Data protection & privacy laws in Nicaragua (2026)

Law No. 787 (Ley de Protección de Datos Personales), in force since 29 March 2012, is the main data-protection statute. It is complemented by Decree No. 36-2012 (its implementing regulation). The constitutional basis is Article 26 of Nicaragua's 1987 Political Constitution, which enshrines the right to privacy.

Law 787 created DIPRODAP under the Ministry of Finance and Public Credit to supervise compliance and maintain a Data File Registry. As of 2025–2026, the directorate has never been formally constituted; no enforcement actions, interpretive decisions, or registry exist in practice.

The law grants data subjects rights of access, rectification, modification, erasure, supplementation, updating, and cancellation of personal data. These rights mirror, in broad structure, the ARCO rights found in Ibero-American data-protection frameworks, though enforcement mechanisms remain inoperative.

Controllers must obtain prior consent before processing personal data, apply purpose-limitation and proportionality principles, implement technical and organizational security measures, and register data files with DIPRODAP — a requirement that cannot be met in practice given DIPRODAP's non-existence.

Law 787 identifies special categories of sensitive data (health, racial or ethnic origin, political opinions, religious beliefs, trade union membership, sexual life) which require heightened protection and, in most cases, explicit consent for processing.

The General Law on Convergent Telecommunications (Law 1223), published November 2024 and in force from November 2025, grants broad government authority over telecommunications and internet services. Civil-society and press-freedom organisations have flagged it as undermining communications privacy and freedom of expression.