Data protection was introduced to the Argentine legal system following the 1994 constitutional reform, with the incorporation of the habeas data procedure.2 With this constitutional reform, data protection rights in Argentina acquired constitutional protection and, thus, are considered fundamental rights that cannot be suppressed or restricted without sufficient cause.
In October 2000, Congress passed Law No. 25,326 (the Data Protection Law), which focused directly on data protection. The Data Protection Law defined several data protection-related terms and included general principles regarding data collection and storage, outlining the data owner's rights and setting out the guidelines for the treatment of personal data. It is an omnibus law largely based on the EU Data Protection Directive 95/463 in force at that time, and the subsequent local legislation issued by the European countries (mainly Spain). Moreover, on 30 June 2003, the European Union issued a resolution establishing that Argentina had a level of protection consistent with the protection granted by the Directive with respect to personal data. The issuance of the General Data Protection Regulation (GDPR) might require a reassessment of this recognition.
In 2014, Law No. 26,951 (the Do-Not-Call Law) created the do-not-call registry and expanded the protection of data owners' rights. This regulation allows the data owner to block contact from companies advertising, selling or giving away products and services. Companies offering products and services by telephonic means must register with the Agency and consult the list of blocked numbers on a monthly basis before engaging in marketing calls.
On 27 September 2017, the Committee of Ministers of the European Council assessed Argentina's data protection regime and accepted the country's request to be invited to join the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. As of the date of this publication, the Convention was in the process of being internalised into the local legal framework.
The Agency of Access to Public Information (the Agency)4 is the enforcement authority in charge of applying the Data Protection Law and the Do-Not-Call Law. Among other responsibilities, the Agency is in charge of administering the do-not-call registry, assisting individuals regarding their rights, receiving claims and carrying out inspections of companies to assess their compliance with the Data Protection Law.
II THE YEAR IN REVIEW
During the early months of 2017, Justice 2020, a governmental initiative for the design of public policies promoted by the Ministry of Justice together with the Data Protection Agency, proposed amendments to the Data Protection Law and the Do-Not-Call Law. As of 23 July 2018, this draft bill (the Draft) has yet to be submitted to the legislative branch of government.
The Draft defines new data protection-related terms and clarifies other terms defined by the Data Protection Law.
One of its most relevant changes is the scope of application and jurisdiction of the law, which is not currently regulated by the Data Protection Law. If it is passed, this new law will apply exclusively to individuals – in contrast with the Data Protection Law that is also applicable to legal entities – in the following cases: (1) when the person responsible for the treatment is domiciled in Argentina, even if the data treatment takes place abroad; (2) when the person responsible for the data treatment is not based in Argentina but in a place where Argentine legislation applies by virtue of international law; and (3) when the data treatment of data owners that reside in Argentina is performed by an entity with responsibility for data treatment that is not based in Argentina but whose data-treatment activities are related to the offer of goods or services to data owners in Argentina, or to the monitoring of their acts, behaviour or interests.5
With this new wording, the Draft specifically recognises that data treatment involving Argentine residents' personal data can occur abroad and grants the same protections as if the treatment had taken place in Argentina.
The Draft also includes new valid ways for obtaining the data owners' consent for the treatment of their personal data,6 stating that express consent may be granted in writing, orally or through electronic means or any other similar means that technology may offer.
Moreover, the concept of tacit consent7 is introduced. Tacit consent shall be deemed granted by the data owner when (1) it emerges clearly from the context of the data treatment; (2) the conduct of the data owner is sufficient to demonstrate the existence of the relevant authorisation. The Draft also states that tacit consent is admissible only when the data requested is necessary for the purpose of the collection and the data owner has been informed of his or her rights arising from the law. Tacit consent is not allowed for the treatment of sensitive data.
The Draft, following the principles set out in the Data Protection Law, expressly prohibits the treatment of sensitive data, with the following exceptions: (1) the data owner has granted his or her express consent to the treatment (with the exception of such cases in which, by law, the granting of such consent is not required); (2) the treatment is necessary: to protect the vital interest of the data owner and the latter – or its representatives – are physically or legally unable to provide consent in a timely manner; for the fulfilment of labour and social security obligations in relation to the data treatment itself or to the data owner; for the recognition, exercise or defence of rights in a judicial procedure; for historical, statistical or scientific purposes, in which case dissociation of data must take place; for public health or sanitary assistance; (3) the treatment is carried out by health institutions or professionals, foundations, civil associations of non-profit organisations with political, philosophical, religious or union purposes in connection to their members. The treatment of sensitive data is also allowed when the data has been made public by the data owner.
Following the Regulation (EU) 2016/679 of the European Parliament and of the Council, the Draft expressly addresses and regulates the consent given by children or teenagers for the treatment of their personal data.8 The Draft establishes that such consent shall be deemed valid when it is applied to the processing of data directly linked to information services specifically designed and suitable for children or teenagers. Teenagers can grant their consent from 13 years of age. For children under 13 years old, the treatment of their personal data shall be considered lawful only if consent is granted by the child's parent or guardian.
Another relevant addition by the Draft is the inclusion of standard procedures and relevant guidelines to be followed by data processors in the event of security and data breaches. In particular, the Draft incorporates the obligation for the person responsible for the data treatment to document and report data incidents to the data owner and the enforcement authority with no delay, and preferably within 72 hours of the acknowledgment of the security breach, unless the breach is unlikely to present a risk to the data owner.9
Regarding the data owner's rights,10 the Draft extends the scope of the information to be provided to the data owner when exercising his or her right of access, stating that the data owner must be informed of not only the existing data and the purposes of its treatment, but also, inter alia, (1) the recipients or categories of recipients to whom the personal data has been or will be transferred; (2) the data owner's rights; and (3) the existence of automatic decision-making processes, including profiling.
Additionally, the right to data portability is incorporated,11 which establishes that when electronic services that comprise personal data treatment are provided, the data owner will have the right to obtain from the person responsible a copy of the personal data in a structured and commonly used format that allows its subsequent use or its direct transference from responsible entity to responsible entity when it is technically possible.
Another relevant addition is the requirement for the creation of a data protection officer,13 who must be appointed when sensitive data or large-scale data treatment is carried out. The data protection officer's responsibilities include, inter alia, internal advice and compliance duties in connection to data protection issues.
Binding self-regulating mechanisms are encouraged, and should be filed with the enforcement authority for approval.
The Draft also excludes the possibility of legal entities registering with the do-not-call registry to block contact.14
III REGULATORY FRAMEWORK
i Privacy and data protection legislation and standards
As expressed above, the Data Protection Law is an omnibus law that regulates data protection in a comprehensive manner. In contrast to other jurisdictions (particularly the United States), Argentina does not have other specific data protection regulations outside the scope of the Data Protection Law, and there is no related legislation at a subnational level.
The Data Protection Law includes principles regarding data protection, data owners' rights, the organisation of data archives and databases, and actions to protect personal data, to mention a few.
The Law's main purposes are (1) to protect personal data stored in archives, registers, databanks or other technical means of data processing; (2) to guarantee people's honour and privacy; and (3) to ensure data owners their rights to access records of their data stored and treated by third parties.
The following are the main principles expressed by the Data Protection Law:
- due registration: data storage will be lawful if the database is duly registered with the Data Protection Agency; and
- data quality: personal data collected must be true, adequate, relevant and not excessive in relation to the scope and purpose for which the data has been obtained. The collection of personal data cannot be done by unfair or fraudulent means. Personal data subject to treatment cannot be used for purposes different from or incompatible with those leading to their collection.
The main rights for data owners contained in the Data Protection Law are the right of information, access and suppression: exercising this information right, data owners can request from the person responsible for the database their personal information that has been collected, the purpose of the collection and the identity of the person responsible for it. Additionally, personal data that is totally or partially inaccurate or incomplete should be deleted and replaced or, if necessary, completed by the file manager when the inaccuracy or incompleteness of the information is known. Data owners do not have to pay to exercise these rights. This right of access can be exercised (1) directly, through the person responsible for the database; (2) through the Data Protection Agency; or (3) through the habeas data procedure. To guarantee these rights, data must be stored in a way that allows the exercise of the right of access of the owner. Data must be destroyed when it is no longer necessary or relevant for the purposes for which it was collected.
ii General obligations for data handlers
The first obligation for data handlers is to obtain consent from data owners. The treatment of personal data is unlawful when the data subject has not given his or her express consent to the treatment of the data, either in writing or through any other similar means. The consent must appear in a clear and unequivocal manner. There are certain exceptional cases in which consent is not requested, such as when the personal data (1) derives from unrestricted public-access sources; (2) is collected for the performance of public duties; (3) is limited to name, identification card number, tax or social security identification, occupation, date of birth, domicile and telephone number; (4) arises from a contractual relationship and is necessary for the fulfilment of that contract; or (5) refers to the transactions performed by financial entities and arises from the information provided by their customers.
Another important obligation for database owners is the obligation for registration with the Agency. To file the registration, the company or individual responsible for the database must provide information regarding the location of the database, its characteristics and purpose, specifications of the data provided, origin, means of collection, etc. This registration must be renewed annually. The registration process is simple and relatively inexpensive.
iii Specific regulatory areas
The Data Protection Law contains several specific regulations applicable to different areas and industries.
One of the most relevant areas is financial information provided by private registries issuing reports. In that sense, to analyse a prospective client's financial records it is common for banks and other financial entities to seek credit information through different credit information services.
The Data Protection Law specifies which information can be treated. First, it needs to be personal data of an economic nature and it must be obtained from public sources or have been given by the data owner or collected with the data owner's consent.
Additionally, information regarding the fulfilment (or not) of a party's financial obligations can be given by the creditor (or by someone acting on its behalf), since both parties are owners of the information. In this case, there is no need to obtain the other party's consent.
Information relevant for the assessment of someone's financial capacity can be stored, registered or transferred for a maximum of five years. If the debtor cancels the debt, or it expires by any means, the period shall be reduced to two years. This issue tends to generate a substantial number of claims from consumers and users of financial services.
The Data Protection Law regulates the treatment of personal data by health institutions too. Public and private hospitals and health professionals can process their patients' data relating to mental or physical health, as long as they respect professional secrecy. These registries are very useful for scientific purposes, but it is important to note that they store sensitive data and dissociation of data is advised.
Furthermore, security and surveillance industries are also regulated and are currently the focus of most of the inspections carried out by the Data Protection Agency. Disposition 10/2015 regulates the use of closed-circuit television cameras in public spaces. The Disposition establishes that the use of these cameras is lawful when the data handler has obtained the data owner's prior and informed consent. Consent shall be deemed as granted by the data owner if the data collector includes signs indicating the existence of these cameras, the purpose of the data collection, the person responsible for the treatment and the relevant contact information. A template of this sign is included in the Disposition. The relevant database must be registered and the data collector must implement a manual for its use.
iv Technological innovation
The Data Protection Law has not been amended recently. For that reason, several technological innovations fall outside its scope.
The use of Big Data, on the other hand, presents a much deeper issue. Through Big Data, companies collect large amounts of information and its different uses are not always clearly determinable since data is often reused – so violating one of the Data Protection Law's main principles, which is specifying to the data owner the purpose of the data collection. Moreover, data treated must be accurate, true and not excessive in relation to the purpose. In many cases, it is not possible to assess that all information is accurate. Because of the large volume of information provided, some of it is bound to be inaccurate.16 The Data Protection Law has fallen behind in regulating the use of Big Data. The collection of excessive amounts of information is only of benefit to the user, and regulation of Big Data must recognise this new and useful way of treating data and always respect the user's rights.
The Agency has enacted several regulations aimed at reducing the technological gap generated between the enactment of the Data Protection Law and the present day. For example, Disposition 10/2015 establishes that companies using closed-circuit television cameras must implement a policy that includes the means of data collection, a reference to the place, dates and hours of operation of the cameras, technical and confidentiality mechanisms to be used, ways of exercising the data owner's rights and, if applicable, reasons that justify obtaining a picture of the individuals entering the facilities.
Lastly, Disposition 20/2015 regulates the collection of photos, films, sounds or any other data in digital format through VANTs or drones.
IV INTERNATIONAL DATA TRANSFER AND DATA LOCALISATION
Every nation that has specifically regulated data protection has realised that any form of planning and controlling would become useless if collected data could be automatically and unrestrictedly transferred abroad to be processed. Following the European model,17 the Data Protection Law has, in principle, prohibited international data transfer when the transfer is to countries or international or supranational organisations that do not offer 'adequate levels of protection'.18
With this provision, Argentina has tried to avoid data being collected and treated in its territory without regulatory controls in place or without the data owner being able to exercise its rights. Where there are no regulatory controls in place or data owners are unable to exercise their rights, international data transfers are prohibited.
It is considered that a country or organism has an adequate level of protection when that protection derives directly from the legal order, self-regulatory measures or contractual clauses that include specific data protection provisions.
On that basis, Disposition 60 – E/2016 sets forth that the following countries have an adequate level of protection: Member States of the European Union and members of the European Economic Area (EEA), Switzerland, Guernsey, Jersey, Isle of Man, Faroe Islands, Canada (only in relation to its private sector), Andorra, New Zealand, Uruguay and Israel (only in relation to the data handled automatically). International data transfers to countries other than those mentioned above must be made under a standard agreement (similar to the Standard Clauses of the EU). If the parties decide to resort to a different agreement that does not contain the principles, guarantees and content related to the protection of personal data foreseen in the standard clauses, said agreement shall require the approval of the Agency within a 30-calendar-day term as from the date of its execution.
Regulatory Decree 1558/2001 states that if the data owner has given its consent, it does not matter whether the state or organisation does not offer an adequate level of protection and, in that case, the international transfer can take place.
Additionally, consent is not necessary if the personal data is stored in a public registry legally created to provide information and that is open for public consultation or by anyone evidencing a legitimate interest.
The aforementioned prohibition will not apply in cases of (1) international judicial cooperation; (2) transfer of medical information, when the treatment of the deceased requires it, or in the case of an epidemic investigation; (3) bank or stock transfers; (4) transfers decided under international treaties to which Argentina is a party; and (5) when it takes place because of cooperation between agencies fighting organised crime, terrorism or drug trafficking.
V COMPANY POLICIES AND PRACTICES
As detailed above, Disposition 10/2015 requires companies to draft a manual for the operation of closed-circuit television cameras and Disposition 18/2015 contains guidelines for drafting privacy policies for app developers.
VI DISCOVERY AND DISCLOSURE
As stated above, data owners have several rights that derive from the Data Protection Law. Nevertheless, the rights of access, rectification and suppression can be denied when they could affect Argentina's national security, order or public safety, or the protection of rights or interests of third parties.
Additionally, information regarding personal data can be denied when the disclosure of information could become an obstacle to judicial or administrative proceedings regarding tax matters, pension obligations, the development of health and environmental control functions, the investigation of criminal offences or the verification of administrative infringements. The resolution denying access must be reasoned and notified to the affected party, and must relate to the reasons established above.
Since these provisions include a limitation of rights, they should be interpreted restrictively. Additionally, to safeguard the data owner's rights, this limitation must be subject to judicial review.
Despite all these provisions, the data owner must be able to access the registries if his or her defence rights rely on this action, in which case the access restriction must be lifted.
VII PUBLIC AND PRIVATE ENFORCEMENT
i Enforcement agencies
The Agency is an autonomous body within the scope of the Chief of Staff. Its main functions in relation to personal data are (1) operating as a registry of databases, keeping records of the registration and renewal of databases; (2) enforcing the Data Protection Law and the Do-Not-Call Law, carrying out inspections and imposing sanctions; and (3) creating new dispositions and regulations related to data protection matters. The Agency is also responsible for assuring the effective exercise of the right of access to public information and the enforcement of transparency within the public sector.
In using these powers, the Agency has issued several dispositions relating to its investigatory and auditing powers. In this context, Disposition 55/2016 regulates the Data Protection Agency's auditing procedures. The main aims of these proceedings are to control the activity of the person responsible for the database and ensure its compliance with the law.
The proceedings can be (1) ex officio, either scheduled annually or spontaneous; or (2) initiated upon a complaint, in which case the inspection itself will have an evidentiary nature.
After the inspection is finalised, the inspector will issue a final report with the outcome of the inspection. If the database owner has complied with the law, the proceeding is finalised. If it has not complied with the regulations, it is granted 15 days to remedy its non-fulfilment, otherwise sanctioning proceedings will begin.
ii Recent enforcement cases
The enforcement actions of the Data Protection Agency have evolved and intensified over the years. During its first years, the Agency's role was more educational than punitive, giving companies ample time to adapt to the new legislation and being proactive in responding to enquiries and explaining misconceptions. Nowadays, 18 years after the enactment of the Data Protection Law, the Agency is being more proactive in carrying out inspections and is stricter with its enforcement and punitive capabilities.
The vast majority of recent fines have been for violation of the Do-Not-Call Law, resulting in a large number of administrative proceedings and claims. Some fines have also been imposed in the recent past on companies failing to comply with their obligations under the Data Protection Law (mainly failure to register or renew registrations for their databases and failure to comply with security measures).
On a judicial level, most of the case law regarding personal data protection is connected to financial companies and the information they provide to consumer credit reporting agencies regarding their customers' debts. In most cases, the proceedings relate to financial companies' failure to update their registries once debts have been paid or the statute of limitations applied.
In this context, the Supreme Court has also stated that the 'right to be forgotten' has constitutional rank and must be respected. These cases have all been filed under the habeas data regime.
iii Private litigation
As stated above, the judicial remedy for private plaintiffs is the habeas data procedure regulated by the National Constitution and the Data Protection Law. Despite the fact that the access right of data owners can also be exercised through an administrative procedure, a judicial action is the only way for private plaintiffs to receive financial compensation.
Considering that the administrative procedure before the Data Protection Agency is a fast, free and accessible mechanism, there are not many cases brought at the judicial level. However, the Argentine Court of Appeals on Civil Matters has recently issued a valuable decision related to the scope of sensitive data.19 The case was brought to the judiciary by Instituto Patria, a local institution created by Cristina Fernandez de Kirchner (former president of Argentina) for political purposes, that was fined by the Public Registry of Commerce for its refusal to submit its Associates Registry Book in the context of an administrative corporate procedure. Instituto Patria refused to provide such information on the basis that this would constitute a violation of its obligations under the Data Protection Law, which prevents the disclosure of sensitive data (in this case related to political orientation) without the consent of the data subject. In turn, the Registry was of the view that the names of the associates could not be deemed sensitive personal data. The Civil Court of Appeals understood that the names of the associates, related to their membership of this organisation, were sufficient to reveal their political opinions. Following this approach, it concluded that in this particular case, names could be deemed to be sensitive personal data. As a consequence, the Court ordered the withdrawal of the Registry's request and the annulment of the fines applied to Instituto Patria.
VIII CONSIDERATIONS FOR FOREIGN ORGANISATIONS
Unlike most recent European legislation and the regulations contained in the Draft, the Data Protection Law does not specifically regulate international jurisdiction. The Agency has no enforcement authority under the current regime regarding companies that are based abroad with no assets or registrations in Argentina, even if these companies collect and treat personal data from Argentine residents. However, foreign companies registered in or that have assets in Argentina must register with the Agency and register their databases, to comply with the Argentine data protection regime.
Consequently, on a theoretical level, what triggers the need to comply with the Argentine regime for personal data protection is the collection or treatment of personal data from Argentine residents. On a practical level, the need to comply with Argentine regulations is triggered by the presence of the foreign company in Argentina by way of assets or registrations in the Public Registry of Commerce.
In 2017, a well-known technology and transport company started offering its services in Argentina, opening offices and hiring personnel. Because of the media coverage its services received, it came to the Agency's attention that the company was operating through mobile applications that necessarily collected data, but no databases were registered. For that reason, the Data Protection Agency started an investigation and required the foreign company to register its databases with the Data Protection Agency.
IX CYBERSECURITY AND DATA BREACHES
Cybersecurity is not a highly regulated area in Argentina. There are some regulations enacted by the National Central Bank regarding data security obligations for financial institutions, but there is no uniform or omnibus legislation that regulates the matter.
Although Resolution No. 580/2011 of the Chief of Staff created the National Programme for Critical Infrastructures for Information and Cybersecurity, there are not many companies taking part in this programme as it is not mandatory. Its main aim is to promote the creation and adoption of a specific regulatory framework for the protection of strategic infrastructures for the national public sector, inter-jurisdictional organisations and private sector organisations that require it. It seeks the collaboration of those sectors to develop adequate strategies and structures for coordinated action.
Furthermore, Decree 577/2017 has created the Cybersecurity Committee, which will mainly focus on creating a regulatory framework, educating people on the importance of cybersecurity, creating a national cybersecurity plan and creating general guidelines for security breaches. The Ministries of Modernisation, Defence and Security will take part in this initiative.
Resolution General 704-E/2017 of the National Securities Commission dated 29 August 2017 foresees the adoption of international standards with respect to cybersecurity and addresses the recommendations of the International Organization of Securities Commissions (IOSCO) on the principles of cybersecurity and cybernetic resilience. The Resolution defines the operational risks and deficiencies that might arise related to the processing of data as a consequence of human errors or failures due to external events that might result in the reduction, deterioration or interruption of the services provided by a 'financial market infrastructure'.
Moreover, Resolution 1107-E/2017 of the Ministry of Defence dated 18 October 2017 created the Security Incident Response Committee, which, within the framework of the national cybersecurity plan, is responsible for implementing actions of prevention, detection, response, defence and recovery against cyberthreats within the orbit of the Ministry.
On 26 April 2018, Argentina entered into a memorandum of understanding with Chile on cooperation in cybersecurity, cybercrime and cyberdefence, aimed at, inter alia, strengthening coordination and cooperation, promoting joint initiatives, exchanging good practices, developing and implementing new legislation and national strategies to respond to incidents, information exchange, education and training.
Finally, on 27 July 2018, the Agency enacted Resolution 47/18, which contains the recommended security measures for the treatment of personal data through computerised and non-computerised means. Among its dispositions, this resolution recommends that data handlers notify the Agency upon a data breach or security incident.
The future landscape in Argentina regarding personal data protection includes the almost certain enactment of a new law, in line with the new technologies that have emerged since the year 2000.
It is not certain whether the Draft will be sent to Congress and finally passed, but it is the first stepping stone and is certainly one of the Agency's objectives. We believe that a new law, in line with the GDPR, will be enacted within the next two years. In the meantime, many local companies processing European citizens' personal data had to adjust their procedures and processing of personal data to the provisions of the GDPR.
1 Adrián Lucio Furman is a partner and Mercedes de Artaza and Francisco Zappa are associates at M&M Bomchil.
2 Section 43, Paragraph 3 of the National Constitution states that, 'Any person can file this action to obtain access to any data referring to himself or herself, registered in public or private records or databases, intended to supply information; and in the case of false data or discriminatory data, to request the suppression, rectification, confidentiality or updating of the same. The secret nature of the source of journalistic information shall not be impaired.'
3 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
4 The Agency of Access to Public Information was created by Decree 746 dated 26 September 2017 which amended the Ministries Law No. 26.951.
5 Section 4 of the Draft.
6 Section 12 of the Draft.
7 Section 12 of the Draft.
8 Section 18 of the Draft.
9 Section 20 of the Draft.
10 Sections 27 and 28 of the Draft.
11 Section 33 of the Draft.
12 Section 37 of the Draft.
13 Section 43 of the Draft.
14 Section 49 of the Draft.
15 Osvaldo Alfredo Gozaini, Habeas Data, Protection of Personal Data (Rubinzal-Culzoni), p. 325.
16 Luciano Gandola, 'Conflicts between Big Data and the Data Protection Law', Infojus.
17 See footnote 3.
18 Section 12 of the Data Protection Law.
19 Court of Appeals in Civil Matters, Docket No. 8735/2018, Instituto Patria v. IGJ, 24 May 2018.