Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Argentina: Evolution of the data protection landscape

In 2018, the Argentine Executive Branch proposed a draft data privacy bill ('the Bill') which aimed to replace the current Personal Data Protection Act, Act No. 25.326 of 2000 ('the Data Protection Act'). The Bill was a result of a multistakeholder process lead by the Argentinian data protection authority ('AAIP'). The purpose of the Bill was to update the Data Protection Act, which was enacted in 2000, in line with the latest international standards. The Bill was also considered as an important tool for the country to maintain its adequacy standard1 ('Argentina Adequacy Decision') based on Article 45 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). Gabriela Szlak and Lucia Suyai Mendiberri, Partner and Associate respectively at Lerman & Szlak, compare the current data protection laws and bills in Argentina in relation to various topics such as accountability, consent, and security breach reports, among others.

cokada / Signature collection / istockphoto.com

In 2020, the Bill lost its parliamentary status, and therefore, the Congress cannot discuss it. Despite this, the AAIP has been updating the practical application and interpretation of the Data Protection Act through several dispositions and resolutions. This practice has been successful so far in filling the gaps of the current Data Protection Act. Still, the shared view of local experts is that new, freshly updated Data Protection Law is preferable to improve the current situation. In said context, the Draft Law S-2986/2020 ('the Draft Law')2, presented by the Congressmen Dalmacio E. Mera, has incorporated most of the text of the Bill and the latest regulation issued by the AAIP, as well as the international standards on data privacy law. The purpose of the Draft Law is, on the one hand, to ensure data subjects' rights under the light of the technology evolution and the challenges that emerged over the past 21 years and, on the other hand, to maintain the Argentina Adequacy Decision3 after the adoption of the GDPR.

Argentine data privacy law jurisdiction

The Data Protection Act's scope of application has been the subject of extensive scholar and jurisprudence discussions, given that the Data Protection Act does not resolve this directly4. With regards to this, in 2009 the AAIP provided that the Data Protection Act was applicable to all private databases that were not intended to be for private use5. The Draft Law embraces this understanding and closed any possible debate by providing under Article 3 of the Draft Law, noting that the private use exception to the Data Protection Act's application6 and regulating under Article 4 the scope of its application.

The Draft Law adopts the extra-territorial jurisdiction principle, providing its application in the following cases: (i) the data controller is established in the Argentine territory, even if the personal data processing is performed outside this territory; (ii) the data controller is not established in a territory where the Argentine law does not apply by virtue of the international law; and (iii) the data subject is an Argentine resident, regardless of the location of the data controller, except when the law where the data controller is based results more favorable for the protection of the data subject's personal data, at the choice of the data subject.

Principles applicable to the data processing

As the Data Protection Act, the Draft Law sets forth several principles that should govern the processing of personal data. It could be noticed that the 'Loyalty and Transparency', 'Purpose', 'Minimisation,' and 'Accuracy' principles are already provided under the principle of 'Data Quality' of the current Data Privacy Act.

The principle of 'Loyalty and Transparency' states that personal data processing should not be conducted by fraudulent or misleading means, which is similar to the principle of 'Data Quality' which provides that the personal data should not be collected by disloyal, fraudulent or by any means contrary to the Data Protection Act provisions. However, the principle of Loyalty and Transparency incorporates the 'transparency' approach to be considered within the personal data processing and is related to the duty to provide clear and accessible information to the data subject.

The principle of 'Purpose' states that, 'Personal data must be collected for specified, legitimate and explicit purposes, and must be processed in an appropriate and targeted manner.' (Article 6 of the Draft Law), and the principle of 'Minimisation' states that, 'Personal data must be processed in a way that is adequate, relevant and limited to what is necessary in relation to the purposes for which it was collected.' (Article 7 of the Draft Law). Both wordings are similar to the principle of Data Quality, provided under the Article 4 of the Data Protection Act7. The same consideration is applicable to the principle of 'Accuracy': its language is analogous to Article 4.4 of the Data Protection Act which provides that 'personal data shall be exact and updated as applicable', as well as Article 4.5 of the Data Protection Act, which sets forth that inaccurate or incomplete personal data should be cancelled, substituted, or completed.

The Draft Law sets forth a principle related to 'Data Retention,' comparable once again to the existing principle of 'Data Quality,' which provides that personal data should not be retained and shall be destroyed when it is not further necessary or relevant to the purpose for which it has been collected. However, Article 9 of the Draft Law, as a novelty, enables to retain personal data even for longer periods of time, as long as this retention is due to archive purposes related to the public interest, scientific or historical research, or statistics.

Accountability

One of the highlights of the Draft Law is the 'Accountability' Principle provided under Article 10 and 37 of the Draft Law. In accordance with this principle, Data Controllers and Data Processors shall undertake organisational and technical measures to grant an adequate, lawful and safe personal data processing, and these measures must allow evidence of its effective implementation before the AAIP.

Article 37 of the Draft Law provides guidelines for the principle of 'Accountability,' foreseeing that measures should be appropriate to the methods and purposes of the personal data processing, its context, the categories of personal data processed, and the risk to the data subjects' rights inherent to the personal data processing8.

Consent and other legal basis for personal data processing

While the Data Protection Act foresees data subject's consent as the ground for lawful personal data processing (admitting restrictive exceptions), the Draft Law extends the basis for legal data processing by including the following cases: (i) the data processing derives from a legal relationship between the data subject and the data controller, and it is necessary to its development or fulfilment; (ii) the data processing is necessary to safeguard the vital interest of the data subject; (iii) the processing of the data is necessary to comply with a legal obligation of the data controller (i.e. data controller compliance with legal duties such as the ones provided under Labor Law); and (iv) data processing is carried out in the exercise of the Government functions, among others.

Another novel aspect of the Draft Law is that it foresees not only to the express consent but also the tacit consent, which can be used as a viable consent. This tacit consent will be evaluated according to the circumstances, and according to the data categories at stake and the data subject's reasonable expectations. It should be noted though, that an express consent must still be required with respect to special categories of data such as health-related data or sensitive data.

Lastly, the Draft Law specifically foresees the data subjects' right to withdraw their consent. In this regard, it shall be noticed that, although it is not expressly provided for under the Data Protection Act, following the principles of the Argentine Civil Law, data subjects were always entitled to revoke their given consent.

Minors' consent

While the Data Protection Act does not foresee cases of minors or adolescents9, Article 18 of the Draft Law does, by providing that the consent given by 16-year-old individuals shall be considered valid within services designed or adequate for them. In the case of children under 16, their personal data processing should be consented by, if the consent is granted by their tutors or parents. data controllers shall undertake reasonable measures to verify the tutors' or parents' consent for the processing of children personal data under 16.

Security breach reports

The Data Protection Act does not provide an explicit obligation for notifying security breaches. However, the AAIP has included this report as part of the guidelines applicable to comply with the security measures required by the Data Protection Act10. The Draft Law closes any possible debate in connection with the report obligation by expressly providing that security incidents compromising personal data shall be notified to the AAIP and to the data subjects within 72 hours of its discovery.

Data subjects right not to be subject to automatised decisions

The Data Protection Act only foresees the right not to be subject to automatised decisions in connection with judicial or administrative decisions, while Article 32 of the Draft Law, in accordance with international current trends, extends this right to any decisions11. Notwithstanding, the Draft Law admits certain exceptions to the exercise of this right, as it is the case of the consented data processing, or when the automatic processing is authorised by Law or when it is necessary for the fulfilment of the data controller's obligations pursuant to a contract with the data subject.

Right to data portability

Although there are admitted exceptions, the Draft Law entitles data subjects to request its personal data to the data controller, in a structured, commonly used, and machine-readable format, as well as to request its personal data to be transferred to another data controller.

Other best practices which the Draft Law enforces

Among others, the Draft Law incorporates, as binding principles, the principles of Privacy by Design and Privacy by Default12, which are currently provided under some dispositions, as recommendation or best practices. Following this principle, the Draft Law includes the obligation to conduct Data Privacy Impact Assessments, prescribing the issues to be addressed13, and the appointment of the data privacy officer for specific cases14.

Sanctions

If the Draft Law is passed, sanctions will be increased: the fines are established at 550 minimum wages15. Also, the Draft Law foresees suspensions and closures of the respective establishments. It is expected by most privacy law practitioners in the country that the reasonable increase and effective application of the fines, which are currently regarded as low, will improve compliance with the law in the benefit of data subjects.

Conclusion

The Draft Law would enter into force two years after it is approved. During said period, entities are expected adapt their practices to the new standards and principles regarding the processing of personal data if they are not yet in compliance with them.

Moreover, despite the Draft Law enactment, it is highly advisable for companies processing personal data to check their compliance with the data privacy law but also with international standards of compliance and best practices. These standards are crucial, the AAIP will most likely continue issuing regulations to update the Data Protection Law to international standards and best practices, even if this Draft Law is never passed. It is expected that some of the issues introduced by the Draft Law will be, nonetheless, binding in light of new agency dispositions.

This Article has addressed some of the highlights of the Draft Law but is not intended to be an exhaustive analysis. Moreover, the Draft Law could be modified within the congress discussions, and thus some of the aspects addressed herein would need to be subject of further consideration.

Gabriela Szlak Partner
[email protected]
Lucia Suyai Mendiberri Associate
[email protected]
Lerman & Szlak, Buenos Aires


1.The Argentine Adequacy Decision is available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32003D0490
2. See: https://www.senado.gob.ar/parlamentario/comisiones/verExp/2986.20/S/PL
3. The fundamentals of the Draft Law indeed state that it has been based on the Bill passed by the Executive Branch in 2018 and has incorporated changes and additions to ensure a proper data protection. Also, it is recognized that the Draft Law has been inspired in several international sources such as the GDPR, the personal data protection standards for Ibero-American States dated June 20, 2017, and the Organic Law on the Protection of Personal Data and Guarantee of Digital Rights of the Spain 3/2018. Lastly, is also declared that the initiative aims to maintain the adequacy decision of the European Commission. The Draft Law is available at: https://www.senado.gob.ar/parlamentario/comisiones/verExp/2986.20/S/PL
4. It was argued that the Data Protection Act was only applicable to the databases aimed to provide reports – as it is stated under section 1.
5. Furthermore, the AAIP set the standard that a database is not considered 'of private use' when its data is used to conduct evaluations that affect or impact data subjects’ rights. Personal Data Protection Directorate Note DNPDP Nº 816/2009-3471.
6. In principle the Draft Law would be applicable to any data processing other the one deemed 'private.' The private use of data that should not be subjected to the Draft Law is the one conducted by a human person for its or its family's private use.
7. Article 4.1 of the Data Protection Act, related to Data Quality Principle states, 'The personal data collected for the purpose of processing must be true, adequate, relevant and not excessive in relation to the scope and purpose for which they were obtained'; and Article 4.4 of the Data Protection Act states, 'The data being processed shall not be used for purposes other than or incompatible with those for which they were obtained.'
8. Also, Article 37 of the Draft Law sets forth the minimum aspects that should be addressed: (i) internal procedures to adopt the measures; (ii) procedures implementation of attending the data subjects' requests in connection with their rights; and (iii) it shall be foreseen internal and external audits to supervise the compliance with the measures undertaken. Moreover, it is specially provided that the referred measures should be adopted in a manner to evidence its compliance before the AAIP and that privacy policies or autoregulating systems shall be adopted as they will be considered by the AAIP to corroborate the compliance by the data controller.
9. The AAIP issued Disposition AAIP 4/2019 setting forth guidelines and best practices indicators for the Data Privacy Act application addressing the minors and adolescents' cases. Guideline Nº5 of this document states that minors and adolescents' consent shall be considered by applying the progressive autonomy principle. If the person is deemed uncapable of given its consent, parents or tutors should give their consent for their personal data processing.
10. Disposition AAIP 47/2019.
11. Article 20 of the Data Protection Act states: 'Judicial decisions or administrative acts involving the assessment or evaluation of human conduct may not be based solely on the result of the automated processing of personal data that provides a definition of the profile or personality of the data subject.'
12. Article 38 of the Draft Law.
13. Article 40, 41 and 42 of the Draft Law,.
14. Article 43 and 44 of the Draft Law,.
15. In January 2021, this amount is approximately 4.5 million pesos.