20 years of Argentinian privacy law: its current status and what to expect
Richards Cardinal, Buenos Aires
What are the consequences for infringing Argentinian personal data legislation? This is a good starting question to consider the scarce (indeed, almost non-existent) degree of practical implementation of the privacy regulation in Argentina. Two decades ago, Argentina was the first country in America to enact a comprehensive federal personal data law, for which the European Union acknowledged it as a country with ‘adequate data protection legislation’. What happened to Argentina from 2000 to today? And more importantly, what should we expect in terms of Argentinian privacy regulation now, and in the future?
The lack of ‘enforcement’ of Argentinian privacy regulations is evidenced by the scant case law, the lack of sanctions by the local data privacy authority (currently the Agency for Access to Public Information (AAPI)) and the meagre regulations of the AAPI for personal data processing. Despite several data privacy regulations in force, issues such as security measures and cybersecurity incidents, handling of sensitive data, right to be forgotten, data outsourcing, use of data for online marketing and term of data storage – to name just a few – lack a clear regulatory framework under Argentinian law. We will discuss some of those issues below.
Pursuant to official reports (ie, the AAPI Annual Management Reports), during the past three years the AAPI imposed fewer than ten fines per year for Personal Data Protection Act (PDPA) infringement. In all cases, fines did not exceed $2,000. This fact alone reveals a lack of PDPA enforceability in Argentina. If a company faces a very low probability of receiving a circa $1,000 fine for violating the PDPA, its incentive to comply with it – and thus absorb the operating costs that this compliance implies – will be minimal.
Cybersecurity is a top concern for both managers and in-house attorneys. Since the General Data Protection Regulation (GDPR) came into force, the highest penalties for breaching it have been for cybersecurity incidents. In this global context, we are frequently asked whether there are mandatory security measures under Argentinian law to preserve personal data, or if there is a legal procedure to follow in the event of a data breach. It seems unbelievable that in 2021 the answer to these questions is negative.
The AAPI has only issued a set of ‘recommended’ (ie, non-binding) measures for this purpose. Moreover, the AAPI has stated in its reports that ‘in Argentina, the obligation to report cybersecurity incidents is not legally established’. Thus, while the risk of cyberattacks and data breaches looms large across the world, Argentina lacks specific mandatory legislation to address this crucial matter.
International data transfer
In line with international standards, the cross-border transfer of personal data has been well regulated in Argentina since 2016. It closely follows the text of the EU model in this matter.
The rule could have gone further and dealt with yet-unregulated aspects of international transfer, such as the different responsibilities of the transferee importer and the importer providing data processing services. Nonetheless, it is clear that the National Directorate of Personal Data Protection’s Regulation E 60/2016 contributed decisively to providing legal security to the international transfer of data, which constitutes the essence of current technological development.
Data for advertising purposes
One of the most glaring violations of the Argentinian data protection regime occurs, in my opinion, with the Argentinian regulation of the use of data for advertising purposes. Like almost all personal data protection regulations, the PDPA is established on the basis of data subjects’ prior, free and informed consent. However, in response to pressure from marketing entities, the AAPI created exceptions to this principle when data is used for ‘advertising purposes’ through several regulations that contravene the PDPA. This has led to a legal abuse, where unclear regulations are construed as a permission to process all kinds of personal data without data subjects’ consent by alleging marketing reasons.
This ‘free use of data’ for ‘advertising purposes’ (a sort of ‘opt out’ system) is embedded in most of the bills aiming to supersede the PDPA, even though it infringes elementary principles of the GDPR which the bills intend to follow.
The PDPA's definition of ‘sensitive data’ is similar to the ‘special categories of personal data’ set forth in the GDPR. It further establishes that sensitive data ‘can only be collected and processed when there are general interest reasons authorised by law’ and that, as a general principle, ‘databases that directly or indirectly reveals sensitive data are prohibited’, without specific exceptions to this principle. However, case law and the AAPI authorise collection of sensitive data with data subjects’ consent.
This contradiction is addressed in most of the bills to reform the PDPA, which in general terms intend to regulate the processing of sensitive data in more detail.
Right to be forgotten
There is no ‘right to be forgotten’ principle in Argentinian law, save for specific provisions of the PDPA applicable to credit data. The ‘deletion right’ granted to data subjects by the PDPA has been construed as applicable only to inaccurate data. There have been attempts to apply this deletion right as a ‘right to be forgotten’ but without a specific legal basis, they have so far proved unsuccessful.
Most bills to replace the PDPA include a sort of erasure right (without calling it such), similar to the right to be forgotten. If enacted, it will be interesting to see how this erasure right – which is subjective and difficult to implement – develops in Argentina.
Data storage period
Another question that has never been legally clarified is how long the personal data of third parties can or shall be kept. The PDPA only provides generic principles, without establishing specific terms or periods – a thread also running through comparative legislation.
Problems arise when these principles must be put into practice in a measurable timeframe, in accordance with other laws (inter alia, tax, telecommunications, money laundering, customs, banking, labour), some of which do establish specific storage periods. In addition, the Argentinian Civil and Commercial Code establishes a generic mandatory ten-year term to keep ‘supporting documents’.
These uncertainties are acute in cases of conflict of interest (eg, consider the case of a data subject intending to exercise his deletion right and the data controller alleging the need to keep it for the above-mentioned ten-year term). In these types of cases, the legal resolution is unclear. Personally, I believe that the principle of minimisation should guide the interpretation of the rules in terms of retaining data for the shortest possible timeframe.
What to expect for the future of Argentinian data privacy law
Most of the bills currently in Parliament to replace the PDPA intend to align Argentinian personal data protection law with the GDPR, which is the perceived global standard. Indeed, several articles in these bills are copied from the GDPR. This is an advancement: the enactment of any of these bills would constitute legal progress in Argentinian law.
It is reasonable to suppose that, sooner or later, one or more of these bills will end up becoming law. Technology and data processing are advancing at speed and the current PDPA is increasingly outdated. But, regardless of the pros and cons of these bills, enforceability will be fundamental to any data protection law in Argentina. Otherwise, any privacy law will be ‘dead letter’ – as the PDPA has been during these last 20 years.
* Lisandro Frene is a partner and Head of Telecoms, Media and Technology at Richards Cardinal, Chair of the AI Subcommittee of the IBA Technology Committee and Privacy Professor at the Austral University in Buenos Aires.