New Preliminary Draft for Replacing the Argentine Data Protection Law

Among the main modifications to the current data protection regime, the Preliminary Draft:
 

• Incorporates new definitions such as "anonymization", "informational self-determination", "profiling", "biometric data", and "genetic data".
• Eliminates legal entities as data subjects.
• Changes the definition of sensitive data by including as reference only the current categories of sensitive data -as identified in the Personal Data Protection Law- and defining it as any information that may cause discrimination. Biometric and genetic data are included.
• Regulates the extraterritorial application of the law.
• Introduces the concept of accountability. 
• Recognizes new legal basis on top of consent for processing personal data, including legitimate interest.
• Specifically, regulates the processing of minors’ personal data.
• Introduces the obligation of data controllers to report security incidents to the data protection authority and, under certain circumstances, to the data subjects.
• Introduces new rights such as the right to object to the personal data processing (not limited to marketing, as before), the right to data portability, and the right to not be subject to decisions based solely or partially on automated data processing.
• Establishes the obligation, under certain circumstances, to carry out data impact assessments, and sets the minimum contents of these assessment.
• Introduces the role of the data protection officer and the obligation to appoint one in certain cases. 
• Introduces the need to appoint a representative in Argentina when the data controller or data processor is bound by the preliminary draft and is not settled in the country.
• Creates the National Registry for Data Protection in which data controllers and data processors required to appoint a DPO and/or a Representative must be registered.
• Provides certain regulations regarding profiling and scoring of data subjects.
• Establishes that the data protection authority may impose the following sanctions, among others: (a) suspension of the activities related to personal data processing, (b) closure of operations involving processing sensitive data and minors’ data.

The data protection authority may impose fines from 5 to 1,000,000 adjustable units (approximately USD 70,000,000 at the current exchange rate) or from 2% to 4% of the total worldwide annual turnover of the preceding financial year. The initial value of the adjustable unit will be ARS 10,000 (approximately USD 70 at the current exchange rate) and will be updated annually according to INDEC's Customer Price Index. 
 

The preliminary draft was open for public consultation until October 11, 2022. The Agency for Access to Public Information will now consider all the comments received and probably publish an updated version of the preliminary draft.