IP expert at the Latin America IP SME Helpdesk
If you are an SME in the European Union, you are surely familiar with the famous General Data Protection Regulation (also known as “GDPR” among friends). The GDPR is Europe’s data privacy and security law that establishes some of the most stringent rules and highest standards around the world concerning personal data. For this reason, the GDPR has served as an example to follow by many countries around the world and this is the case with Argentina.
The Personal Data Protection Act 25.326 (“PDPA”) (Ley de Protección de los Datos Personales) was enacted in 2000 to protect personal data, and at the time made Argentina one of the pioneering Latin American countries to legislate on data protection and the first to achieve “adequacy” qualification for data transfers from the EU.
However, the GDPR entered into force in the EU, and Argentina’s legislation became outdated. After several resolutions, rules, guidelines to complement the law, and a couple of failed draft bills, Argentina's Agency of Access to Public Information, their data protection authority (“DPA”), started a reform process in September 2022. Currently, the long-awaited Draft Law on the Protection of Personal Data (the “Draft Law”) is with the National Congress of Argentina pending approval. If approved, it will be the first major legislative reform in data protection in Argentina since 2000.
The Draft Law follows the provisions of the GDPR in many aspects and in this article, we will have a look at the main similarities and differences between the GDPR, the current and proposed data privacy law of Argentina.
Differences between the GDPR vs PDPA vs Draft Law
PDPA |
GDPR |
Draft Law |
Data protection granted to individuals and legal entities |
Data protection granted only to the personal data of individuals |
Scope limited to the protection of personal data of individuals |
The PDPA applies to all persons or legal entities carrying out the treatment or processing of personal data. The Act does not refer to an extraterritorial scope or to the offering of goods and services from abroad |
GDPR applies to any organisation operating within the EU, as well as any organisations outside of the EU, which offer goods or services to customers or businesses in the EU, though some obligations do not apply to EU SMEs |
The Draft Law will apply to those located in Argentina, even when the processing is performed in another country. It will also apply to those not located in Argentina which provide goods and services to those within the country |
No general obligation to notify a data breach or incident that has involved personal data. However, Annex II(E) of the Regulation states that data security incidents will have to be notified to the AAIP |
Companies must report that they have been the victim of a data breach within 72 hours |
Data controllers must report security incidents to the DPA and data subjects within 72 hours of becoming aware of a potential breach |
Maximum fines: - no fines equating to turnover
|
Maximum fines: - 4% of global revenue - €20 million |
Maximum fines:
|
The PDPA gives companies 10 calendar days from the date of the request for access |
The GDPR gives companies 1 month to respond to data requests from consumers |
The Draft Law gives companies 10 working days to respond to data requests |
The Act does not specifically define children. Resolution 4/2019 provides that in accordance with international regulation, the consent of children and adolescents must be granted for the processing of their data. |
The minimum age for the processing of personal data is 16 years (MS could provide for a lower age up to 13 years). Where the child is below the age of 16 years, processing shall be lawful only if consent is given or authorised by the holder of parental responsibility |
The processing of minors' personal data is specifically governed under the Draft Law, and the minimum age for granting consent is 16 years |
The “right to erasure” could be exercised as long as it does not cause damage to the rights or legitimate interests of third parties, and there is no legal obligation to retain the data |
“The right to be forgotten” gives individuals the right to ask organizations to delete their personal data under certain conditions |
The Draft Law provides for a “right to erasure” similar to the one provided under the GDPR with specific additional conditions attached |
No specific reference to the right to object to the processing of data but provides for the right to withdraw consent. Currently, the right to object is only recognised in cases of direct marketing |
The right to object could be exercised on grounds relating to the data subject’s particular situation, at any time of processing his/her personal data |
Data subjects' right to object to processing personal data will be recognised, in addition to the existing right to access, rectify, update, or erase their personal data |
Other changes proposed by the Draft Law
The Draft Law introduces several other notable changes to the current data protection regime. These include:
- Processing of Personal Data: The Draft Law abandons the consent-based approach to data processing, replacing it with a system of justifications, including the legitimate interest of the data controller.
- Expanded Data Subject Rights: The Draft Law extends data subject rights, incorporating new rights such as limitation, portability, and objection, as well as rights related to automated decisions and profiling.
- Data Protection Delegate and Impact Assessment: The Draft Law introduces the figure of the Data Protection Delegate (“DPD”), responsible for data protection compliance, and mandates data protection impact assessments for certain data processing activities.
- Representative for Non-Resident Controllers: The Draft Law establishes the concept of a "representative" for data controllers and processors not established in Argentina but subject to the law's application.
- National Registry for Personal Data Protection: The Draft Law creates the National Registry for Personal Data Protection, where data controllers and processors must register to demonstrate compliance.
- Special Provisions for Credit Information: The Draft Law outlines specific rules for processing credit information, including the obligation to notify changes in a data subject's credit situation.
- Enhanced Enforcement Mechanisms: The Draft Law strengthens enforcement mechanisms with the introduction of a mobile unit for applying fines, subject to the Consumer Price Index, and the option of imposing fines up to 4% of an offender's total annual global turnover.
The Role of the National Data Protection Authority
In the evolving landscape of data protection in Argentina, the role of the DPA has become pivotal. The DPA will be tasked with overseeing the implementation of the new regulations and ensuring that businesses comply with the updated requirements.
One significant aspect is the Principle of Proactive and Demonstrated Responsibility (also known as the “accountability” principle). This principle requires controllers and processors to adopt necessary due diligence measures to ensure proper processing of personal data, demonstrating effective implementation of the Draft Law.
Implications for EU SMEs
For EU SMEs already acquainted with the GDPR, the alignment of Argentina's new data protection legislation brings a sense of familiarity and ease in international data transfers. The extraterritorial scope of application ensures that even if a business is not physically present in Argentina, if it processes data related to the offer of goods or services to persons located in Argentina, or is in a jurisdiction where Argentine laws apply, it must adhere to the regulations.
In addition, where EU SMEs are not established in Argentina but process personal data in Argentina, a local representative must be designated under the Draft Law, who will act on their behalf. The only exception to this rule is where the processing of data is only occasional. Other obligations and requirements for data controllers and processors that the Draft Law will introduce include the appointment of a DPD (in some cases), the registration in the national registry, the notification of security incidents, and the implementation of privacy by design and by default, among others, which will demand a higher level of responsibility and accountability from the data processing actors.
Furthermore, the incorporation of new rights for data subjects, such as the right to limitation, portability, and opposition, adds an extra layer of protection and control over personal data. For EU SMEs, understanding and adapting to these rights will contribute to building trust with Argentine consumers and adherence to the new law.
Here are some steps you can take as an EU SME to prepare for the Draft Law:
- Review Data Processing Activities: Thoroughly review all data processing activities to identify any potential non-compliance with the Draft Law.
- Update Privacy Policies: Update privacy policies to reflect the new data protection requirements and ensure clear and transparent communication with data subjects.
- Implement Technical and Organisational Measures: Implement appropriate technical and organisational measures to safeguard personal data, including data minimisation, anonymisation, and encryption.
- Appoint a DPD (if applicable): If required, appoint a DPD to oversee data protection compliance and collaborate with the DPA.
- Monitor Regulatory Changes: Closely monitor ongoing developments and ensure adherence to the final version of the Draft Law when enacted.
Conclusion
Argentina's Draft Law on the Protection of Personal Data means a significant step towards modernising and harmonising its data protection landscape with international standards, especially the GDPR. The proposed changes, from redefining the scope and rights of data subjects to introducing novel concepts like the Data Protection Delegate, reflect a commitment to robust data protection practices.
For EU SMEs operating in Argentina, understanding the proposed changes, and taking proactive steps to comply are crucial to navigating the evolving data protection landscape. By proactively addressing compliance requirements, EU SMEs can safeguard the privacy of their Argentinean customers, build trust, and foster long-lasting relationships in the Argentinian market.
As the Draft Law progresses through the legislative process, keeping a watchful eye on developments and proactively adjusting data protection practices will be key.
Contact us
If you have further doubts on how Data Protection in Argentina may affect your company, or how to comply with it, contact us.
Details
- Publication date
- 9 January 2024
- Author
- European Innovation Council and SMEs Executive Agency