The right of a citizen to obtain a copy of his personal data to transfer it to another provider, for example, one that offers better conditions, has been in force for a month. However, its effective application and the due protection of data owners are at risk due to the lack of a standard that requires its secure implementation.
In practice, complementary provisions serve to develop or facilitate the application of a main rule, ensuring its coherence, uniform interpretation and effective implementation. For this purpose, the Regulations of the Personal Data Protection Law, published in November 2024, were clear in establishing that “the National Authority for the Protection of Personal Data (ANPDP) issues the complementary provisions necessary for the correct application of the portability of personal data.”
Therefore, it is not a possibility, but an obligation. Despite this, after the six-month period scheduled for the entry into force of the right, the ANPDP has not yet issued the complementary provisions that guarantee its uniform and safe application.
Contradictions of the ANPDP
Asked about the omission, the ANPDP responded to Perú21 that “the Regulation does not require” the issuance of said provisions, but rather “provides for them based on an evaluation of necessity.” However, in the same letter, the entity admits that “it has considered it appropriate to do so” and that it is working on publishing them during the next year.
This double statement reveals an institutional contradiction: the need to dictate rules is recognized, but the obligation to do so is relativized. In practice, the right is already in force, but without a technical framework that defines how it should be exercised, in what format the data should be delivered, what security standards apply or how to resolve conflicts between companies and users.
Beyond legal interpretation, the lack of guidelines leaves citizens facing a formally recognized right, but difficult to exercise. And it places companies on uncertain ground: each data controller must decide on their own how to apply portability, which opens up space for disparate criteria, additional costs and possible violations of information protection.
Necessary condition
The lawyer and specialist in digital law, Erick Iriarte, denies, although in a technical and diplomatic manner, the interpretation of the ANPDP. In its reading, the complementary provisions are not an option or a future evaluation, but rather a necessary condition provided for in the regulation itself to make it fully applicable.
“The regulation has begun to come into effect in phases, as scheduled. To this extent, the provisions, protocols and complementary measures that the same regulation established were going to be taken to clarify it are necessary, for example being necessary to establish how much is a large volume of data, what complementary provisions must be understood for portability, or the complementary measures regarding impact evaluation,” he told Perú21.
Iriarte’s words suggest a reality: without clear guidelines, portability runs the risk of becoming a symbolic right. What should represent an advance in the citizen’s digital sovereignty is applied today with a regulatory vacuum that the authority itself recognizes, but does not correct.
The paradox is that the norm that was supposed to strengthen citizen control over their data was born without the basic guarantees to make it possible. Until the complementary provisions are issued, the portability of personal data will remain in an operational limbo, depending more on the will of the companies than on the action of the State.
In a context where the protection of personal information is increasingly sensitive, the absence of clear rules is not a technical delay: it is an omission that weakens citizen confidence in the system.
Receive your Perú21 by email or WhatsApp. Subscribe to our enriched digital newspaper. Take advantage of the discounts here.
RECOMMENDED VIDEO
