JULY 17, 2020

Data Privacy and Data Protection Department Bulletin | January–June 2020.

BULLETINS

Data Privacy and Data Protection Department Bulletin | January–June 2020

Dear sir or Madam,

In this bulletin, you will find a selection of the main official news, communications, sanctions, legislation, and court precedents related to Privacy and Personal Data Protection that have taken place during the first half of the current year.

Official News / Communications

Argentina and Uruguay launch the “Data Protection Impact Assessment” guide

As a result of a combined effort, the Argentinean Agency for Access to Public Information and the Uruguayan Regulatory and Personal Data Control Unit published the guide “Data Protection Impact Assessment”, a document that advises companies and public organizations to ensure that, from an early stage, practices, and projects that may affect the rights of individuals are evaluated and incorporated in accordance with certain security and integrity criteria.
Although the performance of an impact assessment is not expressly provided as an obligation under the Data Protection Law No. 25,326, the guide is intended as a mandatory reference for all entities in the region that process personal data.
The document was published by the Agency for Access to Public Information on its website on January 28, 2020.
Click here to read the whole story at the Argentine State official website

Treatment of Personal Data due to Coronavirus

The Agency for Access to Public Information reported that the processing of health information is an activity that must be carried out with special diligence, respecting the privacy of individuals, in accordance with the Data Protection Law No. 25,326.
In this regard, the Agency emphasizes some of the fundamental principles of current regulation, stressing, among others, that the disclosure of the name of a patient suffering from coronavirus requires his/her consent, and that the National Ministry of Health and the provincial ministries are empowered to require, collect, transfer to each other, or otherwise process health information without the patient´s consent, in accordance with the explicit and implicit powers granted to them by law.
The document was published by the Agency for Access to Public Information on its website on 11 March 2020.
Click here to read the whole story at the Argentine State official website

Overall recommendations on the processing of personal data

The Executive Committee of the Global Privacy Assembly (GPA) issued a document on worldwide regulations on data protection to contribute to the challenge of addressing the spread of the COVID-19 Coronavirus and the exchange of health data.
The document was published by the Agency for Access to Public Information on its website on 18 March 2020.
Click here to read the whole story at the Argentine State official website

How personal data should be processed for the use of geolocation tools, especially in the event of a health emergency caused by the coronavirus COVID-19

The Agency for Access to Public Information reported that the Data Protection Law No. 25,326 and the Convention 108 for the Protection of Individuals regarding Automatic Processing of Personal Data, approved in our country by Law No. 27,483, do not prohibit the monitoring of the location of individuals, but the data processing measures so implemented must be carried out respecting the human right to privacy of individuals.
In this connection, the Agency identifies the fundamental principles of the current regulations on data protection that apply to the use of geolocation and tracking tools, whether such tools are used by the public sector, the private sector or by both in collaboration.
The document was published by the Agency for Access to Public Information on its website on 28 April 2020.
Click here to read the whole story at the Argentine State official website

Sanctions

Sanction to the Argentine Federal Police for data breach

On February 5, 2020, through Resolution No. 30/2020, the Agency for Access to Public Information fined the Argentine Federal Police for failing to comply with the Data Protection Law No. 25,326. The sanction was for not complying with the security protocols, the obligation of confidentiality, and for not having responded to a warning of the National Directorate for Personal Data Protection.
The information was leaked from a web portal of the police force that was hacked. In addition, in several Federal Police units, its personnel did not use official accounts to send confidential information.
Click here to read the whole story at the Argentine State official website

Sanction against Google for denying the right to access

On April 13, 2020, through Resolution No. 69/2020, the companies Google Argentina SRL and Google LLC were sanctioned by the Agency for Access to Public Information for failing to comply with Data Protection Law No. 25,326, after not allowing a user to access her own personal data.
The Agency’s National Directorate of Personal Data Protection filed an investigation based on a request regarding the right to access of an individual who requested access to the information in her Gmail account and related applications. She claimed that an unauthorized third party changed her passwords and that the company denied her request for the right to access.
The sanction confirmed the competence of the Agency and of the federal courts throughout the country over those responsible for interconnected databases with an inter-jurisdictional, national or international scope insofar as data of Argentinean owners are processed or that, in any other way, the processing of data is connected with, or produces effects in, the territory of the Argentine Republic. It also ruled that Google Argentina is jointly responsible for the administration of the Gmail service provided by Google LLC in Argentina due to the economic interdependence between both companies, and indicated that Google Argentina operates as a commercial agent of its parent company and represents Google LLC in the Republic of Argentina for the purposes of its notification and location in the proceedings.
Click here to read the whole story at the Argentine State official website

Legislation

Transfer, assignment and exchange of personal data by public sector entities in connection with COVID-19: Administrative Decision No. 431/2020 of the Cabinet of Ministers

The Administrative Decision No. 431/2020 of the Cabinet of Ministers regarding the transfer, assignment and exchange of personal data by public sector entities in connection with the coronavirus pandemic (COVID-19) establishes that, due to the pandemic, it is imperative that entities and jurisdictions at all levels of government must work together to coordinate efforts to protect the welfare of the population and the collective right to public health.
Furthermore, it provides that public officials involved in the processing of data and information must at all times take into account the provisions on the protection of personal data as provided by Data Protection Law No. 25,326 and as provided by the protection of tax secrecy in Law No. 11,683 as amended, and may not be disclosed, transmitted, assigned or divulged outside the entities referred to in the preceding paragraphs.

Implementation of the COVID-19 application: Administrative Decision No. 432/2020 of the Cabinet of Ministers

The Administrative Decision No. 432/2020 of the Cabinet of Ministers regarding the implementation of the COVID 19 application, which was developed by the Ministry of Health in order to apply it to all persons who entered the country in the last 14 days and to those who will do so in the future.

Regulation of the Administrative Decision No. 432/2020 regarding the use of the COVID-19 application: Provision No. 1771/2020 of the National Directorate of Migration

The Provision states that any person who has entered the country from the date of the issuance of the Provision must, for a minimum period of 14 days from his/her entry, join and use the application entitled “COVID-19-Ministry of Health” in its version for mobile devices. It can be downloaded free of charge from the official Android and iOS application stores, or in its web version (the “Application”). The Provision does not refer to those people who entered the country prior to the issuance of the Provision, is our understanding that downloading and using the Application will be optional for them.
In addition, the Provision clarifies that for those cases in which minors or people with disabilities cannot comply with the aforementioned obligation on their own, it will be the parent or responsible person in charge who must complete the data required in the Application on their behalf. Those people who at the time of entry into the country are unable to download the Application due to technical problems that will have a 12-days-term as from that entry to do so.

Suspension of administrative deadlines: AAIP Resolution No. 70/2020

The Resolution established to exempt from the suspension of the administrative terms established by Decree No. 298/20, extended by Decrees No. 327/20 and No. 372/20, those complaints received by the Agency for Access to Public Information under the Data Protection Law No. 25,326, as well as those proceedings currently in progress. The Resolution clarifies that the procedures under Law No. 25,326 in which the sanctioning process has already started and the right involved of the data owner has already been attended will continue to be suspended.
In addition, the Resolution provided for the exception to the suspension of deadlines with respect to the processing of requests and claims under the Access to Public Information Law No. 27,275.

Court Precedents

D., N.R. vs. Google Inc.

The Civil Court No. 78 of the City of Buenos Aires ruled that Google Inc. must remove certain content based on the “right to be forgotten”. The claimant filed a lawsuit against Google Inc. (“Google”) for violation of its personal rights, arguing that she regrets certain public events that occurred in 1996 that had a huge impact on the media at that time. She requested Google to remove certain videos from YouTube and certain links to online newspapers that published articles about those events. Google responded by requesting the court to reject the complaint by arguing primarily freedom of speech.
On February 20, 2020, the Supreme Court of Justice partially admitted the complaint regarding the YouTube videos and certain images, and partially rejected the complaint regarding the links to online newspapers, arguing that in some occasions the public interest of the content persists, while in other occasions the content exhibits fights and aggressions with no informative relevance.
In particular, the judgment ordered Google Inc. to remove from its search engines, both from Google and YouTube, all links including the words “N.R.”, “N.R.D.” or “N.D. case C. “together with an image or video, obtained twenty years or more ago, showing possible scenes that could have been carried out by the claimant and which content may exhibit verbal or physical aggression, insults, discussions in a high tone, scenes of singing and/or dancing, as well as possible videos of possible television reports in which the claimant has provided information about her private life”.

A.F. vs. F.C.G.M.

In January 2020, Judge Gustavo Caramelo, in charge of Civil Court No. 24, issued a precautionary measure against YouTuber Mr. Martin Sirio, who played the character known as “La Faraona” (The Pharaohess), so that he would cease publishing on social networks about the plaintiff, a lawyer who had been Mr. Sirio’s partner.
The precautionary measure orders Mr. Cirio (i) to refrain and/or cease to publicly allude, either directly or indirectly, to the actor, his private life, affective life, sexual orientation and to exercise value judgment on past or present conduct of the plaintiff, (ii) to remove from the social networks with which he operates the questioned publications that referred to the plaintiff in such a way that they cannot be accessed by third parties, (iii) publish on the social networks the following legend “by court order I have removed content I published about a person I referred to as “El Chompirás” who sued me for it”.
To reach this ruling, the Judge considered the right to privacy and the right to freedom of speech in digital media in order to assess their significance and arrive at a solution that would make them compatible.
Finally, the Judge requested the National Communications Entity to inform television and radio channels over which it exercises control of the prohibition to broadcast the content challenged by the plaintiff by means of the precautionary measure.

Please, do not hesitate to contact us should you require any additional information on this matter.

Sincerely,

Emilio Beccar Varela
Florencia Rosati
Mariana Lamarca Vidal
Elías Colabelli
Martín Beccar Varela
Agustina Pardo