Argentina incorporated the right to personal data protection in 1994 through Article 43 of the National Constitution. However, the Act was enacted in 2000, establishing the primary principles and regulations for the protection of personal data. Additionally, Decree No. 1558/2001 was implemented to introduce further rules, which have been complemented by dispositions and regulations issued by the data protection authority (DPA), currently the Agency for Access to Public Information (AAPI). This robust legal framework enabled Argentina to be recognized by the EU as a country that offers adequate levels of protection in 2003.

All these regulations made Argentina one of the pioneering Latin American countries to legislate on data protection. However, since the Data Protection Directive (Directive 95/46/EC) was replaced by the General Data Protection Regulation (GDPR), Argentine regulations became outdated.

Hence, in 2016, the former DPA began working on a draft bill (the First Bill) aimed at replacing the Act. The First Bill was submitted by the Executive Branch to Congress in September 2018 and incorporated key principles of the GDPR, although it was less specific in its provisions. However, the First Bill lost its parliamentary status in March 2020. Subsequently, three other bills, based on the First Bill, were introduced by different political parties in 2020 and also lost their parliamentary status.

In this context, in September 2022 the AAPI called upon various stakeholders from the public sector and civil society to collaborate in the development of the New Bill. The AAPI encouraged the use of comparative regulations, such as the GDPR, Conventions 108 and 108+, UNESCO's Artificial Intelligence Ethics Recommendations, the standards issued by the Ibero-American Data Protection Network, as well as the laws of Brazil and Ecuador, and draft laws of Chile, Paraguay, and Costa Rica, as references for the New Bill. Local considerations took into account the First Bill and the other bills, which, as anticipated, had also lost parliamentary status.

Some of the most relevant changes incorporated into the New Bill in comparison to the Act are discussed below.

New definitions

The New Bill introduces new definitions, including biometric data, genetic data, pseudonymization, and profiling. However, these definitions do not introduce significant changes compared to the current definitions.

Nevertheless, in the New Bill, the definition of 'data subject' is narrower compared to the one provided in the Act. It now only includes human individuals whose personal data is subject to processing, excluding the processing of data of legal entities.

Contrarily, the New Bill provides a broad definition of 'sensitive data' as data that refers to the intimate sphere of the data subject or whose misuse may result in discrimination or pose a significant risk to the data subject. Examples of sensitive data include racial or ethnic origin, religious, philosophical, and moral beliefs or convictions, union membership or political opinions, data related to health, disability, sexual preference, or orientation, genetic data, or biometric data aimed at uniquely identifying an individual. This open definition may result in diverse interpretations regarding the scope of sensitive data.

Territorial scope of application

Section 4 of the New Bill extends the territorial scope of application to:

• controllers or processors established in Argentina, even if the processing takes place outside the country; and
• controllers or processors who are not established in Argentina, as long as:
  • they process data in the territory of Argentina of individuals residing in Argentina;
  • they carry out processing activities related to the offer of goods or services to individuals residing in Argentina or the profiling, monitoring, or control of the acts, behaviors, or interests of said individuals; or
  • they are established in a jurisdiction where Argentine legislation is applicable based on international or contractual law.

This extraterritorial reach is not present in the Act.

Representative of the data controller or processor

According to Section 46 of the New Bill, when a data controller or processor is not established in Argentina, they must designate a representative within the country who will act on their behalf. This designation is not mandatory when the processing is occasional or when involving a foreign public body. The representative is responsible for addressing claims and requests from the enforcement authority and data subjects. In case of non-compliance by the controller or processor, the representative may be subject to a sanctioning procedure. If the controller or processor fails to respond, the representative will be held accountable for any sanctions imposed in the framework of such a procedure.

Legal basis for processing

The New Bill, through Section 13, expands the legal basis for processing, requiring compliance with at least one of the following conditions:

• Consent of the data subject: Unlike the Act, which establishes prior, express, and informed consent of the data subject as a general rule, the New Bill establishes that consent can be one of the legal bases as long as it is a manifestation of express, free, unequivocal, informed, and specific will by means of which the data subject or their representative accepts, through a declaration or a clear affirmative action, that their personal data will be processed. Specific consent refers to the data subject granting consent for each of the intended purposes of the processing, ensuring that there is no ambiguity regarding the extent of the authorization granted by the data subject. The New Bill expands on the duty of providing information to the data subjects, which is already outlined in the Act.
• Processing is carried out in the exercise of the powers of the State and is necessary for the strict fulfillment of its functions. This provision is already contemplated in the Act.
• Processing is necessary for the fulfillment of legal obligations applicable to the data controller or processor. This provision is already contemplated in the Act.
• Processing is necessary for the execution of a contract in which the data subject is a party or for the application of pre-contractual measures. While the Act includes contractual performance as a legal basis for processing, it does not contemplate pre-contractual measures.
• Processing is necessary to safeguard the vital interests of the data subjects or third parties, provided that the interests or rights of the data subjects do not prevail over said interests, and the data subjects are physically or legally unable to grant their consent. This legal basis is not included in the Act.
• Processing is necessary for the legitimate interests of the data controller, provided that the interests or rights of the data subjects do override those interests, especially when the data subject is a child or adolescent. This legal basis is not included in the Act.

Data of minors

While the Act does not address the age at which minors can give valid consent, the New Bill establishes in Section 19 that the consent of a minor who is at least 13 years old is valid when it is applied to the processing of data associated with the use of information society services specifically designed or suitable for them. If minors are under 13 years of age, consent must be granted by the holder of parental responsibility and only to the extent authorized. The data controller must make reasonable efforts to verify that consent has been granted by the holder of parental responsibility, considering their possibilities to do so.

Data breaches

Unlike the Act, which does not mention data breaches, the New Bill defines a security incident or data breach as the occurrence of one or more events in any phase of the processing that poses a threat to the confidentiality, integrity, and availability of personal data.

In the event of a data breach, the data controller must notify the enforcement authority within 48 hours of becoming aware of the breach, unless it is unlikely that the incident constitutes a risk to the rights of the data subjects. Additionally, when it is likely that the incident constitutes a high risk to the rights of the data subjects, the data controller must notify the affected individuals in clear and simple language, unless this would require a disproportionate effort. In such cases, the data controller may choose to make a public communication or adopt an equally effective measure.

Regarding the content of the notification, it must include, at least, the following information:

• the nature of the breach;
• the personal data compromised;
• the corrective actions carried out immediately;
• recommendations for the data subjects regarding the measures they can adopt; and
• means available to obtain more information in this regard, including the name and contact information of the data protection officer (DPO).

The New Bill also establishes the obligation to document the data breach.

The Act does not mandate the notification and documentation of data breaches. However, these measures are recommended and provided in Resolution 47/2018.

Privacy Impact Assessment

The obligation to carry out a prior Privacy Impact Assessment ('PIA') is established when there is a possibility of data processing that may pose a high risk to the rights of data subjects. However, the New Bill establishes that the PIA is mandatory in the following circumstances:

• when personal aspects are systematically and exhaustively evaluated based on automated and semi-automated data processing, such as profiling, which leads to legal effects or significantly impacts human individuals in a similar way;
• when sensitive data, data related to criminal, misdemeanor, or minor records is processed on a large scale; or
• when there is large-scale systematic observation of a publicly accessible area.

PIAs are not mandatory under the Act.

DPOs

The New Bill defines a DPO as an individual or legal entity responsible for informing the data controller or processor about their legal obligations in terms of data protection. The DPO also ensures and supervises compliance with the relevant regulations, and cooperates with the enforcement authority, serving as a point of contact between the authority and the data controller or processor. The designation of a DPO is mandatory in two cases:

• when the data controller is a public authority or body; and
• when the processing activities require permanent and systematized control due to their volume, nature, scope, or purposes.

The New Bill clarifies that an economic group can appoint a single DPO if it is in permanent contact with each establishment. The functions of the DPO may be performed by an employee of the controller or processor or within the framework of a service provision contract. Additionally, the DPO is allowed to perform other functions if they do not create conflicts of interest.

Designating a DPO is not mandatory under the Act.

National Registry for Data Protection

The New Bill creates a mandatory registry for all data controllers and processors that must have a DPO and/or must have a representative in Argentina.

This registry is not present in the Act.

Marketing

The New Bill does not contain a provision equivalent to Section 27 of the Act, which currently regulates the processing of personal data for advertising or direct marketing. As a result, it is unclear whether, under the New Bill, the data controller could rely on legitimate interest as a legal basis for the collection and processing of personal data for direct marketing purposes, as this specific scenario has not been expressly excluded or addressed.

Data subjects' rights

In addition to the rights of access, update, rectification, and suppression, which were already present in the Act, the New Bill also grants new rights for data subjects. These include the right of portability, the right to objection (previously limited to processing for marketing purposes), the right of limitation, and the right not to be subject to decisions based solely or partially on the automated processing of data. Furthermore, the New Bill explicitly recognizes the right of data subjects to claim damages suffered because of a breach of any of the obligations.

International transfer

The New Bill broadens the legal basis for international transfers of data compared to the Act, although it limits consent as a legal basis only to specific cases.

In relation to this, the Act and Resolution No. 60/2018 provide that international data transfers to countries without adequate data protection measures are considered legitimate under the following circumstances:

• when the data subject has provided express consent for such transfer;
• when the transfer is for outsourcing purposes, by means of executing the transferor and the transferee standard contractual clauses approved by the DPA; or
• when the transfer is between companies within the same economic group, based on binding corporate rules (BCRs) with the minimum content established by the DPA or approved by it.

The New Bill establishes as a general principle that international transfers may be made:

• when the destination provides adequate levels of data protection;
• when the exporter offers appropriate guarantees for the processing of personal data; or
• when exceptions provided for international transfers apply.

The exceptions for international transfers listed in the New Bill are as follows:

• consent of the data subjects;
• if the transfer is necessary for the execution of a contract between the data subjects and the data controller, or for the execution of pre-contractual measures adopted at the data subject's request; and/or
• if the transfer is necessary for reasons of public interest, for the recognition, exercise or defense of a right in a judicial process, or to protect the vital interests of the data subject or other persons when the data subject is physically or legally incapable of giving consent.

It should be noted that the exceptions listed in this section may not be used to make regular or large-scale international transfers.

Likewise, the New Bill provides for the possibility of making international transfers to countries considered adequate by the enforcement authority. In the absence of an adequacy decision, the New Bill establishes that guarantees may be provided through:

• a legally binding and enforceable instrument between authorities or public bodies of Argentina and other countries;
• a bilateral or multilateral international agreement between Argentina and other countries or international organizations that enable transfers from private and/or public entities established in Argentina to private and/or public entities established in other countries; or
• agreements or conventions such as standard contractual clauses previously approved by the enforcement authority, BCRs approved by the enforcement authority and that apply to all members of an economic group, or data protection certification mechanisms approved by the enforcement authority.

The agreement or mechanism that implements the transfer must recognize the jurisdiction of the enforcement authority and the competent courts of Argentina over the transferor. It should also ensure that the transferee is subject to the jurisdiction of one or more independent supervisory authorities, thereby granting data subjects effective legal actions to protect their rights.

Fines

The New Bill proposes a significant increase in fines, ranging from five to one million mobile units, or from 2 to 4% of the total annual global turnover of the previous financial year. This translates to a minimum fine amount of ARS 50,000 (approx. $500) and a maximum of ARS 10 billion (approx. $41 million).

Powers of the enforcement authority

The New Bill expands the powers of the enforcement authority, which include the following:

• implementing voluntary dispute resolution mechanisms to facilitate agreements between data subjects and data controllers or processors, ensuring proper processing of personal data and protection of data subjects' rights;
• filing collective habeas data actions; and
• developing strategies for the prevention of digital violence related to privacy defense and data processing.

None of these powers are included in the Act.

Habeas data actions

Regarding habeas data actions, which are also present in the Act, the New Bill introduces a new provision for standing, allowing for collective representation by the enforcement authority, the ombudsman, and associations or organizations with a legitimate interest. However, this provision is limited to challenging processing involving widespread violations.

Corrective measures

The New Bill stipulates that in case of non-compliance, the enforcement authority may impose corrective measures to prevent the violation from continuing and reoccurring, in addition to administrative sanctions. These corrective measures may include technical, legal, organizational, educational, or administrative measures as deemed appropriate by the enforcement authority, taking into consideration the specific circumstances of the case, to ensure proper processing of personal data.

These corrective measures are not present in the Act.

What can organizations do to prepare?

If the New Bill is ultimately discussed and approved by the National Congress, organizations will need to address several issues to comply with the obligations imposed by this new regulation.

Some of the key issues to consider may include, among others:

• Conducting an internal assessment of the types of personal data processing carried out by their organization. This assessment should include an evaluation of the level of compliance with respect to their data processing, such as whether the organization has a legal basis for processing, whether their databases are registered, whether they transfer personal data, and whether they process personal data of minors.
• Organizations that are not based in Argentina but have activities within the country should evaluate whether they fall within the territorial scope of application outlined in the New Bill.
• Organizations that offer services or develop products involving a significant amount of personal data processing, or that may pose a high risk to data subject's rights, or that process sensitive data, should consider the possibility of being subject to the obligation of conducting a Privacy Impact Assessment and/or appointing a DPO.

In any case, organizations should remain vigilant about whether the New Bill is ultimately approved by the National Congress. They should also monitor any potential modifications to its provisions as it progresses through the Chamber of Deputies and the Senate, which could significantly change its provisions. Proactively assessing and addressing potential compliance requirements can help organizations prepare for the potential implementation of the new regulation.

Florencia Rosati Partner
[email protected]
Martín Beccar Varela Associate
[email protected]
Estudio Beccar Varela, Argentina