The National Direction of Data Protection gives the initial kick off for an amendment of the Data Protection Act
On June 3, 2016, the National Direction of Data Protection (Dirección Nacional de Protección de Datos Personales or “NDDP”) issued press release related to an amendment proposal of Law No. 25,326 (“Data Protection Act” or “DPA”). The amendment is proposed due to the technological changes that have taken place since the enactment of the DPA as well as on the experience gather by the NDDP and the international legislation changes, mainly the recent Regulation of Data Protection of the European Union. The amendment aims to modify 4 topics currently present on the DPA and to introduce 4 topics that are not on the DPA.
First, the proposal of the NDDP seeks a revision of the basic concepts of the DPA, like which are the databases that must comply with the DPA, if only individuals or also legal entities are protected and what kind of personal data is worthy of protection.
Second, the NDDP says that it is necessary to make an integral revision of the provisions dealing with international data transfers, the special conditions for the consent of minors, the conditions for the legality of the data processing and the necessity to add the mandatory notification to the data protection agency in cases of data breach.
Third, and placing focus on credit reports, the NDDP states the necessity to modify the way terms are counted regarding the duties over debtors personal data as well as the introduction of a duty to inform an individual in the event that certain agreement or equivalent was not entered into due to negative information contained in a credit report, duty already contained in the Argentine Civil and Commercial Code in the event that an entity subject to the Central Bank authority denies a credit; moreover, the NDDP states that it is necessary to include the creditor’s duty, if they provide information to companies that issued commercial reports, to inform the debtor prior to the assignment of the personal data in order to allow the debtor to pay the debt.
Fourth, the NDDP proposes a revision of the current structure of the NDDP, in particular due to the fact that the NDDP is not an independent entity as a consequence of the partial veto of the DPA. The lack of independency of the NDDP was observed by the European Union when Argentine was given the status of “jurisdiction with an adequate level of data protection”. As the new Regulation of Data Protection of the European Union has a periodic mechanism to analyze whether a certain jurisdiction maintains the level of adequate data protection or not, Argentina could lose it if measures are not taken to comply with the observation made previously.
Finally, the proposal of the NDDP seeks to: (i) incorporate regulation that compels the responsible of a database to prove the effective compliance of the DPA and their privacy policies; (ii) the introduction of a data protection officer for public entities and private entities that do massive data processing; (iii) the introduction of the “right to be forgotten”, as a consequence of the “Costeja” case issued by the European Union Court of Justice, and the appointment of the NDDP as the administrative agency with powers to resolve claims under that right; and (iv) make the policies of “privacy by design” and impact studies mandatory.