El Salvador’s cyber laws threaten media freedom and privacy, human rights experts warn

El Salvador’s new cybersecurity and data protection laws threaten media freedom and privacy rights, the U.S.-based nonprofit Human Rights Watch said in a statement on Thursday.

The laws, approved earlier in November, establish a state cybersecurity agency led by a presidential appointee and grant it “overly broad powers” to order the removal of online information about individuals, according to digital rights experts.

“These new laws could be used to delete online publications that are critical of the government under the guise of data protection,” said Juanita Goebertus, Americas director at Human Rights Watch. “This is a recipe for censorship and opacity.”

The Salvadoran government has previously been suspected of abusing its power to spy on the media and civil society. In 2022, digital rights researchers at the Citizen Lab and Access Now discovered that dozens of journalists and activists in El Salvador had their phones hacked with Pegasus spyware. Researchers said evidence pointed to government involvement in the attacks, but El Salvador denied the allegations.

The country’s new cyber and data protection laws pose additional challenges for the media, Human Rights Watch said. In particular, the law’s “right to be forgotten” allows individuals to request the removal of their data from the internet, including from search engines and media outlets, if the information is deemed “inadequate, inaccurate, irrelevant, outdated, or excessive.”

Media outlets and search engines that violate these data protection requirements could face fines of up to 40 minimum monthly salaries.

“This requirement could allow the government to pressure media outlets to delete information of public interest about officials or their allies by claiming the information is inaccurate or incomplete,” Human Rights Watch said.

The organization emphasized that the “right to be forgotten” should be strictly limited to de-listing content from search results rather than its removal. The provision should also include strong procedural safeguards, such as appeal rights, and should never override the public’s right to access information about government officials or matters of public interest.

El Salvador is not the only country whose cyber legislation has raised concerns among privacy experts recently. Earlier in November, India introduced new rules aimed at protecting the country’s critical infrastructure networks from cyberthreats. Some of the policies focus on data collection. For example, the regulations require telecom entities to share user traffic data with cybersecurity authorities.

Digital rights experts told Recorded Future News that India’s law lacks clear restrictions on the government’s authority to collect, share, or store such data without independent oversight. The vague phrasing of the legislation could also enable the government to misuse its data collection and sharing powers.