25 May 2017
The Argentinian data protection authority (‘PDP’) published, on 17 May 2017, the second draft of its data protection amendment bill (‘the Second Draft’) following the consultation it held on a first draft in February 2017 (‘the Draft Bill’). The Second Draft is part of an ongoing process to modernise Law No. 25.326 on Personal Data Protection 2000 (‘the Law’).
Florencia Rosati and Ludmila Petrinelli, Partner and Associate at Estudio Beccar Varela respectively, told DataGuidance, “Some of our clients have expressed concern regarding the obligations that may be imposed by the Draft Bill, though many of them have not yet paid too much attention to it since it is still under revision and has not yet been filed in Congress. If the Draft Bill is passed, international companies established in Argentina, as well as big local companies, will analyse and adapt their internal policies and practices to the new legislation. As lawyers, we have been seeing how more and more companies in Argentina are focusing on understanding and complying with [the Law] and we believe this tendency will continue.”
The Draft Bill would remove the obligation to register databases with the PDP, and includes provisions to create a national Do Not Call Registry. Moreover, in addition to recognising only natural persons as data subjects, it supplements the current list of definitions under the Law to include data controller, data processor, and data breach. The Draft Bill would also require data controllers to apply the principles of Privacy by Design and Privacy by Default, both before and during data processing, and to carry out Privacy Impact Assessments when the processing is likely to cause harm to data subjects.
The changes that will take place in Europe in 2018 with the GDPR make it necessary to adapt Argentina’s current data protection law […] in order to continue to be considered a country [that provides] an adequate level of data protection
Gustavo Tanús, Partner at Tanús, Steinborn, Kaprielan & Saenz de Santa María, commented, “As soon as Eduardo Bertoni assumed the role of Director of the PDP, with the support of the Ministry of Justice, he promoted the reform because the Law did not respond to the evolution of digital technology experienced in the last 15 years. Moreover, the changes that will take place in Europe in 2018 with the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) make it necessary to adapt Argentina’s current data protection law to the GDPR in order to continue to be considered a country [that provides] an adequate level of data protection.”
If the Draft Bill were to be passed, the PDP would become an independent authority and no longer part of the Ministry of Justice. In its current role, the PDP has announced that it is also reviewing other norms, such as PDP Regulation No. 11/2006, which specifies the security measures that must be implemented for the processing and preservation of personal data contained in non-state public and private files, registers, databanks and databases.
Rosati and Petrinelli continued, “Most of the amendments introduced in the Second Draft are formal changes related to punctuation and writing style. Nonetheless, we consider worth mentioning that the PDP has adapted the Draft Bill to business needs by including email accounts within the data that can be processed without the need of express and informed consent.”
Further changes in the Second Draft include the removal of the definitions of cloud computing, biometric data and genetic data, though the latter two are included under the expanded definition of personal data. Moreover, the Second Draft increased the list of legal grounds for processing and introduced a 72-hour timeframe for the notification of data breaches. Additionally, consent would no longer be the main basis for international data transfers, but one amongst a list of other legal options. The use of model clauses and Binding Corporate Rules would also be allowed for such transfers.
Tanús noted, “The amendments that are intended to be made through the Draft Bill are many and important, and will surely have an impact once they are approved […] However, there is a great lack of knowledge regarding both the current legislation and the changes that are intended to be made. [Moreover, though it] is necessary to adapt the Law to the changes that will occur in Europe, I believe that in some aspects, such as health data, marketing and credit bureau processing, the protection provided by the current Law is stronger than the Draft Bill.”
The Draft Bill is expected to be tabled before Congress once the Government finishes reviewing it.
Rachael Nelson-Daley | Privacy Analyst