Draft Law on the Protection of Personal Data in Argentina

IP expert at the Latin America IP SME Helpdesk

If you are an SME in the European Union, you are surely familiar with the famous General Data Protection Regulation (also known as “GDPR” among friends). The GDPR is Europe’s data privacy and security law that establishes some of the most stringent rules and highest standards around the world concerning personal data. For this reason, the GDPR has served as an example to follow by many countries around the world and this is the case with Argentina.

The Personal Data Protection Act 25.326 (“PDPA”) (Ley de Protección de los Datos Personales) was enacted in 2000 to protect personal data, and at the time made Argentina one of the pioneering Latin American countries to legislate on data protection and the first to achieve “adequacy” qualification for data transfers from the EU.

However, the GDPR entered into force in the EU, and Argentina’s legislation became outdated. After several resolutions, rules, guidelines to complement the law, and a couple of failed draft bills, Argentina's Agency of Access to Public Information, their data protection authority (“DPA”), started a reform process in September 2022. Currently, the long-awaited Draft Law on the Protection of Personal Data (the “Draft Law”) is with the National Congress of Argentina pending approval. If approved, it will be the first major legislative reform in data protection in Argentina since 2000.

The Draft Law follows the provisions of the GDPR in many aspects and in this article, we will have a look at the main similarities and differences between the GDPR, the current and proposed data privacy law of Argentina.

Differences between the GDPR vs PDPA vs Draft Law

Other changes proposed by the Draft Law

The Draft Law introduces several other notable changes to the current data protection regime. These include:

·Processing of Personal Data: The Draft Law abandons the consent-based approach to data processing, replacing it with a system of justifications, including the legitimate interest of the data controller.

·Expanded Data Subject Rights: The Draft Law extends data subject rights, incorporating new rights such as limitation, portability, and objection, as well as rights related to automated decisions and profiling.

·Data Protection Delegate and Impact Assessment: The Draft Law introduces the figure of the Data Protection Delegate (“DPD”), responsible for data protection compliance, and mandates data protection impact assessments for certain data processing activities.

·Representative for Non-Resident Controllers: The Draft Law establishes the concept of a "representative" for data controllers and processors not established in Argentina but subject to the law's application.

·National Registry for Personal Data Protection: The Draft Law creates the National Registry for Personal Data Protection, where data controllers and processors must register to demonstrate compliance.

·Special Provisions for Credit Information: The Draft Law outlines specific rules for processing credit information, including the obligation to notify changes in a data subject's credit situation.

·Enhanced Enforcement Mechanisms: The Draft Law strengthens enforcement mechanisms with the introduction of a mobile unit for applying fines, subject to the Consumer Price Index, and the option of imposing fines up to 4% of an offender's total annual global turnover.

The Role of the National Data Protection Authority

In the evolving landscape of data protection in Argentina, the role of the DPA has become pivotal. The DPA will be tasked with overseeing the implementation of the new regulations and ensuring that businesses comply with the updated requirements.

One significant aspect is the Principle of Proactive and Demonstrated Responsibility (also known as the “accountability” principle). This principle requires controllers and processors to adopt necessary due diligence measures to ensure proper processing of personal data, demonstrating effective implementation of the Draft Law.

Implications for EU SMEs

For EU SMEs already acquainted with the GDPR, the alignment of Argentina's new data protection legislation brings a sense of familiarity and ease in international data transfers. The extraterritorial scope of application ensures that even if a business is not physically present in Argentina, if it processes data related to the offer of goods or services to persons located in Argentina, or is in a jurisdiction where Argentine laws apply, it must adhere to the regulations.

In addition, where EU SMEs are not established in Argentina but process personal data in Argentina, a local representative must be designated under the Draft Law, who will act on their behalf. The only exception to this rule is where the processing of data is only occasional. Other obligations and requirements for data controllers and processors that the Draft Law will introduce include the appointment of a DPD (in some cases), the registration in the national registry, the notification of security incidents, and the implementation of privacy by design and by default, among others, which will demand a higher level of responsibility and accountability from the data processing actors.

Furthermore, the incorporation of new rights for data subjects, such as the right to limitation, portability, and opposition, adds an extra layer of protection and control over personal data. For EU SMEs, understanding and adapting to these rights will contribute to building trust with Argentine consumers and adherence to the new law.

Here are some steps you can take as an EU SME to prepare for the Draft Law:

·Review Data Processing Activities: Thoroughly review all data processing activities to identify any potential non-compliance with the Draft Law.

·Update Privacy Policies: Update privacy policies to reflect the new data protection requirements and ensure clear and transparent communication with data subjects.

·Implement Technical and Organisational Measures: Implement appropriate technical and organisational measures to safeguard personal data, including data minimisation, anonymisation, and encryption.

·Appoint a DPD (if applicable): If required, appoint a DPD to oversee data protection compliance and collaborate with the DPA.

·Monitor Regulatory Changes: Closely monitor ongoing developments and ensure adherence to the final version of the Draft Law when enacted.

Conclusion

Argentina's Draft Law on the Protection of Personal Data means a significant step towards modernising and harmonising its data protection landscape with international standards, especially the GDPR. The proposed changes, from redefining the scope and rights of data subjects to introducing novel concepts like the Data Protection Delegate, reflect a commitment to robust data protection practices.

For EU SMEs operating in Argentina, understanding the proposed changes, and taking proactive steps to comply are crucial to navigating the evolving data protection landscape. By proactively addressing compliance requirements, EU SMEs can safeguard the privacy of their Argentinean customers, build trust, and foster long-lasting relationships in the Argentinian market.

As the Draft Law progresses through the legislative process, keeping a watchful eye on developments and proactively adjusting data protection practices will be key.