TrustArc Blog

Argentina GDPR-like Data Privacy Bill

February 21, 2017

As previously described in our blog post “Doing Business with Argentina Just got Easier, change appears afoot in the land of silver’s data protection law, in order to keep pace with evolving digital technologies and global regulatory regimes.

Whereas in December 2016 the Argentine Data Protection Agency (DPA) issued a report proposing changes to the national Data Protection Act (Act) after nearly a year of public consultation, this month the DPA released a draft bill to update the sixteen-year-old Act in line with many of the European Union’s General Data Protection Regulation (GDPR)’s new requirements taking effect in May 2018.

That the Argentine DPA would model its bill after the GDPR is not surprising, given that Argentina was the first Latin American country to be recognized as being “adequate,” i.e.,  providing data protections essentially equivalent to those of the EU.  

The DPA will accept comments here on the proposed amendments to Law No. 25,326 through February 24, 2017.  

The Spanish-language draft bill may be read here.

Proposed Updates to Argentina’s Data Protection Act

Some of the Argentine data protection draft bill’s new provisions will be familiar to prospective GDPR practitioners, such as dispensing with a database registration requirement and solidifying the DPA’s independence from any other governmental entity.  

Many businesses will be pleased to note the inclusion of Binding Corporate Rules (BCRs) as a legal basis for cross-border data transfers, as well as the establishment of non-consent-focused legal grounds for data processing, such as when processing is undertaken pursuant to the “legitimate interests” of the data controller.

While the GDPR’s Article 8 sets a default age of 16 for child consent but allows for EU Member States to set the age as low as 13 years old, the Argentine bill would allow for processing of the personal data of a child under 13 with parental consent.

Other key changes include the addition of definitions for genetic data and biometric data; the limiting of what constitutes a “data subject” to be only individuals–rather than corporations and other legal entities; new rules revolving around credit reporting; and new sections on data protection impact assessments, DPOs, data breaches and cloud computing.

With the executive and legislative processes still to play out, experts expect a likely 2018 date before the revised law would be enacted.

For further information on trends in Latin American data protection laws, GDPR compliance tools and automating privacy impact assessments, contact TRUSTe today.