Ecuador's Personal Data Protection Law extends its applicability to data processing activities that utilize equipment located within Ecuador, even when the data controller or processor is not established in the country.

Text of Relevant Provisions

The Law Art.4(e):

"Without prejudice to the regulations established in the international conventions and treaties ratified by the Ecuadorian State that deal with this matter, this Organic Law shall apply when: [...] e) The controller or processor of personal data is not domiciled in the national territory and uses or has recourse to automated, partially automated or non-automated means located in Ecuador to process personal data, unless such means are used only for transit purposes."

Analysis of Provisions

The Personal Data Protection Law of Ecuador explicitly addresses the use of equipment within the jurisdiction as a factor for determining its applicability. Article 4(e) of the Law establishes that the legislation applies when a data controller or processor, not domiciled in Ecuador, "uses or has recourse to automated, partially automated or non-automated means located in Ecuador to process personal data".

This provision is significant as it extends the Law's reach beyond Ecuador's borders, capturing data processing activities that might otherwise fall outside the jurisdiction's scope. The law applies regardless of whether the data controller or processor is physically present in Ecuador, focusing instead on the location of the equipment used for processing.

It's important to note that the Law covers a wide range of processing methods, including "automated, partially automated or non-automated means". This broad definition ensures that the law applies to various types of data processing activities, from fully computerized systems to manual record-keeping.

However, the Law includes a crucial exception: it does not apply when such means are used "only for transit purposes". This exception likely aims to exclude scenarios where data merely passes through equipment in Ecuador without being processed or stored there.

Implications

The inclusion of this factor has several implications for businesses:

1. Foreign companies using servers or other data processing equipment in Ecuador will likely fall under the Law's jurisdiction, even if they have no physical presence in the country.
2. Cloud service providers with data centers in Ecuador may need to comply with the Law, potentially affecting their clients' data processing activities.
3. Companies must carefully consider the location of their data processing equipment, as using equipment in Ecuador could subject them to the Law's requirements.
4. The "transit purposes" exception may provide some flexibility for data that merely passes through Ecuador without being processed there, but the exact interpretation of this exception may require further clarification.
5. Businesses operating globally need to be aware that their data processing activities might be subject to Ecuadorian law, even if they don't directly target Ecuadorian customers or have a presence in the country.

This provision aligns Ecuador's data protection regime with international trends, where many jurisdictions extend their laws to cover data processing activities that occur within their borders, regardless of the controller's or processor's location. It reflects the increasingly global nature of data flows and the desire to protect citizens' data regardless of where the processing entity is based.