The Argentina Personal Data Protection Act has been Argentina’s data protection law since 2000. The country is, however, moving away from this law, and has already drafted a new data protection Bill. The reason for this new Bill is to bring Argentinian data protection law in line with the General Data Protection Regulation (GDPR). The current law has various areas that it covers differently from the GDPR. One such area is the definition of data subjects. It includes juristic persons or organisations in its definition of data subjects, whereas the GDPR doesn’t. In this way, the law is similar to the Protection of Personal Information Act (POPIA).
How is the Argentina Personal Data Protection Act going to change?
The proposed new law brings about changes to the Argentina Personal Data Protection Act that will place the country’s data protection on par with European Union (EU) data protection. The European Union, through the Article 29 Working Party’s recommendations, had already declared Argentina as having adequate protection, but had a few concerns. One such concern was about cross-border transfers of a data subject’s personal information to countries with inadequate levels of data protection. The Article 29 Working Party found that the Argentine government had too many exceptions to the general rule that personal information could not transfer to those countries. Another area of concern was the independence of the National Directorate for Personal Data Protection (NDPDP), the supervising authority in charge of compliance with data protection, from the rest of the Argentine government.
Some other changes include new definitions such as biometric data and genetic data, and new bases for data processing other than consent. These are a few of the areas that the new law hopes to address, and the process to enact the new law is already well underway. It will be interesting to see what the new law will look like once it is final and becomes fully effective.
For more on the current version of the Argentina Personal Data Protection Act, download a copy.
What lessons can we learn from Argentina?
The GDPR is not only a law for the EU, it has a global reach. Countries that do business with the EU have to concern themselves with bringing their data protection laws in line with the GDPR. Organisations that do business in the EU have a vested interest in such a process because their compliance efforts will be targeting both the GDPR and their national laws. This means that a law like POPIA may have to be amended by Parliament and the Information Regulator in order to bring it closer to the GDPR. One of those amendments may have to be about inserting a provision into POPIA that deals with privacy by design in the same manner that the GDPR does – clearly and emphatically.