Pablo A. Palazzi from Allende & Brea in Argentina reports that on June 30, 2023, the Argentine Executive Branch sent the new proposed Personal Data Protection Bill (the “Bill”) to the National Congress for consideration. The Bill was drafted by the Argentine Data Protection Authority (Agencia de Acceso a la Información Pública, or “AAIP”) and seeks to amend the current Personal Data Protection Act (Law No. 25,326 of 2000).
The Bill is based on international and regional standards, recommendations and principles, including the EU General Data Protection Regulation (“GDPR”), the Convention 108+ for the Protection of Individuals with regard to Automatic Processing of Personal Data (approved, recently in Argentina by Law 27,699) and its amended version, the Standards for Personal Data Protection for Ibero-American States of the Ibero-American Data Protection Network, and other Latin-American countries’ regulations on personal data protection and privacy. The Bill was drafted with an extensive open consultation with academia, international experts, NGOs, companies and several government agencies.
The Bill introduces definitions, principles and rights often seen in modern legislation on data privacy, including privacy by design and by default, privacy impact assessments, accountability obligations, the obligation to appoint a DPO and a legal representative for foreign companies, extraterritoriality provisions, data breach notifications, a detailed regulation of international transfers of personal data, portability rules, and updated fines, among others. There are also specific regulations for credit reporting, automated decision-making and marketing, and rules for the habeas data action. The Bill also provides the data protection authority (“DPA”) with new powers including orders to halt processing of personal data or activities that may affect privacy of users.
The Bill introduces a new system of fines similar to that available for local antitrust law based on units (a unit is 10,000 pesos, equivalent to 20 dollars). The DPA will update the value of the unit annually. If approved, the Bill provides that the DPA may sanction companies with a fine from five (5) to one million (1,000,000) units, or 2% to 4% of the global annual turnover of the company.
A concept under the Bill that may cause issue to certain companies is that the age for consent for children is sixteen (16). Originally, the Bill set the age of consent at thirteen (13) years, but this has since been changed. Another point to note that the Bill provides that the local representative of foreign companies can be liable in case the company it represents does not answer a DPA request.
Argentina was the first Latin American country to have an adequacy determination from the European Commission and it appears this Bill seeks to preserve this status as most of the provisions of the Bill follow the standards of the GDPR.
As noted, the Bill was sent to the Constitutional and General Legislation Commissions of the House of representatives. It is expected to be discussed during the end of 2023 and next year. Once approved, the Bill will be effective six (6) months after publication in the official journal. However, the new fines will be applicable immediately upon publication of the new law. Read the full text of the Bill. More information about the new law is expected to be posted on AAIP’s website.