The Privacy, Data Protection and Cybersecurity Law Review: Argentina
Data protection was introduced to the Argentine legal system following the 1994 constitutional reform, with the incorporation of the habeas data procedure.2 With this constitutional reform, data protection rights in Argentina acquired constitutional protection and, thus, are considered fundamental rights that cannot be suppressed or restricted without sufficient cause.
In October 2000, Congress passed Law No. 25,326 (the Data Protection Law), which focused directly on data protection. The Data Protection Law defined several data protection-related terms and included general principles regarding data collection and storage, outlining the data owner's rights and setting out the guidelines for the processing of personal data. It is an omnibus law largely based on the EU Data Protection Directive 95/463 in force at that time, and the subsequent local legislation issued by the European countries (mainly Spain). Moreover, on 30 June 2003, the European Union issued a resolution establishing that Argentina had a level of protection consistent with the protection granted by the Directive with respect to personal data.
In 2014, Law No. 26,951 (the Do-Not-Call Law) created the do-not-call registry and expanded the protection of data owner's rights. This regulation allows the data owner to block contact from companies advertising, selling or giving away products and services. Companies offering products and services by telephonic means must register with the Agency and consult the list of blocked numbers on a monthly basis before engaging in marketing calls.
The Agency of Access to Public Information (the Agency)4 is the enforcement authority in charge of applying the Data Protection Law and the Do-Not-Call Law. Among other responsibilities, the Agency is in charge of administrating the do-not-call registry, assisting individuals regarding their rights, receiving claims and carrying out inspections of companies to assess their compliance with the Data Protection Law.
The year in review
During the early months of 2017, Justice 2020, a governmental initiative for the design of public policies promoted by the Ministry of Justice together with the Data Protection Agency, proposed amendments to the Data Protection Law and the Do Not Call Law. The draft bill (the Draft) was submitted to the legislative branch of government on 19 September 2018.
One of the main reasons for the executive branch to promote this change in legislation was the acknowledgement that technological advances have had a significant impact on privacy since the approval of the Data Protection Law, and therefore a new legislation was needed to protect individuals from new risks. Additionally, the recent international context (in particular, the enactment of the GDPR) has made it necessary for Argentina's legislation to adapt and update, especially if it intends to maintain international protection standards. However, the governmental initiative lost support during the past couple of years and the legislative process for passing the Draft concluded unsuccessfully in 2020.
Moreover, on 6 December 2018, Congress passed Law 27,483, which incorporated the Convention for the Protection of Individuals with regards to Automatic Processing of Personal Data into the local legal framework. The Committee of Ministers of the European Council had accepted Argentina's request to be invited to join the Convention in September 2017.
Continuing with its intention of updating and improving the data privacy framework, in January 2019 the Agency issued Disposition 4/2019 which established a set of best practice guidelines for the interpretation and application of the Data Protection Law. The Disposition provides guiding criteria on (1) right of access to personal data collected through closed circuit television cameras, (2) automated data processing, (3) data dissociation, (4) biometric data, (5) consent and (6) consent of minors.
In the context of the presidential elections that took place during the second semester of 2019, in May 2019 the Agency issued Disposition 86/2019, which set forth the guidelines for data handling with electoral purposes. Among other matters, the guidelines state that personal data published on social media, forums or web platforms with easy or unrestricted access is also subject to the principles of the Data Protection Law. Therefore, those who handle this type of public data must inform, at least through a global notification or a publication on the internet, the purpose of the handling, the person or entity responsible for the handling, the data handler's address and the rights of the data owners.
In January 2020, the Agency, acting together with the enforcement authority of the Republic of Uruguay, published a guideline for the performance of Data Protection Impact Assessments (DPIAs). Unlike the dispositions of the GPDR, DPIAs are not foreseen under Argentine legislation. However, through this guideline the Agency recommended its performance when the rights of data subjects are put at risk as a consequence of the data-handling activities of a company or state entity. The guideline contains updated definitions of data protection-related terms and details the steps and processes required to perform a DPIA.
Lastly, as a consequence of the covid-19 pandemic, the Agency published guidelines for the handling of personal data in the context of the pandemic and for the use of geo-tracking tools. Through these guidelines, the Agency stated that the data protection principles should be strictly applied, even in an emergency situation such as the pandemic. The guidelines include a reminder that information about a covid-19 patient is sensitive data, which requires the data owner's consent in order to be shared with third parties. Health professionals and institutions are allowed to transfer between themselves covid-related data provided that they comply with their duty of professional secrecy. Moreover, the Ministry of Health and the Provincial Ministries are allowed to collect, process and transfer between themselves covid-related data without the data owner's consent.
The guideline for the use of geo-tracking tools in the context of the pandemic establishes that geo-tracking data is personal data protected by the Data Protection Law. As such, it can only be processed with the data owner's consent or through any of the specific exemptions for obtaining consent established by the Personal Data Protection Law (i.e., state entities can use these tools without the data owners' consent provided they act within their functions). All data protection principles (data quality, data minimisation) and rights (i.e., access, rectification and suppression rights and right to revoke consent) should be respected when using geo-tracking tools.
i Privacy and data protection legislation and standards
As expressed above, the Data Protection Law is an omnibus law that regulates data protection in a comprehensive manner. In contrast to other jurisdictions (particularly the United States), Argentina does not have other specific data protection regulations outside the scope of the Data Protection Law, and there is no related legislation at a subnational level (the City of Buenos Aires has a specific data protection law but it only applies to state entities).
The Data Protection Law includes principles regarding data protection, data owners' rights, the organisation of data archives and databases, and actions to protect personal data, to mention a few.
The Law's main purposes are (1) to protect personal data stored in archives, registers, databanks or other technical means of data processing; (2) to guarantee people's honour and privacy; and (3) to ensure data owners their rights to access records of their data stored and processed by third parties.
The following are the main principles expressed by the Data Protection Law:
- due registration: data storage will be lawful if the database is duly registered with the Data Protection Agency; and
- data quality: personal data collected must be true, adequate, relevant and not excessive in relation to the scope and purpose for which the data has been obtained. The collection of personal data cannot be done by unfair or fraudulent means. Personal data subject to processing cannot be used for purposes different from or incompatible with those leading to their collection.
ii General obligations for data handlers
The first obligation for data handlers is to obtain consent from data owners. The processing of personal data is unlawful when the data subject has not given his or her express consent to the processing of the data, either in writing or through any other similar means. The consent must appear in a clear and unequivocal manner. There are certain exceptional cases in which consent is not requested, such as when the personal data (1) derives from unrestricted public-access sources; (2) is collected for the performance of public duties; (3) is limited to name, identification card number, tax or social security identification, occupation, date of birth, domicile and telephone number; (4) arises from a contractual relationship and is necessary for the fulfilment of that contract; or (5) refers to the transactions performed by financial entities and arises from the information provided by their customers.
Another important obligation for database owners is the obligation for registration with the Agency. To file the registration, the company or individual responsible for the database must provide information regarding the location of the database, its characteristics and purpose, specifications of the data provided, origin, means of collection, etc. The registration process is free and the information provided to the Agency must be updated periodically.
iii Data subject rights
The main rights for data owners contained in the Data Protection Law are the right of information, access and suppression: exercising this information right, data owners can request from the person responsible for the database their personal information that has been collected, the purpose of the collection and the identity of the person responsible for it. Additionally, personal data that is totally or partially inaccurate or incomplete should be deleted and replaced or, if necessary, completed by the file manager when the inaccuracy or incompleteness of the information is known. Data owners do not have to pay to exercise these rights. This right of access can be exercised (1) directly, through the person responsible for the database; (2) through the Data Protection Agency; or (3) through the habeas data procedure. To guarantee these rights, data must be stored in a way that allows the exercise of the right of access of the owner. Data must be destroyed when it is no longer necessary or relevant for the purposes for which it was collected.
iv Specific regulatory areas
The Data Protection Law contains several specific regulations applicable to different areas and industries.
One of the most relevant areas is financial information provided by private registries issuing reports. In that sense, to analyse a prospective client's financial records it is common for banks and other financial entities to seek credit information through different credit information services.
The Data Protection Law specifies which information can be processed. First, it needs to be personal data of an economic nature and it must be obtained from public sources or have been given by the data owner or collected with the data owner's consent.
Additionally, information regarding the fulfilment (or not) of a party's financial obligations can be given by the creditor (or by someone acting on its behalf), since both parties are owners of the information. In this case, there is no need to obtain the other party's consent.
Information relevant for the assessment of someone's financial capacity can be stored, registered or transferred for a maximum of five years. If the debtor cancels the debt, or it expires by any means, the period shall be reduced to two years. This issue tends to generate a substantial number of claims from consumers and users of financial services.
The Data Protection Law regulates the processing of personal data by health institutions too. Public and private hospitals and health professionals can process their patients' data relating to mental or physical health, as long as they respect professional secrecy. These registries are very useful for scientific purposes, but it is important to note that they store sensitive data and dissociation of data is advised.
Furthermore, security and surveillance industries are also regulated and are currently the focus of most of the inspections carried out by the Data Protection Agency. Disposition 10/2015 regulates the use of closed-circuit television cameras in public spaces. The Disposition establishes that the use of these cameras is lawful when the data handler has obtained the data owner's prior and informed consent. Consent shall be deemed as granted by the data owner if the data collector includes signs indicating the existence of these cameras, the purpose of the data collection, the person responsible for the processing and the relevant contact information. A template of this sign is included in the Disposition. The relevant database must be registered and the data collector must implement a manual for its use. Additionally, Disposition 4/2019 approved best practice guidelines for individuals to exercise the access right regarding data obtained through closed circuit television cameras.
v Technological innovation
The Data Protection Law has not been amended recently. For that reason, several technological innovations fall outside its scope.
The use of Big Data, on the other hand, presents a much deeper issue. Through Big Data, companies collect large amounts of information and its different uses are not always clearly determinable since data is often reused – so violating one of the Data Protection Law's main principles, which is specifying to the data owner the purpose of the data collection. Moreover, data processed must be accurate, true and not excessive in relation to the purpose. In many cases, it is not possible to assess that all information is accurate. Because of the large volume of information provided, some of it is bound to be inaccurate.6 The Data Protection Law has fallen behind in regulating the use of Big Data. The collection of excessive amounts of information is only of benefit to the user, and regulation of Big Data must recognise this new and useful way of processing data and always respect the user's rights.
The Agency has enacted several regulations aimed at reducing the technological gap generated between the enactment of the Data Protection Law and the present day. For example, Disposition 10/2015 establishes that companies using closed-circuit television cameras must implement a policy that includes the means of data collection, a reference to the place, dates and hours of operation of the cameras, technical and confidentiality mechanisms to be used, ways of exercising the data owner's rights and, if applicable, reasons that justify obtaining a picture of the individuals entering the facilities.
Lastly, Disposition 20/2015 regulates the collection of photos, films, sounds or any other data in digital format through VANTs or drones.
International data transfer and data localisation
Every nation that has specifically regulated data protection has realised that any form of planning and controlling would become useless if collected data could be automatically and unrestrictedly transferred abroad to be processed. Following the European model,7 the Data Protection Law has, in principle, prohibited international data transfer when the transfer is to countries or international or supranational organisations that do not offer 'adequate levels of protection'.8
With this provision, Argentina has tried to avoid data being collected and processed in its territory without regulatory controls in place or without the data owner being able to exercise its rights. Where there are no regulatory controls in place or data owners are unable to exercise their rights, international data transfers are prohibited.
It is considered that a country or organism has an adequate level of protection when that protection derives directly from the legal order, self-regulatory measures or contractual clauses that include specific data protection provisions.
On that basis, Disposition 60 – E/2016 sets forth that the following countries have an adequate level of protection: Member States of the European Union and members of the European Economic Area (EEA), Switzerland, Guernsey, Jersey, Isle of Man, Faroe Islands, Canada (only in relation to its private sector), Andorra, New Zealand, Uruguay and Israel (only in relation to the data handled automatically). The United Kingdom was included through Disposition 34/2019.
International data transfers to countries other than those mentioned above must be made under a standard agreement (similar to the Standard Clauses of the EU). If the parties decide to resort to a different agreement that does not contain the principles, guarantees and content related to the protection of personal data foreseen in the standard clauses, said agreement shall require the approval of the Agency within a 30-calendar-day term as from the date of its execution.
Moreover, the Agency issued Disposition 159/18, which detailed the guidelines for companies to draft and implement binding corporate rules or 'BCRs', which regulate intra-group international transfers of personal data.
According to the Disposition, BCRs adopted following the aforementioned guidelines allow the free flow of personal data within companies of the same business group, even if some companies are located in countries that do not provide an adequate level of protection.
Regulatory Decree 1558/2001 states that if the data owner has given its consent, it does not matter whether the state or organisation does not offer an adequate level of protection and, in that case, the international transfer can take place.
Additionally, consent is not necessary if the personal data is stored in a public registry legally created to provide information and that is open for public consultation or by anyone evidencing a legitimate interest.
The aforementioned prohibition will not apply in cases of (1) international judicial cooperation; (2) transfer of medical information, when the treatment of the deceased requires it, or in the case of an epidemic investigation; (3) bank or stock transfers; (4) transfers decided under international treaties to which Argentina is a party; and (5) when it takes place because of cooperation between agencies fighting organised crime, terrorism or drug trafficking.
Company policies and practices
As previously detailed above, Disposition 10/2015 requires companies to draft a manual for the operation of closed circuit television cameras, Disposition 18/2015 contains guidelines for drafting privacy policies for app developers and Disposition 159/18 contains guidelines for drafting BCRs.
Discovery and disclosure
As stated above, data owners have several rights that derive from the Data Protection Law. Nevertheless, the rights of access, rectification and suppression can be denied when they could affect Argentina's national security, order or public safety, or the protection of rights or interests of third parties.
Additionally, information regarding personal data can be denied when the disclosure of information could become an obstacle to judicial or administrative proceedings regarding tax matters, pension obligations, the development of health and environmental control functions, the investigation of criminal offences or the verification of administrative infringements. The resolution denying access must be reasoned and notified to the affected party, and must relate to the reasons established above.
Since these provisions include a limitation of rights, they should be interpreted restrictively. Additionally, to safeguard the data owner's rights, this limitation must be subject to judicial review.
Despite all these provisions, the data owner must be able to access the registries if his or her defence rights rely on this action, in which case the access restriction must be lifted.
Public and private enforcement
i Enforcement agencies
The Agency is an autonomous body within the scope of the Chief of Staff. Its main functions in relation to personal data are (1) operating as a registry of databases, keeping records of the registration and renewal of databases; (2) enforcing the Data Protection Law and the Do-Not-Call Law, carrying out inspections and imposing sanctions; and (3) creating new dispositions and regulations related to data protection matters. The Agency is also responsible for assuring the effective exercise of the right of access to public information and the enforcement of transparency within the public sector.
In using these powers, the Agency has issued several dispositions relating to its investigatory and auditing powers. In this context, Disposition 55/2016 regulates the Data Protection Agency's auditing procedures. The main aims of these proceedings are to control the activity of the person responsible for the database and ensure its compliance with the law.
The proceedings can be (1) ex officio, either scheduled annually or spontaneous; or (2) initiated upon a complaint, in which case the inspection itself will have an evidentiary nature.
After the inspection is finalised, the inspector will issue a final report with the outcome of the inspection. If the database owner has complied with the law, the proceeding is finalised. If it has not complied with the regulations, it is granted 15 days to remedy its non-fulfilment, otherwise sanctioning proceedings will begin.
ii Recent enforcement cases
The enforcement actions of the Data Protection Agency have evolved and intensified over the years. During its first years, the Agency's role was more educational than punitive, giving companies ample time to adapt to the new legislation and being proactive in responding to enquiries and explaining misconceptions. Nowadays, 20 years after the enactment of the Data Protection Law, the Agency is being more proactive in carrying out inspections and is stricter with its enforcement and punitive capabilities.
The vast majority of recent fines have been for violation of the Do-Not-Call Law, resulting in a large number of administrative proceedings and claims. Some fines have also been imposed in the recent past on companies failing to comply with their obligations under the Data Protection Law (mainly failure to register or renew registrations for their databases and failure to comply with security measures).
On a judicial level, most of the case law regarding personal data protection is connected to financial companies and the information they provide to consumer credit reporting agencies regarding their customers' debts. In most cases, the proceedings relate to financial companies' failure to update their registries once debts have been paid or the statute of limitations applied.
In this context, the Supreme Court has also stated that the 'right to be forgotten' has constitutional rank and must be respected. These cases have all been filed under the habeas data regime.
In this regard, in May 2020, an interesting decision was issued by the Agency in connection with an administrative claim brought against a foreign search engine company and its Argentine affiliate. The claim was brought by an email user that had her account illegitimately accessed. Upon requesting the Argentine affiliate to grant her access to her personal data and lost files, the company replied that it did not administer the email software and that such product was managed by its foreign controlling company. The Argentine affiliate also stated that it did not represent its foreign controlling company and that it was not the offeror of any internet service in Argentina (it only provided marketing services for its foreign controlling company) and, hence, was not liable before email users. The foreign controlling company (which owned and administered the email software) also rejected the access request, stating that the email software offered its users a specific tool for accessing their personal data and recovering their account. Such foreign company also rejected the jurisdiction of the Agency over its data-handling activities.
In its decision, the Agency stated that:
- it had jurisdiction over the foreign controlling company's activities in Argentina, because Argentine data protection laws apply to all companies that handle personal data of Argentine citizens or whose data handling activities have effect in Argentina, irrespective of the company's place of incorporation; and
- the Argentine affiliate had a joint liability with its foreign controlling company because the activities of both affiliates were 'inextricably linked' (a concept derived from the leading case Google Spain and from Section 3 of the GDPR). A fine was imposed to both companies.
iii Private litigation
As stated above, the judicial remedy for private plaintiffs is the habeas data procedure regulated by the National Constitution and the Data Protection Law. Despite the fact that the access right of data owners can also be exercised through an administrative procedure, a judicial action is the only way for private plaintiffs to receive financial compensation.
Considering that the administrative procedure before the Data Protection Agency is a fast, free and accessible mechanism, there are not many cases brought at the judicial level. However, the Argentine Federal Court of Appeals on Contentious Administrative Matters has recently issued a valuable decision related to the consent needed in order for an assignment of personal data to be valid.9 The judgement took place by virtue of an action brought by a third party against Resolution No. 166-E/2016 of the Presidency of the Cabinet of Ministers, which approved an agreement allowing ANSES (the Agency in charge of social security matters) to provide the Secretariat of Public Communication with information about the citizens registered before it from time to time, in order for the Secretariat to communicate different issues.
The main discussion was if a person's email and phone number could be assigned without the owner's consent. The first argument brought by the national government in favour of the assignment was that in this case the owner's consent was not needed based on an exception of the Data Protection Law that lists certain personal data that can be assigned without the owner's consent (name, ID, tax identification number, occupation, date of birth and domicile). The national government considered that such list was not an exhaustive list and, consequently, could be extended to include a person's email and phone number. The Court considered that said exception should be interpreted restrictively and confirmed that the list was indeed an exhaustive list.
Secondly, the national government argued that another exception of the Data Protection Law should apply to this matter, which exempts the obtainment of consent for assigning personal data that 'is collected for the exercise of the functions of the powers of the State or by virtue of a legal obligation'. Upon this discussion, the Court considered that, in order for that exception to apply, certain specific requirements must arise (for example, that the information is necessary for the national defence, public security or suppression of crimes purposes, or if it is collected by the security or intelligence community), which shall also be interpreted restrictively.
The Court concluded that it is necessary to obtain the owner's consent for the assignment of a person's email and phone number and resolved therefore that such data should not be included in the assignment to be performed by ANSES to the Secretariat of Public Communication.
Considerations for foreign organisations
Unlike most recent European legislation and the regulations contained in the Draft, the Data Protection Law does not specifically regulate international jurisdiction. However, in the aforementioned decision against the search engine company, the Agency considered that the Data Protection Law applies to foreign companies if they handle personal data of Argentine citizens or if their data handling activities have any effect on or are connected in any way with, the Argentine territory. However, if such foreign company does not have affiliates in Argentina or assets of any kind, the enforcement authority of the Agency will be impaired, in practice.
Consequently, on a theoretical level, what triggers the need to comply with the Argentine regime for personal data protection is the collection or processing of personal data from Argentine residents. On a practical level, the need to comply with Argentine regulations is triggered by the presence of the foreign company in Argentina by way of affiliates, assets or registrations in the Public Registry of Commerce.
Cybersecurity and data breaches
Cybersecurity is not a highly regulated area in Argentina. There are some regulations enacted by the National Central Bank and the National Securities Commission regarding data security obligations for financial institutions and publicly listed companies, but there is no uniform or omnibus legislation that regulates the matter.
Although Resolution No. 580/2011 of the Chief of Staff created the National Programme for Critical Infrastructures for Information and Cybersecurity, there are not many companies taking part in this programme as it is not mandatory. Its main aim is to promote the creation and adoption of a specific regulatory framework for the protection of strategic infrastructure for the national public sector, inter-jurisdictional organisations and private sector organisations that require it. It seeks the collaboration of those sectors to develop adequate strategies and structures for coordinated action.
Furthermore, Decree 577/2017 has created the Cybersecurity Committee, which will mainly focus on creating a regulatory framework, educating people on the importance of cybersecurity, creating a national cybersecurity plan and creating general guidelines for security breaches. The Ministries of Modernisation, Defence and Security will take part in this initiative.
Resolution General 704-E/2017 of the National Securities Commission dated 29 August 2017 foresees the adoption of international standards with respect to cybersecurity and address the recommendations of the International Organization of Securities Commissions (IOSCO) on the principles of cybersecurity and cybernetic resilience. The Resolution defines the operational risks and deficiencies that might arise related to the processing of data as a consequence of human errors or failures due to external events that might result in the reduction, deterioration or interruption of the services provided by a 'financial market infrastructure'.
Moreover, Resolution 1107-E/2017 of the Ministry of Defence dated 18 October 2017, created the Security Incident Response Committee that in within the framework of the national cybersecurity plan is responsible for, implementing actions of prevention, detection, response, defines and recovery against cyberthreats within the orbit of the Ministry.
On 26 April 2018, Argentine entered into a memorandum of understanding on cooperation in cybersecurity, cybercrime and cyberdefence between Argentina and Chile aimed at, inter alia, strengthening the coordination and cooperation, promoting joint initiatives, exchanging good practices, developing and implementing new legislation and national strategies to response to incidents, information exchange, education and training.
Finally, on 27 July 2018, the Agency enacted Resolution 47/18, which contains the recommended security measures for the processing of personal data through computerised and non-computerised means. Among its dispositions, this resolution recommends data handlers to notify the Agency upon a data breach or security incident.
Despite the lack of any specific regulation included in the Data Protection Law, it does set forth a generic obligation for the data handlers to adopt all technical and organisational measures needed to guarantee the security and confidentiality of the personal data. Registration of personal data in files, registers or banks that do not meet technical conditions of integrity and security is prohibited.
Based on this generic obligation, the Agency started an investigation regarding a security breach suffered by an email provider (made public by the company), which had exposed personal data of its users. During the investigation, the Agency's technical area determined that the company had not taken the technical measures needed to prevent data breaches and therefore sanctioned the company with a fine. The Agency's decision is not final and can be judicially challenged.
The future landscape in Argentina regarding personal data protection includes the need to enact a new law, in line with the new technologies that have emerged since the year 2000 and following the legislative changes brought by the GDPR. The Draft was aimed at fulfilling such objective, but the unsuccessful conclusion of its legislative process brings uncertainty regarding the future protection of personal data in Argentina. If no advances are made in the near future, it is possible for the European Union to strike down its adequacy decision regarding Argentina's level of personal data protection.
In the meantime, many local companies processing European citizens' personal data had to adjust their procedures and processing of personal data to the provisions of the GDPR.
1 Adrián Furman is a partner and Francisco Zappa is an associate at Bomchil. The authors wish to thank Catalina Malara, former associate at Bomchil, for her contribution to writing this chapter.
2 Section 43, Paragraph 3 of the National Constitution states that, 'Any person can file this action to obtain access to any data referring to himself or herself, registered in public or private records or databases, intended to supply information; and in the case of false data or discriminatory data, to request the suppression, rectification, confidentiality or updating of the same. The secret nature of the source of journalistic information shall not be impaired.'
3 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
4 The Agency of Access to Public Information was created by Decree 746 dated 26 September 2017, which amended the Ministries Law No. 26.951.
5 Osvaldo Alfredo Gozaini, Habeas Data, Protection of Personal Data (Rubinzal-Culzoni), p. 325.
6 Luciano Gandola, 'Conflicts between Big Data and the Data Protection Law', Infojus.
7 See footnote 3.
8 Section 12 of the Data Protection Law.
9 Federal Court of Appeals on Contentious Administrative Matters, Docket No. 49,482/2016, 'Torres Abad, Carmen C/En JGM s/habeas data', 3 July 2018.