After being approved by the Argentine Chamber of Deputies, the modernized Convention 108 or also identified as Convention 108+ (updated version of Convention 108 for the Protection of Individuals with respect to Automatic Processing of Personal Data), the Executive issued last November 30, Decree No. 792/2022, by which the approving Law No. 27,699 was enacted.
In this post we analyze how these regulatory advances which strengthen privacy standards, on the one hand, favor and enhance the digital economy of our country facilitating its global integration, and on the other hand, help Argentina to maintain the status of adequate country before a possible review process by the European Council.
The following is a brief review of the background of the modernized Convention 108, as well as the implications of its approval at the national level.
The Convention for the Protection of Individuals regarding Automatic Processing of Personal Data No. 108 (hereinafter “Convention 108”) was signed in 1981 in the city of Strasbourg (France), to protect the privacy of individuals against possible abuses in the processing of their data, being the only binding multilateral instrument on the protection of personal data.
The adhesion to this Convention was open to any non-member State of the Council of Europe, which is why it became an international standard synonymous with legal security in privacy matters for any State that decides to sign it.
This Convention entered into force in Argentina on June 1, 2019 and was opportunely approved by National Law No. 27,483.
Convention 108 modernized
The thirty-five years after Convention 108 was opened for subscription, it became necessary to modernize it to face the advance of new technologies and globalization of processing operations, which brought with them additional risks to the privacy and fundamental rights and freedoms of individuals.
This Convention strengthens the evaluation mechanisms and the original principles, imposing broader obligations on those who process personal data.
Among the new features included in this Convention, the following stand out:
- New data processing principles as key elements of the protection mechanism, such as:
- the principle of transparency: data must be processed in a fair and transparent manner, collected for specific, legitimate purposes, and not processed in a way that is incompatible with these purposes. To this end, further details to be informed by data controllers (e.g., companies) to data subjects (e.g., users) are determined;
- the principle of proportionality: processing must be proportionate to the legitimate aim pursued and reflect at all stages a fair balance between all the interests involved;
- the principle of demonstrated responsibility or accountability: those who process personal data must be able to demonstrate that the data processing under their control complies with the applicable regulations};
- the principle of data minimization: the data processed must be adequate, not excessive in relation to the purpose of processing and must not be kept longer than necessary.
Privacy by design: those who process personal data, whether as controllers or processors, must first analyze the probable impact that the processing may have on the fundamental rights and freedoms of the data subjects.
Extension of the definition of sensitive data to include genetic and biometric data.
Obligation for organizations that process personal data to report security incidents.
Recognition of new rights for data subjects:
- The right not to be subject to a decision based solely on automated processing,
- request to know the logic behind a processing operation when the results are applicable to him/her, and,
- the right to object to such processing
Greater involvement of the principle of proactive accountability, which implies a greater obligation on organizations that process personal data not only to comply with data protection rules, but to be able to demonstrate compliance with them.
Updating the regulations on transborder data flow: For example, it is specifically clarified that when the recipient is subject to the jurisdiction of a State or international organization that is not a Party to the Convention, the transfer could be carried out by ensuring an appropriate level of protection through international agreements, guarantees approved in legally binding instruments or if the data subject gives his or her explicit consent. The supervisory authority may also request the controller to demonstrate the effectiveness of the safeguards, and may prohibit such transfers, suspend them or make them subject to conditions.
New attributions and powers of the supervisory authorities and extension of the legal bases for international cooperation.
Implications of the approval of this Convention
The approval of the modernized Convention 108 implies historic regulatory advances for Argentina, both from a local and international perspective.
In principle, at the local level, it implies the adoption of updated and binding international standards on privacy issues, in line with the principles set forth in the European General Data Protection Regulation (better known as “GDPR”).
It should be noted that Argentina, through the approval of this Convention, must incorporate the provisions of this international treaty, in order to ensure its practical application.
In this context, the Agency for Access to Public Information (the “Agency”) prepared a Draft Bill Proposal that updates the current regulations in force regarding Personal Data Protection (Law No. 25,326), which is inspired by the guidelines of Convention 108+ and the General Personal Data Protection Regulation (GDPR).
In particular, within the framework of a public consultation process for the updating of National Law No. 25,326, enacted in 2000, the Agency, after having completed the process of receiving and reviewing comments, published the final version of the Preliminary Draft, which will be submitted to Congress in the near future.
In line with Convention 108+, the Preliminary Draft emphasizes all the points mentioned above, which are part of the modernized Convention, such as the new principles for processing, including proactive or proven liability, privacy by design, new rights for data subjects, regulation of security incidents and extension of sensitive data to include genetic and biometric data, among other issues.
On the other hand, from the international aspect, it is relevant to point out that, among some of the advantages brought by this Convention, is that of encouraging and enhancing the digital economy in a world without borders, positioning Argentina in its global integration as a State that has a robust framework that respects the highest standards of privacy.
Finally, the approval of the modernized Convention 108 is an auspicious step for Argentina to maintain its status as an adequate country in the event of an eventual review process by the European Council. It should be highlighted that on June 30, 2003, Argentina was considered as a country with adequate legislation by the European Commission by means of Commission Decision C (2003) 1731.
It is important to bear in mind that beyond the acts of internal approval, the entry into force of Convention 108+ depends on the one hand, on an act of ratification to be carried out by Argentina at the international level and, on the other hand, on the conditions of entry into force established by the Convention itself.