Argentina has a set framework to receive investment in various industries (other than its leading export industry, agriculture). All TMT areas have received special consideration by the government in recent years in order to ease the way for foreign investors, as well as to promote local entrepreneurship. With many IT centres of ‘Fortune 500’ companies, Argentina is a strong media and technology hub for Hispanic countries. Moreover, Argentina is the third-largest telecommunications market in Latin America, experiencing exponential growth in the last decade.
Federal, provincial and local governments have incentive programmes and tax benefits designed to promote TMT undertakings, and the trend is to de-regulate those industries. While focusing on the private sector, it is also fair to say that lately it has caught up on applicable public rules of procurement and regulations of the kind.
As stated by the Department of Commerce of the United States of America in its 'doing business in Argentina' (2015) report, inter alia, reasons to invest in Argentina include:
Without specific regulation until a few years ago, from 2016 onwards cloud services started to be expressly addressed in certain regulations (particularly those concerning contracts with public entities) and implicitly acknowledged in regulations for specific industries within the private sector (ie, provision of IT services for financial entities, data outsourcing, data hosting and processing of personal data, etc).
Cloud computing agreements are standard practice in Argentina and are also admitted by Argentine legislation. In public sector contracts, cloud technology is expressly mentioned in the recent Cloud First regulations, which not only admit cloud technology but also state that such technologies are “trustful and cost efficient” and that “cloud solutions shall be preferred by Public Sector entities before any other technological solutions” (ONTI Regulation 2/2018). Examples of such regulations are:
Within the private sector regulatory framework, while 'cloud' is not expressly accounted for as such, it is admitted in several regulations that allow and regulate transactions with the main features of cloud services. Cloud computing agreements are a standard practice in Argentina and are also admitted by Argentine legislation. The most relevant example of this is probably Regulation 60/2016 issued by the Argentine Agency of Access to Public Information (AAPI), in charge of enforcing Argentine Personal Data Protection Act Nr 25,326 (PDPA). Complementing Section 25 of the PDPA – which broadly acknowledges the provision of data processing services – Regulation AAPI 60/2016 provides a template agreement with model clauses for the provision of data processing services outside Argentina, in countries without “adequate legislation” in data protection. This provision is inherent and fully applicable to cloud services. Provided that the requirements of this legislation are met, no notification, permission or approval from the AAPI or any other authority is legally required for data outsourcing.
This framework – basic in the hiring of cloud services – was welcomed by almost all the industry, since it regulates international data transfers aligned with EU legislation (ie, EU Directive 87/2010); and positively, it legislated for criteria that were previously contained in mere AAPI opinions, without the binding force of legal provision, providing certainty and legal security in this sector.
Furthermore, in November 2018 the AAPI issued Regulation 159/2018, which set forth 'Guidelines and Basic Contents of Binding Corporate Rules' for the international transfer of personal data among companies of the same economic group. The guidelines attempt to be aligned with Section 47 of the GDPR, and establish (in a generic way) issues such as basic conditions for the legality of the transfer, procedures to ensure the data subjects’ rights, joint liability of the parties, applicable jurisdiction in case of controversies and the AAPI auditing rights. These binding corporate rules – applicable to internal corporate cloud of affiliates of the same economic group – appear as an option to the model clauses set forth by AAPI Regulation 60/2016 for the international transfer of personal data.
In addition to the aforementioned data protection requirements, other industry-specific requirements are applicable for international data transfer in certain areas, such as the financial sector. In the latter, data was requested to be maintained in-country until November 2017, when the Argentina Central Bank issued Communication A 6354, as amended by Communication 6375, allowing banks to hire cloud services and data outsourcing abroad, as long as the many requirements therein established are complied with by both the Argentine financial institution and the foreign data processor (cloud provider).
Pursuant to the aforementioned regulation, financial institutions intending to perform international data transfer and outsourcing activities shall inform so through a communication to the Financial Institutions Bureau ('Secretaría de Entidades Financieras y Cambiarias') at least 60 days before initiating such activities, including in such communication certain mandatory information and a copy of the outsourcing agreement in 'pdf' format. The obligation to comply with the terms of this new regulation shall be expressly indicated in the agreement between the financial institution and the foreign outsourcing services/IT provider. Furthermore, foreign data processors providing services to Argentine financial institutions shall perform internal audits every year considering in such audit the compliance with this new regulation; and submit a copy of the audit to the External Audit Unit of the Argentine Financial Institutions Bureau, which depends on the Argentine Central Bank.
The aforementioned regulation requires the cloud services provider to address different “scenarios of IT services” classified according to the kind of data to be transferred to the IT provider and the risk thereof derived and imposes several “technical and operative requirements” for each scenario, with which both the financial institution and the IT/cloud provider shall comply.
Where queries about whether sensitive data may be submitted to the cloud have been raised, these appear to be unjustified and without legal grounds. Indeed, the model clauses set forth by Regulation AAPI 60/2016 expressly envisage the possibility of an international transfer of sensitive data (ie, submitting them to the cloud).
See 1.1 Laws and Regulations.
See 1.1 Laws and Regulations.
Blockchain as such is neither regulated in Argentina, nor is there case law specifically addressing this particular technology. Thus, legal challenges related thereto shall so far be attended considering general legal principles and the particular restrictions of the industry or area of law where blockchain is applied. Legal issues such as risk and liability, intellectual property, data privacy, service level and jurisdiction shall be analysed under the aforementioned approach.
While the adoption of blockchain in the private sector is booming, at a federal level, government is promoting public/private consortia to foster usage of blockchain, with federal government taking the lead in co-ordinating efforts among governmental agencies, trade associations and private parties.
Among the main risks and liability, the following shall be considered:
'Smart contracts' is also another non-regulated area, where the general principles of law will come into play to resolve implementation issues. Still, issues such as enforceability, binding nature or procedural recognition as evidence are yet to be discussed. As in many other jurisdictions, most likely theories and/or solutions applicable to software programming, other nets (like www) etc, will come into play.
Ownership of the intellectual property of all or part of a blockchain environment is a key factor to be considered by blockchain vendors. The aforementioned ownership may include the software and business processes, the developments added after its release and the underlying data. On top of that, queries should be raised about whether such personal data may be considered IP or even ‘property’ at all, and whether vendors may claim ownership over it, where such personal data belongs to users (even with pseudonymisation).
In spite of the novelty of blockchain, some of these IP issues have arisen already with existing software platforms and/or shared software systems. Similarly, a shared intellectual property strategy might be a good starting point when it comes to thinking about solutions to the aforementioned issues.
Data privacy is a crucial issue in the use of blockchain technology, especially in a country like Argentina, which follows the European Union in data protection legislation (the current PDPA was based on former EU Directive 95/46; and the bill to replace the PDPA is intended to be aligned with the GDPR).
The question of who shall be considered the personal data controller – especially in a non-permissioned blockchain – and the one responsible for complying with the PDPA, and for granting data subject’s rights (ie, ARCO rights) and other personal data regulations is a key factor. In a permissioned blockchain – limiting who can join the blockchain network to 'trusted' nodes and encrypting the data on the blockchain – the super user may be considered the data controller, with the liabilities therein attributable. However, none of these matters have yet been addressed by Argentine law or case law.
Another potential issue from a data privacy perspective is to consider the consequences of the user’s decision to stop using the service under blockchain when he or she does not hold a copy of the data on the ledger. For such cases, there needs to be provisions and processes in place that ensure the vendor hands over all the data subject’s (user) information and a complete record of all the transactions on the blockchain that are linked to the user’s name.
Security issues prescribed by Argentine data protection law should also be analysed under a balanced 'privacy versus transparency' approach, especially considering such data protection security provision as set forth by Sections 9 and 19 of the PDPA, and also AAPI Regulation 47/2018. The fact that in a public blockchain system anyone can access any data subject’s personal data, especially health and/or other sensitive data, poses serious privacy challenges, under both the PDPA and Argentine Medical Records Act 25,629. In turn, compliance with security measures within the financial service industry is particularly delicate, as this industry has specific recent and detailed security legal requirements that need to be complied with (ie, BCRA Communication 6375).
From a service level perspective, the challenge is likely to be solving the balance between the provider’s adherence to standard contracts with limited warranties and liabilities on one side, and the customers’ unwillingness to agree to such restrictions on the other. In addition to this type of contractual negotiation – typical of the IT industry – other legal restrictions need to be considered, such as those imposed by mandatory laws that may be applicable. In Argentina, this concerns the Consumers Defence Act 24,240, the PDPA 25,326 and the Medical Records and Patients’ Act 26,529, all of which grant rights that cannot be waived by the parties involved.
Being a decentralised system in which nodes exist around the planet, determining the correct set of rules to apply in a controversy constitutes a key legal challenge for blockchain. As a matter of fact, disputes derived from blockchain transactions might potentially arise in the jurisdiction(s) of the country of each node in the chain. This circumstance faces blockchain layers with the challenge of needing to comply with many different legal regimes simultaneously. In the event that a fraudulent or erroneous transaction is made, pinpointing its location within the blockchain could be challenging.
In the absence of contractual provisions, Supreme Court of Argentina case law calls for asserting Argentine jurisdictions whether there is performance, of any materiality or kind, in Argentina (CSJN, 20/10/98, Exportadora Buenos Aires S.A.c. Holiday Inn’s Worldwide Inc. Fallos 321:2894), for which setting up proper jurisdiction clauses will be a must, and will clearly help to provide users with legal certainty about which laws and courts should be applicable in a controversy derived from blockchain transactions. However, this may be challenging with multiple customers’ transactions – the essence of a decentralised environment like blockchain – when certain local ‘public order’ regulations are mandatory. In Argentina, this is the case with the Consumers Defence Act 24,240, the PDPA 25,326 and the Medical Records and Patients’ Act 26,529, all of which grant rights that cannot be waived by the parties involved, including mandatory local (Argentine) jurisdiction and applicable law.
'Modern' technological concepts such as 'big data', 'artificial intelligence' and 'machine learning' have scarcely been mentioned in recent Argentine legislation, and none of them have been regulated as such. Thus, assessment and counselling about these topics is so far provided for based on general principles of law; in particular, tort law and contractual, IP and privacy regulations.
With respect to big data, in 2017, Regulation 11/2017 created the 'Big Data Observatory', an entity within the IT & Communications Bureau. Although its specific tasks were to be defined by further regulation, it aims to “study the regulatory framework of personal data use”, “foster and create Big Data technological platforms”, “promote good Big Data practices” and “propose for new regulations”. As of January 2019, Regulation 11/2017 remains without further regulations and none of these regulatory frameworks have been passed.
Furthermore, Internet Service Providers (ISPs) are key actors in the processing of big data and their liability is still unregulated as of to-date, in spite of several bills on the matter. While the generic right of access and deletion of incorrect data is addressed in the PDPA, there are neither takedown nor counter-notice/respond legal proceedings. This question is currently de facto regulated pursuant to case law precedents. In recent years, hundreds of cases have been brought to courts against search engine and/or social media providers where plaintiffs request their data to be erased/blocked, based on 'porn revenge', disinformation, hate speech, slander, non-authorised use of image, privacy etc. In the absence of legislation, each controversy is decided on a 'case-by-case' basis, according to Federal Supreme Court guidelines. Based on such case law, a bill (S-1865/2015) on ISP liability is being considered in Congress with a view to enforcing a negligence system (as opposed to strict liability) on ISPs. If enacted, this bill would be the first regulation concerning ISP liability and, generally speaking, would limit such liability.
Without specific legislation currently in place, ISPs’ duties and liabilities with regards processing big data is judged based on tort principles (Civil and Commercial Code) and privacy law (PDPA), including matters such as database ownership, purpose and final usage (ie, misuse) of analytics made with big data, treatment of sensitive data etc.
More 'advanced' issues are yet to be seen. Examples of insurance derived from improper processing of big data - or claims derived thereof - are currently rarely available or very expensive to access.
In the absence of legislation regarding machine learning and artificial intelligence, there is legal uncertainty in Argentina about these matters.
It is worth mentioning that in November 2018, Decree 996/2018 was issued, by which the Argentine federal government set forth the basis for an 'Argentine Digital Agenda' ('Agenda Digital Argentina') aiming to establish guidelines for a technological legal framework and digital institutional strategy to be implemented throughout the country. These guidelines mention 'artificial intelligence' as well as other 'technological' concepts such as cyber security, 'Digital Inclusion', access to IT services, biotechnology, 'Digital Government', e-commerce and technological neutrality, among many others. Given the terms of the Decree, its broad guidelines and potential scope, further specific regulations accompanying it were expected. However, as of January 2019 none of these regulations have been enacted and as such the Decree and the concepts included therein remain as yet unregulated.
In both cases – machine learning and artificial intelligence – IT systems’ capacity to make autonomous decisions seems to pose the greatest potential impact in terms of liability. Application of causation principles and determining who shall be considered liable for the fault that causes damages seems a crucial legal challenge, particularly if a negligence regime (as opposed to strict liability) is applied.
Aside from the big impact on tort law and liability in general or the open question of if an autonomous car kills someone then who is responsible from a criminal law perspective, one can identify the leitmotif legal issues in all these areas (as briefly discussed before) – security, intellectual property and privacy – as areas heavily impacted by these technologies.
Regarding the 'Internet of Things' (IoT), in April 2017 the Secretariat of Information and Communication Technology issued Regulation 7-E/2017, calling interested parties to submit opinions, proposals and needs of different players and sectors involved in the development of the IoT, pursuant to a pre-established administrative proceeding. This regulation was issued within the framework of Regulation 8/2016, which created the 'Internet Services Workgroup' with the purpose of “analyzing and promoting public policies to develop Internet services”; and, in particular, to “promote development of Internet of Things, specifically for the development of public policies related to security, public health and environmental matters”.
Decree 996/2018, by which the Argentine federal government sets forth the basis for an 'Argentine Digital Agenda' ('Agenda Digital Argentina'), also mentions the IoT – in addition to many other IT concepts – among the guidelines for a technological legal framework and digital institutional strategy to be implemented in Argentina. In spite of all these legal mentions, as of January 2019 none of the expected regulations had been enacted and the IoT remains without specific regulation as such.
In the current legal scenario, when contemplating a project with connected devices in Argentina, analysing it from a data protection perspective is of the essence. The PDPA and Regulations AAPI 60/2016 (regarding international transfer of personal data) and 47/2018 (regarding data security measures) are crucial pieces of legislation, as well as other cloud legal considerations referred to earlier.
It is worth considering that the bill that aims to replace the PDPA in its entirety in order to update it and align it with international standards and principles established by the EU General Data Protection Regulation (ie, GDPR) includes privacy by design and privacy by default sections almost identical to those in the GDPR. If the bill is finally enacted, they shall be considered in the implementation of IoT projects.
IT service agreements are not specifically regulated in Argentine law. The Civil and Commercial Code regulates in Articles 1251 to 1279 the services agreements, but it refers to 'general' services and not particularly to IT services. The general regulation applicable to all private contracts, provided for – mainly – in Articles 957 to 1122, applies. Among those, Article 958 refers to the freedom of contract or party autonomy, which governs the relation between the parties, although that freedom may be restricted by different mandatory provisions.
While it is not clear yet, as the new Civil and Commercial Code came into effect in 2015, outsourcing contracts may be impacted, as this may be considered as a 'supply agreement' and therefore certain provisions may come into play, like a maximum term (20 years), in the absence of a contractual stipulation, provision of services are to be considered to fulfil clients’ needs. A first-refusal right may also come into play, as provided by the Civil and Commercial Code, and certain restrictions for the unilateral termination of long-term agreements.
The legal aspects to be considered when drafting and negotiating an IT service agreement in Argentine are mostly the same as in other countries: changes to services and price, complying with regulation that governs the parties (eg, banking regulation), intellectual property rights, data privacy, limitation of liability etc. The regulation of these aspects is quite similar to the regulation applicable in the majority of the civil law and common law main jurisdiction.
Yet, there are few legal aspects that have to be taken into account as they are regulated in Argentina in a different way than other main jurisdictions; among others, the following: price adjustment provision, currency, labour law, choice of law and pre-formulated or boilerplate contracts. These aspects will be addressed below.
Among others, the followings aspects have to be taken into account:
Processing of some sort of personal data is involved in almost all TMT projects, for which knowing the applicable data protection regime is crucial for a solid legal assessment.
In Argentina, Personal Data Protection is acknowledged in the National Constitution; in Argentine National Civil and Commercial Code (Section 1770); and regulated at a federal level by Argentine Data Protection Act No 25,326 (PDPA) and more than 70 regulations issued by the Argentine Agency of Access to Public Information (“AAPI”), in charge of enforcing the PDPA, pursuant to presidential Decrees 899/2017 and 746/2017. The AAPI – which replaced the former Argentine Data Protection Authority ('Dirección Nacional de Protección de Datos Personales') – is a public autarchic entity recently created within the National Chief of Cabinet (the highest authority of the National Government Ministries).
Other more specific data protection-related laws and sectoral regulations are also applicable, such as regulations about right to the own image and voice (Act 11,723, Section 31; and Argentine Civil and Commercial Code, Section 53); right to intimacy (Argentine Civil and Commercial Code, Section 52); health data and consent for medical treatment (Argentine Civil and Commercial Code, Section 52; and Medical Records and Patient’s Right Act 25,629, as amended by Act 26,742; Financial entities’ data treatment (Argentina Central Bank issued Communication A 6354), etc.
The PDPA is mandatory applicable to data treatment of Argentine residents, regardless of where such treatment is performed. PDPA rights cannot be waived by data subjects, as it is considered a ‘public order’ law.
On 19 September 2018, the Executive Branch submitted to the National Congress a bill that aims to replace the PDPA in its entirety in order to update it and align it with international standards and principles established by the EU General Data Protection Regulation (GDPR). Among the many provisions established by the draft are regulated issues such as: extraterritoriality, notifications of security incidents, new rights such as data portability and opposition, protection by design and by default, risk impact assessments and the obligation to appoint a Data Protection Officer in certain circumstances. If enacted, the same would come into force after two years of its publication in the Official Gazette. During this period, the current PDPA regulations would remain in force.
Under the PDPA, no distinction is made between companies and individuals, as the rights granted therein are applicable to the personal data of individuals and legal entities.
It should be noted that the bill that aims to replace the PDPA in its entirety in order to update it and align it with international standards and principles established by the EU GDPR only protects personal data of individuals (aligned with the GDPR in this aspect). So if the bill is finally enacted, companies’ data will be excluded from the Argentine personal data protection legal regime.
Data subjects’ consent requirement for data collection and/or treatment is one of the key principles of the PDPA. Furthermore, data subjects’ right to access to data and right to correct or erase data is a constitutional right since 1994; and the 'habeas data' proceeding to exercise such right are incorporated in the PDPA.
As one of the exceptions to the consent principle, the PDPA allows the free use of data (ie, no consent required) when it is anonymised or de-identified. Another exception to the data subject’s consent requirement takes place when a data processor receives databases from a data controller for the sole purpose of providing processing services to a data controller, acting on behalf of the latter.
If the data processor is located outside Argentina (ie, data outsourcing, provision of cloud services, etc), the Argentine data controller/exporter and the foreign data processor/importer shall execute a written agreement to provide such services. The requirements of such data transfer agreement depend on whether or not the legislation of the country of the data processor (data importer) provides “adequate levels of data protection”.
In case of data transfer to countries whose laws do not provide “adequate data protection,” such as the USA, the Argentine entity (data exporter) and the foreign data processor (data importer) shall execute a Data Transfer Agreement pursuant to the template set forth by AAPI Regulation 60/2016. This template is extremely similar to the one valid in the European Union for this purpose, as set forth by EU Directive 87/2010. Among other requirements, the Data Transfer Agreement requested by Argentine data protection law shall have:
Furthermore, if the foreign data processor is obliged to disclose Argentine data pursuant to a foreign government data request, the processor shall immediately notify such circumstance to the data exporter, who may be able to terminate the agreement and request data to be transferred again to Argentina.
An identical Data Transfer Agreement pursuant to Argentine law shall be executed by the foreign data processor and any other sub-contractor that may have access to the Argentine data.
On the other hand, if the provider renders data treatment services in countries that do provide adequate levels of protection (eg, EU countries), the client and the service provider are free to choose in the services agreement to which law they will be subject to (ie, either Argentine law or the data importer’s law).
Furthermore, in November 2018 the AAPI issued Regulation 159/2018, which set forth 'Guidelines and Basic Contents of Binding Corporate Rules' for the international transfer of personal data among companies of the same economic group. The guidelines attempt to be aligned with Section 47 of the GDPR, and establishes (in a generic way) issues such as basic conditions for the legality of the transfer, procedures to ensure the data subjects’ rights, joint liability of the parties, applicable jurisdiction in case of controversies and the AAPI auditing rights. These binding corporate rules – applicable to internal corporate cloud of affiliates of the same economic group – appears as an option to the model clauses set forth by aforementioned AAPI Regulation 60/2016 for the international transfer of personal data.
In addition to the aforementioned data protection requirements, other industry-specific requirements are applicable for international data transfer in certain areas. Examples of the latter are Argentina Central Bank Communication A 6354, as amended by Communication 6375, establishing several legal and technical requirements that financial entities and IT data processors shall comply with in order to hire data outsourcing services; or the Medical Records and Patient’s Right Act 25,629, which set forth generic requirements for the processing of digitalised clinical records and treatment of health data.
See 6.3 General Processing of Data.
Argentine law establishes certain generic restrictions on monitoring and limiting use by employees of company computer resources. Indeed, workplace privacy has been an increasingly hot topic in recent years in Argentina, mainly due to the advancement of technologies and its impact on data protection. According to Argentine Employment Contract Law 20,744, the employer has the power to perform personal control to employees within certain limits to safeguard the workers’ dignity and privacy (Sections 65, 70, 71 and 72). Such standards are not precisely defined and are analysed by courts on a case-by-case basis, aligned with other labour legislation (which is very protective of employees’ rights) and the PDPA principles.
Regarding workplace video surveillance, case law has established that the company must notify where the cameras are located, what type of models they are, and whether they can record audio or not (it has been decided that the sound or voice recording is much more intrusive and therefore has greater complications when it is used as evidence at court). Video cameras should not be located in places that disturb the employee’s privacy and/or intimacy and/or psychological integrity. Argentine labour courts have consistently rejected certain video-recorded evidence in cases where the cameras were located in staff toilets and/or places where some employee privacy and intimacy is expected.
In addition, video surveillance is considered a data collection proceeding specifically regulated by the AAPI (Regulation 10/2015). Apart from registering the video surveillance database before the National Databases Registry, companies doing video surveillance shall have a privacy handbook containing certain mandatory information such as references to places, dates and hours in which surveillance cameras will operate; terms during which data shall be stored; security and confidentiality mechanisms; measures to grant the data owners’ basic rights (block, delete, update and/or correct personal data); and reasons that justify the taking of photographs and/or video surveillance.
The collection of images in the aforementioned way shall be limited to the security reasons alleged; without interfering with privacy and/or intimacy of data owners. Letters shall be exhibited to the public/workers expressly indicating: the existence of video cameras, the purpose for video surveillance, the company responsible for the images/data treatment, its domicile and the way in which data subjects may contact such company to exercise their basic rights.
In Argentina, telecommunication is the emission, transmission or reception of signs, signals, data, images, voice, sounds or information of any kind, by wire, radio, optical or other electromagnetic systems (Act 27.078). The purpose of Act 27.078 is to state as a public interest activity the development and regulation of information technology and communications and associated resources, establishing and ensuring complete network neutrality. The aim is to guarantee the human right to communication, giving access to information and communication to all residents in social and equitable geographical conditions.
Many technologies are currently deemed to fall within the scope of local telecommunications rules from which we can emphasise the following ones:
Other technologies do not fall within the scope of telecommunications, such as instant messaging or online video channels, because the providers do not operate a network nor leases network space, which are necessary for its proper working. Instead of that, they use the internet service offered to the user by another supplier.
According to Act 27.078, a unique licence is required to provide a telecommunication service, either fixed or mobile, wired or wireless, national or international, with or without its own infrastructure. Telecommunication services may, however, only be provided after a licence has been granted, in respect of the specific services covered by that licence.
The unique licence has a nationwide scope and there are no mandatory investment obligations; providers are free to choose the technology and network architecture that they consider the most appropriate for the efficient provision of services. The licence does not include the award of a spectrum, which is subject to a separate procedure.
The procedure to obtain the unique licence is established by the Licensing Regulation for Information and Communication Technology Services issued by the Ministry of Modernisation (Resolution No 697/2017). There are no restrictions for the granting of the unique licence to natural persons or juridical entities. Applications must include personal and corporate documentation; information on the services to be provided; and financial statements. The main aspects of the procedure are:
The ENACOM approval may be granted explicit or by deemed approval if ENACOM does not make any official observation within the 60 days after the filing of the petition. Once the licence is granted, the solicitor must register the services to provide. Also the provider must pay:
According to Act 26.522 (Audiovisual Communication Services Act), Act 27.078 (Argentina Digital Act), Decree 267/2015 and Decree 1340/2016, all services of information and communication technology, and audiovisual, must be treated in the same way, regardless of the kind of technology used. Audiovisual communications services are an activity of public interest and includes, among others, regulations for the advertising agencies, content producers and channels.
To provide audiovisual services a formal licence granted by ENACOM with annual updates is required. The procedure is established by the Licensing Regulation for information and Communication Technology Services issued by the Ministry of Modernisation (Resolution No 697/2017).
Once the licence is granted, the provider must register the services with the Public Register of Licences and Authorisations for Audiovisual Communication Services (Resolution No 1502-AFSCA/14). Also, the provider must be registered with the 'Public Information System of Audiovisual Communication Services Suppliers'.
In relation to online video channels or any other OTT services, they are not specifically regulated and there is no licence requisite, except tax obligations (according to Decree 354/2018 OTT services are subject to Value Added Tax). OTT services are not expressly included in the concept of telecommunications because the OTT services provider does not operate by itself a network nor leases network space, and the regulator has not expressly established any requirement.
See 9.1 Main Requirements.
Currently there is no legislation establishing a generic obligation to use encryption technology. However, there are specific cases – particular industries, sectors and/or circumstances – in which the use of encrypted or encrypted is mandatory or recommended.
Regulation AAPI 47/2018, which sets forth 'recommended' (non-binding) security measures for all kind of personal data processing, recommends the use of encryption technology for the process and/or hosting of 'sensitive' data (data revealing religious, sexual, political, racial, ethnical, moral or philosophical preferences, as well as health data and criminal records).
In the public sector, Regulation 1/2015 of the National Office of Information Technologies (“ONTI”) establishes the cases in which cryptographic controls should be used for governmental entities (ie, for the protection of access codes to systems, data and services; for the transmission of classified information outside the scope of the organisation; for the protection of information when this arises from the risk assessment carried out by the IT manager, etc).
In the financial industry, several regulations issued by the Argentine Central Bank (applicable only to financial entities) set certain encryption requirements and minimum security standards (including detailed technical measures) for management, implementation and risk control regarding the provision of IT services to financial entities. In particular, Communication A 6354, as amended by Communication 6375 (allowing banks to hire cloud services and data outsourcing abroad, as long as the many requirements therein established are complied with by both the Argentine financial institution and the foreign data processor/cloud provider) requires “mechanisms for encryption of data and communication channels”. Furthermore, among the 'Technical Operating Requirements for Integrity and Logging', such regulation mandates that IT providers “shall formulate an encryption policy for data at rest, in transit or in both statuses including an allocation of responsibility for all controls defined in each data status”.
Among the public offering regime, Regulation 704-E/2017 of the National Securities Commission, applicable only to listed companies and capital market agencies, stipulates that the storage and transmission of authentication data shall be protected through internationally recognised cryptographic algorithms. In addition, it establishes encryption requirements for other situations (ie, when the information goes beyond the limits of local networks and cross-public networks).
With respect to health data, Act 26,529 (Health Records Act) states that for such data “the use of restricted access shall be adopted with identification keys, non-rewritable storage means, control of modification of fields or any other suitable technique to ensure their integrity”.
Finally, the implementation of 'digital signature', pursuant to Act 25,506, Regulation 399 - E / 2016, of the Ministry of Modernisation, establishes cryptographic requirements among the 'Single Certification Policy' that all Digital Signature Certifiers shall apply for the issuance of the Digital Signature Certificate.
In relation to telecoms operators, there are no specific regulations or restrictions on encryption of communications.
See 10.1 Legal Requirements Governing the Use of Encryption.