In June, Argentina's executive branch filed a new bill to replace the current Personal Data Protection Law with the National Congress of Argentina.

The new bill, the Draft Law on the Protection of Personal Data, is based on the preliminary bill drafted by Argentina's data protection authority, the Agency for Access to Public Information, in Sept. 2022 and comments to the preliminary draft filed by members of the public and private sectors during a public consultation process.

If the proposed legislation is passed, the current personal data protection regime will be updated to reflect the following principles.

Under the proposed legislation, the definition of sensitive data would be updated to include any information referring to the private sphere of individuals, including gender identity, genetic information and biometric data, and use that might result in discrimination or entail a high risk to data subjects. It would also clarify the scope of the provisions of the law to indicate they cannot affect the duty of secrecy regarding a journalist's sources. However, they apply to any other processing of personal data carried out in the context of a journalist's activities.

Extraterritorial application of the law is included in the proposed bill and applies to those located in Argentina, even when the processing is performed in another country. It also applies to those not located in Argentina but who comply with other conditions, such as providing goods and services to those within the country.

Processing of personal data

The proposed legislation includes the accountability principle, which makes controllers and processors responsible for conducting due diligence measures to identify, prevent, be accountable for and mitigate the impacts of its processing activities.

Additionally, a new legal basis apart from consent will be recognized in the proposed draft, including the data controller's legitimate interest or execution of preliminary contractual measures. Data controllers must carry out a detailed, prior and documented analysis when relying on legitimate interest. It also provides that consent must be specifically and unequivocally given, in addition to the current characteristics required under the Data Protection Law.

The proposed legislation will expand the information provided to data subjects and include, among others, the legal basis for processing personal data and the length of time it will be retained. It also includes a new legal basis for processing sensitive data subject to reinforced accountability. Additional changes include:

  • The processing of minors' personal data will be specifically governed under the draft, and the minimum age for granting consent is 16 years. 
  • Data controllers must report security incidents to the DPA and data subjects within 72 hours of becoming aware of a potential breach.
  • Consent will only be permitted as a legal basis for the international transfer of personal data when it is exceptional or does not involve a huge number of individuals.

Rights of data subjects

Under the proposed draft, data subjects' right to object to processing personal data will be recognized, in addition to the right to access, rectify, update or suppress their personal data. Currently, this right is only recognized in cases of direct marketing. Data subjects will also have the right not to be subject to a decision based solely on automated or semiautomated processing of personal data when the decision could have discriminatory effects. They will have the right to data portability and the right to request the limitation of data processing. The term to answer data subjects' requests will be ten days for all cases.

When making decisions based solely on automated or semiautomated processing of personal data, data controllers must provide data subjects, upon request, information on the criteria and procedures used in the decision, considering trade and industrial secrets. If data controllers do not provide information based on trade and industrial secrets, the DPA may conduct audits to verify any discriminatory, wrong or biased content of the processing.

Under the proposed draft, data controllers will be allowed to audit data processors to verify compliance with the law. Data processors will be required to inform data controllers and the DPA about security incidents that entail a risk to the administration of personal data. Both data controllers and data processors will be required to implement privacy policies.

Data controllers will also be required to implement privacy by design and privacy by default measures and carry out data protection impact assessments under certain conditions. When the DPIA triggers high risk to data subjects, data controllers will have to file a report before the DPA and will not be allowed to start processing activities until it issues an opinion.

Data controllers and data processors will need to appoint either a data processing officer or a representative in Argentina to register before the National Registry of Persona Data Protection if certain conditions are met.

The draft includes specific rules on data subjects' profiling, and scoring will be introduced.

The DPA will be able to impose fines for a total and maximum amount of USD40 million (at the current exchange rate) or a fine of 2-4% of the total worldwide annual turnover of the data controller or data processor.

Finally, data processors are included as possible defendants of habeas data actions under the proposed draft.

If the bill is passed, provisions will enter into force after 180 days of its publication in the Official Gazette, except for Section 79 on administrative sanctions, which will enter into force once it has been published. The DPL will remain in force during the mentioned period, and infringements to the DPL will be sanctioned based on penalties outlined in Section 79.