Octopus Cybercrime Community

The main piece of legislation is the Criminal Code along with other cybercrime related laws such as Law No. 16.736, Law No. 18.600, Law No. 17815, Law No. 19.580, Law No. 9.739 and Law No. 18331.

A draft law on cybercrime is in preparation since 2017, inspired from the substantive provisions of the Budapest Convention. In 2021, Bill No. 1734 on the criminalization of cybercrime was introduced but has not yet been adopted.

Several laws provide for limited implementation of substantive law offences.

Law Nº 17.514 ‘Domestic Violence Law’ (2002)

Law Nº 17.815 Sexual, commercial or non-commercial violence committed against

children, youth or the disabled (2004)

Law Nº 18.561 Sexual harassment (2009)

Law Nº 18.250 on Migration (Art. 45º paragraph c establishes the grounds for denial of

entry into the country to those convicted for crimes related to human trafficking.

Uruguay does not currently have legislation on procedural powers related to cybercrime and electronic evidence.

As per the Constitution, Article 7, the inhabitants of the Republic have the right to be protected in the enjoyment of their life, honor, liberty, security, work and property. No one may be deprived of these rights except in accordance with laws established for reasons of general interest. Article 12 provides that no one may be punished or confined without legal process and sentence.

According to Article 17, in case of undue imprisonment, the interested party or any person may file before the competent Judge the recourse of "habeas corpus", so that the apprehending authority immediately explains and justifies the legal reason for the apprehension, being subject to the decision of the indicated Judge. Article 23 sets forth that all the judges are responsible before the law, for the smallest aggression against the rights of the people, as well as for separating from the order of proceeding that is established in it.

In matters related to Data Protection, Article 28 provides that the papers of private persons and their correspondence, whether epistolary, telegraphic, or of any other kind, are inviolable, and may never be searched, examined, or intercepted except in accordance with laws established for reasons of general interest.

Data Protection

On 21 February 2020, the Council of Ministers adopted Decree No.64/020 on the Regulation of Articles 37-40 of Law No. 19.670 of 15 October 2018 and Article 12 of Law No. 18.331 of 8 November 2008.

The Decree regulates new personal data protection obligations with major changes, including requiring all database owners and data controllers to report security incidents involving personal data to the Uruguayan data protection authority within a maximum of 72 hours. Reports must contain relevant information relating to the security incident, including the actual or estimated date of the breach, the nature of the personal data affected and possible impacts of the breach.

The Decree establishes the obligation to assess the impact of a breach when data processing involves specially protected data, large volumes of personal data (i.e., data of over 35,000 persons) and international data transfers to countries not offering an adequate level of protection. The Decree obliges public entities, and private entities that focus on the processing of sensitive personal data or of large volumes of data, to appoint a data protection officer.

Data protection in Uruguay is regulated by Law No. 18.331 on the Protection of Personal Data and Habeas Data Action and Decree No. 414/009 Regulating Law 18.331.

Resolution No. 32/020 provides clarification on the requirements for the appointment of a data protection officer ('DPO'). Jointly with the Argentinian data protection authority, the Uruguayan data protection authority ('URCDP') approved the Guide on Data Protection Impact Assessments ('DPIA's).