At the Vía Libre Foundation, we have long emphasised the need to reform the Personal Data Protection Act No. 25,326, which was enacted in a context where the challenges facing data protection were very different from those of today; we therefore welcome initiatives to update the legislation.
However, the draft Personal Data Protection Act shared by the Ministry of Deregulation and State Transformation introduces specific setbacks that are particularly problematic in today’s technological landscape. We have therefore submitted a series of comments with a view to securing an update that protects citizens’ rights.
Download comments submitted in SpanishAny draft legislation must address, amongst other things, the following minimum requirements:
- Respect the universal principles of data protection: data minimisation, purpose limitation, transparency, proportionality and consent.
For example: Choosing whether you want to train the AI used by companies. Consent must be actively sought (‘opt-in’) and not assumed until you object (‘opt-out’) - Your data must always be protected, even data you did not provide yourself. What a system infers about you (through cross-referencing, patterns, profiling) must be afforded the same protection as data you provided directly
- The use of biometrics and facial recognition must be limited to exceptional security cases, not applied across the board or for mass surveillance.
- There must be provision for meaningful human review, not merely as a formality. It must be possible to evaluate and discuss how decisions were reached.
- All data must be treated equally. Providing less data must not result in you receiving a different service or being denied access to basic services.
- A supervisory authority must be established that genuinely exercises oversight: it must have technical expertise, sufficient resources and the power to enforce its decisions.
Updating the regulatory framework established by Law 25,326 is necessary and desirable, but a reform that broadens the exceptions to consent and reduces external oversight of those who process data (in particular the State itself) represents a step backwards in terms of the human rights standards that the law itself claims to uphold. We urge that, at the very least, these issues be rectified before the bill is submitted to the Legislature.
