The National Agency for the Protection of Personal Data has prepared a draft bill with the goal of replacing the current Act No. 25,326 on data protection. The Ministry of Justice published the draft bill to facilitate comments from the public. The draft bill has not been presented to the National Congress yet.

In summary, the highlights of the draft bill are as follows:

  • Standards on data protection will no longer be applicable to entities but exclusively to individuals.
  • Specific guidelines on the expression of consent are included, indicating that it may be express or implied and it is stated that, depending on the circumstances, consent may be obtained in written, verbal or electronic form. Specific provisions on personal data of minors are introduced.
  • The draft bill eliminates the obligation to register data bases with the national authorities and makes controllers accountable and proactively responsible.
  • Employers are allowed to keep information on criminal or infringement records of their employees.
  • Several adjustments are contemplated in respect of international transfers of personal data, including the fact that no specific consent is required from the data subject for transfers of personal data between affiliates, provided that the personal data is not applied for purposes incompatible with those that originated their collection.
  • "Cloud Services" are now expressly covered under the draft bill.
  • A "Data Protection Officer" is required to be appointed when: (i) the controller is a governmental body; (ii) sensitive data is processed as part of the principal activity of the controller; or (iii) large-scale data is being processed.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.