Verify any claim · lenz.io
Claim analyzed
Legal: “Between 2020 and 2023, the protection of personal data in digital applications in Peru has been linked to violations of fundamental rights.”
The conclusion
Evidence from Peru's constitutional jurisprudence and data-protection enforcement indicates that, during 2020–2023, failures to protect personal data in digital contexts were treated as implicating fundamental rights such as privacy and personal dignity. Still, several cited materials are general or conditional, and enforcement statistics do not necessarily equal proven rights violations in specific apps. The claim is directionally accurate but somewhat overstates specificity to “digital applications” and the degree of confirmed violations.
Caveats
- Low confidence conclusion.
- Several cited sources describe potential impacts (“can affect rights”) or general legal principles, not necessarily documented, adjudicated violations tied to specific apps in 2020–2023.
- Regulatory fines/resolutions show compliance enforcement and remedies, but they do not automatically establish judicially confirmed “fundamental rights violations.”
- The term “digital applications” is narrower than much of the evidence, which often concerns broader digital systems, platforms, or public-sector data handling.
Sources
Sources used in the analysis
Recent posts of potential breaches involving EsSalud, Movistar Perú, and Sunarp serve as a stark reminder of these risks, highlighting the critical vulnerabilities within our digital infrastructure. This breach disclosed a vast array of personal data, encompassing vehicle identification numbers (VINs), owners' full names, vehicle descriptions, brands, and fabrication dates, thus highlighting the extensive range of personal information that's vulnerable. According to another threat actor who got access to Movistar Perú, 5 million records including phone numbers, email, national ids, and full names were exposed in a different channel. EsSalud, a key player in healthcare, potentially saw 3.3 million records exposed, revealing sensitive information such as sex, age, date of birth, address, national ID, and phone number.
Inadequate security practices not only increase the risk of data breaches but also expose organisations to enforcement action for failing to meet their legal obligations. Deficient consent practices remain one of the most common compliance gaps in Peru. The ANPDP has the authority to investigate complaints, conduct inspections, issue corrective orders, and impose administrative fines. Enforcement activities have increased in recent years, with the authority focusing on data bank registration compliance, consent practices, security measures, and response to data subject rights requests.
The NAPPD imposed fines for more than S/. 7.6 million during 2023, as well as supervised 336 entities, initiated 132 sanctioning procedures and registered 2,670 personal data banks. The primary industries sanctioned are financial, banking, technology, retail, travel, and education.
A data breach can expose sensitive information, affecting fundamental rights such as privacy and identity, and this can result in fines from the National Authority for Personal Data Protection (ANPDP).
Hiperderecho, a Peruvian non-profit, proposed 15 measures to improve the COVID-19 app that the Peruvian Government was rolling out in April 2020. Their work also highlights concerns like 'Data exploitation in reproductive healthcare in Peru' and 'Public-Private Partnerships on Technology in Peru: A Government without horizon' where who has access to the data is unclear.
Article 2 of the Political Constitution of Peru sets forth certain fundamental rights that every person has, including a right to privacy regarding information that affects personal and family privacy, which was the basis for the creation of a law that specifically protects the use of personal data of any natural person and applies to both private and state entities. The Personal Data Protection Law No. 29733 ('PDPL') was enacted in June 2011.
Derechos Digitales launched a guide for digital safety during protests, noting that in Peru, 'more than 50 social activists and leaders... woke up to find their mobile phones blocked' and that internet signals were being blocked in some regions, limiting communication and reporting.
The Peruvian State is undergoing a digital transformation of its Public Administration, which poses challenges for personal data protection; the Political Constitution of Peru guarantees the fundamental right to privacy and informational self-determination (art. 2.6). This article critically analyzes the current regulatory framework, considering constitutional principles and relevant jurisprudence, such as STC N.° 238/2022 (habeas data), where the Tribunal ordered the State to encrypt and delete a citizen's data after an improper leak, linking the 'right to be forgotten' with personal dignity. It also reflects on the risks of digital expansion of the State, including potential security breaches, use of biometric and geolocation data, and lack of staff training.
The National Authority for Personal Data Protection (ANPD) imposed fines exceeding S/ 7.6 million during 2023. In the same period, 272 resolutions were issued in trilateral protection procedures aimed at safeguarding the rights of individuals to access, rectify, cancel, or oppose certain treatments of their personal data, leading many to achieve satisfaction regarding information published about them.
The analysis of the right to be forgotten in Peru reveals limited progress and significant challenges. Although Law N°. 29733 establishes a general basis for data protection, it does not specifically regulate this right, making its application difficult in digital platforms. Furthermore, the lack of resources in the ANPDP, technological gaps, and inequalities in rural areas limit its effective exercise.
Peru adopted a comprehensive data protection law in 2011. It applies to personal data contained in databases held by public and private bodies, whose processing is carried out in the national territory. Peru's Constitution states that private communications can only be opened, seized, intercepted, or intervened by a reasoned judicial order, issued in accordance with legal rules and safeguards.
On September 25, 2020, Edward Antonio Muñoz Salazar filed a habeas data lawsuit seeking information about who provided his personal, intimate, reserved, and confidential information, which was revealed and disclosed on a Facebook social media account. The court declared the demand unfounded, stating that the habeas data process is not suitable for protecting claims related to the alleged affectation of the plaintiff's personal sphere due to the use of personal data without consent, leaving other legal actions available.
Expert review
How each expert evaluated the evidence and arguments
Expert 1 — The Logic Examiner
The logical chain from evidence to claim is broadly sound but contains inferential gaps: Source 4 (EY) uses conditional language ("can expose... affecting fundamental rights"), Source 8 (Sapere) documents a real Constitutional Tribunal ruling (STC N.° 238/2022) directly linking an improper digital data leak to violations of privacy and personal dignity within the 2020–2023 window, Source 5 (Privacy International/Hiperderecho) flags concrete data exploitation concerns in Peru's COVID-19 digital app from April 2020, Source 9 (RIPD) confirms 272 trilateral protection resolutions in 2023 aimed at safeguarding fundamental rights against unlawful data processing, and Source 12 (Tribunal Constitucional) — while rejecting habeas data as the procedural vehicle — confirms that unauthorized personal data disclosure on a digital platform was litigated as a fundamental rights issue in 2020. The opponent correctly identifies that some evidence is conditional or lacks precise "digital applications" specificity, and that the one concrete judicial ruling (Source 12) rejected the habeas data claim on procedural grounds; however, the proponent correctly counters that procedural rejection does not negate the underlying rights violation, and the cumulative weight of Sources 5, 8, and 9 does establish a documented, not merely hypothetical, linkage between personal data protection failures in digital contexts and fundamental rights violations in Peru during 2020–2023. The claim is broadly true — the evidence establishes a real, documented linkage — but the inferential chain is not perfectly tight because some sources are conditional, some lack precise date-and-application specificity, and the strongest judicial example (Source 12) is procedurally ambiguous, warranting a "Mostly True" verdict rather than an unqualified "True."
Expert 2 — The Context Analyst
The claim asserts a causal/associative link between failures in personal data protection in digital applications in Peru and violations of fundamental rights during 2020–2023. The evidence broadly supports this framing: Source 8 documents a Constitutional Tribunal ruling (STC N.° 238/2022) directly linking an improper digital data leak to violations of privacy and personal dignity; Source 5 flags data exploitation concerns in Peru's COVID-19 digital app from April 2020; Source 4 (EY) explicitly connects data breaches to impacts on fundamental rights like privacy and identity; and Source 9 confirms 272 trilateral protection resolutions in 2023 aimed at safeguarding individuals' data rights. However, important context is missing: the claim's framing implies a systematic, established pattern of proven rights violations tied specifically to "digital applications," whereas much of the evidence is conditional or general (EY says breaches "can" affect rights), enforcement actions address compliance gaps rather than confirmed fundamental rights violations, and the only concrete judicial ruling within the window (Source 12) actually rejected the habeas data claim on procedural grounds. The claim is broadly true in that data protection failures in Peru's digital sphere have been repeatedly and credibly linked to fundamental rights concerns during 2020–2023, but the framing slightly overstates the directness and certainty of the linkage without acknowledging that many documented cases involve potential or procedurally unresolved violations rather than judicially confirmed ones.
Expert 3 — The Source Auditor
The most authoritative sources in this pool include Source 6 (DLA Piper, a high-authority legal reference confirming Peru's constitutional right to privacy as the basis for data protection law), Source 12 (Tribunal Constitucional, a primary legal source showing a 2020-filed habeas data case over unauthorized digital disclosure of personal data — though the court found habeas data procedurally unsuitable, the case itself confirms the rights-violation linkage was litigated), Source 8 (Sapere/academic journal documenting STC N.° 238/2022 where the Constitutional Tribunal ordered data encryption and deletion after an improper leak, directly linking data protection failures to personal dignity), Source 9 (RIPD reporting 272 trilateral protection resolutions in 2023 by ANPDP safeguarding fundamental rights), and Source 4 (EY, a major professional services firm, explicitly stating data breaches in Peru "can expose sensitive information, affecting fundamental rights such as privacy and identity"). Collectively, these credible sources confirm that within the 2020–2023 window, failures in personal data protection in Peru's digital environment were repeatedly and concretely linked to fundamental rights concerns — through constitutional litigation, regulatory enforcement, and documented breaches — though the claim's specific framing around "digital applications" is only partially and indirectly supported, and the sole concrete judicial ruling (Source 12) found the habeas data remedy procedurally inapplicable in that specific case, introducing a meaningful caveat. The claim is broadly substantiated by reliable, independent sources as mostly true, with the nuance that the linkage is well-established in principle and through enforcement/jurisprudence, even if not every source ties breaches exclusively to "digital applications" with a confirmed rights-violation finding.
Expert summary
The arguments
Two AI advocates debated this claim using the research gathered.
Argument for
The claim is firmly supported by a convergence of authoritative legal, institutional, and civil society evidence: Source 4 (EY) explicitly states that data breaches in Peru "can expose sensitive information, affecting fundamental rights such as privacy and identity," while Source 8 (Sapere) documents a landmark Constitutional Tribunal ruling (STC N.° 238/2022) directly linking improper data leaks to violations of privacy and personal dignity — a habeas data case arising precisely within the 2020–2023 window. Further corroborating this, Source 1 (Constella Intelligence) details massive breaches of EsSalud and Movistar Perú exposing millions of sensitive personal records, Source 5 (Privacy International/Hiperderecho) flags data exploitation concerns in Peru's COVID-19 digital app launched in April 2020, and Source 9 (RIPD) confirms that by 2023 Peru's ANPDP had issued 272 resolutions in trilateral protection procedures specifically aimed at safeguarding individuals' fundamental rights against unlawful personal data processing — collectively demonstrating that throughout 2020–2023, failures in the protection of personal data in digital applications in Peru were concretely and repeatedly linked to violations of fundamental rights.
The Proponent's case equivocates between generalized risk statements and the motion's required 2020–2023, “digital applications” linkage: EY is explicitly conditional (“can affect” rights) rather than evidencing actual rights violations in that period (Source 4, EY), while the breach reporting likewise lacks a demonstrated, rights-violation finding tied to specific applications and dates within 2020–2023 (Source 1, Constella Intelligence; Source 5, privacyinternational.org). More importantly, the Proponent's attempt to treat enforcement volume and an uncited “STC N.° 238/2022” reference as dispositive is a non sequitur—RIPD describes procedures and resolutions aimed at safeguarding access/rectification/cancellation/opposition rights, not established fundamental-rights violations caused by digital apps (Source 9, RIPD), and the only concrete Tribunal Constitucional decision in the brief for the window rejects habeas data as the proper vehicle for the alleged Facebook disclosure, cutting against the asserted linkage (Source 12, Tribunal Constitucional).
Argument against
The motion claims a 2020–2023 linkage between personal-data protection in digital applications and violations of fundamental rights, but the only concrete 2020–2023 judicial example provided cuts the other way: the Tribunal Constitucional held habeas data was not an appropriate route for an alleged Facebook disclosure and rejected the claim (Source 12, Tribunal Constitucional), undermining the asserted rights-violation linkage in that period. Most other cited materials either generalize about potential impacts or report breaches/enforcement without tying them specifically to “digital applications” in Peru during 2020–2023 (e.g., Source 4, EY; Source 1, Constella Intelligence), so the brief does not substantiate the motion's specific timeframe-and-causation claim.
The Opponent commits a clear non sequitur by citing Source 12 (Tribunal Constitucional) as evidence against the claim: a court ruling that habeas data was procedurally unsuitable for a particular Facebook disclosure case does not negate that the underlying violation of personal data rights occurred — it merely redirects the legal remedy, and in fact confirms that unauthorized disclosure of personal data on a digital platform was litigated as a fundamental rights issue within the 2020–2023 window. Furthermore, the Opponent's assertion that the evidence fails to tie breaches to "digital applications" specifically ignores Source 5 (Privacy International/Hiperderecho), which explicitly flags data exploitation concerns in Peru's COVID-19 digital application launched in April 2020, Source 8 (Sapere), which documents a Constitutional Tribunal ruling ordering the State to encrypt and delete data after an improper digital leak and directly linking this to personal dignity, and Source 9 (RIPD), which confirms 272 trilateral protection resolutions in 2023 aimed at safeguarding individuals' fundamental rights against unlawful data processing — all of which are squarely within the claimed timeframe and context.