As previously described in our blog post “Doing Business with Argentina Just got Easier”, change appears afoot in the land of silver’s data protection law, in order to keep pace with evolving digital technologies and global regulatory regimes.
Whereas in December 2016 the Argentine Data Protection Agency (DPA) issued a report proposing changes to the national Data Protection Act (Act) after nearly a year of public consultation, this month the DPA released a draft bill to update the sixteen-year-old Act in line with many of the new requirements of the European Union’s General Data Protection Regulation (GDPR), which take effect in May 2018.
That the Argentine DPA would model its bill after the GDPR is not surprising, given that Argentina was the first Latin American country to be recognized as being “adequate,” i.e., providing data protections essentially equivalent to those of the EU.
The DPA will accept comments here on the proposed amendments to Law No. 25,326 through February 24, 2017.
The Spanish-language draft bill may be read here.
Proposed Updates to Argentina’s Data Protection Act
Some of the Argentine data protection draft bill’s new provisions will be familiar to prospective GDPR practitioners, such as dispensing with a database registration requirement and solidifying the DPA’s independence from any other governmental entity.
Many businesses will be pleased to note the inclusion of Binding Corporate Rules (BCRs) as a legal basis for cross-border data transfers, as well as the establishment of non-consent-focused legal grounds for data processing, such as when processing is undertaken pursuant to the “legitimate interests” of the data controller.
While the GDPR’s Article 8 sets a default age of 16 for child consent but allows for EU Member States to set the age as low as 13 years old, the Argentine bill would allow for processing of the personal data of a child under 13 with parental consent.
Other key changes include the addition of definitions for genetic data and biometric data; the limiting of what constitutes a “data subject” to be only individuals, rather than corporations and other legal entities; new rules revolving around credit reporting; and new sections on data protection impact assessments, DPOs, data breaches and cloud computing.
With the executive and legislative processes still to play out, experts expect a likely 2018 date before the revised law would be enacted.
For further information on trends in Latin American data protection laws, GDPR compliance tools and automating privacy impact assessments, contact TRUSTe today.
Latin America Privacy Regimes: Nations at a Glance
Last summer TRUSTe hosted its Privacy Risk Summit, which included a session on doing business in Latin America, and also issued a client advisory on the data protection laws of Latin America, available here. The note included information on the privacy frameworks of several different countries, including Argentina.
As a review, Argentina employs a hybrid approach to its data protection framework, meaning that it combines constitutional protection with expansive data protection regulations. Its data protection law, which was passed in 2000, provides general protection for personal data stored in public or private databases and other processing platforms, just as Chapter VII of the Federal Constitution recognizes individuals’ habeas data rights to access and correct information stored about them. These protections and others contributed to Argentina being deemed by the EU to provide a level of protection “essentially equivalent” to the EU.
At the end of 2016, the Argentina Data Protection Agency (DPA) released a new regulation governing international personal data transfers: DIRECCIÓN NACIONAL DE PROTECCIÓN DE DATOS PERSONALES Disposición 60 – E/2016. This new regulation includes model forms for international data transfers to data controllers and/or data processors. While model forms fashioned after EU standard contractual clauses were provided, controllers may still use other forms if submitted to the DPA for approval.
The Regulation also lists the following “adequate” countries (those that have an adequate level of data protection) for cross-border data transfers:
Article 3 Translation:
“Member States of the EUROPEAN UNION and members of the European Economic Area (EEA), SWISS CONFEDERATION, GUERNSEY, JERSEY, ISLE OF MAN, FAROE ISLANDS, CANADA only for its private sector, PRINCIPALITY OF ANDORRA, NEW ZEALAND, URUGUAY and STATE OF ISRAEL only with respect to data that is received by automated means. This list will be periodically reviewed by this National Directorate, publishing the list and its updates on their official website.”
Although countries such as the United States and Mexico do not appear on this list, they may petition for adequacy.
This new Regulation should make doing business with Argentina easier for global corporations. It aligns with EU regulations, making it familiar to businesses already meeting EU requirements. Moreover, if organizations use the models provided by the Regulation, they can more efficiently operate within the data privacy confines of Argentine law.
If you have any questions about conducting cross-border data transfers in Latin America, including Argentina, please contact us.