Cyber security and data privacy in Argentina
November 2017 | EXPERT BRIEFING | DATA PRIVACY
This article will analyse and summarise Argentine regulations regarding cyber security and data privacy and explore internet issues in the context of employment relationships.
The most comprehensive statutory regulation regarding the protection of personal data in Argentina is the Personal Data Protection Law (Data Protection Law), which is regulated by Decree No. 1558/2001 and enforced by the Data Protection Authority (DPA).
The general principle under the Data Protection Law is that any treatment of personal data must be specifically consented to by the data subject. Such consent must be given freely, based upon the information previously provided to the data subject (informed) and expressed in writing or by equivalent means, depending on each case. The data subject may revoke consent at any time, although this will not have a retroactive effect.
The Data Protection Law defines personal data as any kind of information referring to individuals or legal entities, whether identified or identifiable. In particular, it contains the requirements for valid data treatment and regulates express consent, sensitive data, security and confidentiality of data, assignment of personal data, international data transfers and data processing, among other matters.
Regarding sensitive data, understood as any personal data revealing racial or ethnic origin, political affiliation, religious, moral or philosophical convictions, union activity, or information related to health or sexual orientation, it provides a more restrictive set of regulations, providing that no person may be obliged to supply such information, and that sensitive data may only be collected if authorised by law, and for a public interest purpose.
As to international transfer of personal data, it is forbidden in the case of countries or international organisations that do not provide an appropriate level of protection according to the DPA’s criteria, unless: (i) the data subject has expressly granted its consent; (ii) an international transfer agreement providing the same level of protection is in place; or (iii) assignee and assignor are bound to self-regulation. Further, Regulation No. 60-E/2016 also provides a list of adequate countries as follows: member states of the European Union and the European Economic Area, Switzerland, Guernsey and Jersey, the Isle of Man, the Faeroe Islands, Canada (only applicable to their private sector), New Zealand, Andorra and Uruguay. In some non-binding administrative decisions, the DPA found the US did not meet an adequate level of protection and approved two sets of standard model clauses addressing the two most common types of transfer of data: the assignment of data to a third party and the transfer of data for the rendering of data processing services.
Regardless of other sanctions or indemnification for damages derived from other applicable laws, the Data Protection Law provides for fines ranging between AR$1000 and AR$100,000 (approximately $64 to $6450), suspension or closure of databases and criminal sanctions.
Data subjects have the right to access any database containing personal data, request information in connection with the data and demand the correction, deletion and updating or confidential treatment of personal data. Non-compliance with such obligations within a period of 10 days entitles the data subject to judicial claims and to give notice of such failure to the DPA.
Recently, the DPA published a Draft Data Protection Bill which, if passed by the Argentine Congress, would replace the Data Protection Law in its entirety. Its main purpose is to update the national regulation based on the technological advances and on the experience gathered by the DPA, adapting it to the new international context, particularly to the approval of Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR).
The bill expands the scope of the law to the integral protection of personal data, reviewing the definitions included in the Data Protection Law and incorporating new ones. The legal ground for the treatment of personal data considered by the bill is still the data subject’s express consent (although under specific circumstances, consent may be implicit). Furthermore, it excludes the registration requirement for databases containing personal data and includes accountability obligations.
Moreover, the bill includes changes regarding requirements for the treatment of sensitive data, assignment of data, data processing and international data transfers. It also specifically regulates the right to be forgotten and the conditions under which minors may consent to data treatment. Additionally, the bill orders the need to conduct impact analysis in cases in which the data processor intends to treat personal data in such a way that – based on its nature, scope, context or purpose – it entails a high risk of affecting the fundamental rights of the data subject.
It also includes the obligation to appoint a data protection officer in the case of public agencies, treatment of sensitive data or Big Data. A major development is the obligation to notify data breaches under certain circumstances, to both the DPA and the data subject.
Cyber crime has not been specifically regulated through legislation in Argentina. For some time, the lack of a regulatory scheme favoured cyber criminals as they could not be prosecuted because a crime does not exist, and thus cannot be punished, unless the activity is expressly and specifically codified. This changed in 2008 when the Criminal Code was amended by the adoption of the Cybercrime Law.
By creating new offences and also modifying certain aspects of the procedures already employed in the country, with the objective to adapt to new forms of technology and the challenges they posed, the Cybercrime Law was passed without any crucial changes to the original proposal. This law, drafted following similar guidelines established by the Budapest Convention on Cybercrime, aligned itself to definitions already established by the international community, assisting the adoption of the law.
The Cybercrime Law was a strong advancement toward protecting cyber security, but it does not cover all of the illicit acts that may be committed. The result is that some crimes go unpunished, leaving victims of cyber security crimes without protection. Another limitation to the law is that it does not establish legislative measures that would permit setting specific criminal procedures for the acquisition of electronic proof of any type of crimes committed through a computer system, leading to problems with enforcement.
The application and enforcement of the Cybercrime Law continues to face difficulties mainly due to the lack of special organisations within the justice system to regulate cyber security breaches. A major step to solve this problem was implemented with the incorporation of Resolution Number 69/2016 which created the National Program against cyber crimes, the main objectives of which are to promote the necessary actions needed to improve the system’s ability to counteract cyber criminals and illegal acts committed using computer software tools and to more efficient criminal investigations using modern means to acquire evidence based on computer systems and telecommunications, guaranteeing that such procedures also respect the fundamental rights of citizens.
Recently, the Argentine government filed with Congress a bill which approves the Budapest Convention on Cybercrime (Budapest Convention). If the bill passes, the new features will be related to procedural law and international cooperation, modernising the ways digital evidence is secured, which would apply to the investigation of any crime, not just cyber crime. However, the draft includes some reserves on the provisions of the Budapest Convention. The approval would make Argentina part of an international cooperative framework on the matter.
Social networks in the workplace
The use of social network platforms in the workplace is not regulated under a specific law in Argentina, and the parameters and rules for their use are usually granted by employers and particular case law. Nevertheless, this has become a matter of increasing concern for employers.
Employer control should be executed within certain parameters, taking into account the employee’s privacy rights. For instance, an employer could be allowed to monitor how much time an employee uses the internet at work or what sites he or she visits. On the other hand, if the employer has access to an employee’s social network account, it could be an infringement of the employee’s privacy rights and the employee could file a complaint against the employer.
The Labor Contract Law governs the majority of labour relationships in Argentina. However, it does not contain a specific rule about this matter. Common practice recommends signing a document in which the employee acknowledges the power of the employer to control the use of social networks by employees at work. This practice would, in principle, minimise the risk of future claims by an employee concerning invasion of privacy.
Use of email
There is no specific regulation in Argentina regarding electronic communications in the workplace or legal prohibitions which prevent employers from establishing a corporate policy to be observed by employees.
The Labor Contract Law grants an employer the authority to direct and organise the company business and establishes that an employee should observe the employer’s instructions regarding work to be carried out. A corporate policy on electronic communications in the workplace could be considered among those instructions. In turn, employee compliance with the policy could be regarded as part of the duty of due diligence and cooperation.
Employees should be warned that misuse of communication tools could lead to disciplinary measures or dismissal with cause in the event of continued misuse. The Labor Contract Law enables an employer to apply disciplinary measures, provided they are proportionate to the breach. Furthermore, the Labor Contract Law establishes that employees may be liable for damages caused to their employer’s interests through malice or willful misconduct.
Notwithstanding the above, it must be taken into account that the National Constitution (Section 18) grants special protection to correspondence and private papers, considering them inviolable. In that sense, in the Lanata’s case, the Criminal and Correctional Court of Appeals held that: “In relation to the legal protection awarded to correspondence and to private papers, email should be put on a level equal to traditional mail. ‘Email’ possesses even more marked privacy protection characteristics than traditional mail, since for its functioning it is required a server, a user name and an access code, which forbid third parties interference in the data that could be filed in, or issued through, it...”
Therefore, it would be reasonable to assume that constitutional protection should cover employees’ personal email accounts. However, it should be determined whether this constitutional right may also be applied to email accounts provided by employers to employees as part of the labour relationship between them.
Argentina has in place a robust data protection regulation which is in the process of being updated based on technological advances and on the experience gathered by the DPA, adapting it to the new international context, particularly to EU regulations. At the same time, legislative efforts to regulate cyber crime have been made, with reasonable success, such as the filing with Congress of a bill which approves the Budapest Convention on Cybercrime.
From a labour standpoint, due to the lack of specific regulation about the use of emails in the workplace, as stated in a recent ruling by the Grand Chamber of the European Court of Human Rights (Bărbulescu v. Romania), it will be very important to balance and harmonise the employee’s right to privacy and correspondence and the interests of the employer to control their performance of labour.
Enrique M. Stile is a partner and Diego Fernandez and Maria Eugenia Cantenys are associates at Marval, O’Farrell & Mairal. Mr Stile can be contacted on +54 (11) 4310 0100 ext. 1606 or by email: email@example.com.Mr Fernandez can be contacted on +54 (11) 4310 0100 ext. 1303 or by email: firstname.lastname@example.org. Ms Cantenys can be contacted on +54 (11) 4310 0100 ext. 1607 or by email: email@example.com.
© Financier Worldwide
Enrique M. Stile, Diego Fernandez and Maria Eugenia Cantenys
Marval, O’Farrell & Mairal