The following article has been published by the IAPP Latin America Digest. Original version in Spanish here.
By Gabriela Szlak, Luciano N. Gutman and Delfina Bianchi
In recent months, several bills have been introduced in the National Congress of Argentina aimed at updating the personal data protection framework and establishing a general regulation on artificial intelligence (AI). These initiatives reflect a growing interest in aligning technological development with the effective protection of fundamental rights.
Update of the personal data protection law.
Two bills recently introduced in Congress —one promoted by Deputy Pablo Carro and the other by Senator Martín Doñate— propose a comprehensive reform of Law No. 25.326, which this year celebrates its 25th anniversary since its enactment. Both texts are based on the draft prepared by the Access to Public Information Agency (AAIP), which lost parliamentary status at the end of 2024, and aim to align Argentina’s data protection framework with international standards, such as the European Union’s General Data Protection Regulation (GDPR) and Brazil’s General Data Protection Law.
Among the main updates compared to the current law, the bills incorporate new principles, including proactive and demonstrable accountability, privacy by default and by design, and additional data subject rights, such as data portability and the right to object to automated decisions that produce legal effects or significantly affect the individual. They also introduce modern legal institutions in the field of data protection, such as the role of the Data Protection Officer and the obligation to notify security breaches, while eliminating the current requirement to register databases with the supervisory authority.
A significant difference between Senator Doñate’s bill and those presented by Deputy Carro and the AAIP is the requirement that the appointment of the head of the data protection authority be subject to Senate approval. This clause could help strengthen the independence and autonomy of the authority, in line with international standards.
Although the updating of the Personal Data Protection Law is necessary, the analysis of the regulatory impact for the private sector of certain points of the drafts cannot be left aside. For example, the non-extendable term of ten working days to satisfy the rights exercised by the holders may be difficult to comply with. Maintaining it would condemn a large part of the requests to not being answered in time. Establishing more reasonable deadlines, in line with the GDPR, would bring greater legal certainty for data controllers, but also for data subjects, who would be more likely to receive a response to their requests without the need to resort to judicial or administrative proceedings.
Likewise, it would be advisable for the legislative proposals to introduce a differentiated compliance regime for micro, small, and medium-sized enterprises (MSMEs). Such a regime should preserve the core principles of personal data protection for the benefit of data subjects, without unnecessarily increasing the administrative burden of implementation. Given the limited resources of MSMEs, it is essential that the reform bills avoid imposing disproportionate obligations that may compromise their competitiveness or hinder innovation. MSMEs are a cornerstone of Argentina’s economy, and tailoring the law to their reality would strengthen the business ecosystem while ensuring more effective enforcement of data subject rights. This is not merely a local concern —the European Commission has also recently raised similar issues regarding the burden of the GDPR on small and medium-sized enterprises (SMEs).
In this regard, the European Union is working on a reform of the GDPR for SMEs, aimed at reducing their administrative burden while preserving the core principles of data protection.
Another potential improvement from the perspective of the private sector concerns the short adaptation period established in the proposed bills. While both the GDPR and Brazil’s Data Protection Law provided a two-year transition period for companies to comply with the new legal requirements, the drafts under discussion grant only six months.
Regulation of facial recognition for public security purposes.
In parallel, Deputy Martín Yeza introduced a bill that establishes a regulatory framework for the use of facial recognition technologies for purposes of public safety, crime prevention, and judicial investigation.
The bill seeks to reconcile the deployment of these technologies with the protection of fundamental rights, particularly the right to personal data protection. It establishes that facial recognition systems intended for public security must undergo, prior to their implementation, an impact assessment and an authorization process by the AAIP. Furthermore, it explicitly prohibits certain uses, such as mass surveillance or the routine monitoring of individuals not suspected of having committed a crime, in line with the standards set forth in the European Artificial Intelligence Act. The bill also mandates human oversight of the automatic identifications performed by these systems.
Although certain provisions of the proposal may be viewed as conflicting with the principle of technological neutrality —for instance, by requiring the use of distributed ledger technologies to ensure privacy— the incorporation of concepts related to Privacy-Enhancing Technologies (PETs) is positively valued as a mechanism to safeguard the personal data processed by such tools.
When presenting the bill, Deputy Yeza underscored the need for an appropriate legal framework to regulate these systems, citing as precedent the case of the Facial Recognition System for Fugitives implemented in the City of Buenos Aires, which was suspended by the local judiciary in 2022 following complaints by civil society organizations.
Towards a comprehensive regulation of Artificial Intelligence.
Proposals for a general regulatory framework on artificial intelligence have also been introduced in Congress. The bills submitted by Senator Silvia Sapag and Deputy Daniel Gollan identify key guiding principles such as transparency, explainability, safety, and the protection of personal data. Both texts classify AI systems into risk-based categories: prohibited systems, high-risk systems, and other categories subject to progressively lighter regulatory burdens.
Among the use cases prohibited in both proposals are behavioral manipulation that may induce individuals to endanger their health or safety, and the implementation of social scoring systems that result in detrimental treatment or denial of rights to data subjects. In Deputy Gollan’s proposal, the latter prohibition is limited to government use.
Gollan’s bill further distinguishes itself by empowering the supervisory authority to promote the development of regulatory sandboxes for AI systems. These are controlled test environments intended to precede market deployment. Participation in such sandboxes would be time-limited and subject to ongoing oversight by the competent authority.
Final reflections.
These legislative proposals are part of a growing trend, both in Argentina and across the region, aimed at regulating emerging technologies —particularly artificial intelligence— and their intersection with fundamental rights, such as the protection of personal data. This context opens the door to highly relevant debates: Is it more appropriate to adopt specific regulations for particular use cases, as proposed in Deputy Yeza’s bill on facial recognition for public security? Or should efforts focus instead on enacting a general, cross-cutting regulatory framework for personal data protection or artificial intelligence?
Another important point of discussion raised by the reviewed bills is whether the European Artificial Intelligence Act remains a suitable model to follow today. Various European stakeholders have highlighted the need to revise this regulation, as it was drafted prior to the widespread adoption of generative AI and thus does not adequately address the specific risks posed by this technology.
These and many other questions underscore the urgent need to build broad-based consensus. Not only at the political level, but also among key stakeholders in the technological ecosystem: regulatory bodies, businesses, industry associations, academia, users, and civil society organizations. Only through such agreements will it be possible to move toward a regulatory framework capable of effectively balancing individual rights and freedoms with security, economic development, and technological innovation.
**********************************************************************************************************************************************
1- Bill available at: https://www4.hcdn.gob.ar/dependencias/dsecretaria/Periodo2025/PDF2025/TP2025/1948-D-2025.pdf
2- Bill available at: https://www.senado.gob.ar/parlamentario/comisiones/verExp/644.25/S/PL
3- News available in Spanish at: https://commission.europa.eu/news/simplification-measures-save-eu-businesses-eu400-million-annually-2025-05-21_en
4- Bill available at: https://leyesabiertas.hcdn.gob.ar/propuesta?id=682b7f54d356130011a74c59
5-Bill available at: https://www.senado.gob.ar/parlamentario/comisiones/verExp/511.25/S/PL
6-Bill available at: https://www4.hcdn.gob.ar/dependencias/dsecretaria/Periodo2025/PDF2025/TP2025/2130-D-2025.pdf
