New Bills for a Data Protection Law in Argentina

Three new bills have been submitted to Congress, seeking to replace the current Personal Data Protection Law 25326. The three bills include: one submitted by Representative Yeza, and two others—644-S-2025 and 1948-D-2025—that share the same content, and were presented respectively by others senators and representatives.

All three initiatives ­aim to modernize Argentina’s data protection framework, aligning it with international standards. They incorporate innovative concepts such as anonymization, biometric data, automated decision-making, and profiling.

Key aspects of the bills include:

• Philosophical approach and regulatory tone: Representative Yeza’s bill adopts a tech-driven, innovation-oriented perspective, while the other two proposals prioritize an approach focused on the protection of fundamental rights.
• Legal bases for processing: All three proposals expand on the existing legal bases for data processing, including legitimate interest. However, 644-S-2025 and 1948-D-2025 also introduce “safeguarding a person’s life” as a valid legal basis.
• Specific provisions: All three bills include rules on the processing of minors’ personal data. Additionally, 644-S-2025 and 1948-D-2025 explicitly regulate data processing by public sector entities.
• Classification of actors and risk-based approaches: Deputy Yeza’s bill introduces a novel classification of organizations based on their level of data processing (basic, intermediate, advanced), with differentiated obligations and a special regime for startups and innovative projects.
• Impact assessments: All proposals require data protection impact assessments, depending on the nature, scale, and context of the processing. Bills 644-S-2025 and 1948-D-2025 specifically mandate them for large-scale processing of sensitive or automated data.
• Data Protection Officer (DPO): Appointing a DPO is mandatory in certain cases across the three bills. Deputy Yeza’s bill limits this obligation to organizations with advanced data processing, while the other two extend it more broadly, particularly to public agencies.
• Security incident notification: All three bills require notification of data breaches but differ on deadline. Deputy Yeza’s bill requires notification to the Data Protection Authority “within a reasonable time” and to data subjects only if there is a “significant probability of concrete harm.” The other two bills require notification to the Data Protection Authority within 72 hours and mandate notifying affected individuals, although without a specified timeframe.
• Sanctions regime: Deputy Yeza’s bill contemplates warnings, fines, and temporary suspensions, with fines capped at 1% of annual local revenue. In contrast, the other two allow permanent shutdowns and fines ranging from 2%–5% of the total global annual turnover.
• Additional innovations: Deputy Yeza’s bill explicitly defines inferred data as a distinct category and introduces the concept of a regulatory sandbox.

All three proposals have influence over the current legal framework and are strongly inspired by the GDPR and other international regulations.