Monthly Archives: November 2023

Under Resolution No. ARCERNNR-031/2023, effective since November 1, 2023, the Agency for Regulation and Control of Energy and Non-Renewable Natural Resources (“ARCERNNR”) issued Regulation No. ARCERNNR-008/23 containing the “Framework for Distributed Generation Enabling Self-Sufficiency Among Regulated Electric Energy Consumers” (“Regulation”).

This framework establishes the requirements and procedure to install and operate a distributed generation system for self-sufficiency (“SGDA”). An SGDA comprises equipment generating electrical power for the self-sufficiency of individuals or entities with supply contracts with an electricity distribution company (“Regulated Consumers.”)

The procedure to install and operate an SGDA is carried out before the electric distribution and commercialization company (the “Distributor”) in whose service area the Regulated Consumer is located.

Key features of an SGDA, as per the Regulation, include:

• Nominal power limitations are based on whether it injects electrical energy into the distribution network. If it does, the nominal power is limited to 2MW. In cases where it does not inject electrical energy, the nominal power is determined by both the maximum power demand registered by the associated Regulated Consumer with the SGDA and the approved connection capacity by the Distributor.
• It is possible to use energy storage equipment.
• It can operate under the following self-supply modalities:

Individual Multiple The SGDA and the Regulated Consumer are in the same property. The SGDA and the Regulated Consumers are in the same property (in a condominium or under a horizontal property regime). The SGDA and the Regulated Consumer are in different properties. The property where the Regulated Consumer is located must not be a condominium or declared under a horizontal property regime. The SGDA is in a property, and the Regulated Consumers are concentrated in another property constituted in a condominium or declared under the horizontal property regime. The SGDA and the Regulated Consumers are in different properties; the latter belong to the same legal entity.

The term during which a Regulated Consumer may operate an SGDA depends on the useful life of the generation technology used, which is limited as detailed below:

Technology Useful life (years) Photovoltaic 25 Wind 25 Biomass 20 Biogas 20 Hydraulic 30

Mario Fernández, Associate at CorralRosales
mfernandez@corralrosales.com
+593 2 2544144

The Constitutional Court, by means of a judgment in Case 51-23-IN, dated November 9, 2023, notified on November 17, 2023, declared Presidential Decree 754 unconstitutional, considering that it violates the constitutional rule of reserve of law.

The effects of the ruling will be deferred until the National Assembly issues the corresponding law. Therefore, Decree 754 may be applied to carry out the Citizen Participation Processes for Environmental Consultation, provided that the guidelines and standards determined by the Court in paragraphs 196 to 205 of the decision are applied in such processes.

Among the guidelines and standards, the following stand out:

Regarding the subjects consulted, Decree 754 determines that they are the community or communities, regardless of their ethnicity, whose environment may be affected by any decision or permit in environmental matters, which will be determined according to the area of direct social influence of the decision or permit. Those people who can demonstrate, in a technical and/or legal manner, the environmental impact that could be caused to them, may also be considered as consulted subjects. The subject consulted must be determined in a broad and representative manner, so that any person who considers, in a substantiated manner, that the measure affects them must be included in the process.  The direct impact analysis should not demand technical requirements that are difficult to comply with for a community to be considered potentially affected.

With respect to financing, although Decree 754 determines that the costs or values demanded by the citizen participation process for the environmental consultation will be assumed by the operator of the project, work or activity, and that the latter will provide the necessary facilities and resources for the execution of such process, the Court determines that the State may not delegate the environmental consultation process, in any aspect (i.e. provision of inputs or financing) to the operator of the project, work or activity to be carried out.

The Ombudsman’s Office is obliged to promote the bills on environmental consultation that it has presented and that are being processed in the Assembly or, failing that, to draft a bill regulating the matter. It also establishes that the National Assembly must approve, within a period of one year, counted as of the moment of the impulse or presentation of the new project.

Finally, the Court emphasizes that the process of environmental consultation should not be confused with that of prior, free, and informed consultation, and therefore the content of Decree 754 should not be applied to communes, communities, indigenous people, and nationalities.

Carlos Torres, Senior Associate at CorralRosales
ctorres@corralrosales.com
+593 2 2544144

On January 12th, 2020, the Constitutional Court of Ecuador issued the ruling 58-11-IN/22, by which the Law for Environmental Promotion and Optimization of State Revenue was declared unconstitutional for infringing the unity of subject matter principle.

The Constitutional Court ordered the delay of the effects derived from the ruling until December 31, 2023, aiming to avoid the creation of a severe regulatory gap related to tax matters and to guarantee legal certainty. However, neither the Executive, nor the National Assembly submitted to the Constitutional Court any information regarding the progress of the amendments needed to avoid such legal void.

Therefore, the Constitutional Court issued the verification order 58-11-IN/23 on November 1st, 2023, by which it extended the enforcement deadline for the Law of Environmental Promotion and Optimization of State Revenues until December 31, 2024. The deadline extension is only applicable to those norms that have not been amended, repealed, or replaced by other laws.

Among the articles that remain enforceable, we highlight the following:

1. Article 10, clause 18 of the Internal Tax Regimen Law which regulates the deduction of expenses related to the acquisition, use or ownership of vehicles engaged in revenue-generating commercial activities.
2. Unnumbered article added below the article 162 of the Equity Tax Law which regulates the right to use as tax credit for the payment of income tax, the Outflow Tax (ISD) paid on imports of raw material, supplies and goods employed in productive processes.

 

Andrea Moya, partner at CorralRosales
amoya@corralrosales.com
+593 2 2544144

On November 6, 2023, the President of the Republic signed the Executive Decree 904, through which the Regulation of the Law on Personal Data Protection is issued (hereinafter the “Regulation“).

Below, we highlight the key points:

I. Definitions:

The Regulation includes relevant definitions for the application of the Law on Personal Data Protection (hereinafter “LOPDP“). One of the most important definitions is the term “large-scale processing” which includes the processing of data affecting a large number of data subjects. To determine “large-scale processing” the following factors must be considered: the number of data subjects, volume and variety of data, duration or permanence of the processing activities, and the geographical scope.

Specifically, the Regulation considers the following as “large-scale processing”:

1. 1. Patient data from hospitals and healthcare institutions.
   2. Data on the movement of individuals using public transportation.
   3. Real-time geolocation data.
   4. Data from customers from insurance companies or financial institutions.
   5. Data for behavioral advertising by a search engine.
   6. Data of content, traffic, and location data by telecommunications or internet service providers.

II. Obligations of data controllers and processors located outside of Ecuador:

Controllers and processors of personal data not established in Ecuador but processing data of residents in Ecuador must appoint a special representative in the country.

III. Impact assessment of personal data processing:

LOPDP establishes the obligation to evaluate the impact of personal data processing when it is identified that such processing may generate a high risk to the rights and freedoms of the data subject.

The Regulation describes an impact assessment as a preventive analysis in which the data controller evaluates the actual impact of the data processing.

The impact assessment must be submitted to the Data Protection Authority and should include the following elements:

1. 1. Description of the operations and purposes of processing.
   2. Reasoning for the necessity to carry out the processing.
   3. Risk assessment to the rights of the data subjects; and,
   4. Security measures to address the risks.

IV. Record of Processing Activities:

The following are required to maintain a Record of Processing Activities: Controllers of personal data processing with 100 or more employees, controllers processing special categories of personal data, and any processors if the controller has the obligation to maintain such record.

The Record must include:

1. 1. Name and contact details of the controller,
   2. Purposes of the processing,
   3. Categories of recipients to whom the data has been communicated,
   4. Categories of personal data of the subjects,
   5. Use of profiles,
   6. International transfers,
   7. Legitimating basis;
   8. Data retention periods, and
   9. General description of technical, legal, administrative, and organizational measures.

V. Data Protection Officer:

Individuals with a third-level degree in Law, Information Systems, Communication, or Technologies, and a minimum of 5 years of professional experience, may be appointed as Data Protection Officers (hereinafter “DPO“).

The DPO may perform other data protection-related activities that do not conflict with the inherent responsibilities of their role.

The DPO can be hired as an employee or through a service provision contract.

Controllers or processor that are not required to appoint a DPO may do so voluntarily as a good practice and proof of compliance with the principle of proactive responsibility.

VI. Joint Responsibility:

Controllers jointly responsible for data processing with the same purposes and means will be considered as joint controllers. These joint controllers will establish their tasks and responsibilities regarding data protection through a contract, which data subjects can access if required.

VII. International Data Transfers:

The Data Protection Authority will establish the countries or organizations with an adequate level of data protection for international data transfers.

If the country or organization to which the international data transfer is made has not been qualified by the Authority, the transfer will only be permissible if certain legal instruments support the transfer.

The Regulation establishes the following criteria to establish if a country or organization has an adequate level of data protection:

1. 1. Legislation and sectoral regulations in the country on data protection.
   2. Subsequent regulations on personal data by authorities.
   3. Judicial rulings on data protection.
   4. Recognition of rights and mechanisms for their exercise in favor of data subjects.
   5. Establishment of rights and duties of data controllers and processors.
   6. Independent and autonomous authority.
   7. International commitments assumed by the country or organization regarding personal data protection.
   8. Legislation related to national security, public security, and any laws pertaining to the defense and security of the State.

The National Data Protection Registry will record:

1. 1. The country where the data recipient is located.
   2. The categories subject to the transfer.
   3. The purposes of the transfer.
   4. The identification data of the recipient.
   5. The authorization mechanism or exemption criteria for the transfer.

VIII. Security Breaches:

The Regulation establishes that security breaches must be reported to the Data Protection Authority and the Telecommunications Regulation and Control Agency in the following cases:

1. 1. When personal data has been destroyed, no longer exists, or is no longer available to the data controller,
   2. When personal data has been altered, corrupted, or is no longer intact,
   3. When the data controller has lost control or access, or personal data is no longer in their possession,
   4. When the processing has not been authorized or is unlawful, including unauthorized disclosure or access by recipients.

The Regulation will enter into force upon its publication in the Official Registry.

   

Rafael Serrano, associate at CorralRosales
rserrano@corralrosales.com
+593 2 2544144

By Resolution No. SCVS-INC-DNCDN-2023-0022 dated October 26, 2023, published in the First Supplement of the Official Gazette No. 428 of October 31, 2023, the Superintendent of Companies, Securities and Insurance ordered the repeal of Resolution No. SCVS-INC-DNCDN-2023-0019 dated August 29, 2023, which established the “Guidelines of probity and civil capacity of companies or individuals which act as legal representatives or officers of companies subject to the control and supervision of the Superintendence of Companies, Securities and Insurance”: Therefore the following documents will NO longer be required for the recordation of appointments in the Commercial Registry or the Superintendence of Companies, as the case may be, and on an annual basis before said entity:

1. The certificate of not appearing in the Database of Persons with Convicted Ruling, issued by the Financial and Economic Analysis Unit (UAFE),
2. Proof of not appearing on the following public international lists: (i) Office of Foreign Assets Control (OFAC); and (ii) United Nation’s Security Council.

The repeal is based on the fact that the Financial and Economic Analysis Unit (UAFE), and not the Superintendence of Companies, Securities and Insurance, is in charge of elaborating policies and strategies on prevention of money laundering and crime financing, as well as requiring information from the regulated entities or individuals.

     

Sofía Rosales, associate at CorralRosales
srosales@corralrosales.com
+593 2 2544144