Spotlight: how are data protection laws enforced in Argentina?

All questions

Public and private enforcement

The Agency is an autonomous body within the scope of the Chief of Staff. Its main functions in relation to personal data are: (1) operating as a registry of databases, keeping records of the registration and renewal of databases; (2) enforcing the Data Protection Law and the Do-Not-Call Law, carrying out inspections and imposing sanctions; and (3) creating new dispositions and regulations related to data protection matters. The Agency is also responsible for assuring the effective exercise of the right of access to public information and the enforcement of transparency within the public sector.

In using these powers, the Agency has issued several dispositions relating to its investigatory and auditing powers. In this context, Disposition 55/2016 regulates the Data Protection Agency's auditing procedures. The main aims of these proceedings are to control the activity of the person responsible for the database and ensure its compliance with the law.

The proceedings can be: (1) ex officio, either scheduled annually or spontaneous; or (2) initiated upon a complaint, in which case the inspection itself will have an evidentiary nature.

After the inspection is finalised, the inspector will issue a final report with the outcome of the inspection. If the database owner has complied with the law, the proceeding is finalised. If it has not complied with the regulations, it is granted 15 days to remedy its non-fulfilment, otherwise sanctioning proceedings will begin.

The enforcement actions of the Data Protection Agency have evolved and intensified over the years. During its first years, the Agency's role was more educational than punitive, giving companies ample time to adapt to the new legislation and being proactive in responding to enquiries and explaining misconceptions. Nowadays, 23 years after the enactment of the Data Protection Law, the Agency is being more proactive in carrying out inspections and is stricter with its enforcement and punitive capabilities.

The vast majority of recent fines have been for violation of the Do-Not-Call Law, resulting in a large number of administrative proceedings and claims. Some fines have also been imposed in the recent past on companies failing to comply with their obligations under the Data Protection Law (mainly failure to register or renew registrations for their databases and failure to comply with security measures).

On a judicial level, most of the case law regarding personal data protection is connected to financial companies and the information they provide to consumer credit reporting agencies regarding their customers' debts. In most cases, the proceedings relate to financial companies' failure to update their registries once debts have been paid or the statute of limitations applied.

These cases have all been filed under the habeas data regime.

During 2022 and 2023, the Agency resolved to sanction different companies mainly based on: (1) breaches of confidentiality duties; (2) failure to respond in a timely manner to requests for access, rectification or deletion of personal data; (3) failure to register the data bases before the correspondent National Database Registry; and (4) failure to provide information requested by the Agency in the exercise of the powers attributed to it.

As stated above, the judicial remedy for private plaintiffs is the habeas data procedure regulated by the National Constitution and the Data Protection Law. Despite the fact that the access right of data owners can also be exercised through an administrative procedure, a judicial action is the only way for private plaintiffs to receive financial compensation.

A very interesting private litigation case has been decided in connection with the 'right to be forgotten', which is not expressly foreseen in the Data Protection Law as it is in the GDPR. On 28 June 2022, the Argentine Supreme Court of Justice revoked a judgment by the Court of Appeals issued on 11 August 2020 in the case Denegri, Natalia Ruth c/ Google Inc s/ Derechos Personalísimos: Acciones Relacionadas, which had confirmed the application of the right to be forgotten. The plaintiff had filed a lawsuit against Google Inc for the elimination of certain news about events that occurred more than 20 years ago related to the Coppola case (a yellow-press drug possession criminal case that involved the plaintiff). The Trial Court partially admitted the claim, ordering only the removal of the links showing fights, insults or arguments exposed in the media between plaintiff and the other parties involved in the case and not those contents related to the case itself. Although the Court of Appeals had confirmed the decision of the Trial Court, the Supreme Court revoked the judgment, prioritising and defending the right to information and freedom of expression. The Supreme Court emphasised the importance of freedom of expression, particularly in public interest matters. Considering the public nature of the information with respect to which plaintiff intended to set herself apart, the highest Court concluded that the content in question enjoys the maximum protection that our Argentine Constitution provides to freedom of expression. It emphasised that if, by the mere passage of time, the news or information that was part of a public debate loses that attribute and is erased, history and culture would be put at serious risk as well as the exercise of social memory that is boosted by the different facts of culture, even when the past is reflected to us as unacceptable and offensive by today's standards. Moreover, the Supreme Court upheld that allowing the restriction of memories from the public heritage without further ado would open a dangerous path, likely to distort the debate that freedom of expression seeks to protect.