Privacy and data security
What is your jurisdiction’s regulatory stance on net neutrality?
Digital Law 27,078 provides for net neutrality. Each user is guaranteed the right to access, use, send, receive or offer any content, application, service or protocol through the Internet with no restriction, discrimination, distinction, blocking, interference, obstruction or degradation. The law will be completed by secondary legislation.
Are there regulations or restrictions on encryption of communications?
There are no specific regulations or restrictions on encryption of communications.
Are telecoms operators bound by any rules or requirements on the retention of consumer communications data? If so, for how long must data be retained?
There is no specific rule regarding consumer data retention terms. Pursuant to Section 328 of the National Civil and Commercial Code, operators must keep accounting documents for 10 years.
What rules and procedures govern the authorities’ interception of communications and access to consumer communications data?
Authorities can intercept communications and access consumer communications data only at the request of a judicial court.
Data security obligations
What are telecoms operators’ general data security obligations to consumers?
Telecoms operators must guarantee the confidentiality of communications. They are also bound by Data Protection Law 25,326 and related regulations, which govern how personal data must be collected and treated and the rights that are vested in consumers in this regard.
In particular, Disposition 11/2004 establishes the following mandatory levels of protection depending on the nature of the personal data involved:
- basic – for all files containing personal data;
- medium – for files owned by private entities providing public services that include telecoms services; and
- critical – for all files containing sensitive data (ie, that reveal details of the subject’s racial or ethnic origin; political opinions; religious, philosophical or moral beliefs; trade union membership; health; or sexual orientation).
The basic level of data protection that telecoms operators must provide to consumers requires a security document to be compiled, which must include:
- the procedures and safety measures to be observed in connection with the personal data in question;
- the roles and responsibilities of the staff involved;
- a description of the files and information systems that deal with the personal data;
- a description of the routine controls for data entry programmes and the actions to be followed to correct any errors detected. All data entry programmes, whatever their mode of processing (ie, batch or interactive), must include control routines that aim to minimise the possibility of incorporating illogical, incorrect or incomplete data;
- records of any security incidents;
- the procedures for reporting, managing and responding to security incidents;
- back-up and data recovery procedures;
- procedures for the identification and authentication of authorised users. In this regard, the relationship between authorised users and the information systems that authorised users can access must be kept updated. In the event that a password authentication mechanism is used, passwords will be assigned by a safety officer in accordance with a procedure ensuring confidentiality. This procedure will provide for periodic password changes and any passwords stored must be unintelligible;
- access control for data users limited to data and resources required to carry out their duties;
- preventive measures to avoid threats from malicious software (eg, viruses) that may affect files containing personal data, including:
  - the periodic installation and updating of antivirus software; and
  - prior notification of viruses in any files received via the Internet, email or other means whose origins are uncertain; and
- the procedure to ensure the proper management of personal data storage media (ie, the identification of the type of information contained, access to restricted-access locations, inventory, authorisation for release, and the transfer and destruction of obsolete information).
Disposition 11 also states that if a file contains personal data that could permit a personal profile to be compiled or the conduct of an individual to be deduced, the security document must comply with additional medium-level security conditions.
The security document must be kept up to date and revised where necessary. Personal data must be destroyed where it is no longer necessary for or relevant to the aim for which it was collected.
Medium-level data protection requires:
- the identification of a security officer (or specific body);
- the provision of details of the conduct of audits aimed to verify compliance with personal data security regulations;
- the implementation of measures to block repeated unauthorised access attempts;
- the establishment of physical access control to the premises where the information systems in question are located;
- the maintenance of a registry of inputs and outputs to the relevant information system;
- the establishment of the measures required to back up the information in question and prevent any retrieval of the information after the technical means used are discarded or reused or the data has been deleted;
- the keeping of records of security incidents identifying the individuals involved and a detailed description of the procedures carried out; and
- the undertaking of operational tests of the information systems before their implementation without the use of real data, unless the data security mechanisms used correspond to the type of computerised data processed.
Critical-level data protection requires the following measures:
- When distributing or transferring media containing personal data (including back-up copies), data must be encrypted in order to ensure that it cannot be read or manipulated during the transfer.
- The access registry must comprise information on the user whose data has been accessed, the date and time of the access and whether this access has been authorised. If authorised, information must include details of the data accessed and how it has been treated. The access registry must be analysed periodically by the security officer and be maintained for three years.
- Back-up copies must be kept in-house as well as externally in a fireproof and gas-tight box or bank safety deposit box located a reasonable distance away from the company’s primary location. A procedure for the recovery of this information must also be available.
- Data transferred through communication networks must be encrypted or protected by any mechanism that prevents its reading or treatment by unauthorised persons.