What is AI regulation in Paraguay?
AI regulation: countries and regions
As of mid-2026, Paraguay has no dedicated, enacted artificial intelligence law. A risk-based AI bill reached the Senate in May 2025 but remained in committee. AI is instead governed indirectly: by Law No. 7593/2025, the country's first comprehensive data protection law (promulgated in November 2025 and fully enforceable from November 2027), plus narrow sectoral rules for the judiciary and the health regulator, and non-binding UNESCO ethics commitments. The ICT ministry, MITIC, coordinates digital policy.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
Paraguay does not yet regulate artificial intelligence through a single, binding statute. There is no AI act, no AI regulator, and no enforceable national AI strategy. What exists instead is a patchwork: a brand new general data protection law, a much older credit-data law, a handful of institution-specific rules, and a set of voluntary international commitments. Anyone looking for a Paraguayan equivalent of the EU AI Act will not find one.
The most important recent development is not an AI law at all but a privacy law. On 27 November 2025, after four years of sustained advocacy since a 2021 draft, President Santiago Pena promulgated Law No. 7593/2025 on the Protection of Personal Data, Paraguay's first comprehensive data protection framework. Because almost every AI system processes personal data, this law will become the practical backbone of AI governance once it is fully enforceable, even though it does not mention AI as its main subject.
Meanwhile, a dedicated AI bill is working its way through Congress, the courts and the health regulator have issued their own internal AI rules, and the government is pursuing a large data-centre and computing partnership with Taiwan. None of these is a general, cross-sector AI law. Paraguay is therefore best described as an early-stage jurisdiction that is building the foundations for AI governance rather than one that already regulates AI directly.
Why it matters
For organisations deploying or governing AI in Paraguay, the practical message is that compliance currently runs through data protection law, sector rules and contract, not through a bespoke AI statute. The 24-month vacatio legis attached to Law No. 7593/2025 means that the central obligations (lawful basis, transparency, security, data subject rights and impact assessments for high-risk processing such as biometrics and large-scale monitoring) become fully enforceable in November 2027. That window is the real compliance clock for AI builders, because it is the rulebook that will catch most automated decision-making.
It also matters that Paraguay is positioning itself as a regional computing hub. In May 2026 President Pena announced, during a visit to Taiwan, a 50/50-financed sovereign AI computing centre, framed around the country's vast surplus of clean energy: Paraguay's half of the 14,000 MW Itaipu dam alone could power the nation roughly three times over. That surplus has drawn high-profile interest; the Industry and Commerce minister, Marco Riquelme, met executives from companies including OpenAI, Nvidia, Crusoe and Lambda in Silicon Valley in March 2026, and the Inter-American Development Bank is financing 130 million US dollars of digital infrastructure, including a Tier III government data centre. A country that wants to host AI workloads but lacks a settled AI rulebook creates both opportunity and uncertainty: early movers gain advantage, but the legal ground may shift once the pending AI bill or future regulations land. Leaders should plan for a framework that is incomplete and changing, not static.
How it works
No dedicated AI law yet
Paraguay has not enacted a general AI statute. A regulatory bill titled "Que regula y promueve la creacion, desarrollo, innovacion e implementacion de Sistemas de Inteligencia Artificial" was filed in the Senate on 8 May 2025 by Senate President Basilio "Bachi" Nunez and seven co-sponsors (expediente S-2502197). The Comision de Ciencias, Tecnologia, Innovacion y Futuro, chaired by Senator Patrick Kemper, held a public hearing on 26 June 2025. As of mid-2026 the bill had not received Senate approval (media sancion) and had not advanced to the Chamber of Deputies; it remained in committee. A separate, promotion-oriented AI bill exists in the Chamber of Deputies (expediente D-2584139). Neither has become law.
The draft Senate bill follows a risk-based design similar to the EU AI Act and Brazil's PL 2338/2023. It would prohibit AI uses of excessive risk (for example subliminal manipulation, exploitation of vulnerable groups, and state social scoring), classify high-risk systems and require an algorithmic impact assessment for them, grant affected persons rights to information, explanation, contestation and human review, and provide for civil liability, codes of good practice, serious-incident reporting and supervision. Notably, the draft refers to a generic "competent authority" rather than creating a dedicated independent AI regulator, a gap flagged at the hearing.
Data protection is the real backbone
The pivotal instrument is Law No. 7593/2025 on the Protection of Personal Data, promulgated on 27 November 2025. It is Paraguay's first comprehensive, cross-sector data protection law, applying to public and private bodies and to automated and non-automated processing. It is inspired by the EU General Data Protection Regulation and draws on Argentine and Mexican models. It establishes data subject rights (access, rectification, deletion, objection, portability), principles (lawfulness, transparency, minimisation, purpose limitation, security and accountability), rules on international transfers, and a sanctions regime. It creates a new regulator, the Agencia Nacional de Proteccion de Datos Personales (ANPDP), housed under MITIC. The law carries a 24-month vacatio legis, so full enforceability arrives in November 2027.
For AI specifically, two features matter. First, the law requires a data protection impact assessment in defined high-risk cases such as biometric systems and large-scale monitoring. Second, Article 59 amends the older credit-data regime so that the ANPDP takes exclusive competence over privacy and data subject rights, producing a "Twin Peaks" split in which the Central Bank keeps prudential oversight of credit bureaus while the ANPDP governs privacy.
The older credit-data law
Before 2025, Paraguay's only data-specific statute was Law No. 6534/2020 on the Protection of Personal Credit Data, in force since October 2020. It is narrow: it governs credit information held by credit bureaus, with the Central Bank of Paraguay (through the Superintendency of Banks) and the consumer protection agency SEDECO as enforcement authorities. It sets a five-year retention limit for credit data and, in Article 15, prohibits using credit data for employment decisions or to deny urgent medical care. It is relevant to AI-driven credit scoring but is not a general data or AI law.
Sectoral AI rules
Two binding rules apply AI principles in narrow domains. The Supreme Court of Justice approved Resolution No. 12.677, an institutional policy on the use of AI systems in the judiciary, developed with technical cooperation from UNESCO's Montevideo regional office under a December 2024 cooperation agreement. It treats AI as a support tool that cannot replace human judicial decision-making and requires disclosure when AI affects rights. Separately, the health regulator DINAVISA issued Resolution No. 047/2026 in February 2026, creating a Strategic Working Unit to guide ethical, transparent AI use in its regulatory processes, with human decision-making preserved; the unit was still being organised.
Digital governance and strategy
MITIC (Ministerio de Tecnologias de la Informacion y Comunicacion), created by Law No. 6207/2018, is the lead ICT authority and the de facto coordinator of AI policy. Its principal instrument is the Plan Nacional TIC 2022 to 2030 (PNTIC), approved by Decree No. 8942/2023, a broad digital-society vision covering infrastructure, digital government, the ICT ecosystem and cybersecurity. It is not a dedicated national AI strategy. Paraguay also has an Estrategia Nacional de Ciberseguridad 2024 to 2028.
International commitments
Paraguay endorsed UNESCO's 2021 Recommendation on the Ethics of Artificial Intelligence, which is non-binding. With MITIC and the science council CONACYT, it completed a UNESCO Readiness Assessment Methodology (RAM) exercise, with the national report presented in November 2025. The RAM recommendations included enacting a comprehensive data protection law (since done), adopting a multi-actor national AI strategy, and promoting digital inclusion in rural and indigenous communities, including in the Guarani language.
Examples
A bank in Asuncion using an AI credit-scoring model: today it must comply with Law No. 6534/2020 on credit data (Central Bank and SEDECO oversight, five-year retention, no use for employment decisions). From November 2027, Law No. 7593/2025 adds general privacy obligations enforced by the ANPDP, including transparency and rights for individuals subject to automated decisions, under the "Twin Peaks" split with the Central Bank.
A court using AI to manage information or draft documents: under Supreme Court Resolution No. 12.677, AI may assist but cannot replace human decisions, and its use must be disclosed where it affects rights or guarantees, with judges retaining responsibility.
A health-technology vendor selling an AI triage or analysis tool to the Paraguayan regulator: DINAVISA Resolution No. 047/2026 channels such use through its Strategic Working Unit, requiring ethical, transparent and traceable use aligned with data protection rules, with no autonomous regulatory decisions by the system.
Common misunderstandings
"Paraguay has passed an AI law." It has not. As of mid-2026 there is no enacted general AI statute; a risk-based bill is stalled in the Senate, and a separate promotion bill sits in the Chamber of Deputies.
"There is no data protection in Paraguay." Outdated. Paraguay passed its first comprehensive data protection law (No. 7593/2025) in November 2025, ending years of reliance on a narrow credit-data law and constitutional provisions.
"The new data protection law is already in force." Not fully. It carries a 24-month vacatio legis, so its core obligations become fully enforceable in November 2027.
"The Supreme Court's AI rules apply to everyone." No. Resolution No. 12.677 is an internal judicial policy; it binds magistrates and court staff, not private companies or other state bodies.
"The Taiwan AI computing deal is AI regulation." No. The sovereign computing centre and the proposed Yguazu Digital binational entity are infrastructure and economic policy, not a legal framework for AI use.
Risks and boundaries
This article describes an emerging, incomplete framework. The headline limit is that Paraguay has no binding, cross-sector AI law and no AI regulator; the Senate AI bill had not been approved as of mid-2026 and could change substantially or stall. Legislative status should be reverified against official congressional records, because secondary trackers have at times conflated Paraguay's bill with Bolivian and Chilean AI bills.
The data protection law is enacted but not yet fully enforceable, and much detail awaits implementing regulation and the practical stand-up of the ANPDP. The sectoral rules (judiciary, health regulator) are genuinely binding but narrow, applying only within those institutions. UNESCO commitments and the RAM report are influential but non-binding. Finally, exact promulgation dates and some figures reported in the press vary slightly between sources; where precision matters, consult the Gaceta Oficial and the BACN legal database.
What to do next
Treat data protection as the operative AI rulebook. Map where your AI systems process personal data and build a compliance programme around Law No. 7593/2025 now, using the transition period to November 2027 rather than waiting. Prioritise data protection impact assessments for biometric and large-scale monitoring use cases, because the law makes these mandatory.
For regulated sectors, check the institution-specific rules: credit and finance (Law No. 6534/2020 plus Central Bank resolutions), the judiciary (Resolution No. 12.677), and health (DINAVISA Resolution No. 047/2026). Maintain human oversight and disclosure as a default, since that is the common thread across every Paraguayan instrument.
Monitor the Senate AI bill and any implementing regulations for the ANPDP. If it advances, expect EU-style risk tiers, prohibited uses, high-risk obligations and an impact-assessment duty. Build governance that would already satisfy a risk-based regime, so that future enactment is an adjustment rather than a rebuild.
Have a question or a suggestion, or want to understand how we research and review these guides? Read about our editorial standards and how to reach us.
FAQs
Does Paraguay have a dedicated AI law?
No. As of mid-2026 there is no enacted general AI statute. A risk-based AI bill was filed in the Senate in May 2025 but remained in committee without approval.
What law most affects AI in Paraguay today?
Law No. 7593/2025 on the Protection of Personal Data, promulgated on 27 November 2025. It is the first comprehensive data protection law and becomes fully enforceable in November 2027, governing the personal data that AI systems use.
Is there an AI regulator in Paraguay?
There is no dedicated AI regulator. The new data protection regulator, the Agencia Nacional de Proteccion de Datos Personales (ANPDP) under MITIC, will oversee privacy. MITIC coordinates digital and AI policy more broadly.
What does the pending AI bill propose?
A risk-based model resembling the EU AI Act and Brazil's PL 2338/2023: prohibited high-risk uses, obligations and impact assessments for high-risk systems, rights to explanation and contestation, civil liability and incident reporting.
How does Paraguay compare with Brazil and Chile?
Paraguay is behind both. Brazil's Federal Senate approved PL 2338/2023 on 10 December 2024 and forwarded it to the Chamber of Deputies on 17 March 2025, while Chile has an advanced risk-based AI bill in Congress. Paraguay only recently passed its first data protection law and has no enacted AI law.
Are there binding AI rules anywhere in Paraguay?
Yes, but only in narrow sectors: the Supreme Court's Resolution No. 12.677 for the judiciary and DINAVISA Resolution No. 047/2026 for health regulation. Both keep humans in control and require transparency.
Has Paraguay made international AI commitments?
Yes. It endorsed UNESCO's 2021 Recommendation on the Ethics of Artificial Intelligence and completed a UNESCO Readiness Assessment, but these are non-binding policy commitments rather than enforceable law.