The Argentine Personal Data Protection Authority (the “Authority”) has the power, among other things, to conduct inspections/audits; investigate complaints and cases; apply administrative sanctions; act as a private plaintiff (“querellante”) in criminal proceedings initiated as a consequence of breaches to Argentine Personal Data Protection Law No. 25,326 and its related regulations (the “Law”); order the registration of databases, the suspension of processing and/or transfer of personal data, and other similar actions; these orders can be eventually appealed to local courts. In addition to the Law, the 1996 Confidentiality Law No. 24,766, punishes anyone that uses or reveals secret information that has a commercial value and has been reasonably protected. The Law provides that the owner of such confidential information may avoid that:
- Such information is disclosed to third parties without the owner’s previous consent; or
- Is used by third parties in violation of accepted commercial practices (such as the breach of contractual obligations, the abuse of confidence, etc.).
In order to ensure this, the confidential information (the “Information”):
- Shall be secret (the information is not generally available for the public or has limited access); I has a commercial value due to its secret status; and
- The owner has adopted reasonable measures to protect it.
The Law sets forth that any person who has access to the Information for the purpose of his/her work, job title, profession or business relation, and provided that he/she was made aware of the confidentiality of such Information, shall abstain from disclosing such Information without any justified cause or authorization. The Law states that its provisions are applicable to any Information contained in paper, electronic or magnetic form, optic discs, and microfilms and/or films. To protect such Information, the law provides certain legal remedies for its owner, for instance preliminary injunctions, civil actions to prohibit the use of such confidential information by a third party and/or compensation for damages.
Individuals may file complaints with the Authority, and can seek indemnification and judicial remedies for damages suffered as a consequence of breaches of the Law. Please note that the provisions of the Law are relevant, as they apply as public policy (“orden público”) and cannot be waived by data owners or processors of personal data.
The Law has amended the Argentine Criminal Code (the “Code”). In this regard, the Code considers it a criminal offense to knowingly process false personal data and to breach confidentiality or data security measures in order to access databases. In this sense, the Code provides for imprisonment penalties ranging between 3 to 6 years (or 4 1/2 years to 9 years in case of harm to any individual), and disqualification from holding any public office for civil servants. As regards privacy violations, the Code provides for:
- Imprisonment penalties ranging from 15 days to 6 months, which apply for opening electronic communications or letters; or intercepting electronic communications or telephone calls;
- For imprisonment penalties ranging from 1 month to 1 year, if the individual that breaches the law communicates the content to someone else and/or publishes the content of the letter, etc.;
- Imprisonment penalties ranging from 1 month to 2 years, for gaining access to a database by violating confidential and security systems; providing or revealing confidential information registered in a database; inputting or forcing another to input false data into a database; and
- Additional sanctions apply in all cases above mentioned if the individual that breaches the law is a public officer. Finally, fines are also contemplated in the Code under certain case
The Authority may impose the following administrative sanctions:
- Fines ranging between AR$1,000 and AR$100,000; and
- Closure or cancellation of the file, register or databases.
Due to the fluctuation of the exchange rate, we usually suggest that the amount of any fine in US$ be calculated once the same is imposed and is in effect (meaning that no decision of any appeal is still pending). Disposition No. 9/2015 issued by the Authority distinguishes three categories of infringement (“Low infringements”, “Critical Infringements”, “Very Critical Infringements”) to determine the graduation of the administrative sanctions to be applied to each particular case. In this regard, “Low infringements” are penalized with fines ranging between AR$1,000 and AR$25,000; “Critical Infringements” are penalized with fines that range between AR$25,001 and AR$80,000 and an suspension of the file for a period of up to 30 days; and “Very Critical Infringements” are penalized with fines ranging between AR$80,001 and AR$100,000 and an suspension of the file for a period of a minimum of 31 days to a maximum of 365 days and/or cancelation of the file. The category of each infringement would depend on the circumstances of each case.
Selected Enforcement Actions / General Comments
It is important to highlight that the Authority is actively conducting audits to confirm if processors of personal data comply with security obligations and registration of databases (for instance, human resources databases). While the Authority may impose the previously mentioned sanctions, at the moment these sanctions tend to be only warnings and are directed to rectify processors’ future practices. However, fines would probably be imposed by the Authority to processors who do not rectify their practices after being subject to an audit and/or requirement from the Authority. In any event, please note that the Authority keeps a registry of the sanctions imposed to data processors. As per the information provided by the Authority, most sanctions imposed since 2007 have been warnings. In relation to the fines imposed by the Authority, most of the fines have been categorized as “Low Infringements” (as per the categorization resulting from Disposition No. 9/2015 previously mentioned) with an average value of AR$3,000. Notwithstanding the foregoing, the Authority has applied fines categorized as “Critical Infringements” and “Very Critical Infringements” for an amount ranging from AR$40,000 to AR$60,000. Additionally, there are a limited number of published legal precedents in which local courts have ordered the indemnification of data owners in amounts ranging between AR$1,000 and AR$25,000, for damages suffered by data owners due to registration of inaccurate/false data in financial databases. Further examples of cases of enforcement action in Argentina include:
- In April 2007, fines were imposed on Banco Galicia, Bank of Boston and Banco Patagonia in “Sánchez Miguel Ángel c/Banco de Galicia y Buenos Aires y otros s/daños y perjuicios” – CNCIV – Sala B;
- On March 4, 2003, a fine was imposed on the Central Bank in “Gutiérrez, Norma Susana c/ BCRA y Otro ” – CNApel. CCFed; and
- On February 6, 2002 a fine was imposed in “Ravina, Arturo Octavio c/ Organización Veraz S.A.”, CNCiv., Sala F