The Argentinian data protection authority (‘AAIP’) announced, on 20 September 2018, that the President of the Argentine Republic, Mauricio Macri, had sent a draft data protection bill (‘the Bill’), which seeks to reform the current law on the protection of personal data, to the National Congress of Argentina (‘Congress’) for consideration.
Diego Fernández, Partner at Marval, O’Farrell & Mairal, told DataGuidance, “The need to revisit the current legislation is primarily based on the technological advances that have been made since the Personal Data Protection Act, Act No. 25.326 of 2000 (‘the Act’) was passed, [as well as] the experience the data protection authority has gathered in that time, and the existence of a new international context, particularly with the approval of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’). The Bill is inspired by the GDPR and aims to replace the Act in its entirety. We expect a fruitful debate in Congress, which may take some time.”
The Bill includes several relevant aspects […] it acknowledges for the first time the right to be forgotten and the right to data portability
The Bill was the result of a two-stage process undertaken as part of the Government’s Justice 2020 programme. The first stage consisted of roundtable discussions taking place from August to November 2016, during which the main strands and challenges currently presented by the protection of personal data were debated, resulting in a document being published on suggestions and contributions regarding the need to reform the personal data protection law in Argentina. As part of the second stage, the former Argentinian data protection authority (‘PDP’) published the first two drafts of the Bill in February and May 2017, and conducted a public consultation on the same.
Fernández highlighted, “The Bill includes several relevant aspects. In particular, it includes accountability obligations and eliminates the requirement of the registration of databases containing personal data, [as well as introduces] the data processor’s legitimate interest as a new legal basis. It also acknowledges for the first time the right to be forgotten and the right to data portability. [In addition, it] incorporates new regulations in connection with sensitive data (the definition of which is now more extensive), background checks and minors’ consent, includes an obligation to notify data breaches (in line with the GDPR provisions), provides for the mandatory need of a Privacy Impact Assessment in cases where the data processor intends to treat personal data in such a way that it entails a high risk of affecting the fundamental rights of the data subject, and includes the obligation to appoint a data protection officer in the case of public agencies, the processing of sensitive data as a principal activity, or big data activities. If the Bill is passed into law, there will be a two-year transitional period.”
PASCALE ARGUINARENA Privacy Analyst