Uruguay has not adopted national legislation based on or influenced by the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Commerce.

Uruguay has not adopted national legislation based on or influenced by the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Signatures.

It is reported that self-declaration of conformity (SDoC) is not allowed for foreign companies for any radio transmitting devices, such as cellular exchanges, radio alarm devices, wireless remote controls, wireless microphones, cellular phones, cordless phones, radio communications transceiver equipment, wireless network cards, wifi/bluetooth transmitter devices, drone transceivers, among others. The approvals in Uruguay are regulated by the Regulatory Unit of Communications Service (URSEC). The approvals, once obtained, are valid for 15 years. Typically, approvals can be obtained in less than 10 weeks without in-country testing.

Uruguay has joined two agreements with binding commitments to open transfers of data across borders. Art. 8.10 of the Chile-Uruguay Free Trade Agreement provides that each Party shall permit the cross-border transfer of information by electronic means, including personal information, where this activity is for the conduct of the business of a person of a Party. In addition, Art. 8.11 states that a Party may not require a person of the other Party to use or locate computer facilities in the territory of that Party as a condition for doing business in that territory. Similar requirements are found in Arts. 7 and 8 of the Mercosur Agreement on Electronic Commerce, ratified by Uruguay in September 2022 and in force between Paraguay and Uruguay since August 2023.

Uruguay has a data protection framework established in Law No. 18.331 - Personal Data Protection Law.

According to the Art. 40 of Law No 19,670, the appointment of a Data Protection Officer (DPO) is mandatory in the following cases: (i) public state or non-state entities, (ii) private or partially state-owned entities, (iii) private entities which process sensitive data as a core activity, and (iv) private entities which process large scales of data (Art. 10 of Decree 64/2020 establishes that large scales of data mean the data processing of more than 35,000 data subjects).
The appointment of a DPO must be submitted to the Regulatory Unit for the Control of Personal Data (URCDP) for approval. If the legal and technical requirements are not met, the Regulator is empowered to refuse or revoke (as the case may be) the submission/authorisation to the appointed DPO, as set forth in Resolution No. 32/20. The delegate is responsible for advising the organisations they represent on compliance with the rules set forth in Law No. 18,331 on Personal Data Protection. In addition, they serve as the main point of contact with the URCDP, among other functions.

According to Art. 6 of Decree 64/2020, prior to the start of processing, the controller and the processor shall, in certain circumstances, carry out an assessment of the impact on the protection of personal data (DPIA).
According to Art. 10, the controller and the processor shall assess the DPIA when the processing operations may:
- Use sensitive data as a core business.
- Project permanent or stable processing of the specially protected data referred to in Chapter IV of Law No. 18.331 of August 11, 2008, or data related to the commission of criminal, civil, or administrative offences.
- Involve an evaluation of personal aspects of the data subjects to create or use personal profiles, in particular by analysing or predicting aspects related to their work performance, economic situation, health, personal preferences or interests, behavioural reliability, financial solvency, and location.
- To process data of groups of persons in a situation of special vulnerability and, in particular, of minors or persons with disabilities.
- Processing of large volumes of personal data.
- Transfer of personal data to other States or international organisations for which there is no adequate level of protection.
- Others determined by the Regulatory and Control Unit of Personal Data.

It is reported that a basic legal framework on intermediary liability for copyright infringement is absent in Uruguay's law and jurisprudence.

It is reported that a basic legal framework on intermediary liability beyond copyright infringement is absent in Uruguay's law and jurisprudence.

According to Arts. 1 and 2 of Decree No. 274/014, mobile service providers must maintain an up-to-date register of individuals or legal entities contracting prepaid or postpaid services. Additionally, individuals or legal entities wishing to contract for these services are required to provide the identification data specified in Art. 4, including the subscriber's name, legal identification document, and address.

It is reported that passive sharing of infrastructure in the telecom market is not mandated, though it is practised in the mobile sector based on commercial agreements. In contrast, in the fixed sector, passive sharing is neither mandated nor practised.

Pursuant to Art. 1 of Law 14,235, the National Telecommunications Administration of Uruguay (ANTEL) is a decentralised public service, and the company is fully state-owned.

Uruguay does not impose a requirement for functional separation on operators with significant market power (SMP) in the telecommunications sector. However, since 2003, operators have been subject to an obligation of accounting separation. Art. 15 of the Telecommunications Licensing Regulation provides that, as part of their service-related obligations, licensees may be required to maintain separate accounts by service where the Regulatory Unit for Communications Services (Unidad Reguladora de Servicios de Comunicaciones, URSEC) issues a general mandate for specific services or categories of licences. In addition, Art. 16 requires any licensee whose corporate purpose includes activities beyond the provision of telecommunications services to implement a system of accounting separation and cost accounting for those additional activities, in accordance with the guidelines and criteria periodically determined by URSEC.

Uruguay has not appended the WTO Telecom Reference Paper to its schedule of commitments.

It is reported that the Communications Services Regulatory Unit (URSEC), the executive authority for the supervision and administration of services in the telecommunications sector, is independent from the government in the decision-making process. In accordance with national legislation (Law 17.296), the URSEC has been established as a decentralised and autonomous public entity.