In this Privacy Tracker series, we look at laws from across the globe and match them up against the EU General Data Protection Regulation. The aim is to help you determine how much duplication of operational effort you might avoid as you move toward GDPR compliance and help you focus your efforts. In this installment, Pablo Palazzi and Andrés Chomczyk of Allende & Brea compare Argentina’s draft Data Protection Act with the GDPR.
The Argentine Data Protection Agency (Dirección Nacional de Protección de Datos Personales) presented an updated draft of a bill for a new data protection act. In December 2016, the DNPDP published a white paper summarizing the most relevant issues that were mentioned by the general public, academic institutions, companies, individuals and civil rights associations during the reflection period proposed by the DNPDP during 2016 regarding the need for an amendment to the current law on data protection. In January 2017, the DNPDP presented the first version of a draft bill and opened a suggestion period to make changes. This proposal made by the DNPDP follows several new issues introduced by the European General Data Protection Regulation.
Among the changes proposed by the draft bill is the elimination of the registration of databases. Also, the draft bill only recognizes individuals as data subjects; the current data protection act covers both individuals and legal entities. The updated proposed bill improved several existing definitions in the current law to include issues like biometric and genetic data, mirroring the updates included in the GDPR.
Moreover, the draft bill introduces new ways to determine whether an entity or certain data processing is subject to Argentine law, quite similar to the criteria found in the GDPR. Also, following this trend of adjusting the regulation to the European standards, the proposed bill introduces new legal basis, besides consent, to allow data processing, in particular, the “legitimate interest” basis, which was absent from the original Argentine data protection regulation.
Among other changes, the draft bill makes an overhaul of the current section dealing with international transfers, introduces sections on child consent, data breaches, accountability, privacy by design, the duty to have a data protection officer and mandatory impact studies. All these topics follow closely their European counterparts in the GDPR.
Credit reports, one of the main issues of the current data protection act, has received certain amendments, like the manner that terms are counted regarding the duties over debtors personal data, as well as the introduction of a duty to inform an individual in the event that certain agreement or equivalent was not entered into due to negative information contained in a credit report. It should be noted that considering the elimination of protection for legal entities, the data protection act will not apply to financial information of corporations.
Finally, one of the last amendments proposed by the DNPDP in its draft bill is the independence of the DNPDP from any other governmental entity and the creation of the Agencia Nacional de Protección de Datos Personales; currently, the DNPDP falls under the National Ministry of Justice and Human Rights. The bill seeks to remedy one of the observations made by the European Union when Argentina was deemed a jurisdiction with an adequate level of data protection as, with the GDPR and its periodic evaluations of the jurisdictions deemed adequate, Argentina could lose this status if they do not remedy this observation. The updated version of the bill improves the powers, duties and organization of the ADPNP from the original version.
photo credit: Día de la bandera argentina via photopin (license)