Argentina’s Personal Data Protection Act (PDPA) & Recent Developments

From PDPA to the Draft Law

Enacted in October 2000, the Personal Data Protection Act (PDPA), officially known as Ley de Protección de los Datos Personales or Law 25.326, serves as Argentina’s principal data privacy law. It establishes rules and guidelines governing the processing of personal data within the country’s borders. With its inception, Argentina positioned itself as a frontrunner in data protection in Latin America, earning recognition for its alignment with the EU’s General Data Protection Regulation (GDPR). However, after rounds of resolutions and failed attempts at reform, the Draft Law will be poised to revamp Argentina’s data protection.

Core Definitions & Scope of Application

To understand Argentina’s data protection landscape effectively, it’s important to know the key definitions and the scope of the PDPA. The law defines: 

• Data subjects: Individuals or legal entities whose personal data is processed within Argentina. 
• Personal data: Encompasses any information that can identify a specific person.
• Sensitive data: Pertains to information requiring special protection due to its nature.

Under the PDPA, compliance obligations extend to all organizations processing personal data within Argentina’s territory. While the current law doesn’t explicitly address extraterritorial application, the proposed reforms broaden its scope to include businesses outside Argentina that process data of Argentine residents or offer goods/services within the country.

Recent Developments

While the PDPA laid a solid foundation for data protection, the rapid evolution of technology and global privacy standards necessitated updates. Recognizing this need, Argentina’s data protection authority, the Agency for Access to Public Information (AAIP), initiated a reform process in 2022. The proposed reforms, encapsulated in a new bill, aim to modernize Argentina’s data protection framework, aligning it more closely with contemporary privacy norms.

Draft Law: Key Concepts & Provisions

The Draft Law introduces several innovative provisions, including expanded rights for data subjects, privacy by design and by default principles, and enhanced penalties for non-compliance. If enacted, these reforms would usher in a new era of data protection in Argentina, ensuring greater accountability and transparency in personal data processing.

1. Processing of Personal Data: Moving away from a consent-centric approach, the Draft Law emphasizes justifications for data processing, incorporating the legitimate interests of data controllers.
2. Expanded Data Subject Rights: Augmented rights encompass limitation, portability, and objection, alongside regulations on automated decisions and profiling.
3. Data Protection Delegate and Impact Assessment: The appointment of Data Protection Delegates and the mandate for impact assessments signify a proactive stance towards compliance.
4. National Registry and Enhanced Enforcement: A National Registry for Personal Data Protection bolsters accountability, while strengthened enforcement mechanisms ensure adherence to regulations.

Consumer Rights & Business Obligations

The PDPA grants consumers a suite of rights to exert control over their personal data. These rights include the ability to access, update, and delete their data, as well as object to certain processing activities. The proposed reforms seek to enhance these rights further, empowering data subjects with additional avenues for recourse against data misuse.

For businesses, compliance with the PDPA entails a series of obligations aimed at ensuring responsible data-handling practices. These include obtaining lawful bases for data processing, maintaining transparent privacy policies, implementing privacy by design principles, and appointing data protection officers where necessary. Conducting privacy impact assessments and adhering to data breach notification requirements are also integral components of compliance efforts.

Implications for EU Small-Medium Enterprises (SMEs)

For EU Small and Medium-sized Enterprises (SMEs), the Draft Law heralds both challenges and opportunities:

• Compliance Obligations: Aligning with the Draft Law’s provisions, EU SMEs must appoint representatives, implement technical measures, and monitor regulatory changes to ensure compliance.
• Trust and Market Penetration: Adhering to the Draft Law fosters trust among Argentine consumers, enabling smoother market penetration and sustainable business relationships.
• Preparation Measures: EU SMEs should conduct comprehensive reviews of data processing activities, update privacy policies, and consider appointing Data Protection Delegates where necessary.

Enforcement & Penalties

Effective enforcement mechanisms are vital to uphold the integrity of data protection laws. In Argentina, the AAIP assumes the role of enforcing the PDPA and overseeing compliance. The authority employs a tiered approach to penalties, tailoring sanctions to the severity of violations. Penalties for non-compliance may range from warnings and fines to suspension of data processing activities or shutdown of databases.

Key Differences: PDPA vs. GDPR vs. Draft Law

Scope and Applicability

• PDPA: Grants data protection rights to individuals and legal entities. Applies to all entities processing personal data within Argentina without an extraterritorial scope.
• EU GDPR: Protects personal data of individuals within the EU. This applies to all organizations operating within the EU, as well as those outside offering goods/services to EU residents.
• Draft Law: Focuses on protecting the personal data of individuals. Applicable to entities within Argentina, even if processing occurs abroad, and extends to non-Argentinian entities offering goods/services within Argentina.

Notification Requirements

• PDPA: No general obligation for data breach notifications. However, security incidents involving personal data must be notified to the AAIP.
• EU GDPR: Mandates reporting data breaches within 72 hours of awareness.
• Draft Law: Requires data controllers to report security incidents to the DPA and data subjects within 72 hours of becoming aware of a potential breach.

Fines and Penalties

• PDPA: Fines range from ARS 1,000 to ARS 100,000, without equating to turnover.
• EU GDPR: Imposes fines up to 4% of global revenue or €20 million, whichever is higher.
• Draft Law: Introduces fines ranging from 2-4% of total worldwide annual turnover, or ARS 50,000 to ARS 10 billion.

Response Time to Data Requests

• PDPA: Provides companies with 10 calendar days to respond to data access requests.
• GDPR: Gives companies 1 month to respond to data requests from consumers.
• Draft Law: Grants companies 10 working days to respond to data requests.

Minimum Age for Data Processing

• PDPA: Does not specify a minimum age for data processing. Resolution 4/2019 requires consent from children and adolescents for data processing.
• EU GDPR: Sets the minimum age for data processing at 16 years, with Member States having the option to lower it to 13 years.
• Draft Law: Establishes 16 years as the minimum age for granting consent for data processing.

Rights to Erasure and Object

• PDPA: Provides a “right to erasure” as long as it doesn’t harm third parties’ rights. No specific right to object, only the right to withdraw consent.
• EU GDPR: Grants individuals the “right to be forgotten” and the right to object to data processing based on their situation.
• Draft Law: Offers a “right to erasure” akin to the GDPR, along with recognizing data subjects’ right to object to processing personal data.

These differences highlight the evolving landscape of data protection regulations and the efforts to modernize and align privacy laws with international standards.

Wrapping Up

Argentina’s Draft Law represents a significant step towards aligning its data protection standards with global norms. For EU SMEs, embracing this change requires proactive adjustment, careful adherence, and a dedication to maintaining high standards of data protection. By understanding the intricacies of the Draft Law, EU SMEs can contribute to building a secure, transparent, and mutually beneficial digital landscape in Argentina.

As the Draft Law advances, staying informed about legislative updates and promoting a culture of data protection awareness will be essential for EU SMEs aiming to thrive in the Argentine market.

GetTerms can simplify the complicated task of compliance and allow you to get back to business by addressing multiple items on your compliance checklist, including a cookie policy tailored to your business needs and generating cookie consent banners, we can help. Please take advantage of our services today. Create an account and get started in 5 minutes.