I OVERVIEW

Data protection was introduced to the Argentine legal system following the 1994 constitutional reform, with the incorporation of the habeas data procedure.[2] With this constitutional reform, data protection rights in Argentina acquired constitutional protection and, thus, are considered fundamental rights that cannot be suppressed or restricted without sufficient cause.

In October 2000, Congress passed Law No. 25,326 (the Data Protection Law), which focused directly on data protection. The Data Protection Law defined several data protection-related terms and included general principles regarding data collection and storage, outlining the data owner's rights and setting out the guidelines for the treatment of personal data. It is an omnibus law largely based on the EU Data Protection Directive 95/46[3] in force at that time, and the subsequent local legislation issued by the European countries (mainly Spain). Moreover, on 30 June 2003, the European Union issued a resolution establishing that Argentina had a level of protection consistent with the protection granted by the Directive with respect to personal data.

In 2014, Law No. 26,951 (the Do-Not-Call Law) created the do-not-call registry and expanded the protection of data owners' rights. This regulation allows the data owner to block contact from companies advertising, selling or giving away products and services. Companies offering products and services by telephonic means must register with the Agency and consult the list of blocked numbers on a monthly basis before engaging in marketing calls.

The Agency of Access to Public Information (the Agency)[4] is the enforcement authority in charge of applying the Data Protection Law and the Do-Not-Call Law. Among other responsibilities, the Agency is in charge of administering the do-not-call registry, assisting individuals regarding their rights, receiving claims and carrying out inspections of companies to assess their compliance with the Data Protection Law.

II THE YEAR IN REVIEW

During the early months of 2017, Justice 2020, a governmental initiative for the design of public policies promoted by the Ministry of Justice together with the Data Protection Agency, proposed amendments to the Data Protection Law and the Do-Not-Call Law. The draft bill (the Draft) was submitted to the legislative branch of government on 19 September 2018 and is yet to be treated by the respective chambers.

One of the main reasons for the executive branch to promote this change in legislation is the acknowledgement that technological advances have had a significant impact on privacy since the approval of the Data Protection Law, and therefore new legislation is needed to protect individuals from new risks. Additionally, the recent international context (in particular, the enactment of the GDPR) has made it necessary for Argentina's legislation to adapt and update, especially if it intends to maintain international protection standards.

The Draft defines new data protection-related terms and clarifies other terms defined by the Data Protection Law.

One of its most relevant changes is the scope of application and jurisdiction of the law, which is not currently regulated by the Data Protection Law. If it is passed, this new law will apply exclusively to individuals – in contrast with the Data Protection Law that is also applicable to legal entities – in the following cases: (1) when the person responsible for the treatment is domiciled in Argentina, even if the data treatment takes place abroad; (2) when the person responsible for the data treatment is not based in Argentina but in a place where Argentine legislation applies by virtue of international law; and (3) when the data treatment of data owners that reside in Argentina is performed by an entity with responsibility for data treatment that is not based in Argentina but whose data-treatment activities are related to the offer of goods or services to data owners in Argentina, or to the monitoring of their acts, behaviour or interests.[5]

With this new wording, the Draft specifically recognises that data treatment involving Argentine residents' personal data can occur abroad and grants the same protections as if the treatment had taken place in Argentina.

The Draft also includes new valid ways for obtaining the data owners' consent for the treatment of their personal data,[6] stating that express consent may be granted in writing, orally or through electronic means or any other similar means that technology may offer.

Moreover, the concept of tacit consent[7] is introduced. Tacit consent shall be deemed granted by the data owner when (1) it emerges clearly from the context of the data treatment; (2) the conduct of the data owner is sufficient to demonstrate the existence of the relevant authorisation. The Draft also states that tacit consent is admissible only when the data requested is necessary for the purpose of the collection and the data owner has been informed of his or her rights arising from the law. Tacit consent is not allowed for the treatment of sensitive data.

The Draft, following the principles set out in the Data Protection Law, expressly prohibits the treatment of sensitive data, with the following exceptions: (1) the data owner has granted his or her express consent to the treatment (with the exception of such cases in which, by law, the granting of such consent is not required); (2) the treatment is necessary: to protect the vital interest of the data owner and the latter – or its representatives – are physically or legally unable to provide consent in a timely manner; for the fulfilment of labour and social security obligations in relation to the data treatment itself or to the data owner; for the recognition, exercise or defence of rights in a judicial procedure; for historical, statistical or scientific purposes, in which case dissociation of data must take place; for public health or sanitary assistance; (3) the treatment is carried out by health institutions or professionals, foundations, civil associations of non-profit organisations with political, philosophical, religious or union purposes in connection to their members. The treatment of sensitive data is also allowed when the data has been made public by the data owner.

Following the Regulation (EU) 2016/679 of the European Parliament and of the Council, the Draft expressly addresses and regulates the consent given by children or teenagers for the treatment of their personal data.[8] The Draft establishes that such consent shall be deemed valid when it is applied to the processing of data directly linked to information services specifically designed and suitable for children or teenagers. Teenagers can grant their consent from 13 years of age. For children under 13 years old, the treatment of their personal data shall be considered lawful only if consent is granted by the child's parent or guardian.

Another relevant addition by the Draft is the inclusion of standard procedures and relevant guidelines to be followed by data processors in the event of security and data breaches. In particular, the Draft incorporates the obligation for the person responsible for the data treatment to document and report data incidents to the data owner and the enforcement authority with no delay, and preferably within 72 hours of the acknowledgment of the security breach, unless the breach is unlikely to present a risk to the data owner.[9]

Regarding the data owner's rights,[10] the Draft extends the scope of the information to be provided to the data owner when exercising its right of access, stating that the data owner must be informed of not only the existing data and the purposes of its treatment, but also, inter alia, (1) the recipients or categories of recipients to whom the personal data has been or will be transferred; (2) the data owner rights; and (3) the existence of automatic decision-making processes, including profiling.

Additionally, the right to data portability is incorporated,[11] which establishes that when electronic services that comprise personal data treatment are provided, the data owner will have the right to obtain from the person responsible a copy of the personal data in a structured and commonly used format that allows its subsequent use or its direct transference from responsible entity to responsible entity when it is technically possible.

With respect to users and managers of files, records and databases, specific guidelines related to proactive responsibility are established:[12] among the technical and organisational measures to be taken, the person responsible for the treatment should include, inter alia, internal or external audits, the adoption of a 'privacy policy' or the adherence to binding self-regulatory mechanisms to be submitted for approval by the enforcement authority. In particular, it is ordered that measures should be taken to ensure that, by default, only personal data necessary for each of the purposes of the data treatment are processed.

Another relevant addition is the requirement for the creation of a data protection officer,[13] who must be appointed when sensitive data or large-scale data treatment is carried out. The data protection officer's responsibilities include, inter alia, internal advice and compliance duties in connection to data protection issues.

Binding self-regulating mechanisms are encouraged, and should be filed with the enforcement authority for approval.

The Draft also excludes the possibility of legal entities registering with the do-not-call registry to block contact.[14]

Moreover, on 6 December 2018, Congress passed Law 27,483, which incorporated the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data into the local legal framework. The Committee of Ministers of the European Council had accepted Argentina's request to be invited to join the Convention in September 2017.

Continuing with its intention of updating and improving the data privacy framework, in January 2019 the Agency issued Disposition 4/2019 which established a set of best practice guidelines for the interpretation and application of the Data Protection Law. The Disposition provides guiding criteria on (1) right of access to personal data collected through closed circuit television cameras, (2) automated data processing, (3) data dissociation, (4) biometric data, (5) consent and (6) consent of minors.

Lastly, in the context of the presidential elections to take place during the second semester of 2019, in May 2019 the Agency issued Disposition 86/2019, which set forth the guidelines for data treatment with electoral purposes. Among other matters, the guidelines state that personal data published on social media, forums or web platforms with easy or unrestricted access is also subject to the principles of the Data Protection Law. Therefore, those who handle this type of public data must inform, at least through a global notification or a publication on the internet, the purpose of the treatment, the person or entity responsible for the treatment, the data handler's address and the rights of the data owners.

III REGULATORY FRAMEWORK

i Privacy and data protection legislation and standards

As expressed above, the Data Protection Law is an omnibus law that regulates data protection in a comprehensive manner. In contrast to other jurisdictions (particularly the United States), Argentina does not have other specific data protection regulations outside the scope of the Data Protection Law, and there is no related legislation at a subnational level.

The Data Protection Law includes principles regarding data protection, data owners' rights, the organisation of data archives and databases, and actions to protect personal data, to mention a few.

The Law's main purposes are (1) to protect personal data stored in archives, registers, databanks or other technical means of data processing; (2) to guarantee people's honour and privacy; and (3) to ensure data owners their rights to access records of their data stored and treated by third parties.

The following are the main principles expressed by the Data Protection Law:

  1. due registration: data storage will be lawful if the database is duly registered with the Data Protection Agency; and
  2. data quality: personal data collected must be true, adequate, relevant and not excessive in relation to the scope and purpose for which the data has been obtained. The collection of personal data cannot be done by unfair or fraudulent means. Personal data subject to treatment cannot be used for purposes different from or incompatible with those leading to their collection.

ii General obligations for data handlers

The first obligation for data handlers is to obtain consent from data owners. The treatment of personal data is unlawful when the data subject has not given his or her express consent to the treatment of the data, either in writing or through any other similar means. The consent must appear in a clear and unequivocal manner. There are certain exceptional cases in which consent is not requested, such as when the personal data (1) derives from unrestricted public-access sources; (2) is collected for the performance of public duties; (3) is limited to name, identification card number, tax or social security identification, occupation, date of birth, domicile and telephone number; (4) arises from a contractual relationship and is necessary for the fulfilment of that contract; or (5) refers to the transactions performed by financial entities and arises from the information provided by their customers.

Another important obligation for database owners is the obligation for registration with the Agency. To file the registration, the company or individual responsible for the database must provide information regarding the location of the database, its characteristics and purpose, specifications of the data provided, origin, means of collection, etc. The registration process is free and the information provided to the Agency must be updated periodically.

iii Data subject rights

The main rights for data owners contained in the Data Protection Law are the right of information, access and suppression: exercising this information right, data owners can request from the person responsible for the database their personal information that has been collected, the purpose of the collection and the identity of the person responsible for it. Additionally, personal data that is totally or partially inaccurate or incomplete should be deleted and replaced or, if necessary, completed by the file manager when the inaccuracy or incompleteness of the information is known. Data owners do not have to pay to exercise these rights. This right of access can be exercised (1) directly, through the person responsible for the database; (2) through the Data Protection Agency; or (3) through the habeas data procedure. To guarantee these rights, data must be stored in a way that allows the exercise of the right of access of the owner. Data must be destroyed when it is no longer necessary or relevant for the purposes for which it was collected.

iv Specific regulatory areas

The Data Protection Law contains several specific regulations applicable to different areas and industries.

One of the most relevant areas is financial information provided by private registries issuing reports. In that sense, to analyse a prospective client's financial records it is common for banks and other financial entities to seek credit information through different credit information services.

The Data Protection Law specifies which information can be treated. First, it needs to be personal data of an economic nature and it must be obtained from public sources or have been given by the data owner or collected with the data owner's consent.

Additionally, information regarding the fulfilment (or not) of a party's financial obligations can be given by the creditor (or by someone acting on its behalf), since both parties are owners of the information. In this case, there is no need to obtain the other party's consent.

Information relevant for the assessment of someone's financial capacity can be stored, registered or transferred for a maximum of five years. If the debtor cancels the debt, or it expires by any means, the period shall be reduced to two years. This issue tends to generate a substantial number of claims from consumers and users of financial services.

The Data Protection Law regulates the treatment of personal data by health institutions too. Public and private hospitals and health professionals can process their patients' data relating to mental or physical health, as long as they respect professional secrecy. These registries are very useful for scientific purposes, but it is important to note that they store sensitive data and dissociation of data is advised.

Furthermore, security and surveillance industries are also regulated and are currently the focus of most of the inspections carried out by the Data Protection Agency. Disposition 10/2015 regulates the use of closed-circuit television cameras in public spaces. The Disposition establishes that the use of these cameras is lawful when the data handler has obtained the data owner's prior and informed consent. Consent shall be deemed as granted by the data owner if the data collector includes signs indicating the existence of these cameras, the purpose of the data collection, the person responsible for the treatment and the relevant contact information. A template of this sign is included in the Disposition. The relevant database must be registered and the data collector must implement a manual for its use. Additionally, Disposition 4/2019 approved best practice guidelines for individuals to exercise the access right regarding data obtained through closed circuit television cameras.

v Technological innovation

The Data Protection Law has not been amended recently. For that reason, several technological innovations fall outside its scope.

The use of cookies, for example, was not included in the legislation. Nevertheless, by application of the Data Protection principles, companies trying to obtain information through them must obtain the user's consent to collect information.[15]

The use of Big Data, on the other hand, presents a much deeper issue. Through Big Data, companies collect large amounts of information and its different uses are not always clearly determinable since data is often reused – so violating one of the Data Protection Law's main principles, which is specifying to the data owner the purpose of the data collection. Moreover, data treated must be accurate, true and not excessive in relation to the purpose. In many cases, it is not possible to assess that all information is accurate. Because of the large volume of information provided, some of it is bound to be inaccurate.[16] The Data Protection Law has fallen behind in regulating the use of Big Data. The collection of excessive amounts of information is only of benefit to the user, and regulation of Big Data must recognise this new and useful way of treating data and always respect the user's rights.

The Agency has enacted several regulations aimed at reducing the technological gap generated between the enactment of the Data Protection Law and the present day. For example, Disposition 10/2015 establishes that companies using closed-circuit television cameras must implement a policy that includes the means of data collection, a reference to the place, dates and hours of operation of the cameras, technical and confidentiality mechanisms to be used, ways of exercising the data owner's rights and, if applicable, reasons that justify obtaining a picture of the individuals entering the facilities.

Moreover, Disposition 18/2015 establishes 'best practice guidelines for data collection through apps'. In addition to explaining specifically how data protection principles operate in this matter, the Disposition establishes that the privacy policy should be clear and easily accessible for users. Moreover, the privacy policy for apps designed for use on phones or tablets must be shown in a useful way for users, bearing in mind the size restrictions that apply to these devices. The use of icons, pictures, distinctive colours and sounds is recommended; extra care is requested when the app is suitable for children or teenagers.

Lastly, Disposition 20/2015 regulates the collection of photos, films, sounds or any other data in digital format through VANTs or drones.

IV INTERNATIONAL DATA TRANSFER AND DATA LOCALISATION

Every nation that has specifically regulated data protection has realised that any form of planning and controlling would become useless if collected data could be automatically and unrestrictedly transferred abroad to be processed. Following the European model,[17] the Data Protection Law has, in principle, prohibited international data transfer when the transfer is to countries or international or supranational organisations that do not offer 'adequate levels of protection'.[18]

With this provision, Argentina has tried to avoid data being collected and treated in its territory without regulatory controls in place or without the data owner being able to exercise its rights. Where there are no regulatory controls in place or data owners are unable to exercise their rights, international data transfers are prohibited.

It is considered that a country or organism has an adequate level of protection when that protection derives directly from the legal order, self-regulatory measures or contractual clauses that include specific data protection provisions.

On that basis, Disposition 60 – E/2016 sets forth that the following countries have an adequate level of protection: Member States of the European Union and members of the European Economic Area (EEA), Switzerland, Guernsey, Jersey, Isle of Man, Faroe Islands, Canada (only in relation to its private sector), Andorra, New Zealand, Uruguay and Israel (only in relation to the data handled automatically). The United Kingdom was included through Disposition 34/2019.

International data transfers to countries other than those mentioned above must be made under a standard agreement (similar to the Standard Clauses of the EU). If the parties decide to resort to a different agreement that does not contain the principles, guarantees and content related to the protection of personal data foreseen in the standard clauses, said agreement shall require the approval of the Agency within a 30-calendar-day term as from the date of its execution.

Moreover, the Agency issued Disposition 159/18, which detailed the guidelines for companies to draft and implement binding corporate rules or 'BCRs', which regulate intra-group international transfers of personal data.

According to the Disposition, BCRs adopted following the aforementioned guidelines allow the free flow of personal data within companies of the same business group, even if some companies are located in countries that do not provide an adequate level of protection.

Regulatory Decree 1558/2001 states that if the data owner has given its consent, it does not matter whether the state or organisation does not offer an adequate level of protection and, in that case, the international transfer can take place.

Additionally, consent is not necessary if the personal data is stored in a public registry legally created to provide information and that is open for public consultation or by anyone evidencing a legitimate interest.

The aforementioned prohibition will not apply in cases of (1) international judicial cooperation; (2) transfer of medical information, when the treatment of the deceased requires it, or in the case of an epidemic investigation; (3) bank or stock transfers; (4) transfers decided under international treaties to which Argentina is a party; and (5) when it takes place because of cooperation between agencies fighting organised crime, terrorism or drug trafficking.

V COMPANY POLICIES AND PRACTICES

Although it is not expressly set out in the legislation, companies are encouraged to implement a privacy policy that regulates their personal data collection, treatment and processing and security mechanisms. It is common for the Agency to request this policy from companies upon inspections.

As detailed above, Disposition 10/2015 requires companies to draft a manual for the operation of closed circuit television cameras, Disposition 18/2015 contains guidelines for drafting privacy policies for app developers and Disposition 159/18 contains guidelines for drafting BCRs.

VI DISCOVERY AND DISCLOSURE

As stated above, data owners have several rights that derive from the Data Protection Law. Nevertheless, the rights of access, rectification and suppression can be denied when they could affect Argentina's national security, order or public safety, or the protection of rights or interests of third parties.

Additionally, information regarding personal data can be denied when the disclosure of information could become an obstacle to judicial or administrative proceedings regarding tax matters, pension obligations, the development of health and environmental control functions, the investigation of criminal offences or the verification of administrative infringements. The resolution denying access must be reasoned and notified to the affected party, and must relate to the reasons established above.

Since these provisions include a limitation of rights, they should be interpreted restrictively. Additionally, to safeguard the data owner's rights, this limitation must be subject to judicial review.

Despite all these provisions, the data owner must be able to access the registries if his or her defence rights rely on this action, in which case the access restriction must be lifted.

VII PUBLIC AND PRIVATE ENFORCEMENT

i Enforcement agencies

The Agency is an autonomous body within the scope of the Chief of Staff. Its main functions in relation to personal data are (1) operating as a registry of databases, keeping records of the registration and renewal of databases; (2) enforcing the Data Protection Law and the Do-Not-Call Law, carrying out inspections and imposing sanctions; and (3) creating new dispositions and regulations related to data protection matters. The Agency is also responsible for assuring the effective exercise of the right of access to public information and the enforcement of transparency within the public sector.

In using these powers, the Agency has issued several dispositions relating to its investigatory and auditing powers. In this context, Disposition 55/2016 regulates the Data Protection Agency's auditing procedures. The main aims of these proceedings are to control the activity of the person responsible for the database and ensure its compliance with the law.

The proceedings can be (1) ex officio, either scheduled annually or spontaneous; or (2) initiated upon a complaint, in which case the inspection itself will have an evidentiary nature.

After the inspection is finalised, the inspector will issue a final report with the outcome of the inspection. If the database owner has complied with the law, the proceeding is finalised. If it has not complied with the regulations, it is granted 15 days to remedy its non-fulfilment, otherwise sanctioning proceedings will begin.

ii Recent enforcement cases

The enforcement actions of the Data Protection Agency have evolved and intensified over the years. During its first years, the Agency's role was more educational than punitive, giving companies ample time to adapt to the new legislation and being proactive in responding to enquiries and explaining misconceptions. Nowadays, 19 years after the enactment of the Data Protection Law, the Agency is being more proactive in carrying out inspections and is stricter with its enforcement and punitive capabilities.

The vast majority of recent fines have been for violation of the Do-Not-Call Law, resulting in a large number of administrative proceedings and claims. Some fines have also been imposed in the recent past on companies failing to comply with their obligations under the Data Protection Law (mainly failure to register or renew registrations for their databases and failure to comply with security measures).

On a judicial level, most of the case law regarding personal data protection is connected to financial companies and the information they provide to consumer credit reporting agencies regarding their customers' debts. In most cases, the proceedings relate to financial companies' failure to update their registries once debts have been paid or the statute of limitations applied.

In this context, the Supreme Court has also stated that the 'right to be forgotten' has constitutional rank and must be respected. These cases have all been filed under the habeas data regime.

iii Private litigation

As stated above, the judicial remedy for private plaintiffs is the habeas data procedure regulated by the National Constitution and the Data Protection Law. Despite the fact that the access right of data owners can also be exercised through an administrative procedure, a judicial action is the only way for private plaintiffs to receive financial compensation.

Considering that the administrative procedure before the Data Protection Agency is a fast, free and accessible mechanism, there are not many cases brought at the judicial level. However, the Argentine Federal Court of Appeals on Contentious Administrative Matters has recently issued a valuable decision related to the consent needed in order for an assignment of personal data to be valid.[19] The judgement took place by virtue of an action brought by a third party against Resolution No. 166-E/2016 of the Presidency of the Cabinet of Ministers, which approved an agreement allowing ANSES (the Agency in charge of social security matters) to provide the Secretariat of Public Communication with information about the citizens registered before it from time to time, in order for the Secretariat to communicate different issues.

The main discussion was whether a person's email and phone number could be assigned without the owner's consent. The first argument brought by the national government in favour of the assignment was that in this case the owner's consent was not needed based on an exception of the Data Protection Law that lists certain personal data that can be assigned without the owner's consent (name, ID, tax identification number, occupation, date of birth and domicile). The national government considered that such list was not an exhaustive list and, consequently, could be extended to include a person's email and phone number. The Court considered that said exception should be interpreted restrictively and confirmed that the list was indeed an exhaustive list.

Secondly, the national government argued that another exception of the Data Protection Law should apply to this matter, which exempts the obtainment of consent for assigning personal data that 'is collected for the exercise of the functions of the powers of the State or by virtue of a legal obligation'. Upon this discussion, the Court considered that, in order for that exception to apply, certain specific requirements must arise (for example, that the information is necessary for the national defence, public security or suppression of crimes purposes, or if it is collected by the security or intelligence community), which shall also be interpreted restrictively.

The Court concluded that it is necessary to obtain the owner's consent for the assignment of a person's email and phone number and resolved therefore that such data should not be included in the assignment to be performed by ANSES to the Secretariat of Public Communication.

VIII CONSIDERATIONS FOR FOREIGN ORGANISATIONS

Unlike most recent European legislation and the regulations contained in the Draft, the Data Protection Law does not specifically regulate international jurisdiction. The Agency has no enforcement authority under the current regime regarding companies that are based abroad with no assets or registrations in Argentina, even if these companies collect and treat personal data from Argentine residents. However, foreign companies registered in or that have assets in Argentina must register with the Agency and register their databases, to comply with the Argentine data protection regime.

Consequently, on a theoretical level, what triggers the need to comply with the Argentine regime for personal data protection is the collection or treatment of personal data from Argentine residents. On a practical level, the need to comply with Argentine regulations is triggered by the presence of the foreign company in Argentina by way of assets or registrations in the Public Registry of Commerce.

In 2017, a well-known technology and transport company started offering its services in Argentina, opening offices and hiring personnel. Because of the media coverage its services received, it came to the Agency's attention that the company was operating through mobile applications that necessarily collected data, but no databases were registered. For that reason, the Data Protection Agency started an investigation and required the foreign company to register its databases with the Data Protection Agency.

IX CYBERSECURITY AND DATA BREACHES

Cybersecurity is not a highly regulated area in Argentina. There are some regulations enacted by the National Central Bank and the National Securities Commission regarding data security obligations for financial institutions and publicly listed companies, but there is no uniform or omnibus legislation that regulates the matter.

Although Resolution No. 580/2011 of the Chief of Staff created the National Programme for Critical Infrastructures for Information and Cybersecurity, there are not many companies taking part in this programme as it is not mandatory. Its main aim is to promote the creation and adoption of a specific regulatory framework for the protection of strategic infrastructures for the national public sector, inter-jurisdictional organisations and private sector organisations that require it. It seeks the collaboration of those sectors to develop adequate strategies and structures for coordinated action.

Furthermore, Decree 577/2017 has created the Cybersecurity Committee, which will mainly focus on creating a regulatory framework, educating people on the importance of cybersecurity, creating a national cybersecurity plan and creating general guidelines for security breaches. The Ministries of Modernisation, Defence and Security will take part in this initiative.

Resolution General 704-E/2017 of the National Securities Commission dated 29 August 2017 foresees the adoption of international standards with respect to cybersecurity and addresses the recommendations of the International Organization of Securities Commissions (IOSCO) on the principles of cybersecurity and cybernetic resilience. The Resolution defines the operational risks and deficiencies that might arise related to the processing of data as a consequence of human errors or failures due to external events that might result in the reduction, deterioration or interruption of the services provided by a 'financial market infrastructure'.

Moreover, Resolution 1107-E/2017 of the Ministry of Defence, dated 18 October 2017, created the Security Incident Response Committee, which, within the framework of the national cybersecurity plan, is responsible for implementing actions of prevention, detection, response, defence and recovery against cyberthreats within the orbit of the Ministry.

On 26 April 2018, Argentina entered into a memorandum of understanding with Chile on cooperation in cybersecurity, cybercrime and cyberdefence, aimed at, inter alia, strengthening coordination and cooperation, promoting joint initiatives, exchanging good practices, developing and implementing new legislation and national strategies to respond to incidents, information exchange, education and training.

Finally, on 27 July 2018, the Agency enacted Resolution 47/18, which contains the recommended security measures for the treatment of personal data through computerised and non-computerised means. Among its provisions, this resolution recommends that data handlers notify the Agency upon a data breach or security incident.

Despite the lack of any specific regulation included in the Data Protection Law, it does set forth a generic obligation for the data handlers to adopt all technical and organisational measures needed to guarantee the security and confidentiality of the personal data. Registration of personal data in files, registers or banks that do not meet technical conditions of integrity and security is prohibited.

Based on this generic obligation, the Agency started an investigation regarding a security breach suffered by an email provider (made public by the company), which had exposed personal data of its users. During the investigation, the Agency's technical area determined that the company had not taken the technical measures needed to prevent data breaches and therefore sanctioned the company with a fine. The Agency's decision is not final and can be judicially challenged.

X OUTLOOK

The future landscape in Argentina regarding personal data protection includes the almost certain enactment of a new law, in line with the new technologies that have emerged since the year 2000.

It is not certain whether the Draft will finally be passed, but it is the first stepping stone and is certainly one of the Agency's objectives. We believe that a new law, in line with the GDPR, will be enacted in the medium term. In the meantime, many local companies processing European citizens' personal data had to adjust their procedures and processing of personal data to the provisions of the GDPR.


Footnotes

1 Adrián Furman is a partner and Francisco Zappa is an associate at Bomchil. The authors wish to thank Catalina Malara, former associate at Bomchil, for her contribution to writing this chapter.

2 Section 43, Paragraph 3 of the National Constitution states that, 'Any person can file this action to obtain access to any data referring to himself or herself, registered in public or private records or databases, intended to supply information; and in the case of false data or discriminatory data, to request the suppression, rectification, confidentiality or updating of the same. The secret nature of the source of journalistic information shall not be impaired.'

3 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

4 The Agency of Access to Public Information was created by Decree 746 dated 26 September 2017 which amended the Ministries Law No. 26.951.

5 Section 4 of the Draft.

6 Section 12 of the Draft.

7 Section 12 of the Draft.

8 Section 18 of the Draft.

9 Section 20 of the Draft.

10 Sections 27 and 28 of the Draft.

11 Section 33 of the Draft.

12 Section 37 of the Draft.

13 Section 43 of the Draft.

14 Section 49 of the Draft.

15 Osvaldo Alfredo Gozaini, Habeas Data, Protection of Personal Data (Rubinzal-Culzoni), p. 325.

16 Luciano Gandola, 'Conflicts between Big Data and the Data Protection Law', Infojus.

17 See footnote 3.

18 Section 12 of the Data Protection Law.

19 Federal Court of Appeals on Contentious Administrative Matters, Docket No. 49,482/2016, 'Torres Abad, Carmen C/En JGM s/habeas data', 3 July 2018.