New Personal Data Protection Bill

By Andrea Sanchez Vicentini, Josefina Piñeiro, Mariano Peruzzotti and Julieta Martinez Correa.

I. Current regime.

In 2000 Personal Data Protection Law No. 25,326 (“PDPL”) was passed, which was subsequently regulated by Decree No. 1558/2001 and several resolutions, provisions and other regulations issued by the Argentine Agency for Access to Public Information (“AAPI”). Although no substantial changes have been made to the PDPL since it was enacted, Argentina has acceded to the following international instruments:

– Convention No. 108 on the Protection of Persons with regard to the Automated Processing of Personal Data of the Council of Europe.

– Convention 108+ (the protocol modernizing Convention 108), also of the Council of Europe, which was ratified by Argentina in April this year.

II. Reform process of the current regime.

The PDPL reform process began with the AAPI initiative in August 2022. After several meetings held by the AAPI, a draft bill was released. Moreover, a public consultation was opened in September 2022.

In November 2022, the first version of the Bill was published after receiving more than 140 comments and observations. In February 2023 the AAPI published a new version of the Bill which was reviewed by the Legal and Technical Secretariat of the Chief of Cabinet Office within the structure of the Executive Branch. Finally, the President signed and introduced the Bill in Congress. The text of letter 87/2023 can be consulted in the following link. It is expected that the Bill will be discussed by the Constitutional Affairs, General Legislation and Budget and Finance committees soon.

According to the AAPI’s position, the update of the PDPL is necessary to strengthen state capacities for regulation and management of public policies in order to face the new challenges imposed by technological transformation and development in a globalized digital economy, and at the same time contribute to the harmonization of regional and international standards in the field of personal data protection, taking a human rights approach and with a sovereign perspective.

III. Changes incorporated in the reform.

In many aspects the Bill follows the provisions of the EU General Data Protection Regulation (“GDPR”). The main changes introduced in the Bill considering the current PDPL are the following:

Definitions

New terms have been introduced in the catalogue of definitions, including:

  • consent;
  • international data transfer;
  • genetic data;
  • biometric data;
  • anonymization;
  • pseudonymization;
  • profiling;
  • controller;
  • processor;
  • representative (similar to article 27 of the GDPR);
  • third parties; and
  • Data Protection Officer.

Data subject

Unlike the PDPL, the Bill only covers the personal data of natural persons excluding the information of legal persons.

Territorial scope

Following the GDPR and other similar rules such as the Brazilian General Data Protection Law, the Bill will apply to organizations outside Argentina if they offer goods or services or monitor the behavior of people in Argentina, among others.

Principles

Data minimization and accountability are introduced as data processing principles.

Legal basis

The Bill provides for 6 legal bases to validate the collection and processing of personal data, including legitimate interest. Under the PDPL, the only legal basis is consent (with a limited number of exceptions to the consent rule).

Sensitive data

Additional legal bases are introduced for the processing of sensitive personal data. The Bill includes the criteria of reinforced responsibility in the treatment of this type of information.

Children

The Bill provides special safeguards for children and includes specific rules to protect children’s personal data when processed in the context of information society services.

Data breaches

The Bill imposes an obligation to report data breaches to the AAPI without undue delay and within 72 hours of being aware that the breach is likely to pose a risk to the rights of data subjects. Data subjects should also be informed of the breach if it is likely to result in a high risk to their rights.

Cross-border data transfer

The Bill rules that the international data transfer will be permitted when:

  • the third country ensures an adequate level of protection of personal data as determined by the AAPI;
  • the exporter provides adequate safeguards on data processing conditions (such as model contractual clauses, binding corporate rules or certification mechanisms); or
  • a transfer falls under one of the exceptions for specific situations (including consent).

Rights of the data subject

New rights are added to the current list of rights granted in the PDPL (i.e. the right to information, access, rectification, update, erasure, confidential treatment as well as to withdraw consent), namely:

  • the data portability right;
  • the right not to be subject to automated decision-making (or profiling); and
  • the right to obtain the limitation of treatment.

The deadline for responding to a data subject’s request is 10 business days.

Data protection impact assessment

Where the controller is considering conducting a kind of data processing activity that –based on the nature, scope, context and purposes– is likely to result in risks to the rights of data subjects, an assessment of the impact of the envisaged processing must be carried out. Like the GDPR, the Bill lists the cases where such assessment is mandatory and sets forth the minimum content that it shall contain. Prior consultation with the AAPI is mandatory if the result of the assessment reveals a high risk to the data subjects’ rights.

Data Protection Officer

The appointment of a data protection officer is mandatory in certain situations and voluntary in other cases. The Bill describes the position, qualifications, requirements and tasks for this position. A group of undertakings may appoint a single data protection officer. The role may be covered by an employee of the controller or under a service contract.

Representative

In accordance with the GDPR, a representative must be appointed by foreign controllers and processors who are covered by the provisions of Argentine law considering the rules of territorial scope.

The Bill imposes the joint liability of representatives for breaches to the data protection law committed by the relevant controller or processor.

National registry

Controllers and processors who must appoint a data protection officer as well as those who must appoint a representative must be registered with the AAPI. It will no longer be necessary to register databases.

Fines

The Bill introduces substantial changes to the sanction regime. Fines will be calculated based on a mobile unit, which will be established at an initial value of Argentine Pesos 10,000 (USD 36,40 at the current official exchange rate) and will be updated annually using the variation of the consumer price index (CPI) published by the National Institute of Statistics and Census (INDEC) or the official indicator that could replace it in the future. Fines range from 5 mobile units up to 1,000,000 mobile units or from 2% to 4% of the total global annual turnover of the previous financial year.

IV. Changes made to the latest version.

The main changes introduced in the Bill filed in Congress considering the draft released in February are the following:

Treatment by the National State

The material scope of the law includes provisions on the processing of personal data by the public sector for the purpose of safeguarding public security, defending the nation, protecting public health and the freedoms of others.

The Bill also sets forth guidelines on the processing of personal data by the public sector, including transfers of personal data.

On the other hand, the specific references to the Army, security forces and intelligence agencies were removed.

Legitimate interest

The Bill includes guidelines to test and validate the existence of legitimate interest as legal basis to process personal data. The controller must conduct a detailed, prior and documented assessment, which shall consider the context and circumstances in which the treatment will be carried out and the level of risk involved. The principle of data minimization should be taken into account when relying on legitimate interest. Moreover, the use of this legal basis should be restricted following the criteria of proportionality and reasonableness.

Processing of minors’ personal data

The new version of the Bill modifies the rules applicable to the processing of personal data of minors by establishing the age of a valid consent at 16 years (instead of 13 years).

The Bill introduces a new exception to the prohibition of processing sensitive data of children and adolescents in cases where the data treatment is strictly necessary to safeguard their vital interests provided that their parents or guardian are unable to give consent.

Duty of confidentiality

The person responsible may only be exempted from the duty of confidentiality by means of a judicial decision or legal obligation. The previous version also included the AAPI’s order and the administrative act issued by competent authority based on reasons of public policy as additional exceptions to the confidentiality rule.

Federal jurisdiction in interconnected networks

The Bill establishes that federal jurisdiction will apply when databases are interconnected in interjurisdictional, national or international networks. Although this was not included in previous versions of the Bill, a similar provision can be found in the PDPL.

Coming into force

The new law would enter into force 180 days after its publication in the Official Gazette. Unlike the previous versions of the Bill, no grace period to adjust practices, policies and proceedings is granted.

New sanctions applicable to the PDPL

Until the new law enters into force, any infringement of the PDPL will be sanctioned following the rules of the Bill. Thus, the new sanction regime will apply once the law is published in the Official Gazette. That means that the new sanctions created by the Bill will be applicable to any infringement of the current PDPL.

V. Final remarks.

The Bill has a long road ahead to final enactment. It will have to get past this year’s elections, so the discussion of the legislative initiative in Congress might be delayed. However, it is crucial to initiate a debate towards updating a legal framework that dates back more than 20 years and needs to be refreshed. In that sense, there is another draft submitted by Congresswoman Banfi, which is also pending consideration in Congress.

For further information please contact: mperuzzotti@ojambf.com, asanchezvicentini@ojambf.com and/or jpineiro@ojambf.com.