This article was co-written with Diego Fernandez from Marval, O'Farrell & Mairal
Two important changes are underway if you do business in Argentina. In 2003, Argentina was the first Latin American country to be recognized as an adequate country by the European Commission. Its data protection law, Personal Data Protection Law Number 25,326 (“DPL”), was enacted in October of 2000 and provides broad protections similar to the EU Directive 95/46/EC. Although it already has some of the strictest data protection laws in Latin America, Argentina is currently seeking to further overhaul its data protection laws in two potentially significant ways. First, the Data Protection Authority (“DPA”) made public a comprehensive draft of a data protection bill that would completely overhaul Argentina's data protection laws to align with the General Data Protection Regulation (“GDPR”) requirements. The legislative branch has also introduced a separate bill that would require certain data be stored exclusively in Argentina ("Localization Bill"). Both of these measures may impact the way in which personal data is stored, transferred, and maintained.
New Data Protection Bill
The DPA decided to replace Argentina’s data protection program primarily due to recent advances in technology, experience gained by the DPA over the past decade, and the recent passing of the GDPR. Among other revisions, the new draft bill revises international data transfer requirements and includes new requirements relating to data breach reporting, data protection officers, privacy by design and impact assessments, and consent of minors between the ages of 13-17. While many areas of the new bill are deemed to be more restrictive with respect to how personal information is handled, there are other areas that have been made more business friendly. For example, the draft bill limits the definition of a “data subject” to natural persons and excludes legal entities and eliminates the registration requirement for databases containing personal data.
Data Localization Requirements
Argentina’s legislative branch also introduced the Localization Bill. The main purpose is to protect digital information produced, generated, or stored by the Argentina government and to defend Argentina’s data sovereignty. The Localization Bill's most salient feature involves the need for certain state-owned computer data ("SCD") to be stored within Argentina. SCD is defined broadly to include any computer data belonging to, generated by, or kept by any entity belonging to the national public sector. This requirement is also extended to private-sector companies that provide services for governmental entities and prohibits federal government entities from contracting with any service provider that may allow other international governmental agencies or organizations to access SCD. The Bill specifically refers to data centers located in the United States and states that such access would not be in compliance with the rights guaranteed by the current DPL because of the potential reach of the U.S.A. Patriot Act.
Challenges for Multinational Entities Operating in Argentina
Argentina’s new data protection bill heavily draws from the GDPR and reinforces the GDPR’s role in setting a new standard for privacy worldwide. The Localization Bill is yet another potential law that seeks greater government control over personal data storage, creating new challenges for entities that may provide services or products for the Argentina government or provide services or products for service providers that store or access SCD. These challenges may include responding to international subpoenas, creating a process to segregate SCD records, having appropriate access controls, and either establishing or contracting with reputable and secure data centers located within Argentina.