Argentina: Data Protection in the Automotive Sector
The Data Privacy Regime in Argentina is regulated under the Personal Data Protection Act, Act No. 25.326 of 2000 ('the Act'), Decree No. 1558/2001 Regulating Law No. 25.326 (only available in Spanish here) ('the Regulatory Decree'), and the regulations issued by the Argentinian data protection authority ('AAIP'). These regulations set forth a strict data protection regime, aimed at regulating the collection, storage, use, and transmission of databases and personal information which is stored and/or processed, even on a temporary basis, in Argentina. In this context, the data collection and treatment involved in automotive activity shall be carried out in compliance with these regulations.
In addition, Argentina has adopted and internalised into domestic law international instruments, for example the Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data ('Convention 108'), approved by Argentina through Law No. 27483 (only available in Spanish here), and the Budapest Convention on Cybercrime, approved in Argentina by Law No. 27411 (only available in Spanish here).
In addition, geolocation data, even though it is not specifically mentioned, is still considered under Argentinian law as personal data, therefore it should be deemed as falling within the scope of the aforementioned regulations.
Argentina data privacy regime
In addition to the Act and the Regulatory Decree, it is worth mentioning that there are certain data privacy bills currently before the National Congress of Argentina, aiming to align the Argentinian data privacy framework with current global standards, as well as the ratification of the modernised Convention 108. Along the same lines, the AAIP has been issuing several resolutions to update the data privacy framework and align it with such current global standards.
Article 9 of the Act establishes cybersecurity obligations, stating that '[t]he responsible or user of the data file must adopt the technical and organizational measures that are necessary to ensure the security and confidentiality of personal data, so as to avoid its adulteration, loss, consultation or unauthorized processing, and that allow detecting deviations, intentional or not, of information, whether the risks come from human action or from the technical means used'.
Moreover, the AAIP has specified the minimum cybersecurity standards by issuing Resolution 47/2018 (only available in Spanish here).
Also, the Budapest Convention on Cybercrime establishes a series of provisions and offenses against the confidentiality, integrity, and availability of data and computer systems, which establishes mandatory guidelines that must be considered in conjunction with the specific offenses established in the Argentine Criminal Code (only available in Spanish here).
Regarding geolocation data, the AAIP has issued a nonbinding document providing certain guidelines on this data category's lawful processing (only available in Spanish here) ('the Geolocation Guidelines').
Guidelines for software and application development
In 2015, the AAIP issued Resolution 18/2015 (only available in Spanish here) ('the App Guidelines'), providing guidelines for software and app development in alignment with the Privacy by Design principle. Also, the AAIP jointly with the Uruguayan data protection authority issued the Guide for Data Privacy Assessment (only available in Spanish here) ('the Assessment Guidelines').
Although there is no specific regulation on the automotive sector, there are additional regulations other than data privacy regulation which might be applicable, such as:
- National Traffic Act No. 24449 (only available in Spanish here) establishes mandatory driver's license and liability insurance for damages to third parties, and its related regulation (only available in Spanish here) ('the Traffic Regulation'), as well as related provincial laws;
- Regulation of the Transit Act: Decree No. 779/95 (only available in Spanish here);
- Act No. 26.994, National Civil and Commercial Code (only available in Spanish here) ('the Civil and Commercial Code');
- Consumer Protection Act No. 24.240 (only available in Spanish here);
- Telecommunications Act No. 19798 (only available in Spanish here); and
- Act No 27078 (only available in Spanish here) which establishes, in Article 5, provisions regarding the inviolability of communications that are carried out by ICT in any mechanism that induces the user to presume the privacy of the traffic data associated with them, carried out through telecommunication networks and services.
As discussed in the previous section, there is no specific regulation for the automotive sector; however, the following guidelines issued by the AAIP are relevant for the data treatment carried out for their purposes:
- the Geolocation Guidelines;
- the App Guidelines; and
- the Assessment Guidelines.
2. Key Definitions
- Vehicle Information Number (sole or in combination with further identifiers): According to article 2 of the Act, information of any type referring to individuals or legal entities, determined or determinable, is considered personal data. The most important regulations related to the identification of vehicles in Argentina are listed below:
- Automotive Legal Regime No. 1114/97 (only available in Spanish here). It requires the registration of the domain in the National Registry of Motor Vehicle Property, as well as its transfer to third parties.
- Disposition No 106/2019 (only available in Spanish here). It requires the issuance of the Unique Vehicle Identification Card, which enables the vehicle to circulate on all Argentine roads and to temporarily exit the country. It identifies its owner or holder, and shows the domain, make, model, chassis and engine numbers. It is valid for a certain period of time. In addition, there is a specific identification card for those authorized to drive a vehicle owned by a third party.
- National Act Disassembly of Automotives and sale of auto parts No 25761 (only available in Spanish here) determines the obligation to engrave auto parts. Please note that the specific provisions regarding this topic are established by each local jurisdiction in particular.
- Geolocation data: Information collected by a network or service about where the user's device is or was located, commonly understood as the determination of a specific geographic location through technology or other resources or technical means. Section 2 of the Act defines personal data as '[i]nformation of any kind referring to specific or determinable natural persons or legal entities'. Therefore, when geolocation refers to a specific or determinable person, it becomes personal data, and therefore is covered by the Act. In this sense, data controllers or data processors that process personal geolocation data must comply with the different legal bases set forth in the Act (Articles 5 and/or 11), the principle of information (Article 6), proportionality and quality of the data (Article 4), and security (Articles 9 and 10), among others. In relation to this item, it is worth mentioning Provision No. 20/2015 (available only in Spanish here), which specifies that 'an unmanned aerial vehicle or drone equipped with cameras, microphones, GPS, or any other type of sensor, has the capacity to collect data from persons, such as images, videos, conversations, geolocation, among others...'.
- Telematic data: There is no specific definition of telematics data in Argentine privacy legislation. However, this should be considered as personal data according to the Law, since it allows the interpretation of information related to the driving habits and behaviour of vehicles in connection with persons, allowing data integration and predictive analysis. In this regard, it should be noted that insurance companies operating in the country could offer this type of technology to their customers and also take it into consideration in order to know the risk profile of the insured. Furthermore, it is common that, through the evaluation of this type of data, insurance companies could offer their clients the service of location and recovery, for example in case of robbery or theft. In this regard, Act No 17418 (only available in Spanish here) regulates the insurance contract in a consensual manner, being necessary to comply with the principle of information (Article 6 of the Act) regarding the general conditions of the contract that could imply the inclusion of devices in vehicles that allow this type of data processing. Finally, it is also important to note that Resolution No 4/2019 issued by the AAIP (only available in Spanish here) establishes that in the event that the database controller makes decisions based solely on the automated processing of data that produce pernicious legal effects on the person or affect the person in a negative manner, the data subject has the right to request from the database controller an explanation of the logic applied in that decision, in accordance with Article 15 of the Act.
- Biometric data: Resolution 4/2019 (only available in Spanish here) ('the Biometric Guidelines') issued by the AAIP defines biometric data as personal data obtained from a specific technical processing, related to the physical, physiological, or behavioural characteristics of a human person, which allows or confirms their unique identification. The Biometric Guidelines provide that biometric data shall be considered sensitive only when it may reveal additional data whose use may be potentially discriminatory for its owner (e.g. data revealing ethnic origin or health information).
- Metadata: The App Guidelines understand metadata as the labels which provide additional information regarding the data source.
- Voice data: Article 53 of the Civil and Commercial Code (only available in Spanish here) states that '[t]o capture or reproduce the image or voice of a person, in any way, the consent of that person is necessary, except in particular cases'. In this context, it could be interpreted that voice data collected, if it is related to an identifiable person, must be considered and thus processed, as personal information under the Argentinian Law.
- Video data (inside/outside the vehicle): Article 53 of the Civil and Commercial Code states that '[t]o capture or reproduce the image or voice of a person, in any way, the consent of that person is necessary, except in particular cases'. In this context, it could be interpreted that video data collected, as long as it is related to an identifiable person, must be considered and thus processed, as personal information. Furthermore, the collection of images of individuals, if they are related to an identifiable person, shall be considered legal only when the data subject has previously consented to the collection and processing of those images, in the terms provided by Articles 5° and 6° of the Act. Also, the data owner may request the right of access to such video recordings in accordance with Article 14 of the Act. In addition, the DNPDP Provision 10/2015 (only available in Spanish here) regulates the conditions of lawfulness for the collection and subsequent processing of digital images of persons for security purposes.
- Anonymisation: There is no specific definition of anonymisation, however it is understood that anonymised data means the data related to a data subject who cannot be identified, considering the use of reasonable and available technical means at the time of the processing. To the extent that no data subject is identifiable, anonymised data is not deemed as personal data subject to the Act. Resolution No 4/2019 issued by the AAIP (only available in Spanish here) establishes that a person shall not be considered an identifiable person, in the terms of Article 2 of the Act, when the procedure to be applied to achieve his identification requires the application of disproportionate or unfeasible measures or time periods.
- Pseudonymisation: Under the App Guidelines, pseudonymisation is defined as operations carried out without identifying the data subject, identified only by a pseudonym. This data is considered personal data and thus deemed subject to the Act.
- Data processing: The Act defines data processing as any systematic operations and procedures, electronic or not, that allow for the collection, conservation, arrangement, storage, modification, relation, evaluation, blocking, destruction, and in general the processing of personal data, as well as its transfer to third parties through communications, consultations, interconnections, or transfers.
- Data controller: The natural or legal person, whether public or private, which is responsible for decisions concerning the processing of personal data (the Act, Section 2).
- Data processor: The natural or legal person, whether public or private which performs the processing of personal data on behalf of the controller (the Act, Section 2).
- Manufacturer: There is no specific definition under the Argentinian Law.
3. Supervisory Authority
The automotive sector is principally regulated under the Traffic Act and the Traffic Regulation, which set forth certain requirements for vehicles and for manufacturers that should be registered for the commercialisation of their products. Under the Traffic Act, it is required to file for certain technical licences issued by the National Road Safety Agency ('ANSV') such as the model configuration licence and the environmental configuration licence. The ANSV is supported by the National Institute of Industrial Technology, which develops testing services for the safety, development, and validation of vehicles, components, and auto parts.
Moreover, the Automotive Property Registry regulates all matters related to the ownership of vehicles and collateral credits, as well as organises the functioning of the Sectional Registries all over the country.
The identification documents for cars, motorcycles and those authorised to drive, driver's licenses, possession and ownership registrations, domain transfers, as well as the regime of auto parts and renewals, must be processed before the agency of the local jurisdiction where the vehicle is legally registered.
In relation to any data privacy matters, however, the AAIP is the relevant authority.
Lastly, depending on the technology involved other authorities such as the Argentine Telecommunication Agency ('ENACOM') should be considered.
Under Argentinian law there is no specific regulation regarding data protection in the automotive industry. However, like any other entity that processes personal data, an organisation that manages and processes the data of connected vehicles should comply with the Act and all related applicable privacy regulation. In this sense, data processors or controllers in the automotive industry are subject to such regime.
The transparency principle is construed under the quality principle provided under Section 4 of the Act, which states that personal data processing should not be conducted by fraudulent or misleading means. Following this principle, the data collection shall be performed in a clear, precise manner, and the information should be easily accessible to the data subject. In this sense, data controllers should inform data subjects about the data collection purposes and its details by legal notices, privacy icons, users guides, and adequate privacy policies.
Choice and consent
The Act provides the data subject's consent as the ground for lawful personal data processing (with some restrictive exceptions). A data subject's consent must be specifically and freely given, based on information provided to the data subject in advance, and expressed in writing or in an equivalent form. Data subjects shall be informed prior to the collection of their data in an express and clear manner, and in accordance with their social and cultural status, about (Section 6 of the Act):
- the purpose for which the data shall be processed, and who their addressees or type of addressees may be;
- the existence of the relevant data file, register, or bank, whether electronic or otherwise, and the identity and domicile of the person responsible therefor;
- the compulsory or discretionary character of the answers to the questionnaire the person is presented with, particularly, in relation to sensitive data;
- the consequences of providing the data, or of refusing to provide such data and the consequences of providing inaccurate data; and
- the possibility for the data subject to exercise their right of data access, rectification, and suppression.
Notwithstanding the aforementioned, there are strict exceptions to data subjects' consent such as when the data processing is derived from a contractual relationship with the data subject, provided that such data is necessary for the development and compliance of such relationship.
Lastly, the consent given by the data subject can be revoked at any time (Section 5 of the Regulatory Decree).
Section 9 of the Act provides that data treatment shall be conducted undertaking appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss or destruction of, or damage to, personal data. Furthermore, the same section prohibits the recording of personal information in files, databases, or databanks that do not meet the minimum technical integrity and security requirements stated by the Act.
As internal components of connected cars are centrally coordinated and can be used, for example, by service providers, insurance companies, and repair services, and therefore may be more exposed to security breaches, it is crucial that data controllers or processors comply with the principle of proactive responsibility set forth by the enforcement authority in the Data Protection Impact Assessment guide, as well as with the security standards specified by Resolution AAIP 47/2018.
On automated data processing, Resolution AAIP 4/2019 (which is mandatory for all those subjects reached by the Act) stipulates that '[i]f the database controller makes decisions based solely on automated data processing that produce to the data subject pernicious legal effects or significantly affect them in a negative way, the data subject shall have the right to request from the database controller an explanation of the logic applied in that decision, pursuant to Article 15, subsection 1 of The Act.'
Article 6 of Convention 108 establishes that '[p]ersonal data revealing racial origin, political opinions, religious or other convictions, as well as personal data concerning health or sex life, may not be processed automatically unless domestic law provides appropriate safeguards. The same rule applies to personal data relating to criminal convictions.'
The data minimisation principle is construed under the quality principle in Section 4 of the Act, which provides that personal data collected must be accurate, adequate, relevant, and not excessive in relation to the scope and purpose for which it was obtained. In this line, data controllers should only process data necessary to achieve their purposes and avoid collecting and processing data which is not strictly necessary.
The data quality principle provides that data shall not be retained and shall be destroyed when it is not further necessary or relevant to the purpose for which it has been collected. Therefore, once the purpose is fulfilled and there are no legal reasons for retaining the information (e.g. regulatory or legal retention requirements) data shall be destroyed.
Accountability and record of processing
There are several draft laws which expressly incorporate the accountability principle into Argentinian law. Under said principle, data controllers and processors shall undertake organisational and technical measures to ensure adequate, lawful, and safe personal data processing, and these measures must allow evidence of their effective implementation before the AAIP.
The general principle under Section 11 of the Act provides that data subjects shall previously consent to the data assignment and shall be informed about the purpose of the assignment and the recipient. Also, Section 11 of the Act states that data shall only be assigned to meet the purposes related to the legitimate interests of the data controller and the recipient.
Notwithstanding the aforementioned, pursuant to Section 25 of the Act, the data subject's consent shall not be necessary when the organisation outsources data processing services.
Therefore, following this principle, unless the data subject's personal data to be transmitted to a third party is limited to certain categories of data for which collection, storage, and processing under the Act does not require previous consent from data subjects (i.e. in such cases foreseen by Section 5, Paragraph 2 of the Act), express consent from such data subjects would be necessary in order to legally transfer such personal data to any third party.
International data transfers to countries not granting adequate levels of protection are in principle prohibited by Section 12 of the Act. Therefore, if data is intended to be transferred to a non-adequate jurisdiction, additional requirements shall be fulfilled, such as specific consent, model clauses, or Binding Corporate Rules.
Although there is not a binding requirement, it is advisable that data controllers and processors adopt internal policies and procedures to comply with the Act.
The Act does not provide for data portability, but there are several draft laws which introduce this right and entitle data subjects to it.
Privacy/Security by Design and by Default
Privacy by Design and Privacy by Default are principles provided under the App Guidelines. The first one of these principles refers to the approach under which privacy is considered from the very origin of the design of a system, application, or device. In this sense, privacy should be incorporated in all stages and phases of the data processing and application system or device.
Privacy by Default requires that privacy settings shall be enabled by default, so that data subjects are the ones that proactively decide to deactivate or share personal information. In this sense, information should not be shared unless the data subject configures the privacy settings to allow it.
Following these principles, and although there is no specific regulation set forth for the automotive sector, it is recommended, for instance, to obtain data subjects' consent for all data treatment and that no check box is pre-ticked by default.
Under Section 14 of the Act, data subjects are entitled to request and obtain information on their personal data which is subject to data processing, as well as the purpose and destination of the processing. In case third parties access personal information, data subjects should be informed, and consent to such access should be provided as, in principle, data assignment should be expressly consented to.
Upon expiration of the term without satisfying the data subject's request, or if the report is deemed insufficient, the action for the protection of personal data or habeas data provided for in this law shall be expedited.
The Act sets forth rules for processing personal data with the purpose of protecting the fundamental rights of honour, privacy, and right to access data. It is construed then, that data subjects are the owners of their own data.
Please refer to section 4 above as the same principles and considerations are applicable and there are no specific regulations or guidelines regarding autonomous driving from a data privacy perspective. However, it is worth noting that there is a Draft Bill in Buenos Aires Province Regulating Autonomous Vehicles Testing (only available in Spanish here).
Please refer to section 4 above, as the same principles and considerations are applicable and there are no specific regulations or guidelines on telematics.
Please refer to section 4 above, as the same principles and considerations are applicable. With respect to geolocation data, the Geolocation Guidelines, which sum up the principles described under section 4, are relevant.
Please refer to section 4 above, as the same principles and considerations are applicable. Additionally, it would be advisable for manufacturers to consider the App Guidelines regarding Privacy by Design.
In the event that automotive manufacturers and service providers cooperate in the processing of data, this may involve joint liability, which may have to be assessed on a case-by-case basis with regard to data security and data protection.
Regarding liability, Article 2 of the Act defines the person responsible for the database (data controller) as the individual or legal entity, public or private, owner of a file, which determines the purposes and means of the processing.
On the other hand, Article 25 of the Act regulates the provision of services such as the processing of personal data on behalf of third parties, which as a general rule may not be applied or used for a purpose other than that stated in the service contract with the data controller.