Uruguay has not adopted national legislation based on or influenced by the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Commerce.

It is reported that self-declaration of conformity (SDoC) is not allowed for foreign companies for any radio transmitting devices, such as cellular exchanges, radio alarm devices, wireless remote controls, wireless microphones, cellular phones, cordless phones, radio communications transceiver equipment, wireless network cards, wifi/bluetooth transmitter devices, drone transceivers, among others. The approvals in Uruguay are regulated by the Regulatory Unit of Communications Service (URSEC). The approvals, once obtained, are valid for 15 years. Typically, approvals can be obtained in less than 10 weeks without in-country testing.

Uruguay has joined two agreements with binding commitments to open transfers of data across borders. Art. 8.10 of the Chile-Uruguay Free Trade Agreement provides that each Party shall permit the cross-border transfer of information by electronic means, including personal information, where this activity is for the conduct of the business of a person of a Party. In addition, Art. 8.11 states that a Party may not require a person of the other Party to use or locate computer facilities in the territory of that Party as a condition for doing business in that territory. Similar requirements are found in Arts. 7 and 8 of the Mercosur Agreement on Electronic Commerce, ratified by Uruguay in September 2022 and in force between Paraguay and Uruguay since August 2023.

Uruguay has a data protection framework established in Law No. 18.331 - Personal Data Protection Law.

According to the Art. 40 of Law No 19,670, the appointment of a Data Protection Officer (DPO) is mandatory in the following cases: (i) public state or non-state entities, (ii) private or partially state-owned entities, (iii) private entities which process sensitive data as a core activity, and (iv) private entities which process large scales of data (Art. 10 of Decree 64/2020 establishes that large scales of data mean the data processing of more than 35,000 data subjects).
The appointment of a DPO must be submitted to the Regulatory Unit for the Control of Personal Data (URCDP) for approval. If the legal and technical requirements are not met, the Regulator is empowered to refuse or revoke (as the case may be) the submission/authorisation to the appointed DPO, as set forth in Resolution No. 32/20. The delegate is responsible for advising the organisations they represent on compliance with the rules set forth in Law No. 18,331 on Personal Data Protection. In addition, they serve as the main point of contact with the URCDP, among other functions.

According to Art. 6 of Decree 64/2020, prior to the start of processing, the controller and the processor shall, in certain circumstances, carry out an assessment of the impact on the protection of personal data (DPIA).
According to Art. 10, the controller and the processor shall assess the DPIA when the processing operations may:
- Use sensitive data as a core business.
- Project permanent or stable processing of the specially protected data referred to in Chapter IV of Law No. 18.331 of August 11, 2008, or data related to the commission of criminal, civil, or administrative offences.
- Involve an evaluation of personal aspects of the data subjects to create or use personal profiles, in particular by analysing or predicting aspects related to their work performance, economic situation, health, personal preferences or interests, behavioural reliability, financial solvency, and location.
- To process data of groups of persons in a situation of special vulnerability and, in particular, of minors or persons with disabilities.
- Processing of large volumes of personal data.
- Transfer of personal data to other States or international organisations for which there is no adequate level of protection.
- Others determined by the Regulatory and Control Unit of Personal Data.

It is reported that a basic legal framework on intermediary liability for copyright infringement is absent in Uruguay's law and jurisprudence.

It is reported that a basic legal framework on intermediary liability beyond copyright infringement is absent in Uruguay's law and jurisprudence.

According to Arts. 1 and 2 of Decree No. 274/014, mobile service providers must maintain an up-to-date register of individuals or legal entities contracting prepaid or postpaid services. Additionally, individuals or legal entities wishing to contract for these services are required to provide the identification data specified in Art. 4, including the subscriber's name, legal identification document, and address.

Pursuant to Art. 3 of Decree No. 92/014, the computer systems of the Central Administration are required to be housed within secure data centres located in Uruguay, except in instances where the associated public entity is not exposed to risk, as determined by specific guidelines outlined in the aforementioned Decree. Accordingly, unless such risk is absent, public entities forming part of the Central Administration must retain their data within the national territory. The guidelines in question establish general requirements pertaining to infrastructure and operational standards, including telecommunications systems, architectural design, electrical and mechanical systems, access control and security measures, system monitoring, service availability, and service level provisions.

Several regulations implement limits to the storage of data abroad by financial institutions regulated by the Central Bank of Uruguay (BCU). In particular, prior authorisation from the BCU may be required if the storage of such information is deemed, under banking law, to constitute data processing. In this regard, the BCU has maintained that cloud computing services may be classified as a form of data processing outsourcing. Consequently, in order for a financial services institution to engage the services of a foreign cloud computing provider, it must first submit a formal request for authorisation to the BCU. This request must include details of the proposed contract, information about the service provider, and an impact assessment outlining the risks associated with the outsourcing arrangement. In addition, the financial institution is obliged to establish a local data backup or maintain a unified access point on its premises.

Art. 23 of Law No. 18.331 stipulates that international transfers of personal data are permissible only where the recipient country or international organisation ensures a level of protection deemed adequate by the Uruguayan Data Protection Authority (URCDP). Transfers to jurisdictions lacking such adequacy may proceed solely under the statutory exceptions or with prior authorisation from the URCDP. The law provides the following exceptions:
- international judicial cooperation under an applicable treaty or convention;
- exchange of medical data where necessary for the treatment of the data subject or for public health purposes;
- banking or stock exchange transfers relating to the relevant transactions and in compliance with applicable legislation;
- agreements concluded within the framework of international treaties to which Uruguay is a party;
- cooperation between intelligence agencies to combat organised crime, terrorism, and drug trafficking;
- where the data subject has given unequivocal consent to the transfer;
- where the transfer is necessary for the performance of a contract with the data subject or for pre-contractual measures at their request;
- where the transfer is necessary for the conclusion or performance of a contract in the data subject’s interest between the controller and a third party;
- where the transfer is necessary or legally required to safeguard an important public interest or for the establishment, exercise, or defence of legal claims;
- where the transfer is necessary to protect the vital interests of the data subject; and
- where the transfer originates from a public register established by law for public consultation, provided the legal conditions for such consultation are met.
The URCDP maintains a list of jurisdictions and organisations recognised as providing adequate protection. These include: the Member States of the European Union and the European Economic Area; Andorra; Argentina; the Canadian private sector; Guernsey; the Isle of Man; the Faroe Islands; Israel; Japan; Jersey; New Zealand; the United Kingdom; Switzerland; organisations listed under the U.S. Department of Commerce Data Privacy Framework; and entities subject to the Republic of Korea’s Personal Information Protection Act.

It is reported that passive sharing of infrastructure in the telecom market is not mandated, though it is practised in the mobile sector based on commercial agreements. In contrast, in the fixed sector, passive sharing is neither mandated nor practised.

Pursuant to Art. 1 of Law 14,235, the National Telecommunications Administration of Uruguay (ANTEL) is a decentralised public service, and the company is fully state-owned.

Uruguay does not impose a requirement for functional separation on operators with significant market power (SMP) in the telecommunications sector. However, since 2003, operators have been subject to an obligation of accounting separation. Art. 15 of the Telecommunications Licensing Regulation provides that, as part of their service-related obligations, licensees may be required to maintain separate accounts by service where the Regulatory Unit for Communications Services (Unidad Reguladora de Servicios de Comunicaciones, URSEC) issues a general mandate for specific services or categories of licences. In addition, Art. 16 requires any licensee whose corporate purpose includes activities beyond the provision of telecommunications services to implement a system of accounting separation and cost accounting for those additional activities, in accordance with the guidelines and criteria periodically determined by URSEC.