On February 2017, the Argentine Data Protection Agency (“DPA”) posted online the first draft bill for a new data protection act. Argentina current data protection was enacted in December 2000 and has been effective since then. Argentina was the first Latin American country to be recognized as an adequate country by the European Union.
The new bill was prepared taking into consideration several changes proposed in a public consultation during 2016. The bill is heavily based on the EU GDPR but with some changes and maintains the model of the old law in terms of structure.
The DPA shall be accepting comments on the draft bill from February 1 to 24, 2017 using the digital platform created by the Government for public participation in rulemaking. Comments are also accepted by paper and in English or Spanish.
Among the changes introduced by the draft bill is the elimination of the duty to register databases.
Also, the draft bill only recognizes individuals as data subject; the current data protection act covers both individuals and legal entities (e.g. companies). Moreover, the proposed bill adds several new definitions like biometric data and genetic data, among others.
The draft bill introduces new ways to determine whether an entity or certain data processing is subject to Argentine law, quite similar to the criteria found in the European General Data Processing Regulation. Also, and in connection with the European regulation, the proposed bill introduces new legal basis, besides consent, to allow data processing, like the legitimate interests of the data controller (with a test similar to the GDPR).
Among other changes, the draft bill makes an overhaul of the current section dealing with international transfers, including Binding corporate rules as a legal basis for data transfers.
The Bill also introduces sections on child consent (now processing under 13 allowed unless consent from parent), cloud computing, data breaches, accountability, privacy by design and by default, the duty to have a data protection officer and mandatory impact studies.
Credit reports, one of the main issues of the current data protection act, has received certain amendments, like the time limit to kept negative data as well as the introduction of a duty to inform an individual in the event that certain agreement or equivalent was not entered into due to negative information contained in a credit report. It should be noted that, considering the elimination of protection for legal entities, the data protection act will not apply to financial information of corporations.
Finally, one of last amendments proposed by the DNPDP in its draft bill is the independence of the DPA from any other governmental entity; currently, the DNPDP depends from the National Ministry of Justice and Human Rights. The bill seeks to remedy one of the observations made by the European Union when Argentina was deemed a jurisdiction with an adequate level of data protection.
We expect the DPA to send the Bill to the President later this year. The Bill will be discussed during 2018 in Congress.
Pablo A. Palazzi is a partner at Allende & Brea, a law firm based in Buenos Aires.
Andres Chomczyk is an associate Allende & Brea.
Text of the draft bill here.
Text of the Report of the DPA here.
Summary of the paper used to open the public consultation.