Uruguay Law 18.331
Law 18.331 on the Protection of Personal Data and Habeas Data Action
Uruguay's comprehensive data protection law with EU adequacy status. Establishes automated decision-making rights and requires explicit consent for sensitive data.
Jurisdiction
Uruguay
UY
Enacted
Aug 11, 2008
Effective
Dec 1, 2008
Enforcement
Unidad Reguladora y de Control de Datos Personales (URCDP)
EU adequacy decision granted - first Latin American country
What It Requires
Who Must Comply
This law applies to:
- • Data controllers and processors in Uruguay
- • Entities processing data of Uruguayan residents
- • Automated decision-making systems
Capability triggers:
Who bears obligations:
Safety Provisions
- • Right to object to automated decision-making
- • Explicit consent required for sensitive data
- • Habeas Data constitutional remedy available
- • Data controller registration with URCDP
- • Cross-border transfer protections
Enforcement
Enforced by
Unidad Reguladora y de Control de Datos Personales (URCDP)
Penalties
Fines and sanctions for violations
Private Right of Action
Individuals can sue directly without waiting for regulatory action. This significantly increases liability exposure.
Quick Facts
- Binding
- Yes
- Mental Health Focus
- Yes
- Child Safety Focus
- No
- Algorithmic Scope
- Yes
- Private Action
- Yes
Why It Matters
Uruguay's EU adequacy status creates compliance bridge between Latin American operations and European markets for AI chatbot platforms. Automated decision-making rights apply directly to AI risk assessments.
Recent Developments
EU adequacy decision makes Uruguay first Latin American country with streamlined EU data transfers
Cite This
APA
Uruguay. (2008). Law 18.331 on the Protection of Personal Data and Habeas Data Action. Retrieved from https://nope.net/regs/uy-law-18331
BibTeX
@misc{uy_law_18331,
title = {Law 18.331 on the Protection of Personal Data and Habeas Data Action},
author = {Uruguay},
year = {2008},
url = {https://nope.net/regs/uy-law-18331}
} Related Regulations
Dominican Republic Law 172-13
Dominican Republic's data protection law establishing Habeas Data remedy but lacking dedicated supervisory authority.
CARICOM CCSCAP 2025
CARICOM's 2025 regional cyber security framework establishing digital safety culture and coordinated incident response across 18 member states.
Chile Cybersecurity Law
First cybersecurity framework law in Latin America (Law 21,663 promulgated Mar 26, 2024; published Apr 8, 2024). Creates National Cybersecurity Agency (ANCI), mandatory incident reporting, and encryption rights.
Argentina AI Strategy
Non-binding AI governance guidelines establishing principles for responsible AI use. Argentina positioning as AI innovation hub with limited regulatory barriers. Emphasizes transparency, accountability, and human oversight. Multiple legislative proposals pending inspired by EU AI Act, aiming to establish formal regulatory authority.
AIDA
Would have regulated high-impact AI systems with potential penalties up to $25M or 5% global revenue. Part of Bill C-27 which died when Parliament ended.
Peru AI Regulations
Peru's first comprehensive AI regulatory framework, inspired by EU AI Act. Establishes three-tier risk-based approach: prohibited uses, high-risk systems (including healthcare), and low-risk/acceptable AI. First general AI regulation in Latin America. Requires human oversight, transparency, and risk assessments for high-risk AI including healthcare applications.