In line with the process of modernizing Personal Data Protection Law No. 25,326, the Agency for Access to Public Information (DPA) presented a Draft Bill of Personal Data Protection Law (“Draft Bill“).
On 12 September 2022, Resolution No. 119/2022, which includes the Draft Bill, was published in the Official Gazette.
The Draft Bill is structured in 11 chapters and includes the following novel articles, among others:
- Definitions (Section 2). The definitions of biometric data, genetic data, data processor, data controller and data protection officer, among others, are added to the definitions set forth by the current Personal Data Protection Law. Legal entities are excluded from the definition of data subjects, and the category of sensitive personal data is expanded (it is clarified that the detailed list is an example only).
- Territorial scope of application (Section 4). It contemplates the scenario in which the controller or processor is not established in Argentina but (i) processes data in Argentina, (ii) carries out processing activities related to the offer of goods or services to persons located in Argentina, or (ii) is located in a jurisdiction where Argentine laws apply.
- Principle of proactive and demonstrated responsibility (Section 11). Also known as the ‘accountability’ principle. Basically, the controller or processor must adopt the necessary measures to ensure proper processing of personal data, which will help demonstrate the controller or processor’s effective implementation of the DPA.
- Legal basis for data processing (Section 12). Similar to the General Data Protection Regulation of the European Union, the Draft Bill foresees six legal bases, one of which is the legitimate interest of the data controller. To determine the existence of a legitimate interest, a detailed assessment must be conducted considering the context, reasonable expectations of data subjects and other specific criteria.
- Data processing of children and adolescents (Section 18). The consent of a minor is valid if they are at least 13 years of age. If the minor is under 13 years of age, consent will be valid only if granted by the parent or legal guardian.
- Notification of security incidents (Section 20). As a general rule, in the event of a security incident involving personal data, the data controller must notify the DPA within 48 hours of becoming aware of it.
- Fines (Article 60). The fines that the DPA may impose on data controllers and processors range from five to one million mobile units, or from 2% up to 4% of the total annual global turnover of the previous financial year. The mobile unit is set at ARS 10,000 (approximately USD 70 at the current official exchange rate) and will be updated on an annual basis using the variation of the consumer price index (CPI). Different fines will apply to the public sector.
A term of 15 business days is granted to provide suggestions, opinions and/or comments on the Draft Bill.
To this end, a registry for proposals and opinions on the Draft Bill is established at the DPA’s front desk (Av. Pres. Julio Argentino Roca 710, 3rd floor, City of Buenos Aires, Monday to Friday from 9:00 am to 4:00 pm), and online at https://www.argentina.gob.ar/aaip/consulta-publica-para-la-actualizacion-de-la-ley-de-proteccion-de-datos-personales.
In addition, informal comments can be sent to [email protected]. Comments will be published on the DPA website. Such comments will not be incorporated into the Draft Bill’s file.