"Buenos Aires Creates Autonomous Personal Data Protection Authority". by David Haskel. (Reproduced with permission from Privacy & Security Law Report. Volume 7, Number 20, May 19, 2008. Copyright 2008 by The Bureau of National Affairs, Inc.).

BUENOS AIRES--The city of Buenos Aires, Argentina has recently created a data protection agency to oversee personal data maintained in local government databases.

Unlike Argentina's highly-criticized national data protection authority, the nascent Buenos Aires Center for the Protection of Personal Data is independent from the government. The federal National Directorate for the Protection of Personal Data reports to the Justice Ministry, but the Buenos Aries DPA, which opened in April, reports to and is funded by the Buenos Aires City's Ombudsman Office.

"That makes us totally autonomous," the city center's director, Eduardo Pedutto, told BNA May 2. "There is no organizational dependence that could put a limit to the oversight we can exert."

"This is not only the first local database protection authority in Argentina," said Gustavo Tanús, an attorney specializing in Internet and data protection legislation. "It also is fully autonomous, and covers the country's most important constituency, the federal capital." Tanús was one of the attorneys for plaintiffs in a lawsuit in which the court ruled that Citibank violated Argentina's privacy law by providing customer personal information to marketers (5 PVLR 810, 6/5/06).

Although it is not authorized to independently mete out fines or other penalties to enforce its rulings, the city DPA can ask the city's attorney general to seek specific sanctions and can file complaints in court on behalf of plaintiffs. "Going to court with the sponsorship of the Personal Data Protection Center carries more punch" than going alone, Pedutto said.

In addition, there is the weight of social sanction to be considered, said Pablo Palazzi, a Buenos Aires-based Internet and personal data protection attorney. "Public exposure by the center and by the Ombudsman Office can put a lot of pressure on officials and institutions," he said.

With most of the governmental and commercial action in Argentina taking place in Buenos Aires, a city of three million where a large amount of the country's economic and political power is concentrated, the local database authority is likely to be quite busy, those interviewed by BNA said.

Federal v. Local Authority

Under a national DPA rule implementing the federal privacy law, all databases in Argentina must register with the National Registry of Databases.

Databases either in electronic or hard copy format containing personal data of private citizens, corporate officials, or an organization's members that are meant to be shared with third parties must be registered, regardless of whether the information changes hands for a profit. Database owners were given until March 31, 2006, to register (5 PVLR 131, 1/30/06).

Failure to comply with the law can result in fines of up to 50,000 pesos ($15,723). However, due to constitutional separation of powers, the national DPA has no jurisdiction over local databases.

The city DPA can only deal with databases either run by the local government, or those where the local government has some sort of involvement. "Everything pertaining to the private sector falls within the national directorate's jurisdiction," Pedutto said.

But that still leaves some 5,000 databases that the city DPA can deal with, including those in hospitals, the offices of physicians hired by the city, educational institutions, the Office of Vital Records, and the Banco de la Ciudad de Buenos Aires, the city's official bank and Argentina's sixth largest in terms of deposits, he emphasized.

Pedutto added that the Buenos Aires DPA has a staff of five and an initial annual budget of 1.1 million pesos ($341,000). That may not seem like much, he said, but the center shares human, infrastructure, and operational resources with the city's Ombudsman office, and can tap those resources, including personnel, whenever needed. Access to those resources should suffice for the city DPA to operate successfully, the experts said, at least in the beginning.

National Office's Limited Resources

On the other hand, the National Directorate has come under fire both at home and abroad due to its lack of independence from the government.

Argentina adopted its Personal Data Protection Act in 2000. The Argentine law was modeled after the European Union's Directive on Data Protection (95/46/EC) in general and Spain's data protection law in particular (2 PVLR 428, 4/21/03). In July 2003, the European Commission held that Argentina's data protection law provided adequate privacy protection for transfers of personal data from the European Union (2 PVLR 737, 7/7/03).

Despite that adequacy affirmation from the EC, Argentina's ability to enforce the law's privacy protections has been questioned.

Local and foreign experts agree that the fact that the national DPA reports to the executive branch of government makes it unlikely to be effective in cases where citizens take issue with the handling of government-managed databases. Insufficient staff and budget also have raised experts' concerns.

Although figures are hard to come by, Luis Martinez, who heads the newly-created Center for Legislation, Investigation, and Promotion of Personal Data Protection within the national DPA, estimated there were about 20 people working in the national agency.

"Funding is limited," he conceded. "That's the way things are," he said. Martinez would not comment on concerns about a lack of independence, saying he was not in a position to do so.

The Center is in the process of scanning, cataloging, and archiving court cases dealing with data protection to facilitate people's access to the files and advance personal data protection rights.

"We have some 50 to 60 rulings that we are now scanning" in order to add to the database, Martinez said. While courts are mandated by law to send a copy of each personal data ruling to the center, "not all courts are complying with that requirement," he admitted.

Insufficient Data Protection Awareness

Still, protection of confidential personal information in a country like Argentina has more to do with creating awareness both among the public and officials handling information than with a system of sanctions, both Martinez and Pedutto stressed.

"We need to create a culture of private data protection," Martinez said. Pedutto agreed. For example, Perutto said, it was typical for schools to keep sensitive students information in unlocked file cabinets or simple shelves in corridors within easy access to any unauthorized individual without realizing that it was an incorrect practice.

Therefore, a lot of future work at national and city level will be organizing seminars and lectures and seeking other ways to boost data protection consciousness, the officials said.

The Buenos Aires Center for the Protection of Personal Data's Web site, in Spanish, is located at http://www.cpdp.gov.ar/. The National Directorate for the Protection of Personal Data's Web site, in Spanish, is located at http://www.jus.gov.ar/dnpdpnew/

By David Haskel