
Argentina Helped Draft the Iberoamerican AI Data Standards Its Own Law Cannot Enforce

The RIPD's 2026 standards on AI and automated decision-making expose a direct gap in Ley 25.326 — a 26-year-old statute with no algorithmic governance provisions and reform bills stalled in Congress.

[Infographic: Argentina's Data Protection Gap at a Glance (People of Internet Research · Argentina). Panels: Age of Ley 25.326: 26 yrs; EU Adequacy Year: 2003; Reform Consultation Docs: 173; Convention 108+ Gap: 4 states.]

Key Takeaways

A Regional Framework Argentina Co-Produced — But Cannot Follow at Home

In June 2026, Argentina's Agencia de Acceso a la Información Pública (AAIP) participated in the Iberoamerican Data Protection Network's (RIPD) 2026 annual meeting, co-producing the updated Personal Data Protection Standards for Iberoamerican States 2026 — a comprehensive regional upgrade addressing artificial intelligence, automated decision-making, biometrics, and neurodata. The document is on track for formal adoption at the November 4–5 Iberoamerican Summit in Madrid.

The irony is structural: Argentina's AAIP Director Beatriz Anchorena and National Director of Personal Data Protection Violeta Paulero helped shape standards that Argentina's domestic legal framework — the 26-year-old Ley 25.326, enacted October 4, 2000 — is simply not equipped to enforce.

What the 2026 RIPD Standards Actually Require

The updated framework, unanimously approved by RIPD member states, covers ground that was science fiction when Argentina last legislated on personal data:

The standards were also accompanied by the RIPD's Strategic Plan 2026–2030, focused on AI governance, biometric data challenges, and neurotechnology. New observer members — the OECD, Georgia's Data Protection Service, and the World Bank Group — joined the network at the same meeting, signaling growing international weight behind this framework.

Ley 25.326's Gaps in Plain Sight

Argentina was ahead of its time in 2000: Ley 25.326 was the first data protection law in South America, and the European Commission recognised Argentina's framework as "adequate" in 2003 — a legal finding that enables EU–Argentina data transfers without additional safeguards, a significant trade and legal asset.

But the law predates smartphones, social media, generative AI, and the entire modern platform economy. Its structural absences are now glaring:

The AAIP has tried to close specific gaps through soft instruments. Resolution 4/2019 granted individuals the right to request an explanation of the logic behind automated decisions affecting them. Resolution 161/2023 launched the "Program for Transparency and Personal Data Protection in AI." These are meaningful interventions, but they are regulatory workarounds built on a statute that does not actually authorise them with the clarity a modern AI governance regime requires.

The Facial Recognition Signal

In 2023, Buenos Aires' facial recognition surveillance system was declared unconstitutional — a ruling that exposed exactly how inadequate Ley 25.326 is as a governing framework for biometric AI. Courts pushed back where the legislature had not yet acted. That episode galvanised calls for reform and directly informed the AAIP's Resolution 161/2023. It is a pattern familiar from other jurisdictions: when statute fails to anticipate technology, courts and regulators improvise. The improvisation can be creative, but it creates legal uncertainty for businesses and citizens alike.

Reform Bills: Many Drafts, No Finish Line

The case for reform is not new. The AAIP ran an extensive participatory consultation in 2022, receiving 173 documents from 123 participants. In 2023, the executive formally transmitted Message 87/2023 to the Chamber of Deputies — a proposed 83-article law with GDPR-style penalties (2–4% of global annual turnover), expanded territorial scope, and explicit automated decision-making rights.

Multiple competing bills now sit in Congress. One bloc favours a fundamental-rights-first approach tracking the GDPR closely. Another, reflecting the current Milei administration's lighter-touch regulatory philosophy, prioritises innovation and proportionate obligations. No bill has been enacted as of mid-2026. The stalemate is partly ideological and partly practical: Argentina is in a prolonged economic adjustment, and any GDPR-scale compliance burden on domestic businesses is politically contentious in a government committed to deregulation.

Steelmanning the Reformers — and Then the Right Answer

The case for comprehensive reform is strongest where market mechanisms genuinely fail. Individuals cannot negotiate with an algorithm that determines their credit score; they have no visibility into breach events; and consent frameworks built for adults are structurally inadequate for children. On these three points, the reform advocates are right, and the current law leaves real harm unaddressed.

But critics of GDPR copy-paste are also right. The EU's framework was designed for an economy with 27 member states, deep institutional capacity, and a compliance industry built over decades. Imposing equivalent administrative penalties and DPO bureaucracy on Argentina's tech sector — heavily composed of SMEs and startups — risks compliance costs that suppress the very digital economy Argentina needs to grow.

The synthesis is available: a reform that adopts the RIPD 2026 standards' substance (ADM explanation rights, breach notification, child safeguards, biometric proportionality requirements) without importing GDPR's procedural overhead. Argentina does not need a continental compliance regime. It needs a statute that closes the three substantive gaps and gives the AAIP clear legislative authority for the AI governance work it is already doing by resolution.

The Madrid Deadline

If the November Iberoamerican Summit formalises the 2026 RIPD standards as the regional baseline, Argentina will face an uncomfortable question: will it remain the jurisdiction whose regulator co-authored regional AI governance norms while the national law still has no answer to an automated loan rejection? Argentina's EU adequacy finding from 2003 is a critical economic asset — but adequacy is not permanent, and a domestic framework that structurally diverges from the standards Argentina helped write is a long-run vulnerability.

The AAIP has done the international work. The domestic political task — building congressional consensus for reform that is both meaningful and not punishing — is the harder one, and it now has a deadline.
