Uruguay has not adopted national legislation based on or influenced by the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Commerce.

Uruguay has not adopted national legislation based on or influenced by the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Signatures.

It is reported that self-declaration of conformity (SDoC) is not allowed for foreign companies for any radio transmitting devices, such as cellular exchanges, radio alarm devices, wireless remote controls, wireless microphones, cellular phones, cordless phones, radio communications transceiver equipment, wireless network cards, wifi/bluetooth transmitter devices, drone transceivers, among others. The approvals in Uruguay are regulated by the Regulatory Unit of Communications Service (URSEC). The approvals, once obtained, are valid for 15 years. Typically, approvals can be obtained in less than 10 weeks without the need for in-country testing.

Decree No. 356/014 sets some rules regarding the de minimis threshold, which is the minimum value of goods below which customs do not charge duties. According to Arts. 3-4 of the Decree, the de minimis threshold applied to purchases by non-express mail is equal to USD 50, while for purchases by express mail, it is equal to USD 200. Moreover, the de minimis applies under certain conditions: only up to 3 purchases per year, for non-commercial purposes, by a natural person of legal age with a valid Uruguayan identity card, and when the gross weight of the items does not exceed 20 kilograms.

In accordance with Art. 9 of the Technical Instructions: Registration of Names under the ".UY" Domain, the applicant for a domain name registration must communicate the registered address of the holder(s) and the address in Uruguay for contractual and extra-contractual purposes of these instructions.

According to Art. 23 of Law No. 18.331 - Personal Data Protection Law, the transfer of personal data to countries or international organisations that do not provide adequate levels of protection is prohibited. The prohibition shall not apply in the case of:
- International judicial cooperation, in accordance with the respective international instrument, whether Treaty or Convention, takes into account the case's circumstances;
- Exchange of medical data when so required by the affected person's treatment for public health or hygiene reasons;
- Banking or stock exchange transfers in relation to the respective transactions and in accordance with the applicable legislation;
- Agreements within the framework of international treaties to which the Oriental Republic of Uruguay is a party;
- International cooperation between intelligence agencies in the fight against organised crime, terrorism fight against organised crime, terrorism, and drug trafficking.

Uruguay has joined two agreements with binding commitments to open transfers of data across borders. Art. 8.10 of the Chile-Uruguay Free Trade Agreement provides that each Party shall permit the cross-border transfer of information by electronic means, including personal information, where this activity is for the conduct of the business of a person of a Party. In addition, Art. 8.11 states that a Party may not require a person of the other Party to use or locate computer facilities in the territory of that Party as a condition for doing business in that territory. Similar requirements are found in Arts. 7 and 8 of the Mercosur Agreement on Electronic Commerce, ratified by Uruguay in September 2022 and in force between Paraguay and Uruguay since August 2023.

Uruguay has a data protection framework established in Law No. 18.331 - Personal Data Protection Law.

According to the Art. 40 of Law No 19,670, the appointment of a Data Protection Officer (DPO) is mandatory in the following cases: (i) public state or non-state entities, (ii) private or partially state-owned entities, (iii) private entities which process sensitive data as a core activity, and (iv) private entities which process large scales of data (Art. 10 of Decree 64/2020 establishes that large scales of data mean the data processing of more than 35,000 data subjects).

The appointment of a DPO must be submitted for approval by the Regulatory Unit for the Control of Personal Data (URCDP). If the legal and technical requirements are not met, the Regulator is empowered to refuse or revoke (as the case may be) the submission/authorisation to the appointed DPO, as set forth in Resolution No. 32/20. The delegate is responsible for advising the organisations they represent on compliance with the rules set forth in Law No. 18,331 on Personal Data Protection. In addition to this, they are also responsible for serving as the main point of contact with the URCDP, along with several other functions.

According to Art. 6 of Decree 64/2020, prior to the start of the processing, the controller and the processor shall carry out an assessment of the impact on the protection of personal data (DPIA) in certain circumstances.
According to Art. 10, the controller and the processor shall carry out an assessment of the DPIA when the processing operations may:
- Use sensitive data as a core business.
- Project permanent or stable processing of the specially protected data referred to in Chapter IV of Law No. 18.331 of August 11, 2008, or data related to the commission of criminal, civil, or administrative offences.
- Involve an evaluation of personal aspects of the data subjects to create or use personal profiles, in particular by analysing or predicting aspects related to their work performance, economic situation, health, personal preferences or interests, behavioural reliability, behavioural reliability, financial solvency, and location.
- To process data of groups of persons in a situation of special vulnerability and, in particular, of minors or persons with disabilities.
- Processing of large volumes of personal data.
- Transfer of personal data to other States or international organisations for which there is no adequate level of protection.
- Others determined by the Regulatory and Control Unit of Personal Data.

It is reported that a basic legal framework on intermediary liability for copyright infringement is absent in Uruguay's law and jurisprudence.

It is reported that a basic legal framework on intermediary liability beyond copyright infringement is absent in Uruguay's law and jurisprudence.

According to Arts. 1 and 2 of Decree No. 274/014, mobile service providers must maintain an up-to-date register of individuals or legal entities contracting prepaid or postpaid services. Additionally, individuals or legal entities wishing to contract these services are required to provide the identification data specified in Art. 4, which includes the subscriber's name, legal identification document, and address.

Pursuant to Art. 1 of Law 14,235, the National Telecommunications Administration of Uruguay (ANTEL) is a decentralised public service, and the company is fully state-owned.

Uruguay does not impose a requirement for functional separation on operators with significant market power (SMP) in the telecommunications sector. However, since 2003, operators have been subject to an obligation of accounting separation. Art. 15 of the Telecommunications Licensing Regulation specifies that among the responsibilities of licensees concerning service provision is the requirement to maintain separate accounts by service, should the Regulatory Unit for Communications Services (Unidad Reguladora de Servicios de Comunicaciones, or URSEC) issue a general mandate for specific services or categories of licences. In addition, Art. 16 provides that any licensee whose corporate purpose permits activities beyond the provision of telecommunications services must implement a system of account separation and cost accounting for these additional activities, in compliance with the guidelines and criteria periodically determined by URSEC.