A bill to establish and regulate Argentina's data sovereignty was filed with Congress.
On March 9, 2017, a draft bill to regulate data sovereignty in Argentina reached the House of Representatives ("Bill"). The Bill was filed by representatives Sandra Mendoza, Adrián Grana, Carlos Castagneto, Eduardo Seminara, Juan Manuel Huss and Rodrigo Martín Rodríguez.
The Bill emphasizes the need for new regulation, in response to the growing amount of data generated by the Argentine public sector and its increasing importance. It further refers to the growing number of data centers located abroad, outside Argentina's jurisdiction.
In this context, the Bill stresses the need for certain data to be stored exclusively within the Argentine territory, in order to maintain sovereignty over the data and to ensure its security and accessibility, as well as compliance with Argentine regulations. To this effect, the Bill refers as an example to data centers located in the United States of America which are held to the USA Patriot Act, further stating that such access would not be in compliance with the rights guaranteed by the Argentine Data Protection Law No. 25,326.
Furthermore, the document clarifies that establishing data sovereignty is necessary to protect certain data from being accessed not only by foreign countries, but also by companies seeking to exploit them commercially.
The Bill employs certain terms used by the Budapest Convention on Cybercrime ("Budapest Convention"). It establishes the same definition of "computer data", which is understood as any representation of facts, information or concepts in a form suitable for processing in a computer system, including a program suitable to cause a computer system to perform a function. The Bill further builds on this concept to define "state-owned computer data" ("SCD") as any computer data belonging to, generated by or kept by any entity belonging to the national public sector, insofar as ownership of said data has not been transferred, or the data not been made public.
In addition, the Bill adopts a partial version of the definition of "service provider" contained in the Budapest Convention, stating that a service provider is any public or private entity that provides to users of its service the ability to communicate by means of a computer system.
The main purpose of the Bill is to protect digital information produced, generated or kept by the Federal State, to defend Argentina's data sovereignty. To this effect, it establishes the following:
- The provisions of the Bill apply to the whole Argentine public sector, as defined by Section 8 of Law No. 24,156. This law states that the Argentine public sector consists of: i) the Federal Administration (including both centralized and decentralized agencies); ii) state-controlled corporations and companies (which includes any business organization where the Federal Government owns a majority shareholding or holds the majority decision-making power); iii) public entities expressly excluded from the Federal Administration (which extends to any governmental non-business organizations with financial autonomy, its own legal standing and its own assets, where the Federal Government owns a majority shareholding or holds the majority decision-making power, including any public non-governmental entities where the Federal Government has decision-making power); and iv) trust funds which are completely or mostly integrated with goods or funds belonging to the Federal State.
- SCD are part of the public domain and are the property of the Federal State. Therefore, their ownership cannot be transferred, they cannot be seized and they are not subject to a statute of limitations (it is worth noting that the provision stating that SCD cannot be transferred would seem to contradict the definition of SCD the draft itself provides, which excludes data whose ownership has been transferred).
- SCD may only be stored in Argentina, and will be subject exclusively to its law and jurisdiction.
- Any service provider hired by the Federal State must guarantee access to SCD at all times, regardless of any claims related to lack of payment or breach of contract. It must also ensure the confidentiality of the data.
- The Federal State cannot contract the services of any private service provider which has agreements in place which would allow other countries, intelligence agencies, or any companies or organizations access to SCD. If such access is granted, any existing agreement with the Federal State will be null.
- Granting access to, transferring, revealing or profiting from SCD will be considered a criminal offense.
- Unless they are authorized by the Federal State, entities or individuals who wish to access SCD may only do so based on a decision from a competent authority.
- SCD must be stored in compliance with the Argentine Data Protection Law.
- The provisions of the Bill must be completely implemented within 2 years of the law coming into effect.
It is also worth noting that the Bill may have implications in connection with the right to access public information, since Decree No. 1172/2003 establishes as a general principle unrestricted access to public information unless one of the exceptions provided in Section 16 of Decree No. 1172/2003 takes place. It seems that there could be some conflict between data sovereignty and access to public data, which could lead to discussions on how these rights may be reconciled.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.