DPA of Argentina issues report about amendment of the law

On December 2016 the DPA of Argentina issued a report containing its full conclusions of the process of amendment of the data protection act of Argentina. The text of the report is a compilation with a summary of each proposal of academia, civil society, internet companies and chambers of companies, indexed by areas of the law. Still there is an interrogation mark with respect to the amendment of the Data Protection Act of Argentina, which in December 2016 turned 16 years old. Argentine’s statute was recognized as adequate by the EU Commission and the DPA opened a consultation process in early 2016.

The PDF is available below, with the letter that the DPA issued on December 19, 2016.

 

 

La DNPDP, la agencia de protección de datos de Argentina abre el proceso para modificar la ley 25.326 luego de 16 años de vigencia. Esta apertura ocurrió en marzo de 2016 y luego de varios meses la DNPDP compilo todas las presentaciones de académicos, empresas de internet, organizaciones de la sociedad civil y camaras empresariales. El siguiente es el texto en castellano en la web de la DNPDP.

El proceso de reflexión se desarrolló en el marco de los trabajos de la Dirección Nacional de Protección de Datos Personales y formó parte de la plataforma Justicia 2020 del Ministerio de Justicia y Derechos Humanos de la Nación.

La ley argentina sobre protección de los datos personales (Nº 25.326) fue sancionada en octubre del 2000. Sin duda, los cambios de la tecnología en los últimos quince años impactaron en la protección de la privacidad. Asimismo, presenciamos un nuevo contexto normativo internacional, particularmente por los recientes cambios ocurridos en Europa. Por estas razones, la DNPDP inició un proceso de reflexión sobre la necesidad de una reforma a la ley citada. Este proceso fue convocado dentro del programa de “Justicia 2020” del Ministerio de Justicia y Derechos Humanos de la Nación.

 

Para dar transparencia y publicidad a este proceso, se optó por compilarlo de manera estructurada y por temas en el documento Ley de Protección de los Datos Personales en Argentina (Sugerencias y aportes recibidos en el proceso de reflexión sobre la necesidad de su reforma. Agosto-Diciembre 2016). El documento refleja las sugerencias y opiniones de los distintos actores que acudieron a la convocatoria de la DNPDP y tiene como principal objeto el de constituirse en un insumo importante para una futura discusión sobre las reformas necesarias para mejorar la protección de los datos personales en Argentina.

 

Pablo Palazzi

 

Continue reading

Argentina – new regulation on international transfer of personal data

Argentina – New regulation on data transfers – See Spanish version here.

The Argentina data Protection Agency (DPA) has issues a new regulation on international transfers of personal data (DNPDP Disposition 60 – E/2016). Under the new regulation the DPA has:

  • Approved a model form for international transfers to a data controller and also another form for transfer to a data processor (for rendering services).
  • The model is party based in the EU model with some changes.
  • If the data controller is using a different model, then he needs to file its agreement with the DPA for approval within 30 days.
  • The new regulation list countries that are considered adequate (those recognized as adequate by the EU).

The Battle for Encryption in Brazil

This piece was written by Danilo Doneda and Joana Varon and originally appeared here.

The Facebook-owned messaging platform WhatsApp is the leader in the Brazilian mobile messaging market, surpassing 100 million users. Brazilians have long ceased to use SMS messaging as a means of daily communication. The strong presence of WhatsApp is favoured by some telecom companies delivering the service for ‘free’ in the zero-rating model, in which the app doesn’t use a person’s data.

Hence, the multiple recent bans on WhatsApp’ services ordered by Brazilian magistrates ignited widespread discussion. Currently, the platform has been ordered to suspend its services four times, with law enforcement authorities arguing that the company hasn’t released to law enforcement user data which was deemed fundamental for criminal investigations. The issue recently escalated with WhatsApp adopting end-to-end encryption by default to all its users, meaning that, in theory, the company will hold no user content data.

Throughout 2016, several court orders have demanded temporarily blockage of WhatsApp due to disputes over access to encrypted data, however, Brazilian Law does not prohibit or ban encryption. The most recent of these court orders occurred in October 2016. The third order occurred in July 2016 and the platform was subsequently banned in the country for hours. Unlike previous cases in which a magistrate required the company to produce users’ IDs and the content of conversations, in this case the magistrate asked WhatsApp to disable its encryption and allow for real time monitoring of conversations. The case in question was an investigation on criminal organizations.

Continue reading in original here.

Access to CCTV footage

I have discussed in this blog issues related to CCTV regulation  the past, specially in Argentina the CCTV resolution enacted in the year by the DPA that requires companies to register the database of CCTV footage, and to include visible signs indicating use of CCTV monitoring and an internal manual.

Now the DPA has issued a new legal report related to access to footage of CCTV. The report of the DPA is an answer to several financial entities that requested the DPA to explain how to grant access to CCTV footage at the request of access by an individual. The CCTV regulation generally mentions that the right of access exists but do not explain how this access should take place if there is a vague access request (e.g. the bank will have a huge expense in searching all the CCTV footage of several months).

In this report the DPA clarifies that the data subject may send as part of it request a photo so the data controller can identify the frames where the data subject was recorded.

In addition the DPA points out that the request may be subject to a fee if it is too onerous to a bank. The information can be provided in writing or recorded in a CD-ROM.

Text of the report.