Allende & Brea – Estudio Jurídico

This report cannot be considered as legal or any other kind of advice by Allende & Brea. For any questions, do not hesitate to contact us.

Introduction to the collective work edited by CETYS entitled: “Data Protection”

Two Decades of Personal Data Protection in Argentina, by Pablo A. Palazzi

1. Introduction

This work that the reader has in his hands is the result of the collaborative work of renowned Argentine specialists in the field of personal data protection, as well as of a few foreign guests.

These authors have generously shared their knowledge to put together an outstanding work on the subject. The original excuse for this collective work was to celebrate the two decades of validity of the Argentine personal data protection law (Law No. 25.326) with a text that would review some of the most important milestones of data protection at the national level and how they are placed within the international context.

In the midst of the preparation and assembly of this collective work, a global pandemic appeared, but that was no excuse and -except for a slight delay- the work was completed by the end of 2020 and will be printed in early 2021 to give testimony of two decades of personal data protection in the Argentine Republic.

The result of this collaborative work is a current and comprehensive work on the whole subject, with diverse points of view and with not only local but also international visions that give a full account of the complexity that the legal rules on the treatment of personal data have acquired today.

2. The current state of the right to the protection of personal data

It is difficult to describe the current state of the right to protection of personal data only by analyzing a local regulation. Several factors influence the description of the current state of the legal regime for the protection of personal data.

First, a text that is already two decades old (and even more if we take into account its basic ideas, which add up to another decade) had to respond to the constant technological developments that are taking place (drones, decisions by algorithms, artificial intelligence, databases connected to the Internet, companies that collect personal data of Argentines from anywhere in the world, facial recognition, biometric data) and other not so new ones (cookies, marketing, data of minors). It also has to face unexpected phenomena such as terrorist attacks or a pandemic, which make it necessary to seek exceptions that are generally not provided for in legal texts.

The protection of personal data must also adapt and succeed in protecting the consumer, but not be an obstacle to business models that have existed for decades and are constantly reappearing and reinventing themselves.

What these business models have in common is that they are all based on the collection and use of personal data. So much so that today the expression surveillance capitalism has been coined to identify it. Surveillance capitalism (the English expression always sounds better) is a concept used and popularized since 2014 by Harvard professor Shoshana Zuboff and refers to the commoditization of personal data, that is, the transformation of personal information into a commodity to be used for profit, to generate targeted advertising, to display specific content, to project new products, to personalize experiences, and a long list of functions that have not yet been invented.

At the time of academic conceptualization, this concept of surveillance capitalism had already been repeatedly exploited by the private sector, specifically by the “technological giants”, to create information empires with personal databases. Data protection has emerged as a tool that gives the individual the right to control these realities, but its origins go back half a century to the fear of data collection by the State. Now, let us agree that this control by the individual fell short in practice, and this made it necessary to strengthen the protections in the most recent generation of personal data rules.

Secondly, in the face of these privacy rules, there are other fundamental rights that are also opposed and require an important and constant balancing act that is sometimes very difficult to carry out. Thus, we have issues such as the right to be forgotten, which requires a contrast between privacy versus freedom of the press and access to information. With the COVID-19 pandemic, the right to privacy and confidentiality of health data is pitted against the use of such data for reasons of general interest and public health to control the pandemic. The use of surveillance technologies such as drones, both state and private, requires reconciling the freedom of their use against the privacy limits of third parties. Mass surveillance and procedural data access tools to combat crime demand reconciling public safety with the privacy of all. International data transfer regulations require reconciling international trade with data sovereignty. In many cases, all data protection legislation implies a limit to transactions on individuals’ information, a regulation that in many jurisdictions where there is no fundamental right over data is limited by other rights such as freedom of enterprise, freedom of expression or the right to trade data.

Third, the geopolitical aspect of personal data cannot be ignored and many articles in this book deal with this approach, which helps to understand the results of some reforms, judicial decisions or international agreements. Examples abound, and suffice it to list a few: the transatlantic battles between Europe and the United States over the regulation of transborder data flow, the Schrems I and II cases, the role of Snowden, the bans imposed by former President Trump on TikTok and WeChat in the United States, the UK’s position on personal data after Brexit, the role of the BRIC countries as an alternative to US hegemony in digital matters, data localization obligations founded on the erroneous concept of data sovereignty or digital state sovereignty, cooperation in the fight against cybercrime and its legal limitations based on privacy, the Cloud Act and access to data from platforms in other countries, terrorism regulations affecting the privacy of foreigners, cybersecurity issues and cyberattacks not only on companies but also on countries, as well as jurisdictions that sponsor hacking as a form of ongoing cyberwarfare. All of these conflicts largely involve the extraterritorial application of personal data rules.

Fourth, the effect of the European Data Protection Regulation (GDPR) has been felt for more than two years around the world, and also in the Latin American region, even reaching the West Coast of the United States (California), with the enactment of the CCPA. In addition to California, China is another jurisdiction that has joined the privacy regulatory wave. In May 2020, a new Civil Code for China came into force, which contains both the typical privacy law rules one finds in private law codes (and other very personal rights) as well as European-flavored personal data protection rules.

All this leads to an obvious conclusion: the GDPR has become the de facto standard worldwide, and therefore constitutes a way to level data protection upwards. Countries should use this as a basis for legislation in order to avoid substantial differences that are obstacles to the free flow of personal data.

At the international level, Convention 108 and its additional protocol, together with Convention 108+, have spread throughout Latin America and are having another important harmonizing effect.

In Latin America, some countries have adopted modern laws inspired by the GDPR, as in the case of Brazil; others, such as Argentina and Chile, have developed modern legislative projects strongly inspired by the new European standard. Many others have been adapting regulatory standards that gradually introduce the new European elements with partial regulations, as in the case of Uruguay and Argentina.

As a fifth aspect, it is worth highlighting the emergence of new players. Privacy issues no longer apply only to databases of classic industries (marketing, commercial reports, etc.) but dominate or have a strong influence on the agenda of Internet regulation, international trade, freedom of expression, open banking in the fintech world, artificial intelligence and algorithmic governance and State transparency. The level of respect for privacy determines whether a society can be classified as a dictatorship or a democracy (although it must be admitted that all, even the most democratic, fall into the sin of spying under the guise of protecting their citizens).

The issues of personal data regulation are so central that numerous new players want to sit down to say something at the privacy table.

At the international level, in 2016, at the United Nations, the position of UN special rapporteur on the right to privacy was created. This new international position is in addition to the local regulatory agencies and the European ones (the WP29, now EDPB together with EDPS), which meet in the Global Privacy Assembly and in the region in the Ibero-American Network for the Protection of Personal Data.

The most important companies in the world also have a privacy officer or DPO (even if the law does not require it locally, almost all of them appointed one years ago). This new actor, the DPO, is destined to play an increasingly important role in international, private and state organizations. The role of the DPO is important to evangelize within the organization. Without someone to fulfill this role, organizations will continue to see personal data obligations as an expense and a cost, not as an advantage. This creates a vicious circle, because organizations that do not adopt security measures and internal privacy protocols end up being careless (negligent, to use a legal term) with personal data, which ends up damaging the rights of their customers, users or partners. Security incidents also affect the commercial reputation of the company and the value of listed companies. At the state level, the healthy practice of appointing personal data or privacy officers has also begun.

To finish with the list of new actors, Latin American civil society organizations started a few years ago to get involved in this issue of data protection (when they used to focus on other more traditional rights, such as freedom of expression, equality, or social rights). This is to be welcomed because for a long time privacy and personal data were absent from the agenda of these regional organizations (by contrast the EFF, the ACLU, EPIC, CDT or Privacy International have in some cases been fighting for thirty years). I remember that in many meetings of the international board of Privacy International, of which I was a member for many years, this debate was a recurring theme and finally became a reality. The presence of these organizations brings more pressure and control to the State to adequately respect this right. On the other hand, as the issue has become fashionable, this has even provoked some suspicion and competition among the different NGOs to be in the center of the scene, dominate the agenda and mark the terrain.

Courses, postgraduate courses, diplomas and master’s degrees also appear. This is a natural consequence of the fact that, as a requirement to become a DPO, several legislations demand proof of knowledge. This also generated legal works on the subject and specialized professors. Nelson Remolina Angarita, a renowned Colombian expert in data protection, has been teaching his course on these subjects since 2001 at the Universidad de los Andes (Bogota, Colombia). Renato Jijena Leiva, a Chilean data expert, has been teaching a similar course on computer law with a high personal data content since 1995 at the Catholic University of Valparaiso (in 1992, seven years before the Chilean personal data law was passed, he had already written a book on the subject). Brazilian professor Danilo Doneda teaches a course on personal data at the University of Rio de Janeiro and at the Getulio Vargas Foundation (FGV), and is the author of a book on personal data published a decade before the LGPD came into force. In addition, Danilo was a visiting scholar at the Italian personal data agency and studied with Professor Stefano Rodotà. As for me, the course on personal data protection that I organized at the University of San Andrés has been going on for a decade. Moreover, at our university the subject of personal data is taught at both undergraduate and graduate levels. In Argentina, the rest of the universities also offer undergraduate and graduate courses on personal data.

Finally, with all these regulatory developments, companies have started to pay more attention to personal data laws. They are realizing that investing in privacy is not an expense, but rather an investment that pays off. A recent Cisco report entitled “From Privacy to Profit: How to Achieve Positive Returns on Privacy Investments. Cisco’s 2020 Data Privacy Benchmarking Study” reports on this trend.

3. Two decades of data protection in Argentina

On October 4, 2000, the Argentine Congress passed Law No. 25.326 on Personal Data Protection. This law was published in the Official Gazette on November 2, 2000. November 2, 2020 marked two decades of validity of this Argentine law, a pioneer in the region. At that date, only Chile had a personal data law in force. After its enactment and after Argentina was declared a suitable country, similar laws were passed in Uruguay, Peru, Colombia, Mexico and Brazil, among many others.

On the other hand, data protection has evolved a lot in the last two decades. It is no longer a strange rule but, in light of it, numerous regulations have been issued to regulate all kinds of issues such as video surveillance, drones, apps, marketing, commercial reports and state databases. A simple query in InfoLeg yields about 110 regulations of varying legal rank that refer to Law No. 25.326. A large body of jurisprudence has shaped the interpretation of the law and transformed it into a fundamental guarantee for the defense of personal data in the information society.

During these two decades, the government first created the National Directorate for the Protection of Personal Data (DNPDP) within the Ministry of Justice and then transferred it to the Agency for Access to Public Information (AAIP, the agency that enforces the Law on Access to Public Information). When the DNPDP became part of the AAIP, Argentina consolidated an independent personal data authority. It had been declared as an adequate country and one of the points that the European Commission had pointed out was the lack of independence of the agency because it depended on a ministry and did not have autonomy. With this, Argentina fulfills an important requirement of the European model, which is the independence of personal data authorities.

In these two decades, the DNPDP first and then its successor, the AAIP, adopted numerous resolutions, imposed several sanctions and initiated audits and proceedings against companies. In these twenty years, the right to data protection evolved considerably.

At the international level, Argentina also made good progress. On December 15, 2017, by means of Law No. 27,411, the Argentine Republic acceded to the Budapest Convention on Cybercrime. On January 2, 2019, it approved the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108), together with its additional protocol, by means of Law No. 27,483 and, in July 2020, the so-called Convention 108+ obtained half sanction.

At the international level, throughout these two decades many technological changes took place, which caused the European rules to be modified in 2016, and thus a new regulation came into force, which, as we have already pointed out, caused another intense wave of reforms. Laws such as the Brazilian law, passed in 2018 and in force since August 2020 (with entry into force of its sanctioning regime by 2021), and the California CCPA (in force since 2020) and now the Virginia law marked a new milestone in the expansion of European ideas of personal data protection. Argentine law is trying to adapt to these trends, and several bills inspired by them have already been discussed.

4. The novelties of the last two decades told through this work and its authors.

This collective work seeks to provide testimony of everything that has happened during these two decades of data protection through articles by specialists and people involved in the day-to-day work in this field in Argentina. It includes articles that analyze some general principle or institute of data protection (such as consent, legitimate interest, international transfers or portability) and comments on specific national or foreign cases that have marked milestones in the history of data protection, such as the “Schrems II” case.

The work is divided into 7 chapters – distributed in two volumes – containing a total of 31 articles written by 28 authors.

The first chapter begins with a commentary by Eduardo Bertoni, who was director of the AAIP until the end of 2020. Bertoni wrote a note where he explains why Law No. 25.326 was born outdated -we widely agree with his vision- and relates the progress that was achieved with the independence of the local agency, and on an international scale with the approval of several conventions, as well as the last important rules approved by the agency, which serves as a sort of management balance sheet.

Professor Oscar R. Puccinelli is the author of an article entitled “La Ley N.º 25.326 de cara a su reforma integral: el proyecto elaborado en el marco del Programa Justicia 2020”, in which he comments on the reform project which, if it had been dealt with by the National Congress, would have updated our personal data law to the European GDPR standard.

This is followed by a note by Brazilian Professor Danilo Doneda on the recognition of the fundamental right to the protection of personal data in the jurisprudence of the Brazilian Federal Court. It is a commentary on a recent Brazilian ruling on the protection of geolocation data during the COVID-19 pandemic. The case serves to demonstrate how the Brazilian courts, with no law in force at the time, considered the protection of personal data as a fundamental right.

Then there is a note written by María Julia Giorgelli and Javier Raimo on the proposals for the reform of the Data Protection Law of the City of Buenos Aires No. 1,845 (in whose drafting I participated) and the influence of the European GDPR. Both authors work at the Buenos Aires personal data agency. The note contains an annex with the bill presented in the Legislature. Simply reading it makes the European influence evident.

Lisandro Frene takes stock of the two decades that Law No. 25.326 has been in force and what has been the result in different aspects of its application.

Two articles deal with the extraterritoriality of personal data protection laws, a topic that is always current and in constant evolution. Mariano Peruzzotti writes about the extraterritoriality of the GDPR and its effects in Argentina. This author comments on the territorial scope of the Personal Data Protection Law through a jurisprudential interpretation of the current law. Lucía López Laxague analyzes the extraterritoriality of the European GDPR and the obligation to appoint a DPO. This author’s note was her dissertation in the Master’s Degree in Business Law at the Universidad de San Andrés.

Another note by Lisandro Frene critically reviews the novelties of the last twenty years in relation to the activity of the Argentine personal data agency, its operation and its enforcement.

Finally, Professor Oscar Puccinelli also writes about the impact of the European GDPR and the “standards” of the Ibero-American Data Protection Network on recent reforms, reform projects and new data protection laws in Latin America.

The second chapter of this book contains articles on the general principles of personal data protection laws. Agustín Allende Larreta writes on the principle of purpose in the processing of personal data. Andrés Chomczyk analyzes the evolution of the duty of information in the Argentine Personal Data Protection Law and in international standards. Regarding consent, Diego Fernández analyzes the consent of minors for the processing of their personal data. In another article, Agustín Allende Larreta addresses the issue of personal data portability. Finally, a very practical note by Diego Fernández and Manuela Adrogué analyzes the treatment of sensitive data in Argentine legislation and jurisprudence.

The third chapter deals with rights and obligations. José Alejandro Bermúdez Durana, former Commissioner of Personal Data of Colombia, explains the principle of proactive responsibility or accountability in Colombian legislation and its origin in international standards. A note by Pablo Segura analyzes the importance of the DPO in organizations. A note by myself focuses on the role of the DPO and its interface with the compliance regime. The text contains two annexes with the rules of Argentina and Uruguay that require the appointment of a DPO in certain cases. Together with Andrés Chomczyk we write about cybersecurity, security incidents and data breaches in Latin America.

The second volume opens with the fourth chapter, which deals with the ever-current issue of international transfers of personal data. Mariano Peruzzotti, in another article, reviews the current Argentine regulation in the light of comparative law. The “Schrems II” case is commented on by Esteban Ruiz Martínez and Mikel Recuero Linares.

The fifth chapter deals with the protection of personal data on the Internet. The topics dealt with here are the right of deletion in social networks – analyzed by Lucia Suyai Mendiberri -, the problem of exercising personal data rights on the Internet – by Esteban Ruiz Martínez – and the application of the “Belén Rodríguez” case to data protection – by the undersigned.

The sixth chapter analyzes sectorial data processing. It includes notes on health data and its treatment by pharmaceutical companies (written jointly with Franco Rizzo Jurado), on telemedicine and patient data (by Ambrosio Nougues), on electoral data (written by Lisandro Frene in co-authorship with Damián Navarro), on public video surveillance systems (by Hugo Vaninetti) and on the collection of personal data by means of drones (by Juan Cruz González Allonca, who was director of the National Directorate of Personal Data and promoter during his tenure of the regulation on drones that he himself comments on).

The seventh chapter is devoted to personal data and its relationship with the criminal process and criminal law. Again, the interface between both branches of law is not frequent, and the treatment of this subject in the Argentine doctrine from the point of view of personal data was scarce, if not null. For this reason, we thought it would be interesting to deal expressly with several topics. Hernán Blanco deals with the impact of criminal investigation on the protection of citizens’ personal data. Another article deals with the international transfer of personal data in criminal matters and the impact of the Cloud Act of the United States. This work, written by cybercrime specialists Daniela Dupuy and Mariana Kiefer, makes a very topical contribution because this issue is being discussed at the Council of Europe as a result of the modernization of the Budapest Convention. Finally, the use of OSINT techniques (wrongly called “cyberpatrolling”) and the personal data generated by this activity is commented on by Marcelo Temperini and Maximiliano Macedo.

The depth of all these notes shows that in Argentina the two decades of data protection did not pass in vain. Numerous specialists have been trained in the light of Law No. 25.326 and a solid community of practitioners and academics has been created.

Finally, I would like to thank CETYS and Derecho UDESA for their financial support and María Vazquez for the printing of this work.

5. Conclusions

The enthusiasm shown by all the authors in conceiving this work, most of which was carried out during the pandemic, raises the possibility of continuing to develop this type of compilation more frequently, given that the topics are so broad and diverse that it is impossible for them to be covered by a single author. For this reason, we invite all those interested in contributing to the development of personal data in the region to send us current contributions in order to continue this work through additional volumes.

Source: https://pablopalazzi.blogspot.com/2021/03/dos-decadas-de-proteccion-de-datos.html
