By Maria Sol Porro
As we mentioned in previous articles, compared to the changes in Personal Data that the European Union experienced last year, both at the community level and at the national level, due to the sanction of the General Data Protection Regulation (GDRP), many Latin American countries began to modify their own laws, not only to comply with the regulations in the cases in which the same are applicable to them but also to be in accordance with this wave of modernization and strengthening.
In the specific case of Argentina, a bill was recently presented to Congress that would replace the Personal Data Protection Law No. 25,326, which has been in force since 2000, in an attempt to align the data protection standards of the country with the GDPR. Furthermore, through Resolution 159/2018, published in the Official Gazette dated December 5th, 2018, the modification of the personal data protection authority was arranged, replacing the National Directorate for the Protection of Personal Data by the Agency of Access to Public Information (known as ¨AAIP¨ in Spanish).
It is in this context of continuous changes in data protection in Argentina and while awaiting the treatment in the National Congress of the new law mentioned, that on January 16th, 2019, it was published in the Official Gazette the Resolution No. 4/2019 called “Guiding criteria and indicators of best practices in the application of Law No. 25,326”. This recent resolution issued by the AAIP aims to unify the criteria of the agency for the correct interpretation and implementation of the current regulations on the protection of personal data, whose observance is mandatory “for all those subjects reached by Law No. 25.326ii. Then we will explain the established criteria:
1. Right of access to personal data collected through video surveillance systems
This criterion refers to the guidelines that must be applied to a request that the owner of the data demands in order to access their personal data (in this case her/his personal image) which were collected through video surveillance systems.
In other words, anyone who wants to access their image (personal data) collected through video surveillance systems must prove their identity and indicate the approximate date and time at which their image could have been captured, as well as provide the necessary information to identify it. For its part, the person responsible for the database must provide the personal data clearly, accompanied by an explanation of the duration of the registration, place of image registration, purpose, eventual assignments, destination of the data and indicate if the data bank is registered with the AAIP.
Basically this point aims to regulate the video surveillance systems and the image of the people taken by these devices, which is cataloged as “personal data”. In this way, according to the current system, the means of video surveillance must be registered as a database before the AAIP, an obligation that, on the other hand, is eliminated in the Project to amend the Personal Data Law.
2. Automated Data Processing
This criterion deals with the right of the owner of the data to ask the database officer for an explanation regarding the logic applied to the automated processing of their data, when such treatment causes a prejudice, that is, pernicious legal effects or affect her/him significantly in a negative way.
Within this point it is important to highlight that the automated data processing and its correlative right to obtain information about it is stipulated in GDPR. However, in the GDPR, the principle of making decisions which evaluates personal aspects of a person and that are based merely on an automated treatment is prohibited, unless it is specifically permitted by the European Union or by a Member State or that the holder has given his explicit consent.
3. Data dissociation
To understand this criterion, it is necessary to begin with the point of when the Argentine personal data regime is applicable. In this way, Law 25.236, in its article 2, establishes that the regulations apply to “information of any kind referring to physical persons or ideal existence determined or determinable”. Therefore, the information obtained that can not be associated to a determined or determinable person will not be protected as a ¨protected data¨ in the terms of the Argentine regime.
In this sense, the resolution establishes that it will not be considered “information related to a determinable person”, under the terms of Article 2 of Law No. 25,326, the one whose procedure applied to achieve its identification requires the application of disproportionate or non-viable measures or deadlines.
However, this point generates certain legal gaps since it is not defined precisely when a measure or term is disproportionate or unfeasible.
4. Biometric data
Like Article 2 of Law 25,236 and Article 4 of the GDRP, the new resolution also defines “biometric data” as “those personal data obtained from a specific technical treatment, related to physical, physiological or behavior of a human person, that allow or confirm their unique identification¨.
In this sense, it establishes that the biometric data of a person will be considered sensitive data when they reveal data that may be discriminatory for the owner (for example, data that reveal ethnic origin or health information).
In art. 5 of Law 25,236 establishes that ¨the treatment of personal data is illegal when the owner has not given his free, express and informed consent, which must be recorded in writing, or by any other means that allows him to be equated, according to the circumstances¨.
Therefore, in line with the provisions of the GDRP and ahead of what will be discussed in the new bill on data protection, the Resolution adds in this criterion that the person responsible for the database must have effective identity validation mechanisms that prove that the person who has given the consent is actually the owner of the data and not a third party, leaving ample margin to the information officers of the databases to apply for those mechanisms that are most convenient for them.
6. Consent cession between Public Organisms
In relation to what is established in the previous generic criterion about consent, the resolution specifically regulates the case of consent between Public Organizations, stating that the consent of the owner of the data will not be required, provided that:
(i) the assignor has obtained the data in the exercise of its functions;
(ii) the transferee uses the data for a purpose that is within the scope of its competence and;
(iii) the data are adequate and do not exceed the limit of what is necessary in relation to the latter purpose.
7. Consent of minors
Finally, and in harmony with the Civil and Commercial Code of the Nation and the gradual capacity that this establishes, it is established that the minor may give informed consent for the treatment of their personal data taking into account their psychophysical characteristics, aptitudes and development, so that if the minor does not possess the sufficient capacity to give the informed consent, the holder of the parental responsibility or guardianship must give the consent for the treatment.
Faced with all these developments in data protection that Argentina has been experiencing in a short period of time, we consider that it is valid to understand that all these changes aim to maintain the title of a ¨safe country¨ for the processing of personal data, that the aforementioned country has obtained over the past few, according to international standards protection of the confidentiality and integrity of the information that contains personal data throughout the treatment process (from collection to destruction years . Therefore, we believe that we will have interesting news about the analyzed sector in Argentina during the course of this year.
i ¨ Wave of Personal Data Updates in Latam¨, By Maria Sol Porro, 29 JANUARY, 2019 (Link: https://www.moellerip.com/wave-of-personal-data-updates-in-latam/); ¨Significant Fines for Infringement of the Data Protection Law¨, By Maria Sol Porro, 6 MARCH, 2019 (Link: https://www.moellerip.com/significant-fines-for-infringement-of-the-data-protection-law/).
ii Law Nª 25326, 04/10/2000, article 1: The present law has the objective of the integral protection of the personal data settled in archives, registries, data banks, or other technical means of data processing, be they public, or private destined to give reports, to guarantee the right to the honor and privacy of the people, as well as access to the information registered about them, in accordance with the provisions of article 43, third paragraph of the National Constitution. The provisions of this law will also be applicable, insofar as it is pertinent, to the data relating to persons of ideal existence. In no case may the database or journalistic information sources be affected.