What is AI regulation in Uruguay?
AI regulation: countries and regions
Uruguay does not currently have a single, dedicated AI Act. Instead, AI governance is built from a national AI strategy, digital government guidance and existing law, especially the personal data regime in Law No. 18.331 and related decrees. AGESIC leads policy and public sector governance, while the URCDP enforces data protection. In practice, organisations manage AI in Uruguay through privacy, transparency, impact assessment and risk based governance rather than one stand alone AI code.
What this means
Uruguay's AI framework is policy led, not code led. The country moved from a 2020 AI strategy focused on digital government to a 2024 to 2030 national AI strategy that covers a broader public policy agenda. AGESIC sits at the centre of that work and uses its digital government role to shape practical standards for the state.
The main binding rules for many AI systems still come from data protection law. If an AI tool uses personal data, Uruguay's privacy regime becomes central: legal basis, purpose limitation, security, data subject rights, cross border transfer rules and controls on certain automated decisions all matter.
For the public sector, transparency also matters. Uruguay has official guidance on algorithmic transparency, reporting AI use cases in the state observatory, documenting systems properly and carrying out impact assessments when AI projects affect people or involve personal data.
Why it matters
This matters because many AI projects in Uruguay will be governed by rules that do not mention AI by name. A credit model, hiring screen, fraud system, customer service bot, biometric system or public sector assistant can all trigger duties on personal data, transparency, documentation, human review and cross border transfers.
For founders, buyers and governance leads, the real compliance risk is not only a future AI statute. It is getting today's privacy and governance architecture wrong. Uruguay can be attractive because it offers a relatively mature privacy environment for the region, including EU adequacy, but that also means more scrutiny for systems that affect rights, services or significant decisions.
How it works
Uruguay uses a layered model
Uruguay's official framework does not yet resemble a single all purpose AI code. Article 74 of Law No. 20.212 gave AGESIC the task of designing and developing a national data and AI strategy based on international standards, with joint work with the URCDP on personal data matters. The National AI Strategy 2024 to 2030 then sets the public policy architecture: principles, governance lines, capacity building and sustainable development.
That matters because the strategy itself points toward further regulatory development. It expressly speaks about future risk based measures, sector specific frameworks, transparency duties, audit models, procurement rules and other instruments. So the current picture is partly binding law already in force, and partly a roadmap for future rulemaking.
AGESIC sits at the centre of governance
AGESIC is Uruguay's digital government agency, and AI policy has grown out of that institutional role. Uruguay first framed AI for public administration in its 2020 strategy for digital government, then broadened that work into a national strategy built through participation by public bodies, private firms, academia, civil society and citizens.
AGESIC also issues practical governance tools for the state. These include the AI Observatory in the State, transparency guidance and impact assessment tools. So AGESIC is not a single all purpose AI regulator, but it is the main coordinating body for strategy, standards, public sector practice and future policy design.
Data protection law does most of the hard legal work
For organisations using AI with personal data, the main binding rules come from Law No. 18.331 and its later updates. The regime applies across public and private sectors and now reaches some foreign controllers and processors that target people in Uruguay or use means located there. Core duties include lawful processing, purpose limitation, data quality, security, confidentiality and consent or another recognised legal basis.
Uruguay's newer privacy architecture is especially relevant for AI. It includes proactive accountability, privacy by design, privacy by default, security incident handling, breach notification to the URCDP within 72 hours once a relevant breach is known, and mandatory data protection impact assessments in specified cases. It also requires data protection delegates in some circumstances, especially where the scale or sensitivity of processing justifies stronger internal control. The URCDP can investigate and sanction non compliance.
People also have rights that matter directly for AI systems. They can access, correct and delete data. They can also challenge decisions based solely on automated personal evaluations that significantly affect them. In those cases, they are entitled to information about the valuation criteria and the program used.
Public sector AI must also answer to transparency rules
In the state, AI governance is not only about privacy. AGESIC and the UAIP have issued algorithmic transparency recommendations so public bodies report AI use cases to the AI Observatory in the State, publish basic information proactively, keep detailed documentation and handle access to information requests case by case rather than by blanket secrecy.
The same guidance links transparency to impact assessment. If personal data is involved, bodies should carry out the data protection impact assessment required by the privacy regime. AGESIC also recommends an algorithmic impact study so teams think through automation level, affected groups, risks, controls and human supervision before deployment and during operation.
Cross border data flows shape AI operations
Uruguay's privacy regime also matters when AI systems move data abroad for hosting, model development or cloud processing. The law restricts transfers to countries or international organisations without adequate protection, unless an exception applies or the URCDP authorises adequate safeguards such as contractual clauses.
At the same time, Uruguay stands out in the region because the European Commission has recognised it as providing an adequate level of protection for personal data transferred from the EU. That does not make Uruguay a copy of the EU AI Act, but it does place Uruguay's AI debate inside a rights based and internationally aligned governance tradition, not a pure self regulation model.
Examples
A foreign hotel, delivery company or AI enabled service that markets to residents of Uruguay specifically is not automatically outside the legal frame just because it sits abroad. Uruguay's official data protection guidance gives the example of a foreign service directed at people in Uruguay, with local language and local currency features, as a case that can fall within the territorial scope of the law. If that service then transfers personal data to a non adequate jurisdiction, it must analyse transfer conditions and, where needed, put safeguards in place before moving the data.
A public body introducing an AI system for a citizen facing service should not treat it as only an internal technology project. AGESIC and UAIP guidance expects the organisation to report the case in the state AI Observatory, publish core information proactively, keep documentation on the system and assess whether personal data triggers a data protection impact assessment. AGESIC also recommends an algorithmic impact study so the team can test explainability, automation level and human supervision before wider use.
A lender, employer, insurer or similar organisation using an automated personal evaluation must remember that Uruguay's privacy regime protects the individual against significant decisions based solely on automated profiling. The person can challenge that valuation and ask for information about the criteria and the program used. If the system uses biometric data, the need for a prior impact assessment becomes even more important because Uruguay treats biometric data as specially protected.
Common misunderstandings
"Uruguay already has an AI Act like the EU AI Act." No. Uruguay's framework is still layered and mostly built from strategy, privacy law, transparency law and guidance.
"Only public agencies need to think about AI governance." No. Private organisations, including some foreign firms targeting people in Uruguay, can also fall within the privacy regime.
"If an AI tool only assists a human, legal duties disappear." No. Documentation, transparency, privacy and human rights issues can still arise where the system shapes a significant decision.
"Data protection is only about consent." No. Uruguay uses consent heavily, but it also imposes broader duties such as security, purpose limitation, accountability and transfer controls.
"EU adequacy means Uruguay can ignore its own local rules." No. Adequacy helps with some inbound data flows from Europe, but local law, URCDP supervision and transfer conditions still apply.
Risks and boundaries
Uruguay's framework is more developed than a policy vacuum, but it is not yet a finished, comprehensive AI code. The 2024 strategy and the 2024 recommendations report both point toward future regulatory development, including risk based measures, sector rules, procurement rules, audit models and possible prohibitions or moratoria for uses society may regard as unacceptable. Those directions are important, but they are not the same thing as enacted, general obligations across the board.
That means legal certainty still depends on context. Personal data, biometrics, children, public services, employment, credit, health, security uses and cross border transfers all raise different issues. Public sector guidance on transparency and impact assessment is influential and practically important, but it does not automatically convert every recommendation into a binding rule for every private actor. If an AI system can materially affect rights, benefits, pricing, access or reputation, organisations should treat it as a high scrutiny project even if no statute uses that exact label.
What to do next
Map every AI use case already in production, procurement or pilot.
Mark where personal, sensitive, biometric or children's data appears.
Identify any system that materially influences employment, credit, insurance, access to services, fraud detection, eligibility or another significant decision.
Run a data protection impact assessment where the law requires it, and use an algorithmic impact study more broadly for systems with meaningful automation.
Give one senior owner responsibility for documentation, vendor terms, human review, incident handling and public disclosures.
Check transfer routes, hosting locations and contractual safeguards before moving training, user or operational data abroad.
Monitor AGESIC, URCDP and legislative developments for the next phase of risk based and sector specific rulemaking.
FAQs
Does Uruguay have a dedicated AI law?
Not yet as a single general statute. Uruguay currently governs AI through a mix of strategy, data protection law, transparency rules and public sector guidance.
Who regulates AI in Uruguay?
There is no single all purpose AI regulator. AGESIC leads strategy and public sector governance, while the URCDP enforces data protection rules. Other sector bodies may also matter depending on the use case.
Does Uruguay's data protection law apply to foreign companies?
Yes, in some cases. The law can apply to foreign controllers or processors when they direct goods or services to people in Uruguay or use means located in Uruguay.
Are impact assessments required for AI?
Data protection impact assessments are mandatory in specified cases under Uruguay's privacy regime. AGESIC also recommends an algorithmic impact study, especially for public sector systems and systems with meaningful automation.
Can someone challenge an AI based decision in Uruguay?
Yes. A person can challenge certain decisions based solely on automated personal evaluations that significantly affect them and can ask for information about the valuation criteria and the program used.
How do cross border data transfers work?
Transfers from Uruguay to places without adequate protection are restricted unless an exception applies or adequate safeguards are used, and URCDP involvement may be needed. Transfers from the EU to Uruguay are helped by the EU's adequacy finding for Uruguay.
Is Uruguay close to the EU model?
On privacy, Uruguay is closer to European standards than many countries in the region, especially because of EU adequacy. But it does not yet have an AI specific framework equivalent to the EU AI Act.