On March 9, a draft bill that would regulate data sovereignty in Argentina reached the House of Representatives.
The bill emphasizes the need for new regulation in response to the growing amount of data generated by the national public sector, and its increasing importance. It further refers to the growing number of data centers located outside of Argentina’s jurisdiction.
In this context, the bill stresses the need for certain data to be stored exclusively within the Argentine territory, in order to maintain sovereignty over the data and to ensure its security and accessibility, as well as compliance with Argentine regulations. To this end, it refers to the example of data centers located in the United States of America that are held to the USA Patriot Act, further stating that such access would not be in compliance with the rights guaranteed by the Argentine Data Protection Law No. 25,326.
Further, the bill clarifies that establishing data sovereignty is necessary to protect certain data from being accessed not only by foreign countries, but also by companies seeking to exploit them commercially.
The bill also incorporates certain definitions taken from the Budapest Convention on Cybercrime, as for example ”computer data,” which is understood as any representation of facts, information or concepts in a form suitable for processing in a computer system, including a program suitable to cause a computer system to perform a function. The bill further builds on this concept to define “state-owned computer data” as any computer data belonging to, generated by or kept by any entity belonging to the national public sector insofar as ownership of said data has not been transferred, or the data not been made public.
In addition, the bill adopts a partial version of the definition of “service provider” stating that a service provider is any public or private entity that provides to users of its service the ability to communicate by means of a computer system.
The main purpose of the bill is to protect digital information produced, generated or kept by the federal state, in order to defend Argentina’s data sovereignty. To this effect, it establishes the following:
- The provisions of the bill apply to the entire national public sector, as defined by Section 8 of Law No. 24,156, including i) the federal administration (including both centralized and decentralized agencies); ii) state-controlled corporations and companies (which includes any business organization where the federal government owns a majority shareholding or holds the majority decision-making power); iii) public entities expressly excluded from the federal administration (which extends to any governmental non-business organizations with financial autonomy, its own legal standing and its own assets, where the federal government owns a majority shareholding or holds the majority decision-making power, including any public non-governmental entities where the federal government has decision-making power); and iv) trust funds which are completely or mostly integrated with goods or funds belonging to the federal state.
- SCD is part of the public domain and the property of the federal state. Therefore, its ownership cannot be transferred, it cannot be seized and it is not subject to a statute of limitations (it is worth noting that the provision stating that SCD cannot be transferred would seem to contradict the definition of SCD the draft itself provides, which excludes data whose ownership has been transferred).
- SCD may only be stored in Argentina, and will be subject exclusively to its law and jurisdiction.
- Any service provider hired by the federal state must guarantee access to SCD at all times, regardless of any claims related to lack of payment or breach of contract. It must also ensure the confidentiality of the data.
- The federal state cannot contract the services of any private service provider which has agreements in place which would allow other countries, intelligence agencies, or any companies or organizations access to SCD. If such access is granted, any existing agreement with the federal state will be null.
- Granting access to, transferring, revealing or profiting from SCD will be considered a criminal offense.
- Unless they are authorized by the federal state, entities or individuals who wish to access SCD may only do so based on a decision from a competent authority.
- SCD must be stored in compliance with the Argentine Data Protection Law.
- The provisions of the bill must be completely implemented within two years of the law coming into effect.
It is also worth noting that the bill may have implications in connection with the right to access public information, since Decree No. 1172/03 establishes as a general principle the unrestricted access to public information unless one of the exceptions provided in Section 16 of Decree No. 1172/03 takes place. It seems that there could be some conflict between data sovereignty and access to public data, which could lead to discussions on how these rights may be reconciled.
If you want to comment on this post, you need to login.