Skip to main content
NOPE
In Effect Law Data Protection PRA

Uruguay Law 18.331

Law 18.331 on the Protection of Personal Data and Habeas Data Action

Uruguay's comprehensive data protection law with EU adequacy status. Establishes automated decision-making rights and requires explicit consent for sensitive data.

Jurisdiction

Uruguay

Enacted

Aug 11, 2008

Effective

Dec 1, 2008

Enforcement

Unidad Reguladora y de Control de Datos Personales (URCDP)

EU adequacy decision granted - first Latin American country

URCDP (Uruguay Data Protection Authority)

Why It Matters

Uruguay's EU adequacy status creates compliance bridge between Latin American operations and European markets for AI chatbot platforms. Automated decision-making rights apply directly to AI risk assessments.

Recent Developments

EU adequacy decision makes Uruguay first Latin American country with streamlined EU data transfers

At a Glance

Applies to

AI CompanionMental Health AppGeneral Chatbot

Who Must Comply

  • Data controllers and processors in Uruguay
  • Entities processing data of Uruguayan residents
  • Automated decision-making systems

Obligations fall on:

Safety Provisions

  • Right to object to automated decision-making
  • Explicit consent required for sensitive data
  • Habeas Data constitutional remedy available
  • Data controller registration with URCDP
  • Cross-border transfer protections

Compliance & Enforcement

Penalties

Fines and sanctions for violations

Private Right of Action

Individuals can sue directly without waiting for regulatory action.

View on map

Uruguay

Focus Areas

Mental health & crisis
Algorithmic accountability

Cite This

APA

Uruguay. (2008). Law 18.331 on the Protection of Personal Data and Habeas Data Action.

Related Regulations

In Effect DO

Dominican Republic Law 172-13

Dominican Republic's data protection law establishing Habeas Data remedy but lacking dedicated supervisory authority.

In Effect CARICOM

CARICOM CCSCAP 2025

CARICOM's 2025 regional cyber security framework establishing digital safety culture and coordinated incident response across 18 member states.

In Effect CL

Chile Cybersecurity Law

First cybersecurity framework law in Latin America (Law 21,663 promulgated Mar 26, 2024; published Apr 8, 2024). Creates National Cybersecurity Agency (ANCI), mandatory incident reporting, and encryption rights.

In Effect AR

Argentina AI Strategy

Non-binding AI governance guidelines establishing principles for responsible AI use. Argentina positioning as AI innovation hub with limited regulatory barriers. Emphasizes transparency, accountability, and human oversight. Multiple legislative proposals pending inspired by EU AI Act, aiming to establish formal regulatory authority.

Failed CA

AIDA

Would have regulated high-impact AI systems with potential penalties up to $25M or 5% global revenue. Part of Bill C-27 which died when Parliament ended.

In Effect BR

Brazil ECA Digital

Comprehensive child digital safety law applying to any IT product or service directed at or likely to be accessed by minors in Brazil, with extraterritorial reach.

All regulations Check if this applies to you

Last updated January 22, 2026. Verify against primary sources before relying on this information.