New Bill to Replace the Current Personal Data Protection Law

The bill (text in Spanish available here) is heavily inspired by the “New Version of the Preliminary Bill of the Personal Data Protection Law,” published on the official website of the Argentine Data Protection Authority (the “Agency”) and it has great similarities with the Personal Data Protection Bill that the former administration submitted to Congress back in 2018 (more information available here).

The purpose of the new bill is to update the applicable legal regime ensuring the rights and guarantees set forth in the Argentine Constitution by adapting them to new technologies and to the regulatory changes that took place internationally in recent years. Since 2003, Argentina is considered by the European Union as an adequate country, but that status — as is the case with all other jurisdictions with the same status — is being assessed by the European Commission in light of the GDPR. Therefore, the reform is also seeking to maintain international standards.

The most significant changes introduced by the bill to current Data Protection Law No. 25,326 include:

• adding new definitions aligned with the GDPR (such as those of genetic data, biometric data, economic group, security incidents, and international transfer);
• limiting the scope of the concept of data subjects to human persons;
• adding new grounds for the collection and processing of personal data other than consent, such as legitimate interest;
• adding the concept of accountability;
• updating data subjects’ rights by including the right to oppose the processing of their data, the right to oppose subjection to a decision made on the basis of  automatically processed data, and the right to data portability;
• adding the obligation to report certain security incidents to the controlling authority — and, in some cases, the automated processing of data;
• creating a Data Protection Officer; and
• increasing monetary penalties in cases of breach.

Many of these changes were already in the 2018 bill. However, the new bill differs from the 2018 bill in that:

• it adds to the definition of “data anonymization” that “a person shall not be considered identifiable when the proceeding that must be applied to achieve their identification requires the application of disproportionate or unfeasible measures” (in line with Provision 4/2019 of the Data Protection Authority);
• it modifies the law’s scope of application by eliminating the possibility that data subjects cherry-pick which law (the most favorable) applies to them (imposing the application Argentine law instead);
• it removes legitimate interest as a permissible legal basis for the State;
• it adds the definition of adequate country as “a country or international or supranational organization that provides an adequate level of protection that directly results from the legal system in force”;
• it removes falsehood and error as enabling criteria for the data subject to request the right to rectify his/her data;
• it adds that in cases of automated decisions, where those decisions are made against the backdrop of a contract or with the express consent of the data subject, the controller must ensure human intervention in the decision (to express his/her point or view or to challenge it);
• it adds that the supervisory authority (i) must collect the fees that are set for the registration services and other services it provides; (ii) can draft proposals for legislative reforms; and, (ii) may enter into cooperation agreements with public or private entities, whether national or international, to fulfill its functions;
• it clarifies that in the event that the data subject does not receive an answer from the data controller within 10 business days, all the data subject needs for the data protection procedure to be initiated is to demonstrate to the supervisory authority when the request was made;
• it increases the maximum amount of monetary fine from 500 Minimum Vital and Mobile Wages to 5,925 Minimum Vital and Mobile Wages (which today would amount to AR$ 121.980.937,50) or, in the case of corporations, to an amount equivalent to 2% of the total annual turnover of the previous financial year, whichever is higher;
• it removes the obligation of both the supervisory authority and the sanctioned party to publish the sanctioning resolution on their website;
• it adds the data subject, the Ombudsman, sectorial associations, the supervisory authority (only as a third party collaborating with the processing) and the office of the prosecutor, as legitimate parties to initiate collective actions.

The bill has not made significant progress yet. It is expected to be discussed in Congress sometime next year.