The Data Protection Authority made public a draft bill which would supersede the current Data Protection Law.
In June 2016 the Data Protection Authority (“DPA”) issued a press release fostering a process of rethinking the current Data Protection Law (“DPL”) (more information here).
This process was primarily grounded on (i) the technological advances that have been made since the DPL was passed in 2000, (ii) the experience which the DPA has gathered in that time, and (iii) the existence of a new international context, particularly with the approval of Regulation (EU) 2016/679 of the European Parliament and of the Council.
The debate was conducted within the different activities conducted by the DPA and was part of the Justice 2020 Program (Programa Justicia 2020), guided by the Ministry of Justice and Human Rights.
Subsequently, the DPA published the results of these activities to grant transparency and publicity to the debate.
The Spanish version of the document can be downloaded here.
Recently, the DPA issued a statement making public a Draft Bill for the Protection of Personal Data (“Draft Bill”) which – if passed into law by Congress – will replace in its entirety the current DPL as well as Law No. 26,951, which created and regulates the Do Not Call Registry.
The most relevant modifications and inclusions of the Draft Bill are the following:
First, the current DPA is replaced by the Argentine Data Protection Agency, which will have functional autonomy and will be dependent of the Ministry of Justice and Human Rights. This structural change addresses an observation made by the European Community when approving Argentina as an adequate country for the international transfer of data.
On the other hand, the Draft Bill limits the concept of data subject to natural persons and excludes legal entities, which is in line with European legislation.
Moreover, it expands the scope of the protection to the integral protection of personal data, independently of whether it is stored in a database, whether the database is public or private, or if the database is aimed at providing reports.
In the light of the European legislation, it revisits general concepts included in the current DPL such as data base, personal data and sensitive data, and it incorporates new ones such as genetic data, biometric data and cloud computing.
Furthermore, and in line with the elimination of the registration requirement for databases containing personal data, the Draft Bill includes accountability obligations.
The general legal basis for the treatment of personal is still the data subject’s express consent (although under the Draft Bill and under specific circumstances, consent can be given implicitly), with the addition of the data processor’s legitimate interest as a new legal basis, as long as the data subject’s rights do not prevail over such legitimate interest, especially in the case of minors.
In connection with data subject’s rights, the Draft Bill follows the current DPL acknowledging the right to access, rectification, and opposition, although it acknowledges for the first time the right to be forgotten, clarifying that this right would not be enforceable when the treatment of the personal data is necessary to exercise the right to free speech or information. It also includes the new data portability right, although it does not address its concrete enforceability.
Even more, the Draft Bill incorporates new regulations in connection with sensitive data (the definition of which is now more extensive), backgrounds checks and minors’ consent. Particularly in connection with minors’ consent, the Draft Bill provides that minors from ages 13 to 17 may consent themselves to the treatment of their personal data in connection with information society services which are directly developed and intended for them.
A major development is also the inclusion of a data notification breach. The Draft Bill provides for notification to the DPA and the data subject.
In respect of international data transfers, it slightly changes the current regulation and provides that all international transfers must be consent by the data subject or a legitimate interest in the data processor must exist, and it must be done to countries providing an adequate level of protection at the DPA’s own criteria. At the same time, the Draft Bill addresses cloud computing as a mechanism to treat personal data and it provides for certain obligations of the data processor.
Moreover, the Draft Bill also provides for the mandatory need of and impact analysis in cases in which the data processor intends to treat personal in such a way that – abased on its nature, scope, context or purpose – entails a high risk of affecting the fundamental rights of the data subject.
Lastly, it also includes the obligation to appoint a data protection officer in the case of (i) public agencies; (ii) treatment of sensitive data; or (iii) big data. The data protection officer will only answer to the highest ranking members of the public agency or company and will carry out his or her duties without receiving any instructions.
The Spanish version of the Draft Bill can be downloaded here.
The DPA foresees sending the Draft Bill to the President in the short term.