"Argentina to Conduct Nationwide Census of Databases Containing Personal Data", by David Haskel. (Reproduced with permission from Privacy & Security Law Report. Copyright 2004 by The Bureau of National Affairs, Inc. -800-372-1033-).

BUENOS AIRES--All holders of private databases containing personal information on private citizens, corporate officials, or an organization's members that for any reason is shared with third parties must fill out an online form by April 30 providing details for Argentina's first National Census of Private Databases.

Ruling 1/2004 of the National Directorate for the Protection of Personal Data, announced Feb. 26, sets no minimum of entries for a database to qualify for the census. The online form cites two previous rules to help define what the law considers a database:

* "File, registry, database, or databank all mean an organized collection of personal data subject to treatment or processing, electronic or otherwise, regardless of its configuration or its type of storage, organization, or access" (Art. 2 of Law 25326:); and

* "For the purpose of this ruling, the concept of private files, registries, databases, or databanks used to provide information includes those that exceed the use for exclusively personal purposes and those whose end is to cede or transfer personal data, regardless of whether the circulation of the report or information is on a for-profit or for-free basis"(Art. 1 of Decree 1558/01).

Under the new ruling, all individuals and legal entities must register such databases and provide detailed information on the kind of data they contain, what their purpose is, their means and place of storage, how the information was obtained, and security measures, among other things.

Observers said the census can help protect citizens' privacy and lead more players to comply with a November 2000 ruling requiring that every database of the kind described in the form be registered with the authorities.

"The census is an excellent opportunity to lead those who store and handle people's personal data ignoring legal requirements to start respecting citizens rights, if only out of fear of sanctions," Gustavo Tanus, a lawyer specializing on the Internet and data protection, told BNA March 8.

Opt-In Data Sharing Rule

Meanwhile, Ruling 2/2003, issued in November 2003 and set to take effect in August 2004, bans the transfer of database contents to a third party without written consent from the individuals involved. The request must indicate specifically the reasons why the handover of data is necessary.

Data transfer between two companies belonging to the same group or between two units of the same firm if one of them is in a foreign country also requires the two parties involved to sign a contract whereby the receiving entity pledges to respect the confidentiality of the database contents and send it to Argentine authorities for validation.

Companies based in the European Union, where strict privacy regulations are in force, are exempt from the contract requirement, Tanus said.

However, in some cases, particularly when ceding the information to a third party is critical to providing proper services to customers, a contract may suffice. For example, an Internet service provider operating in Argentina is not required to obtain written consent from every client to outsource data-hosting to a U.S.-based firm, Tanus said.

But the local branch of an American company willing to share its customers' database with headquarters may need its clients' written authorization, he added. This is because the law has a clause requiring that any foreign firm handling Argentine nationals' information agrees to adhere to strict personal-data protection standards similar to those set down by Argentine legislation, Tanus said.

The text of Ruling 1/2004 and a scanned version of the census form are available (in Spanish) at  http://infoleg.mecon.gov.ar/txtnorma/93025.htm.

Tanus' Web site has links to all major information technology, Internet, and electronic commerce rules and projects in Argentina (in Spanish) http://www.ciberderecho.com.ar.

By David Haskel.