Act No. 25.326 of 2000, Landmark Personal Privacy Law
The Personal Data Protection Act, Act No. 25.326 of 2000, also known as the Act for short, is an Argentinian data protection law that was passed in 2000. As the first data protection law to be passed within the continent of South America, the landmark law set forth the regulations that data controllers and processors within Argentina must follow when processing the data of citizens. While the National Congress of Argentina had spent the last few years attempting to pass an updated data protection law in a similar vein to that of the EU’s General Data Protection Regulation or GDPR, these attempts were ultimately unsuccessful, as the proposed Bill lost parliamentary status in March of 2020. Nevertheless, the Personal Data Protection Act, Act No. 25.326 of 2000 still serves as a means of protecting the personal privacy of data subjects within Argentina.
What is the scope and application of the Personal Data Protection Act, Act No. 25.326 of 2000?
As it relates to the personal scope of the law, the Personal Data Protection Act, Act No. 25.326 of 2000 applies “to processors and controllers of databases, meaning all natural persons or legal entities, either public or private”. Conversely, the territorial scope of the law states that “the Regulations apply whenever personal data is processed in the territory of Argentina”. Effectively, this means that isolated data processing activities that occur within Argentina fall under the jurisdiction of the law, even if the rest of said activities take place outside of the country. Moreover, the material scope of the law applies “to processors and controllers of databases in respect of any personal data processing that takes place in Argentina”.
Under the Personal Data Protection Act, Act No. 25.326 of 2000, data processing is defined broadly to mean “any systematic operation or procedure, either electronic or otherwise, which enables the collection, integration, sorting, storage, change, relation, assessment, blocking, destruction, disclosure of data, or transfer to third parties”. To this end, the law also protects the following forms of sensitive personal data:
- Personal data related to racial and ethnic origin.
- Personal data related to political opinions.
- Personal data related to religious, philosophical, or moral beliefs.
- Personal data related to union affiliation.
- Personal data related to health or sexual life.
What are the requirements of data controllers and processors under the Personal Data Protection Act, Act No. 25.326 of 2000?
While the Personal Data Protection Act, Act No. 25.326 of 2000 was passed over 20 years ago, the law still sets forth various principles as it relates to the protection of the personal data of Argentine citizens. These data protection principles include:
- Purpose proportionality – Personal data that is collected for the purpose of processing must be relevant and not excessive in relation to the scope and purpose for which it was collected.
- Transparency – Data collection cannot be performed in a manner that is unfair, fraudulent, or unlawful.
- Purpose restriction – Personal data must not be used for any other purpose outside of that for which it was collected.
- Data accuracy – All personal data that is collected for the purposes of processing must be correct and accurate at all times. Data controllers and processors are responsible for updating, correcting, and partially or completely deleting personal data when needed.
- Access right – Personal data must be stored in a manner that enables data subjects to exercise their right to access.
- Data retention – Personal data must be destroyed after it is no longer needed for the purposes for which it was collected.
- Confidentiality – Data controllers and processors are responsible for binding individuals and agencies involved in any aspect of their data processing activities by a duty of confidentiality.
- Accountability – The principle of accountability has changed over time, in large part due to the influence of the EU’s GDPR law. Subsequently, in order to maintain compliance with the accountability principle of the Personal Data Protection Act, Act No. 25.326 of 2000, individuals and agencies who process personal data are required to implement appropriate technical and organizational measures for the purposes of guaranteeing the security and confidentiality of personal data in their possession.
In addition to these data protection principles, the Personal Data Protection Act, Act No. 25.326 of 2000 also places obligations on data controllers that are found in other privacy laws that have been passed in recent years. This includes ensuring that data controllers and processors register with the National Registry of Personal Databases for the purposes of providing data subjects with data processing notifications, as well as maintaining detailed data processing records. Data controllers and processors are also obliged to conduct a Data Protection Impact Assessment, or DPIA. However, unlike many other privacy policies which do set forth guidelines regulating DPIAs, all DPIAs under the Personal Data Protection Act, Act No. 25.326 of 2000 must include the following phases:
- Identification of participants and documentation of the processes of development of the evaluation assessment.
- Analysis of the applicable laws.
- Preliminary analysis.
- Processing context.
- Risk management.
- Risk treatment plan.
What are the rights of data subjects under the law?
In keeping with the somewhat outdated nature of the Personal Data Protection Act, Act No. 25.326 of 2000 when compared to the legislated privacy protections set forth in the past decade, the Act does not provide data subjects within Argentina with many rights that are now deemed as standard and common. Such rights include the right to erasure, to object or opt-out, and data portability. Alternatively, the Personal Data Protection Act, Act No. 25.326 of 2000 provides data subjects with the rights to be informed, to access, and to rectification. Additionally, while the law does not provide data subjects with the right not to be subject to automated decision making, data subjects do have the right to request an explanation of the logic that was applied to such decisions, in instances where such decisions led to adverse consequences for data subjects.
As it pertains to penalties that can be imposed against individuals and agencies found to be in violation of the law, the Argentinian data protection authority, or AAIP for short, has the authority to enforce the provisions of the law, and utilizes a three-tier system in doing so. As such, violators of the law are subject to the following penalties:
- Basic level, or minor infringements, which include up to two warnings and a fine from ARS 3,000 ($42) to ARS 25,000 ($355).
- Mid-level, or serious infringements, which include up to four warnings and/or suspension from one to 30 days and a fine from ARS 25,000 ($355) to ARS 80,000 ($1,137).
- Critical level, or very serious infringements, which include up to six warnings and/or suspension from 31 to 365 days and/or closure or cancellation of the file, register, or databank, and a fine from ARS 80,000 ($1,137) to ARS 100,000 ($1,421).
The Personal Data Protection Act, Act No. 25.326 of 2000 also provides Argentinian citizens with the private right of action to bring civil liability charges against individuals and agencies who violate their rights under the Law. However, the following four requirements must be proven by claimants who bring forth such charges:
- The illegality of the damaging action.
- The real and actual damage caused.
- The cause-effect relationship between the action and the damage.
- Any negligence, wrongful misconduct, or objective liability that occurred.
While some of the provisions and rights offered by the Personal Data Protection Act, Act No. 25.326 of 2000 are somewhat archaic by the standard of 2021, the law nevertheless provides Argentinian citizens with a comprehensive level of privacy protection. This dedication to personal privacy was reflected in Argentina’s decision to sign the Convention 108+ for the Protection of Individuals with Regard to Processing of Personal Data, or the modernized Convention 108 for short. As such, the nation of Argentina is sure to continue to improve upon the level of privacy protection it offers its citizens.