Status regarding Budapest ConventionStatus : NA See legal profile
The government is committed to achieving a secure digital environment, as reflected in the Uruguay Digital Agenda 2025 which was adopted in 2021. The 2025 is centred around 5 key aspects: digital transformation of processes and services, strengthening of the Information Society, Innovation and emerging technologies and cybersecurity.
The Cybersecurity Strategy for the Internet of Things had as commitment start and end date: January 2019 to December 2019 having as institution or actor responsible for the implementation: the E-Government and Information Society Agency (AGESIC).
State of cybercrime legislation
The main piece of legislation is the Criminal Code along with other cybercrime related laws such as Law No. 16.736, Law No. 18.600, Law No. 17815, Law No. 19.580, Law No. 9.739 and Law No. 18331.
A draft law on cybercrime is in preparation since 2017, inspired from the substantive provisions of the Budapest Convention. In 2021, Bill No. 1734 on the criminalization of cybercrime was introduced but has not yet been adopted.
Several laws provide for limited implementation of substantive law offences.
Law Nº 17.514 ‘Domestic Violence Law’ (2002)
Law Nº 17.815 Sexual, commercial or non-commercial violence committed against
children, youth or the disabled (2004)
Law Nº 18.561 Sexual harassment (2009)
Law Nº 18.250 on Migration (Art. 45º paragraph c establishes the grounds for denial of
entry into the country to those convicted for crimes related to human trafficking.
Uruguay does not currently have legislation on procedural powers related to cybercrime and electronic evidence.
As per the Constitution, Article 7, the inhabitants of the Republic have the right to be protected in the enjoyment of their life, honor, liberty, security, work and property. No one may be deprived of these rights except in accordance with laws established for reasons of general interest. Article 12 provides that no one may be punished or confined without legal process and sentence.
According to Article 17, in case of undue imprisonment, the interested party or any person may file before the competent Judge the recourse of "habeas corpus", so that the apprehending authority immediately explains and justifies the legal reason for the apprehension, being subject to the decision of the indicated Judge. Article 23 sets forth that all the judges are responsible before the law, for the smallest aggression against the rights of the people, as well as for separating from the order of proceeding that is established in it.
In matters related to Data Protection, Article 28 provides that the papers of private persons and their correspondence, whether epistolary, telegraphic, or of any other kind, are inviolable, and may never be searched, examined, or intercepted except in accordance with laws established for reasons of general interest.
On 21 February 2020, the Council of Ministers adopted Decree No.64/020 on the Regulation of Articles 37-40 of Law No. 19.670 of 15 October 2018 and Article 12 of Law No. 18.331 of 8 November 2008.
The Decree regulates new personal data protection obligations with major changes, including requiring all database owners and data controllers to report security incidents involving personal data to the Uruguayan data protection authority within a maximum of 72 hours. Reports must contain relevant information relating to the security incident, including the actual or estimated date of the breach, the nature of the personal data affected and possible impacts of the breach.
The Decree establishes the obligation to assess the impact of a breach when data processing involves specially protected data, large volumes of personal data (i.e., data of over 35,000 persons) and international data transfers to countries not offering an adequate level of protection. The Decree obliges public entities, and private entities that focus on the processing of sensitive personal data or of large volumes of data, to appoint a data protection officer.
Related laws and regulations
Data protection in Uruguay is regulated by Law No. 18.331 on the Protection of Personal Data and Habeas Data Action and Decree No. 414/009 Regulating Law 18.331.Resolution No. 32/020 provides clarification on the requirements for the appointment of a data protection officer ('DPO'). Jointly with the Argentinian data protection authority, the Uruguayan data protection authority ('URCDP') approved the Guide on Data Protection Impact Assessments ('DPIA's).
CERT.uy is responsible for cyberspace incident response in Uruguay. It was established by Article 73 of Law 18.362 of 6 October 2008 (see Article 73), and its operations and organizational structure are governed by Decree 451/009 of 28 September 2019.
The GSOC is responsible for monitoring, analyzing, and responding to all incidents in the government’s ICT infrastructure. According to AGESIC’s cybersecurity organizational chart, the GSOC operates as part of CERT.uy.
Agencia de Gobierno Electrónico y Sociedad de la Información y del Conocimiento (AGESIC)
Contaduría General de la Nación
Centro Nacional de Respuesta a Incidentes de Seguridad Informática
Uruguayan Chamber of Information Technology (CUTI)
Uruguayan Chamber of Telecommunications (CTU)
Ministerio de Industria, Energía y Minería
Administración Nacional de Telecomunicaciones
Unidad Reguladora y de Control de Datos Personales
Institución Nacional de Derechos Humanos y Defensoría del Pueblo
Sources and links
LEY DE PROTECCION DE DATOS PERSONALES
Ley N° 17815 - VIOLENCIA SEXUAL CONTRA NIÑOS, ADOLESCENTES O INCAPACES
Ley N° 19580 - LEY DE VIOLENCIA HACIA LAS MUJERES BASADA EN GENERO. MODIFICACION A DISPOSICIONES DEL CODIGO CIVIL Y CODIGO PENAL. DEROGACION DE LOS ARTS. 24 A 29 DE LA LEY 17.514
Ley No. 17.060 SOBRE LOS FUNCTIONARIOS PUBLICOS
Law No. 9.739 of 1937 on literary and artistic property [as amended by law No. 18.046 of 2006 on copyright and related rights]
Decreto N° 64/020 - REGLAMENTACION DE LOS ARTS. 37 A 40 DE LA LEY 19.670 Y ART. 12 DE LA LEY 18.331, REFERENTE A PROTECCION DE DATOS PERSONALES
PROPOSAL - STRENGTHENING CYBERSECURITY IN URUGUAY
These profiles do not necessarily reflect official positions of the States covered or of the Council of Europe.
Are you aware of the latest legislative or policy developments on cybercrime and electronic evidence?
Share this information with us helping to keep this platform up to date.
- Cybercrime website
- Template: Mutual Legal Assistance Request for subscriber information (Art. 31 Budapest Convention). English and bilingual versions available.
- Template: Data Preservation Request (Articles 29 and 30 Budapest Convention). English and bilingual versions available.