Who Needs GDPR When You Have Emergency Powers?
- Polina Kerman
- Jul 2

In June 2025, Ecuador stunned legal observers by passing a sweeping Intelligence Law (Ley Orgánica de Inteligencia) that redefines the boundaries between state surveillance and individual privacy. On June 10, President Daniel Noboa submitted the draft bill. By June 11, it was law. No substantive debate. No public hearings. No judicial review. The legislation advanced through the National Assembly via an expedited procedure typically reserved for extraordinary emergencies—justified by the country’s protracted state of violence and organized crime (keeping in mind that the proclaimed state of emergency is now entering its second consecutive year).
The move marks a clear legal backslide: after cautious steps toward modern data protection with the 2021 Organic Law on Personal Data Protection (Ley Orgánica de Protección de Datos Personales en Ecuador, LOPDP), Ecuador now risks undoing that progress with a sweeping surveillance law passed in record time. In other words, one step forward, ten steps back.
The law’s rapid approval reveals not only political expediency, but also structural and institutional blind spots. Many lawmakers lacked expertise in data governance, surveillance law, or cybersecurity—raising valid concerns about their ability to evaluate the long-term consequences of such sweeping reforms. No input was sought from civil society, technical experts, or—perhaps most critically—the national Data Protection Authority. That body, which should have played a key role in reviewing and advising on legislation with profound implications for privacy, remains inactive and under-resourced. Even if operational, it would lack the kind of independence and enforcement powers granted to EU regulators like the Information Commissioner’s Office (ICO). Its absence at the legislative table underscores a broader failure to embed checks and balances into the process. More troubling still is the lack of public debate or widespread concern. The quiet approval suggests that many Ecuadorians may not yet understand how this law reshapes the digital boundaries of state power—or how quickly rights can be rewritten when scrutiny is sidelined.
The new Intelligence Law:
- Creates a centralized intelligence system under direct executive control.
- Allows surveillance without judicial oversight, including data interception and access to telecom and internet data (calls, texts, GPS, browsing history).
- Permits data requests from private entities, bypassing prior consent or court orders.
- Dismantles meaningful oversight: intelligence reports reviewed by the Comptroller General must be destroyed post-review, eliminating an audit trail.
- Legalizes covert activities, including infiltration of social media using false identities, and permits collaboration with private intelligence contractors.
- Classifies the finances for operations and requires all expense reports to be destroyed.
In effect, the state gains access to Ecuadorians’ private information—without transparency or accountability.
A Betrayal of GDPR Principles
This move is especially jarring given Ecuador’s 2021 adoption of LOPDP, heavily inspired by the EU General Data Protection Regulation (GDPR). The LOPDP enshrines the principles of purpose limitation, minimization, transparency, and consent. But the Intelligence Law tramples these principles. In the EU, surveillance activities must be proportional, necessary, and judicially authorized. In Ecuador, none of these safeguards remain. Recently, I explored Ecuador’s legislative ambition to align with the EU’s GDPR in this article. That vision now stands in sharp contrast with recent developments. The contradiction is stark—and it may jeopardize Ecuador’s ability to engage in future international data-sharing agreements or meet adequacy requirements under EU frameworks.
Lessons from Abroad
To put Ecuador’s shift into perspective, consider the Pegasus spyware scandal. Originally marketed as a tool to combat terrorism and serious crime, Pegasus—developed by Israeli firm NSO Group—was revealed to have been used by governments to surveil journalists, activists, and opposition figures across more than 50 countries. The spyware’s capabilities are chilling: it can remotely access a phone’s messages, camera, microphone, and location without the user ever clicking a link. As reported by the Business & Human Rights Resource Centre, this level of intrusion not only threatens civil liberties but also poses serious cybersecurity risks. Experts warn that once such tools are developed, they often fall into criminal hands, turning state surveillance into a global vulnerability. This triggered an official EU investigation and highlighted a sobering truth: even in jurisdictions with strong data protection laws, the absence of rigorous oversight and judicial control can invite abuse.
Ecuador may not be an EU member, but it is walking a parallel path—with far fewer institutional safeguards and even greater legal ambiguity. The Pegasus case illustrates exactly how vague exceptions and a lack of expert-led scrutiny can erode privacy from within, regardless of what the law says on paper. And let’s not forget the Snowden revelations in the United States. The exposure of sweeping surveillance programs by the NSA showed how even established democracies can systematically compromise personal privacy in the name of security. These events serve as a warning: we shouldn’t wait for a scandal or whistleblower to trigger reform. Proactive, transparent, and rights-based safeguards must be built into the system from the start.
Understanding the Impact
The passage of Ecuador’s Intelligence Law signals more than just a policy shift — it’s a test of the country’s constitutional resilience. By granting surveillance powers without independent oversight or judicial review, the law exposes gaps in institutional strength and democratic safeguards. Rather than reinforcing Ecuador’s emerging privacy framework, this move undermines it from within. It shows how gains in data protection can be quietly reversed when urgency replaces scrutiny, and when legislative velocity outpaces expertise. Surveillance without checks isn’t just a legal loophole. It’s a democratic time bomb, neatly gift-wrapped in national colours.
For policymakers, legal professionals, and digital rights advocates, this is a moment that calls for clarity, not complacency. Quiet panels and procedural formalities can no longer substitute for meaningful scrutiny. It’s time to demand transparency, press for accountability, and insist that urgency never replace oversight. For Ecuadorians, this is more than a technical adjustment to national security policy. It’s a crossroads for digital rights, where the decisions made today will shape whether constitutional protections evolve with the times—or quietly erode beneath them.
What can be done?
Turn the Data Authority from Ghost to Guardian
The Superintendency of Personal Data Protection must become more than a name dropped in speeches. Fund it. Staff it. Give it teeth—and jurisdiction over intelligence operations.
Reinstate Judicial Oversight Like It’s a Fire Code
Spying without a judge is like building skyscrapers without architects. Pretty soon, things collapse on people. Surveillance must be subject to prior impartial judicial review, no exceptions.
Bring Experts into the Room (Before the Vote, Not After)
Surveillance laws are complex by nature—and their consequences long-lasting. The government should establish advisory panels of legal, technical, and human rights specialists to guide policy formulation and legislative review. This isn’t just a matter of good governance; it’s how democratic systems ensure laws are more than reactions to crisis—they’re rooted in informed, rights-based foresight.
Add Expiry Dates to Emergency Powers
Legal powers granted in chaos should not live forever. Introduce sunset clauses and mandatory legislative reviews before temporary powers become permanent policy.
Let Whistleblowers Breathe
Journalists, civil servants, and watchdogs must be protected—they’re the alarm system, not the problem. Without legal safeguards, the next Snowden may never speak, and the next Pegasus scandal will arrive with a shrug instead of accountability.
You can rewrite laws overnight—but rebuilding trust takes years. If this chapter isn’t amended soon, the sequel may read less like a resolution and more like a cautionary tale.
It’s time for public institutions to remember their mandates, for the press to rediscover its backbone, and for the public to look up from trending reels long enough to notice what’s being signed into law behind their scroll. Rights don’t disappear all at once—they fade when no one’s watching.