At the Privacy Symposium in Venice (21–24 April 2026), Argentina's data-protection regulator spoke with the authority of a global standard-setter. Beatriz de Anchorena — Director of the Agencia de Acceso a la Información Pública (AAIP) and Chair of the Council of Europe's Convention 108 Committee — framed Convention 108+ as "the first legally binding international instrument in this field," a treaty that "offers a platform for cooperation for all the continents" (Privacy Symposium interview). It is a genuine diplomatic achievement for a Latin American regulator to chair the body shaping the only cross-continental data-protection treaty. It also throws an awkward contrast into sharp relief: the statute de Anchorena enforces at home, Ley 25.326, was sanctioned on 4 October 2000 and is now in its 26th year, essentially unamended (Argentina.gob.ar).
A pioneer that stopped iterating
Argentina earned its standing the hard way. Ley 25.326 made it the first Latin American country with a comprehensive data-protection law, and in 2003 the European Commission recognised Argentina's regime as "adequate" — a status only a handful of non-European jurisdictions hold (JURIST). But the world the law was written for is gone. The 2000 statute predates the smartphone, the cloud, large-scale biometric systems and generative AI. It has no concept of data portability, no breach-notification duty, no accountability principle, no rules on automated decision-making or profiling — the architecture that the EU's GDPR made standard in 2018 and that Convention 108+ itself codifies.
The gap is not theoretical. As the JURIST analysis notes, the law now "plays defence" against AI systems that process personal data far beyond any original consent, and in 2023 a Buenos Aires facial-recognition deployment was declared unconstitutional precisely because the statutory safeguards were too thin to govern it. A regulator chairing the treaty that answers these questions is enforcing a domestic text that cannot.
The reform that keeps not happening
This is not for want of drafting. The AAIP itself launched a modernisation effort, releasing a draft bill via Resolution 119/2022 in September 2022 — 72 articles across 11 chapters, deliberately mirroring the GDPR with data minimisation, legitimate-interest processing, 48-hour breach notification, portability and mandatory data-protection officers (IAPP). That bill never cleared Congress. Nor did its predecessors going back to 2017.
The 2025 legislative session produced a fresh wave rather than a resolution: several competing bills, including Senate text S-0644/2025 and the substantively identical 1948-D-2025, both rights-based and closely GDPR-aligned, alongside 0904-D-2025, an innovation-oriented proposal that classifies organisations by processing intensity (basic, intermediate, advanced) and carves out a lighter regime for startups. The proliferation of drafts is itself the symptom: Argentina knows exactly what a modern law should say, and has known for the better part of a decade, but cannot get any single version enacted.
The credibility cost of leading abroad while stalling at home
The steelman for de Anchorena's Venice posture is real and worth stating plainly. Convention 108+ is the only data-protection instrument with genuine cross-continental reach, and it badly needs champions: as of 2025 it had only 33 of the 38 ratifications required to enter into force, and ratifications did not increase at all in 2024 (Oxford IJLIT). An Argentine chair lending credibility and Global-South legitimacy to that push is a public good. Argentina ratified the protocol itself in 2023, which is more than eight EU member states have managed.
But international standard-setting and domestic reform are not substitutes, and treating the first as cover for the second carries a cost. Convention 108+ is technology-neutral and principle-based by design; it sets a floor, not an operating manual. It does not tell an Argentine startup how breach notification works, what lawful basis it can rely on for analytics, or whether a risk-tiered compliance regime applies to it. Those answers live in domestic statute — and Argentina's is silent on all of them. A treaty that has not yet entered into force cannot fill a 25-year-old hole in national law.
What proportionate reform looks like
The encouraging signal in the 2025 crop is the innovation-oriented bill 0904-D-2025. Tiering obligations by processing intensity, and giving startups a lighter-touch path, is exactly the proportionate, evidence-based design that avoids the GDPR's worst failure mode — imposing enterprise-grade compliance overhead on firms that handle trivial volumes of low-risk data. A modern Argentine law should pair GDPR-grade rights (portability, transparency on automated decisions, breach notification) with a genuinely risk-calibrated compliance burden, so that the cost of protection scales with the actual risk rather than flattening every controller into the same paperwork.
The lesson Venice should send back to Buenos Aires is not that Argentina's regulator lacks ambition — it plainly does not. It is that the ambition is pointed outward while the domestic foundation ages. The most valuable thing the AAIP could do for the open internet and for Argentine innovators is less glamorous than chairing a treaty committee: shepherd one of the pending bills — ideally the risk-tiered one — through Congress, and give the country a 21st-century law to match its 21st-century reputation.