Protecting personal data in Argentina: A work in progress

By Valeria Milanés

Cloud technology continues to forge ahead, with one analyst firm tipping the surge in demand by Argentine businesses to continue into 2015.

According to recent studies (Usuaria Research, 2013), steady growth in the adoption of cloud technology by Argentine businesses is expected to continue into 2015, especially with the emergence of public cloud services provided by large multinational companies including Rackspace, Google, Amazon and Microsoft, to name a few.

The biggest concerns raised over the reliance by businesses and organizations on cloud computing infrastructure and services include data security and privacy in relation to the companies or organizations utilizing cloud technology and perhaps more importantly, information belonging to their users, members and/or clients.

What is the situation regarding data protection in Argentina? The dominant legal framework in the country is the Personal Data Protection Law N° 25.326, enacted on 4th October 2000 and restated in Regulatory Decree No. 1558/2001 (PDPL), which is based, nearly word for word off its Spanish equivalent.

The PDPL establishes the lawfulness of databases that are duly registered with the DNPDP, taking “datafile”, “register”, “database” or databank” indistinctly to mean any organized set of personal data being treated or processed, electronically or otherwise, in any form of collection, storage, organization or access.

The PDPL also contains provisions on data quality (Section 4), security (Section 9), confidentiality (Section 10), consent (Section 5), applicable conditions for assigning and transferring data internationally (including in both cases shared responsibility between the person responsible for the data and the contracting third party), data owner’s rights (regarding information, access, rectification, updating, suspension), habeas data (Section 14), requirements and procedures concerning database registration (Section 21) and criminal sanctions (Section 32), amongst others.

Section 44 establishes the nature of Chapters I, II, III, IV and Section 32 of the PDPL as public order or policy. This should be noted, as public order legislation is neither negotiable nor renounceable, meaning that any obligation assumed to the contrary goes against the law.

Also relevant are the various regulations made under the PDPL and the Provisions issued by the Argentine enforcement authority, the National Directorate for Personal Data Protection (DNPDP, as it is known in Spanish), for example Provision 4/2009. Other legislation that should also be noted include the international conventions that are constitutional in nature and applicable in the country in accordance with Article 75, subparagraph 22 of the Constitution of Argentina, as well as Article 43 of the same body of law, which states:

“Any person shall file a prompt and summary proceeding regarding constitutional guarantees…which currently or imminently may damage, limit, modify or threaten rights and guarantees recognized by this Constitution…This summary proceeding against any form of discrimination and about rights protecting the environment, competition, users and consumers, as well as about rights of general public interest, shall be filed by the damaged party…Any person shall file this action to obtain information on the data about himself and their purpose, registered in public records or data bases, or in private ones intended to supply information; and in case of false data or discrimination, this action may be filed to request the suppression, rectification, confidentiality or updating of said data.”

It is clear that there exists a legal framework in place for data protection in Argentina. However, in Argentina and other countries, the evolution of technology has outpaced the development of legal regimes intended to govern their use. While the PDPL is regarded by many as being among the most advanced legislation on data protection, the problems lie in its implementation.

Statistics show that compliance with the PDPL appears to remain at a low level overall, suggesting that the PDPL’s application is rather limited. For example, in 2012, after twelve years in service, the DNPDP had registered 20,000 databases, compared with 1,600,000 databases registered by that date and within the same period with the Spanish Data Protection Agency.

When it comes to personal data, cloud computing also presents other challenges – large multinational public cloud service providers are known for using adhesion contracts, which generally do not contain specifications established by the PDPL and in which the applicable law and predetermined jurisdiction are that of the country where these companies are legally domiciled, mainly cities in the United States. Most of the time, even the servers that store the information are not located within Argentina, making matters more complicated.

Section 12 of the PDPL prohibits the transfer of personal data to countries that do not have an adequate level of protection in place. To date, the NDPDP and the Executive Branch of the Argentina Government has not determined which countries fall within this category. However, as the U.S. does not have a dedicated data protection law, this may be considered to be inadequate protection in relation to national and international standards. In relation to this, Argentine law also provides that special administrative authority may be required in the case of international data transfers (Article 12 Regulatory Decree No. 1558/2001).

On top of that, it appears that Argentine businesses have yet to fully embrace the adoption of international data protection standards or guidelines. There are few local companies that have obtained certification under ISO/IEC 27001 in regards to information security management, with only a handful being compliant with the recent ISO/IEC 27018, which deals specifically with protection of personally identifiable information which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services.

Thus, the Argentinean experience is no different from other countries in the region, who despite having laws protecting the personal data of individuals and corporations still have a long way to go.

To address the issue, the adoption of responsible and sound business practices in order to bring commercial practices in line with the current legal framework is required, followed by actions towards the effective implementation and compliance of current laws to allow, in as far as possible, for personal data privacy and security guarantees to be preserved.

About the author

Valeria Milanés
Valeria Natalia Milanés heads her own law firm based in Buenos Aires, Argentina. Her practice is dedicated to internet, computing and information and communications technology (ICT) law. She has consulted for and advised numerous startups, businesses and organizations on issues including regulatory and related transactional and business matters in the ICT sector. She is also the director of the Access to Information and Privacy unit of the Association for Civil Rights (ADC), a non-governmental and non-profit organization based in Buenos Aires. She may be contacted at estudio[at]valeriamilanes.com.ar.