By Pablo Andres Palazzi
Argentina and other countries in the region, including Chile and Colombia, are discussing bills to amend and update data protection laws. Discussions are expected to take place across the region in 2024 and in the international fora as well.
On 30 June, 2023, Argentina's executive branch sent the proposed Personal Data Protection Bill to the National Congress for consideration. Drafted by Argentina's data protection authority, the Agencia de Acceso a la Información Pública, the bill seeks to amend the current Personal Data Protection Act.
The PDPB is based on international and regional standards, recommendations and principles, including the EU General Data Protection Regulation, Convention 108+, the Standards for Personal Data Protection for Ibero-American States, and other Latin American countries' regulations on personal data protection and privacy. While the bill was drafted in open consultation with academia, international experts, non-governmental organizations, companies and several government agencies, it has faced some objections and debate will take place in the National Congress in 2024.
The bill introduces definitions, principles and rights often seen in modern data privacy legislation, including privacy by design and by default, privacy impact assessments, accountability obligations, the obligation to appoint a data protection officer and legal representative for foreign companies, extraterritoriality provisions, data breach notifications, detailed regulation of international transfers of personal data, and portability rules. There are also specific regulations for credit reporting, automated decision-making and marketing, and rules for habeas data actions. The bill also grants the AAIP new powers, including the ability to halt personal data processing or activities that may affect users' privacy.
The PDPB introduces a new fine system based on units — a unit is 10,000 pesos — the value of which will be updated by the AAIP annually. If approved, the bill allows the AAIP to sanction companies five to 1 million units, or 2 to 4% of the company's global annual turnover. This has faced criticism since the use of global annual turnover may affect global companies and increase fines. An Argentine company with branches in Mexico, Brazil and Colombia could be fined based on regional global income, for example.
Other areas of concern include the bill's set age of 16 years old for children's consent and a provision stating the local representative of foreign companies can be liable in case the company it represents does not answer a DPA request.
Argentina was the first Latin American country to have an adequacy determination from the European Commission and it appears this bill seeks to preserve this status as most of its provisions follow EU GDPR standards.
Once approved, the PDPB would be effective six months after publication in the Official Gazette. However, the new fines would be applicable immediately upon publication of the law.