The Data Protection Authority (“DPA”) issued a press release inviting a discussion on possible modifications to the Data Protection Law No. 25.326 (“DPL”).
The DPA has very recently issued a press release on the need to rethink the DPL within the framework of the Justice 2020 Program (Programa Justicia 2020). The document seeks to encourage reflection on data protection regulation in Argentina. It states that modifying the current regulations is necessary due to (i) the technological advances that have been made since the DPL was passed in 2000, (ii) the experience which the DPA has gathered in that time, and (iii) the existence of a the new international context, particularly with the approval of Regulation (EU) 2016/679 of the European Parliament and of the Council.
Taking into account these circumstances, the DPA holds that reforming the DPL is necessary. Therefore, the general question is not whether an amendment should be made, but rather if a partial or complete amendment is required.
The DPA sets certain points of discussion for consideration. These include the identification of a number of proposed additions to the DPL, which are needed in order to update the text of the law to current discussions on data protection. Among them are the addition of regulation on accountability to demonstrate effective compliance with the DPL, the incorporation of a data protection officer for all public entities and some private entities, the inclusion of the right to be forgotten, and adoption of “privacy by design” policies and impact studies.
Moreover, the DPA also proposes modifications to existing aspects of the DPL. It seeks to encourage debate on the objectives of the regulation and the extent of its protection. In particular, this includes discussion on whether the DPL should apply only to individuals or to entities as well. Additionally, the DPA states that the terms the law defines must be revised and extended.
Furthermore, the DPA proposes that reforming the principles underlying the DPL may be required. This could imply a review of provisions on international data transfer provisions, consent given by minors, and licit data treatment. The DPA also encourages debate on the possibility of requiring mandatory notification in cases of data breach.
The press release refers to the need to review rights and obligations of data owners, users and controllers. In this respect, it places special emphasis on the importance of revising regulations that are applicable to credit information.
In addition, the DPA encourages discussion on the institutional framework made by the DPL. This implies evaluating the independence of the DPA as an entity, something that was raised by the European Union when it evaluated Argentina’s level of personal data protection, and which could be important in light of Regulation (EU) 2016/679. The DPA also raises the issue of sanctions for non-compliance with the DPL, and how these could be made effective.