"Buenos Aires Creates Autonomous Personal Data Protection Authority". by David Haskel. (Reproduced with permission from Privacy & Security Law Report. Volume 7, Number 20, May 19, 2008. Copyright 2008 by The Bureau of National Affairs, Inc.).
AIRES--The city of Buenos Aires, Argentina has recently created a data
protection agency to oversee personal data maintained in local government
Argentina's highly-criticized national data protection authority, the nascent
Buenos Aires Center for the Protection of Personal Data is independent from the
government. The federal National Directorate for the Protection of Personal Data
reports to the Justice Ministry, but the Buenos Aries DPA, which opened in
April, reports to and is funded by the Buenos Aires City's Ombudsman Office.
makes us totally autonomous," the city center's director, Eduardo Pedutto,
told BNA May 2. "There is no organizational dependence that could put a
limit to the oversight we can exert."
is not only the first local database protection authority in Argentina,"
said Gustavo Tanús, an attorney specializing in Internet and data
protection legislation. "It also is fully autonomous, and covers the
country's most important constituency, the federal capital." Tanús
was one of the attorneys for plaintiffs in a lawsuit in which the court ruled
that Citibank violated Argentina's privacy law by providing customer personal
information to marketers (5 PVLR 810, 6/5/06).
it is not authorized to independently mete out fines or other penalties to
enforce its rulings, the city DPA can ask the city's attorney general to seek
specific sanctions and can file complaints in court on behalf of plaintiffs.
"Going to court with the sponsorship of the Personal Data Protection Center
carries more punch" than going alone, Pedutto said.
addition, there is the weight of social sanction to be considered, said Pablo
Palazzi, a Buenos Aires-based Internet and personal data protection attorney.
"Public exposure by the center and by the Ombudsman Office can put a lot of
pressure on officials and institutions," he said.
most of the governmental and commercial action in Argentina taking place in
Buenos Aires, a city of three million where a large amount of the country's
economic and political power is concentrated, the local database authority is
likely to be quite busy, those interviewed by BNA said.
v. Local Authority
a national DPA rule implementing the federal privacy law, all databases in
Argentina must register with the National Registry of Databases.
either in electronic or hard copy format containing personal data of private
citizens, corporate officials, or an organization's members that are meant to be
shared with third parties must be registered, regardless of whether the
information changes hands for a profit. Database owners were given until March
31, 2006, to register (5 PVLR 131, 1/30/06).
to comply with the law can result in fines of up to 50,000 pesos ($15,723).
However, due to constitutional separation of powers, the national DPA has no
jurisdiction over local databases.
city DPA can only deal with databases either run by the local government, or
those where the local government has some sort of involvement. "Everything
pertaining to the private sector falls within the national directorate's
jurisdiction," Pedutto said.
that still leaves some 5,000 databases that the city DPA can deal with,
including those in hospitals, the offices of physicians hired by the city,
educational institutions, the Office of Vital Records, and the Banco de la
Ciudad de Buenos Aires, the city's official bank and Argentina's sixth largest
in terms of deposits, he emphasized.
added that the Buenos Aires DPA has a staff of five and an initial annual budget
of 1.1 million pesos ($341,000). That may not seem like much, he said, but the
center shares human, infrastructure, and operational resources with the city's
Ombudsman office, and can tap those resources, including personnel, whenever
needed. Access to those resources should suffice for the city DPA to operate
successfully, the experts said, at least in the beginning.
Office's Limited Resources
the other hand, the National Directorate has come under fire both at home and
abroad due to its lack of independence from the government.
adopted its Personal Data Protection Act in 2000. The Argentine law was modeled
after the European Union's Directive on Data Protection (95/46/EC) in general
and Spain's data protection law in particular (2 PVLR 428, 4/21/03). In July
2003, the European Commission held that Argentina's data protection law provided
adequate privacy protection for transfers of personal data from the European
Union (2 PVLR 737, 7/7/03).
that adequacy affirmation from the EC, Argentina's ability to enforce the law's
privacy protections has been questioned.
and foreign experts agree that the fact that the national DPA reports to the
executive branch of government makes it unlikely to be effective in cases where
citizens take issue with the handling of government-managed databases.
Insufficient staff and budget also have raised experts' concerns.
figures are hard to come by, Luis Martinez, who heads the newly-created Center
for Legislation, Investigation, and Promotion of Personal Data Protection within
the national DPA, estimated there were about 20 people working in the national
is limited," he conceded. "That's the way things are," he said.
Martinez would not comment on concerns about a lack of independence, saying he
was not in a position to do so.
Center is in the process of scanning, cataloging, and archiving court cases
dealing with data protection to facilitate people's access to the files and
advance personal data protection rights.
have some 50 to 60 rulings that we are now scanning" in order to add to the
database, Martinez said. While courts are mandated by law to send a copy of each
personal data ruling to the center, "not all courts are complying with that
requirement," he admitted.
Data Protection Awareness
protection of confidential personal information in a country like Argentina has
more to do with creating awareness both among the public and officials handling
information than with a system of sanctions, both Martinez and Pedutto stressed.
"We need to create a culture of private data protection," Martinez said. Pedutto agreed. For example, Perutto said, it was typical for schools to keep sensitive students information in unlocked file cabinets or simple shelves in corridors within easy access to any unauthorized individual without realizing that it was an incorrect practice.
Therefore, a lot of future work at national and city level will be organizing seminars and lectures and seeking other ways to boost data protection consciousness, the officials said.
The Buenos Aires Center for the Protection of Personal Data's Web site, in Spanish, is located at http://www.cpdp.gov.ar/. The National Directorate for the Protection of Personal Data's Web site, in Spanish, is located at http://www.jus.gov.ar/dnpdpnew/
By David Haskel