The Argentine Data Protection Agency moves forward a bill to reform the Argentine Data Protection Act
The Argentine Data Protection Agency (“Dirección Nacional de Protección de Datos Personales” or “DNPDP”) has issued a press release stating that it has sent to the National Ministry of Justice and Human Rights a draft bill for a new regulation on data protection (the “Bill”), in order to replace Act No. 25,326 (the “Argentine Data Protection Act” or “ADPA”) as well as Act No. 26,951 (“Do Not Call Registry Act”). The Bill is the result of the reflection period that the DNPDP proposed during 2016, which culminated with a summary of the opinions from the community on which aspects the ADPA and the Do Not Call Registry Act should improve.
First, the Bill comes with a twist over the data subjects. The ADPA protected both individuals as well as legal entities, as long as what the law said was compatible with the nature of legal entities. In this regard, the Bill only provides protection to individuals, in line with the European regulation. On the other hand, the Bill makes a review of the concepts defined by the ADPA to adopt a terminology more similar to the terms used by the European General Regulation on Data Protection; not only the Bill redefines terms that were in the old ADPA to more in line their European counterparts but also adds concepts like biometric data or cloud computing.
Following the European influence, the Bill seeks to solve one of the main issues regarding ADPA’s applicability. In particular, the Bill offers a section dealing with the application of the law, something that the current regulation does not have.
In connection with the principles of data protection, the Bill does not introduce big changes but instead it limits to further develop the current wording of the ADPA. The only new addition of the introduction of the accountability principle, which goes side to side with the elimination of the duty to register databases, as required by the current ADPA.
This change replicates the international tendency to not require data processors to registry their databases but instead compelling, upon requirement from the application authority, to demonstrate their compliance with law to protect the personal data of the data subject.
Another new addition is the introduction of a new legal basis for data processing: the legitimate interest. This legal basis allows for data processing that under the ADPA were questioned by the DNPDP. Nevertheless, the Bill does not introduce other new legal basis for data processing, so the argentine situation is still not up to international standards.
Following the innovative spirit, the Bill gathers an extensive amount of the application and interpretative work carried out by the DNPDP since the enactment of the ADPA in terms of consent, revoke of consent and necessary information for the validity of the consent. With the same spirit, the Bill introduces new regulations for the treatment of sensitive personal data, criminal records and minors’ personal data.
Also, the Bill introduces the concept of data breach and the duty to inform such incidents. The wording of the regulation is open to interpretation so the activity of the DNPDP shall be fundamental to guide the compliance practice on this topic.
Transfer of personal data, whether locally or internationally, has also received modifications from the Bill. In case of local transfer, the wording is quite similar to the one that can be found in the ADPA and some clarifications were introduced. The changes come from the international personal data transfers, where the validity scheme proposed by the DNPDP for them shall be constituted by the existence of a legal basis and the fact that the jurisdiction where the personal data is being transferred offers an adequate level of data protection. So, not only the transfer of personal data must have a legal basis, i.e. consent, but also it must be properly protected. The Bill also contains special provisions for cases where the international transfer of personal data is done for purposes of cloud computing.
Just as the ADPA, the Bill guarantees to data subjects the exercise of their access, information, rectification, opposition and suppression rights. Regarding this last right, the suppression right, the Bill includes among its wording the right to be forgotten, the judgement“Google Spain” was pronounced by the European Court of Justice; how this right shall be exercise is something that will surely be determied by theDNPDP. Besides the right to be forgotten, and pursuant to the European General Regulation of Data Protection, the Bill grants data subjects the portability right of their personal data.
As we have already mentioned, the Bill introduces the concept of accountability or proactive responsibility, like it is drafted in the Bill, and which general principles data processors must follow to demonstrate their compliance with the Bill, if approved. Within this set of new duties imposed on the data processors, there are sections dealing with privacy by design, impact analysis, the introduction of a mandatory data protection officer and binding self regulation mechanisms; all these measures are a replica of what was introduced by the European General Regulation of Data Protection.
In an attempt to unify regulations, the Bill also incorporates sections to replace the Do Not Call Registry Act. The wording is quite similar to the existing one and certain deficiencies in the original wording are amended, without introducing groundbreaking changes.
In relation to credit reports, the Bill does not introduce relevant changes. Some of the them are the manner that terms are counted regarding debtors personal data as well as the introduction of a duty to inform an individual in the event that certain agreement or equivalent was not entered into due to negative information contained in a credit report; in this regard, the DNPDP also proposes the introduction of a duty to notify a debtor when his or her personal data related to the debt is going to the transfer to third parties, giving a chance to pay the debt.
Finally, the DNPDP proposes a change on its the current structure, in particular due to the fact that the DNPDP lacks of independence from the National Administration. This was observed by the European Union when Argentina was given the status of adequate jurisdiction for data protection. As the European General Regulation of Data Protection introduced a periodic revision system for such resolutions, this status might be revoked if Argentina does not solve this situation.