Argentina’s data protection authority, the Agency of Access to Public Information, controlling authority of Data Protection Law No. 25,326, recently published its Annual Report 2019 regarding the protection of personal data.

The AAPI highlighted that it has become an autarchic entity, which guarantees both the stability of its hierarchical officials and its own budget, something that was mentioned by the European Commission when incorporating Argentina into the list of adequate countries regarding data protection.

Further, the annual report states that the AAPI has worked on reviewing and updating a number of different regulations, including the following:

  • Resolution No. 4/2019 on guidelines, recommendations and best practices for the application of the Data Protection Law.
  • Resolution No. 34/2019 on the incorporation of the United Kingdom of Great Britain and Northern Ireland as a region providing an adequate level of protection for the purposes of international data transfer.
  • Resolution No. 86/2019 providing a guide for the Processing of Personal Data for Electoral Purposes.
  • Entry into force of Convention 108 and signing of Convention 108+ for Argentina.
  • Resolution No. 159/2019 setting the basic guidelines and content of binding corporate rules.
  • Draft Data Protection Bill. The agency indicated that it continued to promote the process and that the agency has made itself available to the commissions of the Argentine Congress that must deal with the bill.

In addition, the report indicates that the following projects and/or proceedings are in the process of being modified:

  • New inspection procedure.
  • Binational Guide on Data Protection Impact Assessment (mechanism devised together with the data protection authority of Uruguay).
  • Review of the Decision on the Adequacy of Argentina by the European Commission regarding the international transfer of data.

Regarding administrative files processed and prosecuted during 2019, the report provides the following:

  • 95 judicial communications were replied.
  • 11,017 documents were incorporated into the Registry of Questioned Identity Documents.
  • 41,952 complaints of the “Do Not Call” National Registry (which resulted in the initiation of 21 new files) were received.
  • 3,672 databases were registered, as well as 3,275 private and 162 public databases.
  • 214 administrative files were opened for complaints based on the Data Protection Law, with 11 fines/penalties totaling ARS 1,050,600.
  • Seven spontaneous investigations were conducted.
  • Several investigations of first division football clubs were conducted to determine the type of personal data they handle, its impact on privacy, and their compliance with regard to the registration of their databases.

Moreover, during this period the agency imposed monetary sanctions for ARS 63,356,460 (approximately USD 800,000), the telecommunications and audiovisual industries being the most reported and sanctioned ones.

Finally, and in conjunction with the recently published Management Report 2017/2019 in which the AAPI evaluates its first two years of activity (the document is in Spanish), it indicates that it is currently working on two “levels” simultaneously: the local level, ensuring compliance with the Access to Public Information Law and the Data Protection Law No. 25,326; and the international level, as a member of the Convention 108.

Photo by Fernando Tavora on Unsplash