Twenty-two years after the enactment of Law 25,326 on Protection of Personal Data, an update project is about to be debated in Congress, after having gone through a process of public consultation, reviews, hearing tables, and even a history of reform in 2018 that lost parliamentary status.

Its main promoter is the Agency for Access to Public Information (AAIP, for its Spanish acronym), in which a new director was appointed in February 2022, Beatriz de Anchorena, and the central goal of her management was to face the update. The official raised Convergencia as a pillar of the new text, the owner of the data as a subject entitled to rights: the current law focuses on the protection of personal data and includes legal persons (companies, associations, among others) within its object; instead, the new regulations aim to guarantee the exercise of the fundamental right of human persons. That is, the data itself is no longer at the center, but the person. Here lies the paradigm shift contained in the reform.

In addition, the reality of the current digital economy is taken into account, far from the incipient one of 2000, when the current law was enacted: growing billing companies are those that have personal data in their core business. The bill points to this reality: the idea of the AAIP is to generate clear rules both for the data owner and for companies, entrepreneurs, and those whose businesses use personal data. These rules include weighty sanctions, along the same lines as the "General Data Protection Regulation" (GDPR), established by the European Parliament in 2016 and in force since 2018. Law 25,326, of 2000, set pecuniary fines of a maximum of $100,000 (US$10,000 at the time), while the new project contemplates limits tied to mobile units, which supposes amounts of up to US$60 million or 4% of the annual global billing of the economic group.

On the other hand, as highlighted by Anchorena, technological neutrality is incorporated, so that the text does not become obsolete: the law applies to all types of data processing regardless of the technologies or procedures used for said purpose.

The project that was submitted to public discussion as of August consisted of 76 articles, distributed in 11 chapters, and was the result of a review process initiated in 2008. It also recovered the progress made by the management of the previous director of the AAIP, Eduardo Bertoni, who had begun the reform process through a platform for the participatory creation of rules -“Justicia2020”- (Justice 2020): the project prepared at the request of these consultations with the entire public and private ecosystem was presented in Congress but was not discussed, for which it lost parliamentary status and Bertoni resigned from his position in the AAIP in January 2021.

Of the 76 articles that made up the proposed regulatory update draft, 43 were reviewed and modified based on 173 comments from 123 participants. In turn, 4 new articles were incorporated, so that the final project has 80. Among the modifications made from the public consultation is the incorporation of the principle of pre-eminence in article 10: it establishes that, in case of doubt about the interpretation and application of the law, the most favorable to the owner of the personal data will prevail. Details were also added on the role of the person in charge of information processing in public or private entities: "He is obliged to implement due diligence in the matter, understood as a continuous process, aimed at identifying, preventing, rendering accounts and mitigate the adverse impacts that could be caused”. Article 17, which addresses the processing of sensitive data, was also amended, including that "when public bodies process sensitive personal data, they must provide stricter security conditions, which must be implemented through additional appropriate safeguards, specifically designed."

As article 74, a period of one year as from the publication of the law in the Official Gazette was incorporated from the public consultation for the adaptation of data responsible people and processors to the new provisions.

The urgency of the need to update Law 25,326 is an idea shared by referents around data protection. Within the framework of the Argensig 2022 event, Adrián Acosta, head of the Computing Security Division of the Argentine Federal Police, said that companies that violate current regulations "receive almost no sanctions." He warned that the databases are stolen "daily", without any repercussions.

For Juan Pablo Altmark, president of the Latin American Privacy Association (ALAP, for its Spanish acronym), the complexity will be in achieving compliance by companies that process personal data. The task of the enforcement authority -the Agency for Access to Public Information and Protection of Personal Data- will have to put into practice the abstract concepts stipulated in the new text, with efforts in "accountability" that proved to be the heart of the effectiveness of the GDPR and the Convention 108+. In particular, the application of extraterritoriality is difficult, an aspect that continues to be an obstacle for the processes faced in the European Union.

Another point that could block the project in Congress, in Altmark's opinion, is the amount established for sanctions, well above the US$20 million stipulated in the European regulation and US$10 million in the Brazilian regulation. For this reason, given the concrete execution complications that a possible new law could have, the head of ALAP considered in dialogue with Convergencia that its importance lies in the establishment of new rules, rather than in a change in the reality of data processing.

In order to follow-up possible breaches, it will also be key for the State to dedicate a budget to the management of privacy and information security, considering that it is the largest data processor in the country, and at the same time, the least secure, according to the information itself. Data privacy professionals are those of the most sought-after talents -and best paid-, so the State must face their incorporation for the application of the new regulations.

Mario Adaro, minister of the Supreme Court of Justice of Mendoza and a benchmark in digitalization of judicial systems, raised during Argensig 2022 that the discussion of the norm must take into account the approach of the person in Web 3.0, with participation in the metaverse and the ownership of digital assets that this stage entails. Given this evolution, it is crucial to avoid "datafying" the person and consider the human dimension from a rights recognition approach.