On november 27th of 2025, the Reublic of Paraguay encacted “Law 7593/2025” Ley 7593/2025 on the Protection of Personal Data. Although this law is not yet in effect, it is subject to a 24 month regulatory period and it points out the beggining of a legal framework aimed at aligning with international standards.

Thie text implies that the mandatory parties include both individuals and legal entities, whereas the protected parties are specifically individuals.

The competent authority shall be the National Agancy for the Protetcion of the Personal Date, as stipulated in Tittle IV. This entity will assume the role currently held by the Secretariat for Consumer and User Defense (SEDECO) regarding Law No. 6534/2020 on the Protection of Credit Data. Said law will remain in effect, with the exception of specific articles clearly stated for repeal. Furthermore, it is clarified that this law will aply supplementally to matters not adressed by Law No. 6534/2020. The Institution shall posses functional authonomy, and its establishment will be overseen by the Ministry of Information and Communication Technologies (MITIC). It must also be included in the National General Budget.

Upon reviewing the content, it is more then clear that the objective is to ensure the responsible use od citizens' data. This is constitutionally mandated, as privacy is considered a protected legal interest (Article 33 of the National Constitution of the Republic of Paraguay). Under this law, personal data is recognized as an integral part of the rights to privacy, dingnity, and honor.

Particular emphasis is placed on the fact that no company or entity whether it is private or public, domestic or foreign, is authorized to process personal data without a legally established protocol. This applies to manual or automated storage, as well as public and private records located both within and outside the country. Theses protections are further strengthened when the date involves children or adoledcents.

According the text, both public and private entities must ensure that data is processed with transparency and legality, comply with regulations regarding data retention, transfer, and documentation, as well as it takes rigorous precautions to ensure confidentially and security during data handling.

Article 4 establishes the governing principles for the processing of personal data, including: data accuracy, lawfulness, purpose, minimization or proportionality, storage limitation, fairness and transparency, the balancing of public transparency and protection, due diligence, security, and confidentiality."

The text further stipulates the conditions regarding both the processing of data and the provision of consent to be granted by the natural person, as set forth in Articles 5 and 6.

The data is categorized in Chapter IV of Title I, setting forth prohibitions, special treatments, conditions, and other relevant provisions.

The law clearly shoes off that date subjects shall be provided with mechanisms to gurantee their rights of acces, rectification, objection, portability, and erasure. Furthermore, the retain the auhtority to take out or revoke consent at any time. These rights may be exercised by the individuals themselves or through an authorized representative.

Chapter V of Title I is of particular interest, as it addresses access to information held in public sources that may be denied or restricted. It provides for specific exceptions to the right of access to public information and exhaustively enumerates the instances in which such exceptions shall not apply. Furthermore, it outlines a brief procedure, including statutory deadlines, regarding the exercise of the data subject's rights.

The entities depemding on this law shall appoint a Data Protection Officer (DPO), in addition to observing all other required safeguards and aligning their practices accordingly. Chapter II of Title II establishes the obligations concerning to the data controller and the data processor.

Title V, Chapter I of the Law characterizes the described conducts as minor and serious infractions; it provides for sanctions ranging from a formal warning to fines (which are quantified according to their classification), as well as the suspension of activities related to the processing of personal data. The proceeds from these fines shall be allocated to the enforcement authority.

Finally, it is important to note that the objective is to bring the country into alignment with the legal standards of jurisdictions where personal data protection is legislated; however, this requires the adaptation of numerous practices and mechanisms to ensure that such intended protection is neither misrepresented nor manipulated.

I. Thousands of Notifications; One Main Question"

The National Directorate of Tax Revenues (DNIT) has announced that it will notify thousands of taxpayers regarding "inconsistencies" detected in their tax returns. As for the method: automated data matching through big data analysis.big dataAs for the reaction: widespread alarm, confusion on how to proceed, and in many cases, a sense of vulnerability against a system that seems to have "found something wrong" in the records.

However, there is a essential element frequently overlooked amidst the sense of urgency: these notifications are not very final resolutions.They point out the beginning of an administrative procedure in which the taxpayer is backed by solid constitutional guarantees that require the Administration to respect their right to a defense.

The question we must ask ourselves goes deeper than "How do I respond in time?" The real question is: Can an algorithm replace human analysis in decisions that affect fundamental rights? What happens when administrative efficiency clashes with non-negotiable constitutional principles?

This article aims to highlight why the use of big data, no matter how sophisticated seems to be, does not eliminate the fundamental rights of taxpayers, the systemic risks presented by its current implementation, and above all, the defensive arguments available to them.

II. The Problem: When the Algorithm Replaces (or Claims to Replace) Human Analysis

A. What Exactly is the DNIT Doing?

The DNIT has implemented big data analysis systems that cross-reference information from multiple sources, specifically:

• Your tax returns vs. withholdings reported by third parties.
• Your reported purchases vs. sales reported by your suppliers.
• Your reported sales vs. purchases reported by your clients.
• Behavioral patterns compared against industry sector averages.
• Temporal inconsistencies between different periods.

In theory, this is an efficient tool for detecting tax evasion. In practice, it presents significant risks that we must understand.

B. The Three Risks of Automation Without Adequate Safeguards

1. False Positives: When the Algorithm "Sees" Problems Where None Exist

Automated systems detect statistical correlations; they do not understand economic reality. Let’s look at some concrete examples:

Hypothetical Case 1: The Construction Company

A construction firm declares 500 million Gs. in material purchases during the first quarter; however, its suppliers only reported withholdings totaling 400 million Gs. The system detects an "inconsistency," which triggers an automated notification.

The reality the algorithm fails to see:

• A major supplier made a mistake while reporting their sales (inputting the client's tax ID incorrectly).
• Another supplier filed their tax return late, occurring after the system’s cross-check had already run.
• A third supplier is a small-scale taxpayer who is not legally required to report certain transactions.

Is this tax evasion by the construction company? No. Did the system flag it as such? Yes.

In this scenario, the algorithm generates an automatic accusation that the taxpayer is then forced to disprove. This effectively shifts the burden of proof in practice (de facto), even if the law states otherwise (de jure).

2. Process Opacity: The Tax "Black Box"

When you receive a notification, you are typically informed of:

• The fact that an "inconsistency was detected"
• The disputed amount
• The affected fiscal period

What you are frequently NOT told:

• Which specific sources of information the system used.
• The exact methodology applied for the data cross-referencing.
• The precise data points used to compare against your tax filings.
• The thresholds, margins of error, or parameters used by the algorithm.
• Whether there was a human review prior to notification, or if the process was entirely automated.

This lack of transparency creates a fundamental information asymmetry: the Tax Administration "knows" (or believes it knows) something about you that it labels as an irregularity, yet you cannot verify if this "algorithmic truth" is actually accurate.

How can you effectively defend yourself against an accusation when you don't know exactly how it was reached?

3. Implicit Presumption of Guilt: The System has Already "Decided"

Although the notification formally only "initiates" a procedure, in practice, it delivers a clear message: the system has detected that you did something wrong; now, prove otherwise.

This subtly flips the logic of due process. Article 17, Item 1 of the National Constitution establishes "the presumption of innocence." In sanctioning procedures, this means the Administration must prove a violation occurred, rather than the taxpayer having to prove their innocence.

However, once an algorithm "detects" an issue and generates a formal notice, the psychological and practical dynamics shift: you are left in the position of having to "explain" or "justify" your actions, rather than the Administration proving its accusation.

There is an additional, even more systemic problem that deserves exclusive attention: what happens when administrative proceedings and potential lawsuits multiply exponentially?

Hay un problema adicional, más sistémico, que merece atención: ¿qué sucede cuando se multiplican exponencialmente los sumarios administrativos y potenciales juicios?

Mass implementation can lead to:

1. Administrative collapse within the DNIT itself:
   • Thousands of simultaneous proceedings.
   • Limited staff to analyze defenses with the necessary level of detail.
   • Pressure to resolve cases quickly rather than correctly.
   • Risk of administrative decisions lacking sufficient legal grounds.
2. Collapse of the judicial system:
   • Paraguay already faces endemic judicial delays.
   • The Court of Accounts (First Chamber) has limited resources.
   • If a significant percentage of notified taxpayers seek judicial recourse, the system may become congested.
   • This affects all litigants, not just those involved in tax matters.
3. Unnecessary mass litigation:
   • Cases that could be solved with more careful ex ante (preliminary) analysis end up in court.
   • Costs for the State (legal defense).
   • Costs for taxpayers (legal fees, time, resources).
   • Prolonged legal uncertainty.

We are not questioning the legitimacy of using technology for oversight. We are highlighting the need to implement safeguards to prevent efficiency in detection from becoming inefficiency in resolution.

A mass notification system without robust human review filters may ultimately create more problems (and costs) than it solves.

III. Constitutional Guarantees: Five Lines of Defense

The core message every taxpayer must understand is this: automation DOES NOT eliminate your fundamental guarantees. The Constitution protects you even against Artificial Intelligence systems.

Defense 1: The Right to Know How a Decision Was Made (Algorithmic Transparency)

Legal Basis:

• Article 17, Section 7 of the National Constitution: "Prior and detailed notification of the charges."
• Article 135 of the National Constitution (Habeas Data): The right to "know how [one's data] is being used and for what purpose."

Meaning: No basta que le digan «el sistema detectó una inconsistencia». Usted tiene derecho constitucional a saber:

• What specific data did the system use?
• What were the sources of that data?
• What methodology was applied to compare them?
• What rules or parameters were used to determine that an "inconsistency" exists?

Defense 2: The Right to Human Review of Automated Decisions

Legal Basis:

• Article 16 of the National Constitution: "Every person has the right to be judged by competent, independent, and impartial courts and judges."
• The Principle of Due Process: Requires an individualized evaluation of the case.

Meaning: An algorithm can detect patterns, but it cannot exercise judgment. Your specific case with all its unique circumstances must be reviewed by a competent human official who evaluates:

• The economic context of your operations.
• The specific characteristics of your industry.
• The explanations you provide.
• The overall reasonableness of your actions.

Defense 3: Right to Challenge Data Quality and Completeness

Legal Basis:

• Article 17, Subsection 8 of the National Constitution: "the right to offer, present, oversee, and contest evidence."

Meaning: The data used by the system to detect an "inconsistency" constitutes, in procedural terms, evidence against you. Like all evidence, you have a constitutional right to examine, oversee, and contest its validity.

Defense 4: Presumption of Innocence – The Burden of Proof Lies with the Administration

Legal Basis:

• Article 17, Subsection 1 of the National Constitution: "the right to be presumed innocent."
• Article 70, Subsection 3 of Law 6715/2021: "The innocence of individuals is presumed until the contrary is proven through proper administrative proceedings."

Meaning: The DNIT must PROBAR PROVE that an actual inconsistency exists and that it constitutes a tax violation. It is not enough for an algorithm to simply "detect" something. The Administration must:

• Verify that the data is accurate.
• Demonstrate that the comparison method used is valid.
• Prove that no legitimate explanation exists.
• Disprove your arguments in defense.

You are not required to prove your innocence. The Administration bears the burden of proving your liability.

Defense 5: Right to Dispute the Validity of "Algorithmic Evidence"

Legal Basis:

• Article 17, Subsection 9 of the National Constitution: "that evidence obtained or actions taken in violation of legal norms shall not be used against the person."

Meaning: If the algorithm applied an incorrect methodology, or if the data collection process violated legal standards (for example: using protected data, making unauthorized legal inferences, or selecting taxpayers in a way that violates the principle of equality), that "evidence" cannot be used against you.

IV. What Should I Do If I Receive a Notification?

Step 1: Do Not Panic. This is the Beginning, Not the End

Take a breath. A notification is not a conviction. It is the start of a procedure in which you have multiple opportunities to defend yourself and in which the Constitution grants you solid legal guarantees.

Step 2: Determine if the Inconsistency is Real or Apparent

Carefully review your records. Ask yourself the following:

• Is the flagged amount correct, or are there discrepancies?
• Do I have documentation to support what I declared?
• Is there a reasonable explanation for the detected difference?
• Is the issue on my end, or is it based on third-party information?

If the inconsistency is real (a genuine error on your part): (error genuino de su parte):

• Consider voluntarily amending your tax return.
• You may benefit from reduced late-payment interest.
• It demonstrates good faith to the authorities.

If the inconsistency is apparent or questionable:

• Begin preparing a structured defense.

Step 3: Structure Your Defense on Three Levels

Do not submit a generic response. Articulate your defense in layers:

Level 1: Challenge the methodology and data

• "The data used by the system is incorrect because..."
• "The comparison made by the system is invalid because..."
• "The system failed to consider [relevant factor], which explains the difference..."

Level 2: Demonstrate the economic reality

• Attach complete and organized documentation.
• Explain the context of your business operations.
• Show that there is a legitimate explanation for the figures.

Level 3: Invoke your constitutional guarantees

• Demand transparency regarding the analysis performed.
• Request a human review of the case.
• Claim the presumption of innocence.
• Request full access to the information used against you.

Note: A solid defense effectively combines all three levels.

V. Conclusion: The Necessary Balance

Let’s recognize the obvious: the use of big data is a legitimate and potentially valuable tool for combating tax evasion, improving administrative efficiency, and optimizing limited public resources. In a country with high levels of informality, technological tools that allow for broader oversight are welcome.

However, we must also admit what is concerning: efficiency cannot be achieved at the expense of the fundamental guarantees protected by our National Constitution. A system that generates thousands of automated accusations without robust safeguards for prior human review, without transparency regarding its methodology, and without considering the risk of collapsing the dispute resolution system, is not a system that has found the right balance.

Until that balance is reached, taxpayers must be aware of and actively exercise the constitutional guarantees afforded to them.

Nuestra socia Alejandra Olmedo y nuestra asociada Carolina Lebrón participarán del IBA M&A Latin America Conference 2026, uno de los encuentros internacionales más relevantes en materia de fusiones y adquisiciones.

Continue reading