After a long debate in which most relevant players from both the public and private sectors in data protection participated, the Argentine Congress has a data protection bill to review.

Recently, Argentine President Mauricio Macri submitted to National Congress Bill No. MEN-2018-147-APN-PTE, aiming to replace in its entirety the Personal Data Protection Law No. 25,326, in force since 2000, which together with the Argentine Constitution sets forth general principles regarding data protection and habeas data.

The bill is part of the efforts of the National Directorate of Personal Data Protection, the former data protection authority, which during mid-2016 came up with a first draft that was shared with the public and private sectors for comments (including tech companies, law firms, and multiple NGOs). Based on the feedback received, the National Directorate of Personal Data Protection prepared a second draft during May 2017.

The bill comes in a context in which international legislations, and more particularly those in Latin-American countries, are being revisited. The digital era we are living in together with the experience gathered by the National Directorate of Personal Data Protection, fostered the need for new legislation. At the same time, the existence of a new international framework, particularly the European General Data Protection Regulation, was also determinant.

The bill includes several relevant aspects. In particular, it:

  • Limits the concept of data subject to natural persons and excludes legal entities (in line with GDPR).
  • Revisits general concepts included in the current DPL such as data base, personal data and sensitive data, and it incorporates new ones.
  • Includes accountability obligations and eliminates the requirement of the registration of databases containing personal data.
  • Establishes that the legal basis for the processing of personal is still the data subject’s express consent (although under the draft bill and under specific circumstances, consent can be given implicitly), with the addition of the data processor’s legitimate interest as a new legal basis.
  • It also acknowledges for the first time the right to be forgotten and the right to data portability.
  • Incorporates new regulations in connection with sensitive data (the definition of which is now more extensive), background checks and minors’ consent.
  • Includes an obligation to notify data breaches (in line with the GDPR provisions).
  • Provides for the mandatory need of an impact analysis in cases in which the data processor intends to treat personal data in such a way that – based on its nature, scope, context or purpose – entails a high risk of affecting the fundamental rights of the data subject.
  • Includes the obligation to appoint a data protection officer in the case of:
    • Public agencies.
    • Processing of sensitive data as a principal activity.
    • Big data activities.

If the bill is passed into law, there will be a two-year transitional period during which the Personal Data Protection Law No. 25,326 and its complementary regulations will still apply. 

The Senate will now decide which internal committees will intervene in the analysis of the bill. In turn, those committees will prepare a report suggesting the debate of the bill in the floor, or not. Based on the fact that the bill was drafted by the DPA and that there existed considerable support from the public and private sectors, it is expected that the bill will be considered positively by the Senate.