How is biometric data collected, stored, and protected in Paraguay's digital ID system?
This fact-check may be outdated. Consider refreshing it to get the most current information.
Executive summary
Paraguay enacted Law No. 7177/2023 to recognize government-issued digital identity credentials, and NGOs warn its regulatory framework and privacy protections lag behind the law’s ambitions [1]. Civil-society group TEDIC says biometric collection and storage rules are not yet detailed, urging limits on biometric collection, stronger safeguards against unauthorized access, correction/deletion procedures, and alignment with international standards [1] [2].
1. What the law establishes — a legal trigger, not a technical blueprint
Law No. 7177/2023 provides the legal basis for government-recognized digital credentials in Paraguay, but available reporting indicates the statute is not accompanied by the detailed operational regulations that would define how biometric data must be collected, stored and protected [1]. TEDIC’s analysis frames the law as a starting point that requires concrete regulation, risk assessments and public participation to translate legal recognition into secure technical practice [1] [2].
2. How biometric data is reportedly being used or planned
Public discussion and coverage point to fingerprints, facial biometrics and other modalities being considered or already in use across Latin American identity systems — and Paraguay is exploring mobile digital versions of physical documents like other countries in the region [3] [4]. TEDIC explicitly raises concern about the potential inclusion of biometric records for functions such as voting and other public services, though specifics of what Paraguay is currently collecting are not laid out in the sources [2] [1].
3. Collection practices: gaps and NGO demands
Civil-society reporting stresses that Paraguay lacks clearly defined limits on the collection of biometric data: TEDIC calls for explicit legal limits on what biometrics can be collected, under what conditions they may be required, and guarantees for marginalized groups who face disproportionate risk from mandatory enrollment [2] [1]. The reporting documents risks of coerced enrollment and discriminatory effects for refugees, transgender people and other vulnerable populations if safeguards are not enacted [2].
4. Storage and technical safeguards: tokenization and international approaches
Regional reporting notes that biometric data can be handled a range of ways — centralized databases, tokenized or stored on-device — but the Paraguay-specific coverage does not describe the country’s chosen technical architecture [3]. TEDIC recommends alignment with international standards and robust protections, implying that current documentation does not yet establish whether biometrics will be centralized, encrypted, tokenized or held locally on user devices [1] [2]. Available sources do not mention a definitive Paraguayan technical design for storage or tokenization [3].
5. Data protection law progress and regulatory outlook
Paraguay advanced a Personal Data Protection bill through a significant legislative step in 2025, with the Chamber of Deputies approving the proposal article by article — a move civil-society groups called vital for establishing a framework for privacy rights and data protection [5]. TEDIC and allied organizations view this development as promising but note the need for regulations specific to digital ID and biometrics to operationalize protections urged by NGOs [5] [1].
6. Risks: access, correction, deletion and misuse
TEDIC highlights concrete gaps: e-government platforms haven’t updated privacy policies to reflect digital IDs, citizens lack clear procedures to correct or delete personal data, and references in privacy documents sometimes cite repealed laws — all red flags for governance and accountability [1]. TEDIC explicitly recommends processes to correct or erase data, protections against unauthorized access, and public participation in rulemaking [1] [2].
7. Regional context and interoperability pressures
Paraguay’s digital ID plans sit within a regional push toward mobile IDs and cross‑border initiatives such as the Mercosur Digital Citizen program; such projects can increase pressure to make biometric systems interoperable — a source of both convenience and additional privacy risk if standards and safeguards differ across countries [3] [4]. Biometric interoperability raises technical and governance questions that Paraguay has not publicly resolved in the reporting available [3].
8. What reporting does not say — notable absences
Available sources do not provide specifics about which biometric modalities Paraguay is currently storing, whether biometrics are centralized or tokenized, what encryption or access-control measures are in place, nor the exact administrative or judicial oversight mechanisms for biometric use [1] [2]. They do not describe vendor contracts, database locations, retention periods or independent audit arrangements for Paraguay’s digital ID program [1] [2].
9. Bottom line — law in place, safeguards still unfinished
Paraguay has moved from concept to legal recognition for digital IDs, but civil-society monitors conclude the necessary regulatory and technical details governing biometric collection, storage and protection remain incomplete; NGOs call for explicit collection limits, stronger privacy policies, correction/deletion rights and alignment with international standards before large-scale deployment proceeds [1] [2].