The Current Importantce of Implementing Data Protection in Argentina. August 2011 While Argentina has had various data protection laws in place for some time, it is important for those of us that do business in Argentina to understand the changes that are occurring, within the Argentinean Data Protection Authority and within Latin America as Mexico gets ready to host the 33rd Data Protection Commisioner´s conference in Mexico City in November. Certainly this will be a time to highlight data protection in Latin America, naturally Argentina included. Enrique M. Stile attorney and partner and Mariano J. Peruzzotti, attorney and associate with Marval, O'Farrell & Mairal in Buenos Aires, Argentina, are very experienced in these matters and they provide with us with the key highlights for implementing data protection in 2011 and beyond. They highlight the unique aspects of data protection today and in the coming years in Argentina as well as some of the major risks and more importantly mitigating controls that are necessary for those of us that do business in Argentina. Enrique M. Stile joined Marval, O'Farrell & Mairal in 1997 and has been a partner since 2006. He specializes in labor and employment law. His practice in the firm focuses on full employment advice for multinational and local corporations, especially in mergers and acquisitions, privacy matters, transference of employees, rightsizings, union issues, compensation programs and in adapting international policies and programs to local legislation. He has also a strong background in negotiating employment conditions and termination agreements with expatriates and key employees and in multhjurisdictional labor advice. He has been nominated as leader in his area by the international publications Chambers & Partners, Who's Who Legal and Global Law Experts. He has written numerous articles in well known international publications such as The International Lawyer of the American Bar Association Employment Law Committee and Latin American Law Business Report and contributed in the books "Employment Law Review" and "Employment Law Client Strategies in Central and South America". Mariano J. Peruzzotti has been an associate at Marval, O'Farrell & Mairal since 2004 and is in charge of the Personal Data Protection Team. He focuses his practice on intellectual property, technology, e-commerce and media-related transactions, personal data protection, data security, and online advertising. He regularly advises clients on a wide range of matters, including privacy and data security compliance, responding to data security breach incidents, preparing privacy and data security policies, data profiling, filings with the proper authorities, behavioural marketing, software issues, children's privacy, international privacy, healthcare privacy, identity theft prevention, and social networking. Nymity: Which laws in Argentina have specific provisions related to privacy and what obligations do these provisions create? Marval: Personal Data Protection is governed by Section 43 of the Argentine Constitution and the Personal Data Protection Law No. 25.326 ("PDPL"), as restated by the Regulatory Decree No. 1558/2001. The main purpose of the PDPL, enacted on October 4, 2000, is to guarantee (i) the complete protection of the Personal Data contained in files, records, databases or other technical means, either public, or private if destined "to supply information", (ii) the rights to good reputation, privacy, and access to information, in accordance with Article 43 of the Argentine Constitution. According to the Regulatory Decree a private file, record or database shall be deemed destined "to supply information" if its use exceeds an exclusive personal use. The PDPL provides a very broad definition of Personal Data as any kind of information referring to individuals or legal entities. Thus, the provisions of the PDPL are also applicable to companies. We list below the main obligations imposed on Data Controllers to ensure that data is processed properly: • Databases have to be registered with the Controlling Authority. • Data Subject's informed consent must be obtained before collecting and/or assigning Personal Data. • Personal Data cannot be collected through dishonest, fraudulent or illegal means. • Incomplete data must be deleted, substituted or completed by the individual or entity responsible of the database if there is knowledge of such inaccuracy or incompleteness. • Necessary technical and organizational measures to guarantee the protection and confidentiality of Personal Data must be adopted Nymity: Does your law contain the protection of the habeas data rights of persons? Marval: Yes. The Argentine Constitution and the PDPL contain the habeas data rights of persons. Section 43 of the Argentine Constitution states that every person shall request a prompt and summary action to know the content and purpose of all the data stored in private or public databases. In case of incorrect data or discrimination, this action may be filed to request the update, removal, rectification, and/or confidentiality treatment of them. Argentine court precedents have recognized "habeas data" as a fundamental and directly applicable right. The PDPL develops and widens the Constitutional provision about Habeas Data. According to the Law, any Data Subject has the rght to (i) access to any database containing Personal Data owned by him/her, (ii) request information in connection with his/her data; and (iii) request the correction, removal, update or confidentiality treatment of his/her Personal Data. Non compliance with such obligations by the responsible or user of the files, records or databases shall entitle the Data Subject to judicial claims and to give notice of such failure to the Controlling Authority. Nymity: How have these laws and regulations evolved? Marval: The PDPL was sanctioned on October 2000 and restated on December 2001 by Decree 1558/2001 as we mentioned above. Since 2003 the Controlling Authority has issued several Dispositions concerning the registration of databases, security measures, Habeas Data Rights, and other formal aspects related to the PDPL. Argentina was the first country in Latin America to be declared to have an adequate level of protection of Personal Data by the European Pariament and of the Council. On June 30, 2003, the Commission of the European Union recognized Argentina as providing an adequate level of protection for Personal Data transferred from the European Union (Commission Decision C (2003) 1731). This represented a very important step for Argentina's Personal Data protection policy. The consideration of a secure country regarding privacy matters allowed investments of foreign companies in the field of services and telecommunications. In that regard, many companies had set up call centers in our country providing services worldwide. The PDPL was amended by Law 26,343, incorporating a new section 47 to its provisions. This new section rules that databases created for supplying credit information must remove from their registers, and refrain from recording, any data referred to individuals or juridical entities who had unpaid obligations born in the period between January 1, 2000, and December 10, 2003, provided that those unpaid obligations had been canceled at the time this new law was enacted or within 180 days as from this date. As you may know, during this period (years 2000/2003) Argentina's economy faced a deep crisis. Last, Data Subjects with debts in the situation mentioned above may exercise the rights of access, removal, and updating of the information contained in the database referred to their financial obligations. Furthermore, on August 13, 2010, the Regulatory Decree No. 1558/2001 was amended by means of the Decree 1160/2010, providing more details concerning the powers of the Controlling Authority to investigate possible infringements of the PDPL. Nymity: What is the status of any pending data protection regulations or changes in laws? Marval: We consider that pending local regulations will be issued promptly. Argentina is a federal country composed of twenty four provinces. The competence for data protection is split between federal and local level. Those provisions of the PDPL regarding general data protection principles, rights of the data subjects, obligations of Data Controllers, and criminal sanctions, apply uniformly throughout the whole territory of Argentina. Provisions of the Act about the control and sanctions powers of the PDPL Controlling Authority as well as rules of procedure of the judicial remedy for the data protection are considered as of "federal jurisdiction". That means that the provisions of the PDPL about judicial remedies and Controlling Authorities' powers applies only to data processing carried out by the federal public administration and when databases are interconnected via national or international networks. In the other cases, databases would fall under provincial jurisdiction and therefore the PDPL do not apply. The PDPL encourages Provinces to adhere to those provisions of the Act that are of an exclusively Federal jurisdiction. Unfortunately, few provinces have issued regulations on procedure for the habeas data remedy or on the establishment of local controlling authorities. In order to comply with the PDPL and international commitments, it is expected that local regulations will be issued very soon. In that regard, when the European Commission recognized Argentina as a country with adequate security level of protection, it expressly requested the establishment of data protection supervisory authorities all over the provinces. As pointed out by the Article 29 Working Party of the European Community, local controlling authorities are "... important to ensure that there exists in all cases a system of direct verification by authorities and an institutional mechanism allowing for independent investigation complaints other than the judiciary." (Opinion 4/2002 on the level of Personal Data protection in Argentina). Determining alternatives means of providing consent to the treatment of Personal Data is another aspect pending of regulation. The PDPL provides that the treatment, disclosure, collection, storage, amendment, evaluation, destruction and processing of Personal Data must be specifically consented by the Data Subject. Such consent must be given freely, based upon the information previously provided to the Data Subject and expressed in written or by an equivalent mean, depending the specific case. Although the Regulatory Decree No. 1558/2001 provides that the Controlling Authority shall determine the requirements for a valid consent that is not expressed in written, so far it has not issued any resolution including equivalent means to provide non written consent, such as the electronic acceptance through a website. Therefore, the validity of consent obtained, for instance, through the Internet or a telephone call is still unsettled in Argentina. The evolution of technologies requires a prompt determination in that respect. Nymity: What are the highlights of key obligations? Marval: We highlight below the main aspects concerning key obligations that Data Controller must observe when treating Personal Data. 1) Principles related to the treatment of Personal Data must be taken acutely into account. Collected Personal Data must be accurate, adequate, pertinent and not excessive in relation with the scope and purpose for which it was effectively obtained. The collection of Personal Data cannot be done through dishonest, fraudulent or illegal means. The regulatory decree states that the determination of the good faith and loyalty in the collection and use of Personal Data shall be based upon the analysis of the procedure utilized and the information previously provided to the Data Subject. Collected Personal Data cannot be used for different or incompatible purposes to those ones which encouraged its collection. Personal Data must be accurate and must be up-dated if necessary. Personal Data which is total or partially inaccurate or incomplete must be deleted, substituted or completed by the individual or entity responsible of the database if there is knowledge of such inaccuracy or incompleteness. Personal Data must be destroyed, without the Data Subject's request, when it has ceased to be necessary or current for the purpose for which it was obtained. 2) The treatment, disclosure, collection, storage, amendment, evaluation, destruction and processing of Personal Data must be specifically consented by the Data Subject. Such consent must be given freely, based upon the information previously provided to the Data Subject and expressed in writing or by an equivalent mean, depending on each case. The Data Subject, with no retroactive effects, may revoke the consent at any time. The above consent shall not be necessary when the data: • is obtained from public sources with unrestricted access; • is collected by the government pursuant to its legal authority or in its capacity as such; • comprises only the following information: name, ID number, tax or social security identification numbers, occupation, date of birth and domicile. • derives from a contractual, scientific or professional relationship with the Data Subject of the data, provided that such data is necessary for the development and compliance with such relationship; and • is related to transactions made by financial institutions. 3) Databases containing personal information must be registered with the Controlling Authority. On a first step, the registration procedure must be carried out on-line through the Website of the Controlling Authority. A form must be completed providing certain information about the database (kind of information stored, purpose of the database, data retention policies, etc.). Once the on-line procedure is completed, the Data Controller must file certain documents with the Controlling Authority. The registration fees vary according to the number of persons whose personal information is included in the database. 4) Data Controllers must take appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss or destruction of, or damage to, Personal Data (Section 9, PDPL). In addition, the Controlling Authority has issued the Disposition No. 11/2006, which specifies the mandatory security measures. The Disposition establishes three different security levels considering the nature of the Personal Data stored in the databases. Every security level lists certain security measures that must be adopted by each Data Controller. Nymity: What are the next steps and what changes are likely? Marval: Several bills amending the PDPL were filed with the Argentinean Parliament in the last years. Most of them refer to databases concerning credit information and the possibility of reporting debts. However, we are not aware of conclusive developments in view of the enactment of those bills. Nymity: What is the expected timeline for these next steps, if any and for compliance? Marval: There is no timeline for these changes. Nymity: What recommendations do you have for companies in Argentina and for those that do business in Argentina? What should they be doing now? Marval: Needless to say that we would strongly recommend observing the PDPL and regulations in force. A company collecting and treating Personal Data must comply with all the obligations mentioned above. Besides, we believe that requesting legal advice of experts in the field is highly recommended. Today most companies have their own websites in which they advertise their products and services. Internet is an outstanding means of communication to hence a company's reputation and increase profits. Usually companies collect personal information of their clients through the Internet. When thinking in launching the website, we recommend implementing a website Privacy Policy adjusting its terms to local requirements regarding Personal Data protection. Finally, we strongly suggest that companies doing business in Argentina implement written notices or policies reporting employees that the electronic systems and communications are work tools and shall be used only for work purposes so that no expectation of privacy in connection with their usage is created. Furthermore, these notices should state that: (i) the company has the right to control the use of electronic communications; and (ii) may exercise this right when deem necessary and convenient. If there is no internal regulation or policy regarding use and control of electronic communications and devices, or the policy does not contain any provision in the terms above mentioned, the employer may not be entitled to monitor the electronic communications and devices, unless with the wrtten consent of each employee. Best practice would recommend that this notice is acknowledged by the employees as received and, preferably, accepted and consented to. Nymity: Who is your Data Protection Authority, Commissioner or regulator? Please identify who they are. Marval: The Argentine Personal Data Protection Agency -in Spanish, Dirección Nacional de Protección de los Datos Personales- (hereinafter, the "Agency") is responsible for overseeing the PDPL. The Agency is a governmental body and depends on the Ministry of Justice and Human Rights. The Agency assists and advises individuals on the terms of the PDPL and the remedies available to them. It also issues rules and regulations (Decisions), maintains a permanent registry of all existing databases, monitors compliance, conducts inspections, and imposes sanctions. Nymity: If your Data Protection Authority is active, what has been their primary focus? What types of fines or penalties have they issued, and/or what other enforcement actions have they taken during the last calendar year, if any? Marval: The Agency has been very active in issuing Dispositions regulating the PDPL. Thus, up to date the primary focus of the Controlling Authorty has been orientated in regulating certain aspects of the Law and informing citizens and companies about the rights and obligations imposed by the Law. In other words, the Agency was keen on fostering the culture of the protection of the Personal Data. As to the enforcement actions, the Agency has compelled local individuals and/or entities to register their databases with the National Registry of Databases under the threat of applying administrative sanctions. Indeed, many notices requesting databases registration have been sent to different individuals or companies registered with Public Registries, such as the Public Registry of Commerce, the Federal Tax Authorities and the Social Security Authorities. In the last years the Agency has conducted many inspections on companies to check compliance with the terms of the PDPL. During an inspection the Agency verifies if the Data Controller complies with the duties regarding data protection, such as staff training; proper collection, processing, management, assignment, removal of Personal Data; registration of databases; compliance with security measures for the processing and storage of Personal Data, etc. The Agency may impose the following administrative sanctions for non-compliance with data protection regulations: (i) written warnings; (ii) suspension of the database; (iii) cancellation of the database; (iv) fines ranging from USD 240 to USD 24,000 (at the current exchange rate), depending on the nature of the infrngement. However, up to date the Agency has imposed only nineteen sanctions since 2005 and most of them are written warnings. Nymity: Given your Data Protection Authorities' enforcement actions, what do you recommend companies do or have done to avoid enforcement actions? Marval: As a first step, we suggest registerng databases once they are created. Then, security measures shall be implemented in order to guarantee security and confidentiality of the information stored in those databases. Although it is not compulsory, we deem that it is a good practise to appoint a data protection officer in charge of dealing with all data protection matters. Furthermore, those employees who intervene in any phase of the treatment of Personal Data shall be informed about the duty of confidentiality. Such duty persists even after the relationship with the employee is terminated. We strongly recommend conducting periodical internal audits with experts in the field to check whether the company is complying with all Personal Data protection regulations; particularly if the company will be inspected by the Controlling Authorities. In that regard, Agency's inspections are notified to the Data Controller with a prior notice of not less than 10 working days unless a justified reason requires executing the audit without the pror notification. This term allows the company to conduct a preliminary internal audit before the inspection in order to monitor the state of compliance. Finally, if during an inspection the Controlling Authority detects breach to the PDPL, remedies shall be applied as soon as possible to avoid any sanction. Nymity: In closing, what have we not asked that would be beneficial for our readers to know about? Marval: Since rules regarding international Personal Data transfer are particularly strict, they should be considered when approaching Argentine Law.