New Data Protection Bill

On September 18, 2018, the Argentine Executive Brach introduced the bill MEN-2018-147-APN-PTE (the “Bill”). Such bill is intended to replace Personal Data Protection Law No. 25,326 (the “Law”), enacted in 2000.

The Bill is part of the efforts of the National Directorate of Personal Data Protection, formerly the Data Protection Authority, which in mid-2016 came up with a first draft which was shared with the public and private sectors for comments. Based on the feedback received, the National Directorate of Personal Data Protection prepared a second draft during May, 2017.

The Bill highlights the need to replace the current Law based on the fact that is has become outdated in comparison to the technological and legal developments, especially regarding the passing of the European General Data Protection Regulation (the “GDPR”).

The most significant changes include the following:

• The Bill introduces new definitions aligned with the EU regulations, such as the concept of data base, personal data and sensitive data. At the same time, the Bill introduces new concepts regarding genetic data, biometric data, economic group, security incidents and international transfer.
   
• The Bill limits the scope of the concept of data subjects to human persons. Therefore, legal entities are excluded from the scope of the Bill.
   
• The Bill introduces new grounds for the collection and processing of personal data different to consent, such as legitimate interest.
   
• The Bill widens the protection of data by stating that the purpose of the law will be the comprehensive protection of personal data, and not limiting it —as the Law currently does— to the personal data included in data base, either private or public, aimed at preparing reports,  so as to guarantee the full enjoyment of subject data’s rights.
   
• The Bill introduces the concept of accountability as a general principle for the fulfillment of the obligations that arise from the law in line with most international data protection laws.
   
• The Bill updates data subjects’ rights by including the right to oppose to the processing of their data, the right to oppose to be subject of a decision made being based on the automatized processing of their data, the right to data portability, by which the subject data is able to request to the data controller a copy of the personal data subject to the processing, and the right to request their data to be transferred to another company, if technically feasible.
   
• The Bill introduces the obligation to report to the controlling authority and data subjects any security incident.
   
• The Bill introduces the Data Protection Delegate, who will carry out specific functions.
   
• The Bill introduces new provisions regarding sensitive data so as to bring more clarity to those in charge of dealing with such category of data.
   
• Regarding the international transfer of personal data, the Bill introduces the cases when such transfer is legal.
   
• The Bill introduces the obligation of the data controller to conduct impact evaluations in those cases in which the nature, scope, context and purpose of the treatment of data may affect data subjects’ rights.
   
• The Bill introduces an increase in the penalties for infringement.
   

Additionally, the Bill includes the provisions of Law No. 26,951 regarding the National “Do Not Call registry” (Registro No Llame) (see “Draft Data Protection Bill”, “Personal Data Protection: Important Developments”, and “New regulation of the ‘Do Not Call Registry’”). The wording of such terms will be adapted in order to improve the proceeding aimed at evaluating possible infringements.

Finally, the Bill provides for a two-year transition period if the Bill is passed into law.