The Scope of the Habeas Data Action Is Interpreted

Following public reports that the National Registry of Individuals (RENAPER) had suffered a security breach, the plaintiff submitted an administrative request asking the agency to inform him of all personal data it held about him, including biometric data, and of the security measures adopted to protect such data, among other matters (Fed. Admin. Litig. Ct., Chamber V, Case No. CAF 18307/2021, Palazzi, Pablo v. National Registry of Persons re: Habeas Data, 13/02/2025). In response, RENAPER provided an individual report with general information on the data it manages and stated that it had adopted the security measures required by Personal Data Protection Law No. 25.326. It also stated that the plaintiff was not among those affected by the security incident. The plaintiff, considering the response insufficient, filed a habeas data lawsuit against RENAPER.

The trial court dismissed the claim, arguing that by providing a report containing the plaintiff’s personal data, RENAPER had fulfilled its obligation, and that part of the plaintiff’s requests exceeded the scope of the habeas data action.

The plaintiff appealed the ruling, arguing that RENAPER’s response was incomplete and insufficient. He contended that current regulations require broad access to the full personal data records the agency holds, which includes the security measures it adopts and information about possible transfers to third parties.

The Federal Administrative Litigation Court held that information related to the purpose of data processing, the security of the systems that protect the data, and the duty of confidentiality is covered by article 43 of the Argentine Constitution, which governs the habeas data action. In this regard, the Court affirmed that the action is not limited to protecting individuals from false or discriminatory data, but also ensures the right to informational self-determination—understood as individuals’ ability to control the processing of their personal data.

Further, the Court ruled against a restrictive interpretation of the habeas data action, stating that such an interpretation is contrary to with case law and regulatory developments in the field. It emphasized that the concept of informational self-determination has been recognized as an autonomous right, essential for protecting other rights such as privacy, honor, and dignity. For this reason, access to personal information—including the protective measures adopted by public bodies—must fall within the scope of this constitutional guarantee.

Lastly, the Court concluded that the claims the plaintiff made in his initial filing were well-grounded, as the information RENAPER provided was incomplete. The Court, therefore, it decided to overturn the appealed ruling, partially uphold the action, and order the agency to provide the missing information.