Privacy & Information Security Law Blog

As previously published on the Data Privacy Laws blog, Pablo A. Palazzi, partner at Buenos Aires law firm Allende & Brea, provides the following report.

Earlier this month, the Argentine Data Protection Agency (“DPA”) posted the first draft of a new data protection bill (the “Draft Bill”) on its website. Argentina’s current data protection bill was enacted in December 2000. Argentina was the first Latin American country to be recognized as an adequate country by the European Union.

The Draft Bill will take into consideration several changes proposed in a public consultation during 2016. The Draft Bill is heavily based on the EU General Data Protection Regulation (“GDPR”) that will come into effect in 2018 and maintains the structure of Argentina’s current data protection bill.

The DPA will be accepting comments on the Draft Bill through February 24, 2017, using the digital platform created by the government for public participation in rule making. Comments are also accepted by paper and in English or Spanish.

Changes introduced in the Draft Bill include:

• the elimination of the duty to register databases;
• the recognition of only individuals as data subjects, whereas the current data protection bill covers both individuals and legal entities (e.g., companies);
• the addition of several new definitions, such as biometric data and genetic data, among others;
• the introduction of new ways to determine whether an entity or certain data processing is subject to Argentine law, quite similar to the criteria found in the GDPR;
• the introduction of new legal bases, other than consent, for data processing, including processing that is in the legitimate interests of the data controller (with a test similar to the GDPR);
• an overhaul of the current rules of international transfers of personal data, including allowing Binding Corporate Rules as a legal basis for data transfers; and
• an introduction to sections on child consent (processing personal data of children under 13 is now allowed with consent from a parent), cloud computing, data breaches, accountability, privacy by design and by default, the duty to have a data protection officer and mandatory privacy impact studies.

Credit reports, one of the main issues with the current data protection bill, have received certain amendments, such as the time limit on retaining negative data as well as the introduction of a duty to notify an individual in the event that certain agreements are not entered into as a result of negative information in a credit report. It should be noted that, because of the elimination of protections for legal entities, the Draft Bill will not apply to financial information of corporations.

Finally, one of the last amendments proposed in the Draft Bill is the independence of the DPA from any other governmental entity.

The DPA is expected to send the Draft Bill to the President later this year. The Draft Bill will be discussed by Congress in 2018.