry shall follow up and supervise each operation and investigation, thus being able to give instructions when they are in progress. The judge and the Public Ministry shall constantly be informed about the
course of the operations and investigations, and the evidence obtained shall be made available for them.(...).

Article 91. — Those who authorize, control or intervene in undercover operations or controlled deliveries must strictly keep the confidentiality of such operations and are compelled to respect the personal and family privacy of individuals.

Law on Electronic Commerce

Law 4868/13 on Electronic Commerce also poses a risk to the privacy of communications in Paraguay. Article 10 compels Paraguayan Internet service providers and data brokers to store traffic data or data "relative to electronic communications" for at least six months. This law does not include minimum safeguards that would protect private information, nor does it include criteria to justify company data collection. This article limits judicial power and the police by only giving them access to data stored by companies.

Further Provisions related to Mandatory Data Retention

Paraguay does not have a specific law compelling telephone or Internet service providers to retain the communications data of its entire population for criminal prosecution purposes. However, it does provide for voluntary data retention for commercial purposes. In 2014, a bill, dubbed "Pyrawebs," (an allusion to the police espionage that was conducted during the military dictatorship) that would have compelled Internet service providers to store their users' metadata for 12 months for alleged criminal investigation purposes was nearly approved in by congress. After a grassroots campaign against the bill, it was rejected in the senate.

Resolution of the regulatory body

Conatel's Resolution 1350/2002 goes against Law 642/95 on Telecommunications. This resolution gives telephone service providers the power to store a detailed call log of all Paraguayan users for a period of six months: Article. 1. — A time period of six (6) months shall be established as the obligatory duration for the preservation of call logs—either incoming or outgoing—to all the lines that make up the client list of different mobile phone service providers (STMC, in Spanish) and/or he System of Personal Communication (PCS). Call logs, text messages, and location data are now stored for six months as established by Conatel's Resolution, a resolution that was crafted during the same year in which there were several kidnappings for ransom that shocked the Paraguayan society. 27 This pre-investigation measure for any type of offense is disproportionate in relation to the pursued aim. It clearly ignores the State's ideal of minimal intervention when it comes to criminal law, characteristic of "minimum criminal law."

Surveillance actors

Organizational chart of the bodies involved in communications surveillance:

1. Judicial Branch—Supervisory Judge (Authorizing Judge)

2. Public Ministry (Prosecutors)

3. National Police / SENAD (National Anti-Drug Department)

Procedure for communications interception:

1. Prosecutor's Investigation, Police Investigation and Criminal Report
2. Interception is Requested by the Public Prosecutor's Office
3. Interception is Ordered by the Supervisory Judicial Authority
4. The National Police and the SENAD conduct the interception
5. Supervisory Judge and Public Prosecutor's Office examine the interception

Intelligence system in Paraguay

  1. Judicial Branch (Supervisory Judge)
  2. Secretary of National Intelligence
  3. Department of Criminal Intelligence
  4. Military Intelligence — SENAD (National Anti-drug Department) — Police Intelligence

Procedures that intelligence bodies follow to conduct communications surveillance:

  1. Investigation. Secretary of National Intelligence — Department of Criminal Intelligence
  2. Secretary of National Intelligence Submits Request to Obtain Information
  3. Supervisory Judicial Authority Orders to Obtain Information
  4. Supervisory Judicial Authority Oversees the Interception

Surveillance capabilities

Surveillance tech:

The government acquired FinFisher malware in 2012, according to an investigation by Citizen Lab of Toronto University. Follow-up research by TEDIC gathered purchase receipts and delivery/reception acts implicating the anti-drugs agency (SENAD) in the acquisition of FinFisher. According to a 2013 investigation by the newspaper ABC Color, Finfisher was acquired by SENAD in November 2012 under the direction of Francisco de Vargas, then head of the said portfolio and with Luis Rojas as the Anti-Drug General Director. Beyond accusations of corruption, in the publications an invoice for the sale of the Televox company to the SENAD and a record of delivery and reception of communication equipment which includes the purchase of "a Finfisher computer tactical instruction system" can be found. It is worth mentioning that the reception certificate is signed by the current minister of SENAD.

The evidence appears in several publications by ABC Color newspaper. Galileo software — Remote Control System (RCS): Wikileaks cables revealed exchanges between the Public Ministry and the firm Hacking Team over the potential purchase of the software. In October 2014, Hacking Team's local partner requested an additional item, showing evidence that the paraguayan authorities followed-up on the offer.

Wiretapping technology: Wikileaks cables show the exchanges of the Interior Ministry over this purchase in 2010. In 2012, the government of former president Federico Franco also acquired wiretapping technology valued at US$ 2,5 millions. Mysteriously, the system was not found at the Interior Ministry offices, according to a government's audit in 2013.

Surveillance oversight, checks and balances

The role of the Legislative Power through its chambers (deputies and senators) are the only ones that can request explanations to the Ministers of the Executive Power, question and sanction for this type of cases.

Surveillance case law

There is an emblematic case from the highest court involving communications surveillance in Paraguay. In ruling No 674/10 [1], the Supreme Court rejected an extraordinary appeal in a case involving Cecilia Cubas, the daughter of former President Raúl Cubas Grau (August 1998 — March 1999) who was kidnapped on September 21, 2004 when a criminal group encircled her car meters away from her house on the outskirts of Asunción. Cecilia Cubas was found dead on February 16, 2005.

The Supreme Court stated that all the procedural guarantees were met and that the Public Prosecutor's Office did not violate the suspects' communications privacy by requesting and obtaining—without a judicial order—the metadata of phone calls made by the kidnapping and murder suspects. The response given by the Court of Appeals was specific and satisfactory. Pursuant to article 228 of the CPP, the Public Ministry may request reports from any person or public o private entity. Article 316 of the CPP, in relation to the powers of the Public Ministry, reaffirms that "it may demand information from any official or government employee, in accordance with the circumstances of the case. All public authorities are obliged to collaborate with the investigation, depending on their respective competences, and to comply with the requests for reports made in conformity with the law."

Moreover, the fact that the Public Ministry has had access to the reports and subsequently processed them did not represent any violation, neither constitutional nor legal. As shown, the information provided data about the subjects as regards phone line, date, time, phone numbers of incoming and outgoing calls, and the geolocation from where they were made. It had access to the details on the crossreferencing of calls, but not to their content, in which case the legal right being violated would have been the inviolability of communications and the right to privacy.

In short, the Supreme Court's stance on the inviolability of communications is as follows:

• Article 36 of the National Constitution on the right to the inviolability of documental heritage and private communications protects communications per se the words that may have been said by the accused on a phone, but not the data associated to these communications (with whom, when, the frequency, among others).

• In the expert opinion on cross-referencing calls, it makes clear that the data in question is the telephone companies' records that consist of the investigated telephone number, the incoming and outgoing calls of such number, the date and time such calls were made; none of these represents the content of a telephone communication—what a person says and what the other person hears by using a telephone.

• In the expert opinion on cross-referencing calls, the examination is based on the data of phone calls that remain after the communication has ceased, and not on the communications that such data generated; the communication is protected by our constitution, but the object of examination is not.

• In the expert evaluation in which the communication data (also known as metadata) was subject to examination, a judicial order was not obligatory, since the witness expert's work did not affect the constitutional protection of metadata, and because there was an actual judicial order as per the Public Ministry's job. The fact that the Court has taken these considerations into account without evaluating the criteria on metadata being discussed internationally nowadays is troublesome and demands attention.

From the perspective of the application of human rights to communications surveillance, the Public Ministry does not have the power to request such reports, much less without a judicial order, since it violates privacy. Neither does the Court take into account the InterAmerican Court of Human Rights' decision in the case where Brazil was sentenced for illegal wiretaps in a criminal process.

The Court itself believes the right to privacy protects both the content of the electronic communication and any other data associated with the technical process of a communication, such as metadata or traffic data. This is understood as "the destination of outgoing calls and the origin of the incoming ones, the identity of the interlocutors, the frequency, time and duration of the calls, which are aspects that may be observed without the need to register the content of the call through the recording of conversations."

[1] Acuerdo y Sentencia No 674/10 "Recurso Extraordinario De Casación Interpuesto Por La Defensora Pública Sandra Rodríguez Samudio En La Causa Anastacio Mieres Burgos Y Otros S/ Secuestro Y Otros ". Expte. No 773, Folio 245".

Examples of surveillance

A major newspaper in Paraguay has revealed that top members of the military spied on one of its journalists. According to them, the journalist was the object of unlawful espionage due to her work on corruption inside the military. The Public Ministry has acknowledged the issue and it has had access to evidence provided by an ISP confirming the claim of the newspaper. Meanwhile, the head of the Interior Ministry rejects the term espionage to qualify the activities of the military, on the grounds that no surveillance technology is needed to have access to "a registry of calls".

Data Protection

Data protection laws

Law 1682/01, amended by Law 1969/02 regulates the treatment of private data. According to Article 1: This law is designed to regulate the collection, storage, distribution, publication, modification, destruction, duration and overall, the processing of personal data in files, registers, data banks or other technical means of treatment of public or private data intended to provide reports, in order to ensure the full exercise of the rights of the owners. This Act shall not apply in any case to databases or to sources of journalistic information nor freedoms to express opinions and to inform.

The dissemination or disclosure of "sensitive" personal data is prohibited. However, it is legal to collect, store, process, and publish personal data or characteristics in the context of scientific or statistical investigations, polls and surveys about public opinion, or market studies. Personal data revealing, describing or judging an individual's private property, financial solvency, or compliance with commercial obligations may only be published if explicit authorization is given by the data subject, or if the data are taken from public sources, or when State or private entities are required to disclose such information in accordance with specific legal provisions. Alternatively, the law authorizes the publication and dissemination of personal data that is considered public, such as an individual's name, ID number, address, age, date and place of birth, marital status, occupation or profession, work place, and work phone number.

Other laws

The law "Prohibiting advertising not authorized by mobile phone owners" was created based on popular disgust for being constantly and invasively receiving unsolicited advertising. The means used by spammers to besiege potential consumers are varied: telephone calls, SMS or messages from WhatsApp, Facebook, etc. On the other hand, there is the Law 4868/13 of Electronic Commerce on regulation of unauthorized advertising, which is in force and has a specific section on unwanted advertising in its articles 20 to 23.

Accountability mechanisms

Paraguay does not have mechanisms of accountability in matters of personal data. The only action falls on the person, holder of the personal data through the Habeas Data resource.

Data breaches: case law

Ricardo Canese vs. Paraguay (Funds, Reparations and Court Fees)

Inter-American Court of Human Rights Case Ricardo Canese Vs. Paraguay, Sentence 31 August 2004 (Funds, Reparations and Court Fees). The present case refers to the international responsibility of the State for the conviction in a process of defamation and slander, and the restrictions to leave the country imposed in detrimental to Ricardo Nicolas Canese Krivoshein.

The facts of the present case started in August 1992 during the debate on the electoral dispute for the Presidential elections in Paraguay. Mr. Ricardo Canese, who was a presidential candidate, testified against Juan Carlos Wasmosy, also a candidate, for alleged illegal actions when he was president of a consortium. On 23 October 1992, the directors of that consortium filed a criminal complaint before the Criminal Court of First Instance against Mr. Ricardo Canese for the crimes of defamation and slander. On 22 March 1994, he was convicted in the first instance, and on 4 November 1997 he was convicted in second instance to two months of imprisonment and a fine of 2.909.000 guaranies. As a result of the criminal procedures against him, Mr. Canese was subjected to a permanent restriction to leave the country. On 11 December 2002, the Criminal Division of the Supreme Court of Justice in Paraguay annulled the convictions against Mr. Canese, issued in 1994 and 1997.

It is important to mention that this litigation is transcendental to reaffirm the right to access to public information and the limits of protection of personal data for the public interest. The sentence emphasizes the need for citizens to know the information of the candidates for public posts in order for them to make the right decision when it comes to voting in the national elections, without restrictions and thus respecting the freedom of expression as an essential tool for the formation of public opinion.

Examples of data breaches

The official web https://www.documentos.gov.py allows users to consult and download information and documents with personal information, such as identification data, name, surname, marital status, tax compliance certificate, RUC data, among others. In the first stage, the website did not have minimum protection mechanisms against automated data extraction (captcha, security questions, etc.). Without these precautions, the indiscriminate access and massive downloading of these personal data was allowed.

On the other hand, continuous complaints in the press about the sale of databases in the black market of identity cards, police records, registration bases for lawyers, medical insurance, debt in Inforcomf (equifax), credit card holders, databases of cell numbers. Consequently, state and private abuses are expressed in extortion, surveillance and profit with personal data, many of which are sensitive.

In February 2016, a school refused to register a child for the school year because parents are listed in Informconf (Equifax). Although
The Ministry of Education described the event as discrimination, there is no sanction whatsoever for the school.

Companies such as supermarket chains, bakeries, pharmacies, soft drink companies, mineral water or telephony, fast food restaurants and luxury hotels, but also an association of employees of a state institution and the laboratory of a private university, were denounced for employment discrimination when applying for HIV / AIDS tests to applicants or their employees, which violates Law 3940/09. From 2012 to 2016, it was reported that these companies oblige their employees to carry out the HIV / AIDS analysis. In some cases, the HIV test was carried out even in an unauthorized manner, through blood sampling for a routine analysis, which once in the laboratory was subjected to the Elisa test without the workers' permission. In addition, if the result of the test revealed the presence of antibodies to the virus in the blood, the laboratory communicated the information to the company instead of the employee, violating their right to confidentiality. In other cases, as a result of knowing the result of the test, the employee suffered discrimination, for example when forced to use a bathroom separated from the rest of the workers, or was even fired.

Identification Schemes

ID cards and databases

The National Police is responsible for issuing ID Cards. Law 222/93, "Organic Law of the National Police" and Article 6, numeral 11 establishes as attributions of the Institution, issuing the Civil Identity Card, Passport and Certificate of Police Background.

Voter registration

In 2003 and 2006, Paraguay partially implemented electronic ballot boxes officially in collaboration with the TSE of Brazil. however it did not have enough acceptance and was discontinued since then and it was returned to the traditional system due to lack of consensus between the politics parties since the 2008 elections.

Currently, the idea of implementing electronic voting in Paraguay came up again. Some congressmen in the Chamber of Deputies have publicly rejected, claiming that "despite being an interesting project, citizens are conservative and prefer ballots because they feel more secure".

SIM card registration

Paraguay does not have a mandatory SIM card registration until today.

But in 2017, the congress had approved a bill "That regulates the activation of mobile phone service". The project aimed to collect biometric data from all telephony clients. The president of the republic vetoed the legislative proposal with the following arguments:
"1) It would constitute a barrier to access to telecommunications for citizens, considering that this service is of mass use reaching 90% of households in the country. 2) There is no unified official biometric database that certifies the correspondence or not of the fingerprint printed on the form. Nor does the standard provide for minimum security measures for the database to be created. 3) There are contradictions in the same legislative proposal, Article 11 of the project raises a contradiction with Article 13 of the aforementioned regulatory body, by establishing for a part the period of twelve months from the effective date of the Law for the aforementioned registration, and then, in Article 13, it states that it will be regulated within 90 days of the validity of the Law. 4) The regime on the sanctions and responsibilities of the Directors, Managers or Administrators, contemplates a matter not minor, since the natural persons that act as representatives of the companies (Directors, Managers or Administrators) will have personal responsibility for the commission infractions because more than the responsibilities that are inherent in his own acts, he intends to add that of other people's acts, such as those of the sales agents, adds the report of Legal Advice of the Presidency of the Republic. "(sic). More info.

Policies and Sectoral Initiatives

Cybersecurity Policy

Decree 7052/2017 approves the Cybersecurity Plan in Paraguay. It has a duration of 3 years from its validity and is divided into the following 6 sections: Diagnosis on Cybersecurity, Guiding Principles, Axes and Objectives of the Plan, National Cybersecurity System, Monitoring and Evaluation and Review of the Plan.

The Plan was coordinated by the Center for Responses to Cybernetic Incidents (CERT) of SENATICs with the support of the Cybersecurity Program of the Secretariat of the Inter-American Committee against Terrorism (CICTE) of the Organization of American States (OAS).

Cybercrime

The Convention on Cybercrime is in the last stage of the congress for approval. The Law No. 4439 modifies several Articles of Law No. 1160/97 "Criminal Code" - On Computer Crimes and incluides:

  • Unlawfully accessing to data. Article 146b;
  • Interceptance of data. Article 146c;
  • Preparation of undue access and interception of data. Article 146d;
  • Unlawfully access to computer systems. Article 174b;
  • Sabotage of computer systems. Article 175;
  • Scam through computer systems. Article 188;
  • Falsification of debit or credit cards and other electronic means of payment. Article 248b;

Encryption

We are not aware of any privacy issues related to Encryption in Paraguay. Please send any tips or information to: research@privacyinternational.org

Licensing of industry

The telecommunications regulatory body in Paraguay is the National Telecommunications Commission (CONATEL). Law No. 642/95 from 1995 that created the National Commission on Telecommunications explicitly protects the inviolability of communications:

Article 89 — The correspondence sent through telecommunications and documental patrimony services is inviolable, except by a judicial order. This provision is applicable to the staff of telecommunications services, as well as to any individual or user with knowledge about the existence of such correspondence or about its content.

Article 90 — The inviolability of the secrecy of correspondence transmitted via telecommunications encompasses the prohibition of opening, subtracting, interfering, altering, diverting, publishing, using, learning or facilitating to third parties the existence or content of communications entrusted to service providers and the prohibition of setting the conditions to commit such actions.

Executive Decree 14135/96 25 (Annex): Article 9: The inviolability and secrecy of communications are attacked when a person who is not the issuer nor the addressee of a communication deliberately takes, intercepts, interferes with, changes or alters the text, diverts, publishes, uses, learns or facilitates to third parties the existence or content of any communication. The individuals who, due to their responsibilities, have access to the content of a communication held via telecommunications services, are obliged to preserve and guarantee the inviolability and secrecy of such communication. Telecommunications service providers are compelled to adopt the most adequate measure to guarantee the inviolability and secrecy of communications held via such services.

Also In the same law are the criteria for the licensing and the Regulatory Norms of the Telecommunications Law approved by Decree No. 14.135 / 96, of July 15, 1996 and its amendments.

According to data from CONATEL as of June 2016 Paraguay has 7,445,061 mobile Internet subscribers (5,855,382 prepaid and 1,589,679 with plans) and 185,125 fixed Internet subscribers, with a total of 437,243 subscriptions. Within the broadband plans, those with the most subscribers are those ranging from 1 to 2 megabytes, accounting for a total of 174,231 subscriptions. According to official sources, there are 382,446 active Internet accounts equivalent to 5.4% of the total population of the country. It is worth mentioning that the Internet service payments vary according to the months of the year and that different service plans may correspond to the same user. On the other hand, if we observe access to broadband in relation to GDP per capita, we see that in 2010 it was necessary to allocate 22% of income to access an Internet service, while in 2014 it decreased to 15% approximately. On the other hand, the minimum rate of mobile broadband prepaid data bags is US $ 0.2.

On the other hand, mobile Internet has a wide coverage for 2G / 3G / 4G networks with 3G being the most used. As for mobile telephone lines, the country has 7,412,303 active lines, which shows that there are more mobile devices than inhabitants.

About punishable acts, all Internet providers collaborate with the Public Ministry providing relevant information for the prosecution of crimes and crimes. The requests must be made through a court order that argues and has the minimum information of the case investigated. However that the Public Prosecutor's Office accesses the call metadata through simple requests addressed to the ISPs.

Internet provider companies: TIGO (Millicom International Cellular S.A.) 52% participation in the country; Personal with 32% subscriptions; COPACO (State company with shares of public-private capital since 2001) occupying the third place in this sector with 17% of the market, CLARO (American Movil) It currently ranks third in the mobile telephony market which corresponds to 11% of the national market and ranks fourth in Internet provider; and VOX (State company of public-private capital that depends on the state telephone company Compañía Paraguaya de Comunicaciones (Copaco), It occupies the last place in the national market with 5%.

E-governance/digital agenda

The National Secretariat of Technology and Communication (SENATICs) is responsible for generating the Digital Agenda policies in Paraguay. Currently, the Digital Agenda project is in the design stage and has the support of the Inter-American Bank for its implementation. It has three components that relate to the management of connectivity in Paraguay, the Electronic Government and the creation of jobs.

Paraguay is part of the Open Government Agenda (GA) since 2014. The main thrust of GA's plans is access to public information, transparency and accountability. One of the GA program is the publication of public information in open data format in public institutions, this program is funded by USAID / CEAMSO funds.

Health sector and e-health

The resolution of the Board of Directors of the Social Security Institute No. 003-050 / 16, the pharmacy of the Central Hospital implemented the procedure of fingerprint registration with the withdrawal of high-cost oncological drugs.

The Social Security Institute (IPS in Spanish) by Resolution C.A. No. 099-022 / 16 approved the regulation that establishes the presentation of the admission medical examination of the workers in charge of the employers. This measure only affects new enrollees to the social insurance of the IPS that will be in effect from June 1, 2017. All employers will have access to the health status of their workers before entering the IPS system.

Smart policing

We are not aware of any privacy issues related to Smart policing in Paraguay. Please send any tips or information to: research@privacyinternational.org

Transport

The Vice Ministry of Transport is in charge and responsible for the regulation of "Billetaje Electrónico" (electronic ticketing). Since 2015 they are looking for the implementation of the system, however due to political problems to date has not been installed in the transport system of the city of Asunción. It is assumed that its implementation will be gradual and is expected to begin in 2018.

The Executive issued Decree No. 6,912/17 by which the law that establishes the electronic collection of the passage of public transport of passengers is regulated. The mentioned decree includes several chapters of definitions, implementation terms, scope of application, characteristics of the service, mandatory interoperability, process of authorization of service provider companies, control authority, infractions and sanctions.

Migration

Since 2016, the PIRS MIDAS biometric system was implemented in the 3 main border crossings of the country and airports. All the implementation in Paraguay is with the support of the International Organization for Migration (IOM), through the program called: "Interconnected System of Registration and Identification of Persons (PIRS / MIDAS)".

The General Directo of Migration said: "Several of the best airports in the region do not have the biometric system that Paraguay has, with which within three seconds we are interconnected with INTERPOL, in France, having access to the complete information of the person arriving to our country, that contributes enormously to international security, the fight against terrorism, money laundering, human trafficking ... We want to take this same system to land transit, with Encarnación as its first objective, where we will greatly speed up the entry and exit through This step, avoiding the long lines".

Emergency responses

We are not aware of any privacy issues related to emergency response in Paraguay. Please send any tips or information to: research@privacyinternational.org

Humanitarian and develpment programmes

We are not aware of any privacy issues related to Humanitarian and develpment programmes in Paraguay. Please send any tips or information to: research@privacyinternational.org

Social media

The bill "That requires application and social network providers to suspend and withdraw publications that are offensive or defamatory" is in the national congress. This proposal generates legislative redundancy, given that punishable acts against honor and reputation are regulated in the Paraguayan Penal Code: slander (Art 150), Defamation (Article 151), Injury (Article 152).

The present legal draft, in its first article, expresses the obligation of the providers of "content to suspend and immediately withdraw offensive or defamatory comments written anonymously in its web pages against parties, movements or electoral candidates before complaints of those affected, until be identified with full name, identification and social security number." And requires identification and blockades that constitute a serious threat to the exercise of citizenship.

Finance

Resolution 77/16 of the Ministry of Finance seeks to improve the verification of information of taxpayers through technology, and thus avoid fraudulent operations. The Secretaría de Estado de Tributación (SET) collects biometric data from all the taxpayers of the State. Some of these fraudulent operations that are intended to combat are large evasions through RUC registrations without consent and that lead to the issuance of false invoices.