Ethics and Legality in Artificial
Intelligence-Based Applications: A Review and Commentary on European Data
Protection Regulations
Ética y
legalidad en Aplicaciones Basadas en Inteligencia Artificial. Revisión y
comentarios de la normativa europea sobre la protección de datos
|
Fabian Marcelo Salinas Professor, Catholic
University of Cuenca, Law Program Fabiansalinas@ucc.edu.ec https://orcid.org/0009-0007-2958-0474 |
![]()
ABSTRACT
This research analyzes the tension between the development of Artificial
Intelligence and the protection of personal data, comparing the European
Union’s regulatory framework with Ecuador’s legal system. The results highlight
the consolidation of “informational self-determination,” which grants users
absolute control over their data, including rights of access, rectification,
and erasure. However, a critical technical conflict is identified due to the
opacity of machine learning algorithms, which function as “black boxes” that
are difficult to interpret and carry discriminatory biases inherited from
historical data. Given this, data governance in sensitive sectors such as
healthcare and education requires oversight by specialized delegates and
bioethics committees. Finally, it is concluded that Ecuadorian legislation
exhibits institutional shortcomings and legal fragmentation, making it
insufficient to standardize its technologies in the international markets of
Europe and the United States.
RESUMEN
Esta
investigación analiza la tensión entre el desarrollo de la Inteligencia
Artificial y la protección de datos personales, comparando el marco normativo
de la Unión Europea con el ordenamiento jurídico de Ecuador. Los resultados
destacan la consolidación de la "autodeterminación informativa", que
otorga al usuario el control absoluto sobre sus datos, incluyendo derechos de
acceso, rectificación y supresión. Sin embargo, se identifica un conflicto
técnico crítico debido a la opacidad de los algoritmos de aprendizaje
automático, que funcionan como "cajas negras" difíciles de
interpretar y arrastran sesgos discriminatorios heredados de datos históricos.
Ante esto, la gobernanza de datos en sectores sensibles como la salud y la
docencia exige la supervisión de delegados especializados y comités de
bioética. Finalmente, se concluye que la legislación ecuatoriana presenta
falencias institucionales y dispersión jurídica, resultando insuficiente para
homologar sus tecnologías en los mercados internacionales de Europa y Estados
Unidos.
Keywords / Palabras
clave
Informational self-determination, Algorithmic bias, Data governance
Autodeterminación
informativa, Sesgo algorítmico, Gobernanza de datos
Introduction
The Spanish
Constitution was a pioneer in recognizing the fundamental right to personal
data protection when it stipulated that “the law shall limit the use of
information technology to guarantee the honor and personal and family privacy
of citizens and the full exercise of their rights,” demonstrating a visionary
stance on the current challenges facing a society based on data analysis. This
law aims to establish the fundamental right of individuals to the protection of
personal data; it applies to any partially or fully automated processing of
personal data, as well as to the non-automated processing of personal data
contained in or intended to be included in a file. The data protection
principles include regulations on data accuracy, confidentiality, data
processing based on the data subject’s consent, consent of minors, processing
required by law, public interest, criminal data, and—within the special
categories—it makes specific mention of data processing in the field of health.
Across all these areas, the law emphasizes that users must be aware of what
their data will be used for and how it will be used; consent must be obtained
from the data subject for its use; and the data subject may request that the
data be corrected to ensure its accuracy (Office of the President, 2018).
Under this
law, the user to whom this information refers has full control over what can be
done with their data; all procedures must be completely transparent. Since the
individual is aware of the purpose for which their information is being used,
they may access the study being conducted with their data at any time to verify
that it is being used correctly, exercising their right of access,
rectification, erasure, restriction of processing, data portability, and
objection. Users may decide to have their data completely deleted from any file
or database of their choosing, or to suspend the use of their data, among other
options. It is a significant achievement that the individuals to whom this
information pertains are given a fundamental role in decisions regarding their
data, thereby curbing the business of data trading and demanding the respect
users of this information deserve—namely, the right to know and be aware of how
their information will be used (from the Office of the President, 2018).
For those
who work with this information, there are strictly restrictive guidelines;
therefore, data analysts must thoroughly review the law to avoid committing
serious violations. This law places a very heavy burden of responsibility on
data analysts, so they must undergo special preparation and training to perform
their work properly. This may, to some extent, limit the freedom previously
enjoyed in analyzing and processing data, potentially prohibiting the use of
certain algorithms that have been widely used, particularly in the profiling of
individuals. This law highlights the importance of human interpretability in
algorithm design (from the Office of the President, 2018; Goodman and Flaxman,
2017).
This law
enshrines the right to non-discrimination for users, and this poses a serious
problem, since the use of algorithmic profiling is inherently discriminatory,
categorizing individuals according to certain variables; and since the data
contains information on inequality, exclusion, and other traces of
discrimination, algorithms trained on this data will evidently also exhibit
this bias. As for data transparency, it is currently extremely difficult to
comply with this regulation, since some supervised machine learning algorithms
use correlations or associations that go beyond statistical significance and lack
an explanation that can be understood by a human (Goodman and Flaxman, 2017).
The
creation of this law can be likened to the implementation of bioethics
committees for research involving human subjects, which require researchers to
conduct their work with patients in mind and in accordance with the principles
of beneficence, non-maleficence, autonomy, and justice (Office of the
President, 2018; Lolas, 2008; UNESCO, 2009).
In addition
to the special care that data analysts must exercise when working with personal
information, it is considered necessary to appoint a data protection officer
when the study is conducted by certain institutions, notably educational
institutions offering instruction at any level. In the field of health, while
healthcare facilities are required to maintain patients’ medical records,
healthcare professionals are exempt from this requirement, although they are
legally obligated to maintain their own patients’ medical records. Data
processing in health research may utilize tools such as informed consent,
provided that research involving patient data has been previously approved by a
bioethics committee for research involving human subjects (Presidency of the
Republic, 2018; He et al., 2019).
Challenges
in Artificial Intelligence Regarding Compliance with Legislation
There is a
clear need to redesign algorithms and data processing systems to ensure
interpretability by those involved in data collection, from the analyst to the
individual from whom the information originates. This opens up a new potential
field of study within Artificial Intelligence, enabling the translation of
information that has thus far been treated as “black boxes”—where it is neither
relevant nor necessary to understand what is happening as long as the necessary
connections are made to produce a successful output— all the way to “open”
systems specifically designed for machine learning tasks involving personal
data.
The
processing of personal information presents a significant challenge if it is to
be carried out by automated or semi-automated information-selection systems.
The goal is to find a way to analyze attributes and their correlations that can
eliminate attributes that may lead to discrimination against individuals based
on race, gender, etc., as well as any information correlated with these
attributes or from which a sensitive factor about the individual might be
inferred. This information processing is similar to what is required for data
anonymization; this process must be carried out automatically and reviewed by a
data protection officer, who examines the entire dataset before analysts or
other relevant parties work with it and ensures compliance with established
regulations.
The
application of European data protection regulations is of global importance, as
it requires individuals who develop applications using personal data—and who
wish to market their product in Europe, conduct business with the European
Union, or access data from individuals residing within the European Union—to
comply with all guidelines established by this law, regardless of the
regulations in their country of origin. Therefore, from a legal standpoint,
countries must establish new data regulations to ensure compliance with the
most important global standards (Europe, the United States, China), thereby
eliminating any risk of noncompliance.
Ecuador’s Legal Framework on Personal Data Protection
Following
the massive personal data breach in September 2019, the Ministry of
Telecommunications submitted a draft data protection law, the “Organic Law on
the Protection of Personal Data,” adapting the law to the current reality of a
society based on the consumption and generation of personal data. To this end,
Ecuador proposes the adaptation and adoption of the proposed declaration of
principles on privacy and personal data protection in the Americas, along with
accompanying legal regulations that govern and regulate the collection and
processing of personal data. The points addressed in the proposed law include
the legitimacy and lawfulness of data, an analysis of the purpose for which the
data will be used, the relevance and minimization of personal data, the
proportionality of processing, consent, confidentiality, quality, retention,
security, and accountability regarding the data (Presidency of the Republic of
Ecuador, 2019).
The
Ecuadorian bill was an important step forward in data protection, but it has
legal—rather than technical—shortcomings that affect its applicability within
Ecuador’s legal framework and render it insufficient for AI and Big Data
projects to be commercialized or implemented in the European Union or the
United States, as it does not adequately comply with all the regulations
established by those jurisdictions (Enriquez Alvarez, 2017).
A
foundation must be established to clarify how data is processed. Thus, the
Organic Law on Transparency and Access to Public Information (LOTAIP), in
Article 1, establishes that “Access to public information is a right of
individuals guaranteed by the State.” The provisions enshrined in this organic
law enable several things, including: safeguarding personal information and
promoting the democratization of society. Compliance with international
conventions, among other elements that facilitate the transparency of processes
regarding the handling of public data (National Congress, 2004) .
Furthermore,
Article 6 of the LOTAIP establishes guidelines regarding confidential
information. This is defined as information derived from the most personal and
fundamental rights, as set forth in Articles 23 and 24 of the Constitution of
Ecuador.
In addition
to these provisions, Articles 5 and 6 of the LOTAIP define what constitutes
public information and what constitutes private or confidential information. In
the first case, information is considered public when any document, in any
format, is held by public institutions and legal entities covered by this Law.
As for confidential information, private information is defined as public
information that is not subject to the principle of disclosure. The misuse of
this information will result in appropriate legal action (National Congress, 2004) .
On the
other hand, private information or information subject to the regulations of
the Ecuadorian Institute of Intellectual Property (IEPI) shall be governed by
the provisions set forth in the Organic Code on the Social Economy of
Knowledge, Creativity, and Innovation. This Code emphasizes the creation of
knowledge and how it will be transmitted and managed, with the aim of making
efficient use of these resources. Article 39 of this law establishes universal,
free, and secure access to knowledge in digital environments. This will be
achieved through digital platforms and information technologies, prior to the
declaration of copyright, and through the use of Creative Commons licenses that
restrict its use and application (National Assembly of Ecuador, 2016) .
Similarly,
based on the regulations set forth by the IEPI and specifically Article 81
thereof, the process for technology transfer is outlined. This process will be
carried out to transfer knowledge, techniques, or technological processes that
enable the development of products and services (National Assembly of Ecuador, 2016) . To this end, contractual arrangements will be
utilized, such as proof of concept, technological validation, and licensing,
among others. From a legal standpoint, these must be properly substantiated.
It should
also be noted that certain content will not be publicly accessible in a
database. Intellectual property rights constitute an exception to the public
domain; thus, to promote culture, artistic development, and technological
advancement, one must adhere to principles of social responsibility, ethics,
and morality, as well as to the laws established by both the Constitution and
the Intellectual Property Law regarding data classified as private,
state-owned, community-owned, or mixed.
However, it
is important to note the moral rights that must be present in every project or
work; these stem from Article 118 of the Intellectual Property Law. This
article stipulates that unpublished works must be preserved and made public,
with an emphasis on the creation of artificial intelligence, which will be
closely linked to the moral principles established by the Constitution and the
law. It should be noted that, although there is no explicit provision within
Ecuador regarding the creation of artificial intelligence, this will be subject
to the interpretation and scrutiny of the entities responsible for enforcing
the law (National Assembly of Ecuador, 2016) .
Among other
elements outlined in the law, issues such as data ownership and how such data
is regulated under Ecuadorian law are clarified. Compared to the European
Union’s approach, there are still gaps in the development of information
infrastructure, raising questions such as how, in the 21st century, data can be
managed without compromising the integrity of a country, a region, a
municipality, or an individual. To this end, the creation of Creative
Commons—which is already being implemented on the internet—bases its structure
on the legal framework provided by each country, region, and the global
community (Vera, 2013) .
Judicial Safeguards
Art.
91.—The purpose of an action for access to public information is to guarantee
access to such information when it has been expressly or tacitly denied, or
when the information provided is incomplete or unreliable. Such an action may
be filed even if the denial is based on the information’s classification as
secret, restricted, confidential, or any other classification. The restricted
nature of the information must be declared prior to the request by a competent
authority and in accordance with the law. (VERBATIM).
Art.
92.—Every person, in their own right or as a representative authorized for that
purpose, shall have the right to be informed of the existence of and to access
documents, genetic data, databases or files containing personal information,
and reports concerning themselves or their property that are held by public or
private entities, whether in physical or electronic form. Likewise, they shall
have the right to know how such information is used, its purpose, the origin
and destination of personal information, and the retention period of the file
or database. Those responsible for personal data banks or files may disclose
the archived information with the authorization of the data subject or as
authorized by law. The data subject may request from the data controller free
access to the file, as well as the updating, correction, deletion, or erasure
of the data. In the case of sensitive data—the storage of which must be
authorized by law or by the data subject—the adoption of necessary security
measures will be required. If your request is not addressed, you may bring the
matter before a judge. The affected individual may file a lawsuit for damages
incurred. (VERBATIM).
In
accordance with our Constitution, these two articles constitute the legal
framework governing the use of data and the right of all Ecuadorian citizens
and foreign residents to access their data and publicly available information.
To provide context for this issue, we will refer to JUDGMENT 001-14-PJO-CC,
which is a (BINDING JUDICIAL PRECEDENT). This ruling serves as the basis when a
natural or legal person asserts these constitutional rights through the courts.
In
accordance with the eighth paragraph of Article 9 of the Law on Electronic
Commerce, Signatures, and Data Messages, published in the Official Register,
Supplement No. 557, dated April 17, 2002, “Personal data” refers to “data or
information of a personal or intimate nature that is subject to protection
under this law.”
In other legislation and in legal doctrine,
access to public information is referred to as “improper habeas data.” Bruno
Gaiero and Ignacio Soba, *La Regulación Procesal del Habeas Data* (The Procedural Regulation of
Habeas Data), Editorial B de F, Buenos Aires, 2010, p. 48, describe the legal
concept as follows: “Currently, there is a marked tendency to establish a
special framework to facilitate this claim (access to public information),
generally referred to as ‘improper habeas data.’ Although habeas data was
originally conceived as a guarantee of access to personal data, over time it
began to be applied, by extension, to data held by the government for the
purpose of clarifying the activities carried out by those in power. This is the
crystallization of what came to be known as “improper habeas data.” It is clear
that, due to the similarity of the subject matter—as well as, , because of how
blurred the line between what constitutes public information and what
constitutes personal information can become—the two guarantees can be confused.
However, the prerogatives or “legal positions” that can be derived from each
right are undoubtedly distinct. While the right to public information is
limited to mere access, the scope of action regarding personal information
expands significantly.”
Art.
66.—The following rights of individuals are recognized and guaranteed:
paragraph 19. The right to the protection of personal data, which includes
access to and control over such information and data, as well as their
corresponding protection. The collection, storage, processing, distribution, or
dissemination of such data or information shall require the authorization of
the data subject or a statutory mandate.
The right to the protection of personal data
is complex in nature and encompasses various dimensions related to “personal”
information. This concept is articulated in legal doctrine by Óscar Puccinelli,
who states the following: “The ‘right to data protection’ is understood as the
sum of principles, rights, and guarantees established in favor of individuals
who may be harmed by the processing of personal data pertaining to them.”
As the
author rightly notes, the right to data protection—and specifically, its
element known as “informational self-determination”—is instrumental in nature,
subordinate to the protection of other constitutional rights that may be
affected when personal data is used, such as privacy, honor, psychological
integrity, etc.,
Oscar Puccinelli, *Habeas Data in
Indo-Ibero-America*, Temis, Bogotá, 1999, p. 68.
Informational self-determination entails the right of
every person to exercise control over personal information concerning them,
vis-à-vis any public or private entity. This right was first invoked by the
Federal Constitutional Court of Germany in its ruling on the Census Act of
December 15, 1983, which empowers individuals to decide and consent, freely and
with full knowledge of the facts, to the use of their personal data by third
parties in the context of automated data processing.
Sustainable
urban planning has established itself as a fundamental strategy in Latin
America to address challenges associated with the accelerated growth of cities,
disorderly urban sprawl, territorial inequality, and increasing exposure to
natural hazards (UN-Habitat, 2022). In this context, territorial planning is a
key tool for promoting balanced development, improving the population’s quality
of life, and ensuring the efficient and sustainable use of available resources.
Sustainable
urban planning has established itself as a fundamental strategy in Latin
America, a region where over 80% of the population resides in urban centers. However,
implementing these frameworks requires navigating a complex reality marked by
deep socioeconomic inequalities and rapid, often informal, peripheral growth.
Traditional
planning models frequently clash with the spontaneous expansion of informal
settlements, where vulnerable communities lack critical access to clean water,
basic sanitation, and reliable public transit. Additionally, Latin American
cities face escalating climate vulnerabilities—ranging from landslides in steep
Andean terrain to severe flooding in coastal hubs—making urban resilience a
matter of immediate survival rather than a theoretical ideal.
To address
these pressing challenges, current regional strategies are increasingly
incorporating contemporary models such as Transit-Oriented Development (TOD)
and nature-based solutions to mitigate urban sprawl and protect endangered
ecosystems. Local governments are working to align municipal master plans with
global mandates, such as the New Urban Agenda and SDG 11.
Yet, a
persistent implementation gap remains. While many countries have highly
progressive national land-use legislation, local municipalities often lack the
administrative, financial, and enforcement capabilities needed to curb
aggressive real estate speculation and regulate land use effectively.
Ultimately, sustainable urban planning in Latin America is evolving beyond
simple aesthetic zoning toward a model of participatory governance, aiming to
bridge the stark divide between the formal and informal city.
In Ecuador,
territorial planning is regulated by the Constitution of the Republic of
Ecuador (2008), the Organic Code of Territorial Organization, Autonomy, and
Decentralization (COOTAD, 2010), and the Organic Law on Territorial Planning,
Land Use, and Management (LOOTUGS, 2016). These instruments establish the
powers of the Decentralized Autonomous Governments and the necessary mechanisms
for the planning, management, and regulation of land use through tools such as
the Development and Territorial Planning Plan (PDOT) and the Land Use and
Management Plan (PUGS) (Constitution of the Republic of Ecuador, 2008; COOTAD,
2010; LOOTUGS, 2016).
Within this
framework, the canton of Latacunga is a relevant case study due to its
importance as an urban center in the province of Cotopaxi and its historical
exposure to volcanic threats associated with the Cotopaxi volcano. This
situation poses significant challenges for territorial planning and risk
management. Therefore, this paper analyzes the relationship between the current
regulatory framework and the application of land-use planning instruments in
Latacunga, with the aim of identifying their contribution to sustainable
development and the reduction of territorial vulnerability.
Materials and Methods
This
research is framed within a qualitative, documentary-analytical design. It is
based on the systematic review, critical interpretation, and comparison of
regulatory frameworks, constitutional texts, draft legislation, and specialized
scientific literature addressing the intersection between ethics, legality, and
the development of technologies based on Artificial Intelligence (AI) and big
data. The methodological approach adopted does not seek to quantify variables,
but rather to gain a deep understanding of the phenomenon of “informational
self-determination” and the technical and legal limitations faced by
contemporary legislation, with a comparative emphasis on the regulatory
framework of the European Union and the legal system of the Republic of Ecuador.
To ensure
the validity and rigor of the findings, the units of analysis were strictly
defined and categorized as follows:
A. International and European Regulations
European
Union Regulations: Analysis of guidelines regarding the protection of personal
data in automated environments, aimed at ensuring algorithmic transparency and
the right to an explanation.
Universal
Declarations: Incorporation of the principles of UNESCO’s Universal Declaration
on Bioethics and Human Rights, used as a regulatory analogy for data
governance.
B. Ecuadorian Regulations and Case Law
Constitution
of the Republic of Ecuador: Specifically, Article 66, paragraph 19, which
recognizes the fundamental right to the protection of personal data; as well as
Articles 91 and 92 on the judicial guarantees of Access to Public Information
and Habeas Data.
Organic
Laws and Codes: Review of the Organic Law on Transparency and Access to Public
Information (LOTAIP), the Organic Code on the Social Economy of Knowledge,
Creativity, and Innovation, and the Law on Electronic Commerce, Signatures, and
Data Messages.
Bills and
Judicial Doctrine: Evaluation of the Draft Organic Law on Personal Data
Protection submitted by the Ministry of Telecommunications in September 2019,
and analysis of the binding precedent established by Ruling 001-14-PJO-CC of
the Constitutional Court of Ecuador.
Heuristics
and Document Selection. An exhaustive search and selection of official
documents and indexed articles was conducted using key descriptors such as
“ethics in AI,” “data protection,” “habeas data,” “algorithmic profiling,” and
“informational self-determination.” Priority was given to sources that linked
the limitations of machine learning algorithms to the fulfillment of
fundamental rights.
Legal
Hermeneutics and Interpretation. In this stage, the hermeneutic method was
applied to unravel the meaning and scope of written norms. The fundamental
principles of data protection under European law (accuracy, confidentiality,
explicit consent, processing limitation, and portability) were analyzed in
light of the realities of “black box” technologies that hinder human
interpretability. Likewise, the doctrinal construct of informational
self-determination—which originated in German case law (the 1983 Census Act
ruling)—and its reception in Latin American legal doctrine were analyzed.
Comparative
and Technical Analysis. The robustness of global regulatory frameworks was
compared with the Ecuadorian legal ecosystem. The legal shortcomings of
the 2019 Ecuadorian proposal were critically examined in light of the
requirements of the European and U.S. markets. In turn, the concepts of public,
confidential, and private information defined in the LOTAIP were contrasted
with the rights of exclusion derived from intellectual property and the use of
open licenses such as Creative Commons.
Critical
Synthesis and Categorization. Finally, the information was processed, coded,
and structured into three essential thematic areas that guide the research
discussion:
The role of
the data analyst and the challenges of algorithmic bias: Assessment of the
legal liability of data scientists and the dilemma of indirect discrimination
introduced by training data that reflects historical inequities.
Procedural
safeguards against automated processing: Operational distinction between the
right of access to public information (improper habeas data) and the right to
personal data protection (pure habeas data).
Data
governance in specialized fields: Ethical and methodological implications of
using sensitive data in the fields of health, medical research, and education.
Since the
research addresses the legal framework of ethics and privacy, the
methodological design strictly adheres to principles of scientific
integrity. Direct informed consent from human subjects was not required
due to the strictly documentary nature of the primary data. The validity of the
study is ensured through the triangulation of sources: the direct comparison of
constitutional texts, current organic laws, and publications by experts in
information and computer law.
Results
The
documentary analysis and hermeneutic interpretation of regulatory and doctrinal
texts made it possible to structure the findings around the tension between
technological innovation driven by Artificial Intelligence (AI) and the
ethical-legal frameworks designed to safeguard individuals’ fundamental rights.
The results have been organized according to regulatory asymmetries, the
challenges of algorithmic opacity, and the state of legislation in the
Ecuadorian context compared to European standards.
The New Paradigm of Informational Self-Determination and User Control
One of the
most significant findings concerns the evolution of the right to personal data
protection, whose modern legal origins can be traced to the Spanish
Constitution, which was a pioneer in recognizing the need to restrict the use
of information technology to protect honor and family and personal
privacy. This approach has evolved conceptually toward “informational
self-determination,” a doctrinal construct established through the case law of
the German Federal Constitutional Court in its ruling on the 1983 Census Act.
The
research demonstrates that informational self-determination is not a static
right, but rather an instrumental and complex power that grants individuals
full control over their personal data vis-à-vis public or private entities.
This control is exercised through a set of procedural rights that transform the
relationship between citizens and the entities that process their information:
Explicit
Consent and Awareness of Purpose: The user must be fully aware of what data is
being collected and for what specific purposes it will be processed. Any
collection, processing, or distribution of data requires the explicit
authorization of the data subject or a direct mandate from the law.
Right to
Rectification and Maintenance of Accuracy: Users have the unequivocal right to
demand that their data be corrected or updated to ensure its accuracy within
any storage system.
Right to
erasure and portability: The regulations under review empower individuals to
autonomously decide to completely delete their information from specific
databases or to revoke the previously granted permission to use such data.
This
paradigm shift represents a structural milestone in the contemporary digital
economy, as it directly impacts the market and trade in big data. By
transferring decision-making power to the data subject, corporations and
developers are compelled to establish fully transparent processes.
Technical and Liability Challenges for Analysts in AI Environments
The results
reveal a critical gap between the requirements imposed by the regulatory
framework and the technical feasibility of implementing them in advanced
machine learning models. The legislation introduces restrictive guidelines and
an unprecedented burden of legal and ethical responsibility on data scientists
and analysts. This legal pressure requires professionals to undergo continuous
specialized training to avoid committing serious legal violations during the
design of automated systems.
However,
this regulatory rigidity imposes substantial barriers to free technical
development, limiting the analytical flexibility that existed before these
regulations took effect. The analysis identifies three critical technical
problems in the use of contemporary algorithms:
The Problem of Inherently Discriminatory Profiling
Legal
frameworks explicitly prohibit discrimination in automated processing. However,
the analysis shows that algorithmic profiling algorithms are inherently
discriminatory due to their very functional nature, which consists of
categorizing and segmenting individuals based on specific variables. Since
the historical datasets used to train AI contain deep-rooted biases,
inequities, and patterns of social exclusion, the resulting algorithms
mathematically reproduce and amplify these discriminatory biases.
The Opacity of “Black Boxes” vs. the Right to an Explanation
Regulations
require that algorithmic co-design take into account human interpretability and
users’ right to receive a comprehensible explanation of the automated decisions
that affect them. The study demonstrates the extreme technical complexity of
meeting this requirement with current supervised machine learning
models. These models operate through complex associations and correlations
that defy traditional statistical understanding, lacking a linear logic that
can be translated into language comprehensible to a human being. The common
practice in AI of prioritizing successful data outputs without understanding
the internal processing (black boxes) directly conflicts with legal
transparency requirements.
The Need for Automated Mitigation Systems
Given these
limitations, the results suggest that the future development of AI must be
reoriented toward the creation of “open” systems and the co-design of
algorithms capable of processing data ethically. This involves developing
automation tools that detect and remove from training datasets those sensitive
attributes (race, gender, etc.) or correlated variables from which any factor
of discrimination or vulnerability might be inferred. This process of
automated filtering and anonymization must be complemented by human oversight
exercised by a Data Protection Officer before analysts are granted access to
the final dataset. To provide a structured overview of the findings, the
following table summarizes the operational characteristics, protected rights,
shortcomings, and ethical implications identified in the various legal
instruments and frameworks analyzed.
Table 1. Analysis of Results.
|
Regulatory Framework / Instrument |
Main Approach and Guaranteed Rights |
Technical or Legal Limitations and Shortcomings |
Impact on AI Development and Applied Ethics |
|
European Data Protection Regulations (General Data Protection
Regulation) |
Guarantees the
user’s absolute control over their data. Recognizes
the rights of access, rectification, erasure, restriction of processing, data
portability, and objection. Requires
algorithmic transparency and the right to receive a clear explanation of
automated decisions. |
It presents a significant challenge for practical application when
dealing with supervised machine learning models featuring “black box”
structures that lack direct human interpretability. |
It restricts the prior freedom to process data. It potentially prohibits
the use of traditional mass profiling algorithms due to their inherently
discriminatory bias. It functions in a manner
analogous to medical bioethics committees. |
|
Constitution of the Republic of Ecuador (Arts. 66, no. 19, 91, and 92) |
It recognizes the fundamental right to personal data protection. It establishes the
judicial safeguards of pure Habeas Data (to access, update, correct,
or delete personal information) and Access to
Public Information (improper Habeas Data). |
It creates procedural confusion within the judicial framework due to
the fine line between information that is public in nature and that which is
strictly confidential or personal. |
It makes the use of big data subject to the express authorization of
the data subject or a legal mandate. It provides a solid legal basis for claims
for damages arising from unlawful processing. |
|
Draft Organic Law on Personal Data Protection (Ecuador, 2019) |
Adaptation of international principles following massive data breaches. It regulates the
principles of legitimacy, lawfulness, specified purpose, relevance, data
minimization, proportionality, confidentiality, and security. |
It has legal and institutional shortcomings rather than technical
ones, which limits its practical applicability within the national legal
system and prevents its international recognition. |
It is insufficient to allow local developments in AI and Big Data
to be exported, commercialized, or formally validated in the markets of the
European Union or the United States. |
|
Organic Code on the Social Economy of Knowledge (Ecuador - IEPI) |
It regulates technology transfer and the efficient management of
knowledge through contractual agreements. It guarantees universal and secure access
in digital environments through the use of open licenses such as Creative
Commons. |
Intellectual property rights serve as an exception to the public
domain. There are no explicit guidelines regarding authorship or
moral rights for works generated autonomously by artificial intelligence. |
It subjects technological developments and algorithms to the
restrictive interpretation of intellectual property regulators, under
constitutional principles of morality and social responsibility. |
The Ecuadorian Context: Limited Progress and International Discrepancies
A detailed
analysis of Ecuador’s legal situation reveals a scenario of regulatory reaction
to information security crises, characterized by the existence of scattered and
disjointed regulations compared to unified global frameworks. The proposed
Organic Law on Personal Data Protection, spearheaded by the Ministry of
Telecommunications in September 2019 following a massive data breach in the
country, sought to adapt the local legal framework to a consumer society and
the massive generation of personal data. To this end, it proposed adopting
the privacy principles set forth in the Declaration of the Americas,
structuring key pillars around proportionality, confidentiality, and the
minimization of collected data.
However,
the results conclusively demonstrate that this regulatory effort suffers from
structural legal shortcomings that drastically limit its applicability and
impact. When compared to robust foreign regulations (such as those in Europe or
the United States), Ecuadorian legislation exhibits technical gaps and
operational loopholes that prevent local technology- and AI-based companies
from competing globally. Software products and big data architectures
developed under this local framework fail to reliably meet the standards
required for international trade or cross-border data exchange with the
European Union. This creates an urgent need to overhaul domestic
regulations to align them with the world’s three major regulatory blocs—Europe,
the United States, and China—thereby mitigating the risk of technological trade
exclusion.
Furthermore,
Ecuador’s legal ecosystem is characterized by fragmented criteria regarding the
management of technical knowledge. The Organic Law on Transparency and
Access to Public Information (LOTAIP) draws the formal boundaries between the
right to access documents held by state institutions (public information) and
data derived from strictly personal rights that are not subject to the
principle of public disclosure (confidential information).
However,
when the analyzed information or the developed algorithm falls within the scope
of intellectual property, the legal framework shifts to the Organic Code on the
Social Economy of Knowledge, Creativity, and Innovation. This body of law
introduces essential concepts such as “proof of concept” and “technological
validation” to contractually regulate the transfer of technological processes
aimed at creating commercial products and services. It also promotes open
access on digital platforms by using Creative Commons licenses to define
creators’ rights regarding restrictions and usage.
Despite
these tools, the findings reveal that Ecuadorian law does not include explicit
regulations governing intellectual products generated automatically by
artificial intelligence. This complete lack of positive law leaves the
resolution of conflicts to the exclusive interpretation and judgment of the
judges and administrative bodies that administer the country’s laws, which
introduces a high degree of legal uncertainty for investments and research in
the field of data science.
Sectoral Data Governance and Ethical Analogies
A
cross-cutting methodological finding of this research is the identification of
an operational convergence between data governance in Artificial Intelligence
and the historical structuring of medical bioethics and human research
committees. The introduction of strict regulations on the processing of
personal data mirrors the logic of the principles of beneficence,
non-maleficence, autonomy, and justice, forcing software designers to structure
their algorithms with the rights of users and data subjects as a top priority.
This
bioethical approach takes on critical importance in data governance within
sectors of high social sensitivity, such as education and public health:
Educational
Environments and Delegation of Responsibilities: Research reveals that data
analysis within educational institutions and schools at any level requires the
formal appointment of a Data Protection Officer. This role is indispensable due
to the risks posed by automated profiling of student performance or the
behavior of minors on learning platforms.
Healthcare
Management and Medical Research: In the healthcare sector, the findings reveal
a duality in information archiving responsibilities. While healthcare
institutions and facilities are strictly required by law to securely maintain
their patients’ medical records, individual medical professionals enjoy certain
operational exceptions regarding the direct management of such records, without
prejudice to their general obligation of confidentiality.
Surgical
Use of AI in Medicine: For the practical implementation of machine learning and
AI tools applied to predictive or diagnostic medicine, the research highlights
the need to employ strict informed consent mechanisms. Such consent, along
with the technical protocols for clinical data collection, must receive prior
and explicit approval from a duly accredited bioethics committee for research
involving human subjects before any computational processing of patient data is
authorized.
Finally,
the results demonstrate that the two legal safeguards enshrined in the
Ecuadorian Constitution—Access to Public Information and Habeas Data—exhibit
profound operational differences that are often conflated in judicial practice
due to the similarity of the subject matter. While Access to Public
Information (improper habeas data) is strictly limited to allowing mere access
to information held by the State to ensure transparency in the actions of
government officials, pure Habeas Data (regulated by Article 92 of the
Constitution) significantly expands the scope of citizens’ rights. The
latter entitles the data subject not only to learn of the existence of their
data or the use, origin, destination, and validity of their personal
information in public or private records, but also to demand the updating,
correction, or free deletion of such information, or the adoption of advanced
security measures in the case of sensitive data, thereby strengthening the
legal foundation for informational self-determination in the region.
Conclusions
A detailed
analysis of the regulatory, ethical, and technical frameworks addressed in this
literature review allows us to draw the following conclusions:
The
fundamental right to personal data protection has evolved from a traditional
guarantee of privacy to the complex concept of informational
self-determination, which grants citizens absolute, informed, and transparent
control over the purpose, access, correction, and complete deletion of their
personal information in any analytical environment.
There is a
critical and insurmountable gap between the regulatory requirements of
international law (particularly European law) and the current technical
feasibility of Artificial Intelligence; advanced supervised machine learning
models operate as inherently discriminatory and opaque “black boxes,” which
hinders the effective fulfillment of the user’s right to receive an
understandable and unbiased explanation.
The design,
co-design, and implementation of Artificial Intelligence and Big Data systems
necessitate a shift in the analytical paradigm, moving away from the
traditional approach— —that focuses solely on the success of outputs toward
open systems that automate the anonymization and removal of sensitive
attributes under the strict oversight of a Data Protection Officer.
The
governance of mass data processing shares an essential functional parallel with
medical bioethics committees, demonstrating that in sectors of high social
vulnerability—such as healthcare and education—the application of algorithms
and the use of medical records must be subject to the principles of autonomy,
justice, beneficence, and the rigorous use of duly monitored informed consent.
In the
Ecuadorian context, the current regulatory ecosystem exhibits serious technical
gaps and institutional shortcomings that limit its applicability and prevent
the standardization of its technological developments in international markets
such as the European or U.S. markets; Furthermore, the lack of explicit
guidelines on AI-driven automated creation within the Organic Code of the
Social Economy of Knowledge subjects this field to latent legal uncertainty and
discretionary interpretation.
The
jurisdictional guarantees enshrined in the Ecuadorian Constitution make a clear
distinction between Access to Public Information (improper habeas data), which
focuses on the transparency of government administration, and Habeas Data (in
the strict sense), which stands as the ideal instrument for exercising
cost-free control over the use, validity, updating, and deletion of personal
and sensitive data.
References
National Assembly of Ecuador. (2016). Organic Code on the Social Economy
of Knowledge, Creativity, and Innovation. Official
Register, IV(899), 113. [suspicious link removed]
National Congress. (2004). Organic Law on Transparency and Access to
Public Information. LOTAIP, 1–10.
https://doi.org/10.1111/jfr3.12162
Office of the President, M. (2018). Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rights ( Technical Information). https://www.boe.es/buscar/pdf/2018/BOE-A-2018-16673-consolidado.pdf
Enriquez Alvarez, L.
(2017). Paradigms of
Personal Data Protection in Ecuador. Analysis of the Draft Organic Law on the
Protection of the Rights to Privacy and Confidentiality Regarding Personal
Data. Law Review, 43–61. http://www.fundamedios.org/wp-content/uploads/2016/09/proyecto-ley-de-datos.pdf
Goodman, B., and Flaxman, S. (2017). European Union Regulations on
Algorithmic Decision-Making and the Right to Explanation. AI Magazine, 38(3), 50–57.
https://doi.org/10.1609/aimag.v38i3.2741
He, J., Baxter, S. L., Xu, J., Xu, J., Zhou, X., and Zhang, K. (2019). The
practical implementation of artificial intelligence technologies in medicine. *Nature Medicine*, 25(1), 30–36. https://doi.org/10.1038/s41591-018-0307-0
Lolas, F. (2008). Bioethics and animal research. A personal perspective and a note on the contribution of
Fritz Jahr (Vol. 41; Technical Report).
Presidency of the Republic of Ecuador. (2019). Organic Law on the Protection of Personal Data (Technical Information). https://www.nmslaw.com.ec/
Puccinelli, O. (1999). Habeas Data in Indo-Ibero-America. Temis.
UNESCO. (2009). Universal Declaration on Bioethics and Human Rights. Bioètica & debat: Open Forum of the
Borja Institute of Bioethics, 15(55), 8–14.
http://portal.unesco.org/es/ev.php-URL_ID=31058&URL_DO=DO_TOPIC&URL_SECTION=201.html
Vera, A. (2013). Practical Guide to Creative Commons Licenses. CENT-UJI.
http://cent.uji.es/pub/sites/cent/files/Guia-Creative-Commons-by-Alejandro-Vera-Palencia-by-nc-sa-es-3.0.pdf