A Regional Framework Argentina Co-Produced — But Cannot Follow at Home
In June 2026, Argentina's Agencia de Acceso a la Información Pública (AAIP) participated in the Iberoamerican Data Protection Network's (RIPD) 2026 annual meeting, co-producing the updated Personal Data Protection Standards for Iberoamerican States 2026 — a comprehensive regional upgrade addressing artificial intelligence, automated decision-making, biometrics, and neurodata. The document is on track for formal adoption at the November 4–5 Iberoamerican Summit in Madrid.
The irony is structural: Argentina's AAIP Director Beatriz Anchorena and National Director of Personal Data Protection Violeta Paulero helped shape standards that Argentina's domestic legal framework — the 26-year-old Ley 25.326, enacted October 4, 2000 — is simply not equipped to enforce.
What the 2026 RIPD Standards Actually Require
The updated framework, unanimously approved by RIPD member states, covers ground that was science fiction when Argentina last legislated on personal data:
- Automated decision-making: Systems with legal or significant impact on individuals must incorporate "qualified, significant, and effective human intervention" — meaning a human who actually understands the system and can meaningfully override it, not a rubber stamp.
- Neurodata: Defined as information related to brain function, activity, or structure that identifies a person or reveals physiological, health, or mental state — treated as a high-sensitivity category subject to possible processing prohibition.
- Biometrics: Enhanced protections requiring explicit legal basis and proportionality assessment.
- Children: Default privacy settings, age verification, and behavioral advertising restrictions, anchored to a "best interests of the child" standard.
The standards were also accompanied by the RIPD's Strategic Plan 2026–2030, focused on AI governance, biometric data challenges, and neurotechnology. New observer members — the OECD, Georgia's Data Protection Service, and the World Bank Group — joined the network at the same meeting, signaling growing international weight behind this framework.
Ley 25.326's Gaps in Plain Sight
Argentina was ahead of its time in 2000: Ley 25.326 was the first data protection law in South America, and the European Commission recognised Argentina's framework as "adequate" in 2003 — a legal finding that enables EU–Argentina data transfers without additional safeguards, a significant trade and legal asset.
But the law predates smartphones, social media, generative AI, and the entire modern platform economy. Its structural absences are now glaring:
- No automated decision-making protections — the statute has no provision governing algorithmic systems that determine credit, employment, bail, or healthcare access.
- No mandatory breach notification — companies are not required to notify regulators or affected individuals within a defined window after a data breach.
- No explicit Data Protection Officer requirement — large processors have no mandatory accountability officer.
- No data portability right — individuals cannot request their data in machine-readable form for transfer to a competitor.
- No definitions covering AI-generated profiling — the law's categories predate the concept entirely.
The AAIP has tried to close specific gaps through soft instruments. Resolution 4/2019 granted individuals the right to request an explanation of the logic behind automated decisions affecting them. Resolution 161/2023 launched the "Program for Transparency and Personal Data Protection in AI." These are meaningful interventions, but they are regulatory workarounds built on a statute that does not actually authorise them with the clarity a modern AI governance regime requires.
The Facial Recognition Signal
In 2023, Buenos Aires' facial recognition surveillance system was declared unconstitutional — a ruling that exposed exactly how inadequate Ley 25.326 is as a governing framework for biometric AI. Courts pushed back where the legislature had not yet acted. That episode galvanised calls for reform and directly informed the AAIP's Resolution 161/2023. It is a pattern familiar from other jurisdictions: when statute fails to anticipate technology, courts and regulators improvise. The improvisation can be creative, but it creates legal uncertainty for businesses and citizens alike.
Reform Bills: Many Drafts, No Finish Line
The case for reform is not new. The AAIP ran an extensive participatory consultation in 2022, receiving 173 documents from 123 participants. In 2023, the executive formally transmitted Message 87/2023 to the Chamber of Deputies — a proposed 83-article law with GDPR-style penalties (2–4% of global annual turnover), expanded territorial scope, and explicit automated decision-making rights.
Multiple competing bills now sit in Congress. One bloc favours a fundamental-rights-first approach tracking the GDPR closely. Another, reflecting the current Milei administration's lighter-touch regulatory philosophy, prioritises innovation and proportionate obligations. No bill has been enacted as of mid-2026. The stalemate is partly ideological and partly practical: Argentina is in a prolonged economic adjustment, and any GDPR-scale compliance burden on domestic businesses is politically contentious in a government committed to deregulation.
Steelmanning the Reformers — and Then the Right Answer
The case for comprehensive reform is strongest where market mechanisms genuinely fail. Individuals cannot negotiate with an algorithm that determines their credit score; they have no visibility into breach events; and consent frameworks built for adults are structurally inadequate for children. On these three points, the reform advocates are right, and the current law leaves real harm unaddressed.
But critics of GDPR copy-paste are also right. The EU's framework was designed for an economy with 27 member states, deep institutional capacity, and a compliance industry built over decades. Imposing equivalent administrative penalties and DPO bureaucracy on Argentina's tech sector — heavily composed of SMEs and startups — risks compliance costs that suppress the very digital economy Argentina needs to grow.
The synthesis is available: a reform that adopts the RIPD 2026 standards' substance (ADM explanation rights, breach notification, child safeguards, biometric proportionality requirements) without importing GDPR's procedural overhead. Argentina does not need a continental compliance regime. It needs a statute that closes the three substantive gaps and gives the AAIP clear legislative authority for the AI governance work it is already doing by resolution.
The Madrid Deadline
If the November Iberoamerican Summit formalises the 2026 RIPD standards as the regional baseline, Argentina will face an uncomfortable question: will it remain the jurisdiction whose regulator co-authored regional AI governance norms while the national law still has no answer to an automated loan rejection? Argentina's EU adequacy finding from 2003 is a critical economic asset — but adequacy is not permanent, and a domestic framework that structurally diverges from the standards Argentina helped write is a long-run vulnerability.
The AAIP has done the international work. The domestic political task — building congressional consensus for reform that is both meaningful and not punishing — is the harder one, and it now has a deadline.