This month, the Argentina Data Protection Agency (Dirección Nacional de Protección de Datos Personales or “DNPDP”) posted online a draft bill for a new data protection act.
The bill was prepared taking into consideration several changes proposed by the public during 2016 and is heavily based on the EU GDPR. The DNPDP shall be accepting comments on the draft bill through Feb. 24, 2017, using the Justicia 2020 at https://www.justicia2020.gob.ar/, the digital platform of the government, or via paper.
Among the changes introduced by the draft bill is the elimination of the duty to register databases. Also, the draft bill only recognizes individuals as data subjects; the current data protection act covers both individuals and legal entities (e.g., companies). Moreover, the proposed bill adds several new definitions, like biometric data and genetic data, among others.
The draft bill also introduces new ways to determine whether an entity or certain data processing is subject to Argentine law, quite similar to the criteria found in the European General Data Processing Regulation. Also, and in connection with the European regulation, the proposed bill introduces new legal bases, besides consent, to allow data processing, like the legitimate interests of the data controller.
Among other changes, the draft bill makes an overhaul of the current section dealing with international transfers (including binding corporate rules), and introduces sections on child consent, cloud computing, data breaches, accountability, privacy by design, the duty to have a data protection officer, and mandatory impact studies.
Credit reports, one of the main issues of the current data protection act, are addressed, as well, like the manner that terms are counted regarding the duties over debtors' personal data and the introduction of a duty to inform an individual in the event that a certain agreement or equivalent was not entered into due to negative information contained in a credit report. It should be noted that, considering the elimination of protection for legal entities, the data protection act will not apply to financial information of corporations.
Finally, one of last amendments proposed by the DNPDP in its draft bill is the independence of the DPA from any other governmental entity; currently, the DNPDP depends upon the National Ministry of Justice and Human Rights. In this way, the bill seeks to remedy one of the observations made by the European Union when Argentina was deemed a jurisdiction with an adequate level of data protection.
We expect the DPA to send the bill to the president later this year. The Bill will be discussed during 2018 in Congress.
Photo credit: Día de la bandera argentina via photopin (license)