Argentina's data protection authority, the Agencia de Acceso a la Información Pública (AAIP), took a visible seat at the region's privacy top table this year. At the 2026 meeting of the Red Iberoamericana de Protección de Datos (RIPD) in Cartagena de Indias, Colombia, the network's member authorities unanimously approved the updated Personal Data Protection Standards for Ibero-American States 2026, and the AAIP was among the delegations that shaped the text. The agency also used the gathering to present its own initiative, the Ibero-American Observatory for Personal Data Protection (Argentina.gob.ar).
What actually changed
The 2026 standards update the RIPD's original 2017 framework, which was itself a soft-law attempt to give Ibero-America something like a shared privacy baseline without the twenty-plus separate national statutes reinventing the same principles. The revision folds in the technologies that didn't exist as regulatory categories in 2017: artificial intelligence, automated decision-making, biometric identifiers, neurodata, algorithmic governance, data-quality obligations for automated systems, and protections specific to children and adolescents online (Infobae). The stated ambition, per the network, is a shift from data protection as a narrow rulebook for personal-information handling toward a broader digital-governance model. The text is now headed to the Ibero-American General Secretariat (SEGIB) for possible endorsement at the Ibero-American Summit of Heads of State and Government in Madrid this November.
Crucially, the standards are not binding law. The RIPD is a coordination forum, not a supranational regulator, and its output functions as a reference model that national authorities can draw on when drafting their own rules — closer to a shared vocabulary than a directive.
The Observatory pitch
Argentina's other contribution at Cartagena de Indias was procedural rather than substantive: the AAIP presented the Ibero-American Observatory for Personal Data Protection, an initiative it established in May 2025 as "a regional space for exchange and production of technical knowledge." The Observatory says it is developing four products: minimum elements for legislative-reform processes, a regional framework for the ethical design and oversight of AI systems, a protocol for responding to data-security incidents, and recommendations for building out regulatory bodies and algorithmic-audit capacity (Argentina.gob.ar). It sits alongside the AAIP's own domestic AI guidance — a 2023 "Guide for the Responsible Use of Artificial Intelligence" issued under Resolution 161/2023, aimed at public and private entities deploying AI systems that touch personal data (Argentina.gob.ar).
The gap at home
The striking part of this story is the contrast between Argentina's regional posture and its domestic legal infrastructure. Ley 25.326, the statute that actually binds Argentine companies and government agencies on personal data, was enacted in 2000 — a year before Facebook's founders finished high school, let alone before anyone was training large language models on scraped personal data. The AAIP itself produced a draft replacement law, but that anteproyecto lost parliamentary status at the end of 2024 when Congress failed to act on it. Two successor bills, from deputy Pablo Carro and senator Martín Doñate, now build on that draft and aim to bring Argentina toward GDPR- and LGPD-style standards — automated-decision opposition rights, privacy-by-design, data portability. A third bill from deputy Martín Yeza (1751-D-2026) would separately regulate facial recognition for security purposes. None of these has passed as of mid-2026 (IAPP).
Steelmanning the regional approach
There is a genuine case for what the RIPD is doing. Latin America's data-protection landscape is a patchwork — Brazil's LGPD, Argentina's aging 25.326, Colombia's Habeas Data regime, and a dozen lighter frameworks elsewhere — and a company operating across the region faces real compliance costs reconciling all of it. A shared reference standard, built by the authorities themselves rather than imposed externally, can reduce that fragmentation without forcing every country through an identical legislative process. Coordinating now on AI-era categories — automated decisions, biometrics, neurodata — before two dozen countries independently draft two dozen incompatible answers is a sensible way to avoid a much messier reconciliation problem a decade from now.
Where that argument runs out
But soft-law convergence is not a substitute for the binding law that actually governs how a company or a government agency handles a citizen's data, and Argentina's own record argues for caution rather than confidence. The AAIP is investing real institutional energy — an Observatory, an executive-committee seat on the RIPD, an AI guide, a seat at Cartagena de Indias — in shaping regional principles, while the concrete statute that would give Argentine data subjects new automated-decision rights or AI-specific safeguards has now failed to pass through two full legislative cycles. Regional standard-setting is valuable diplomatic and technical groundwork, but it should not be mistaken for regulatory progress, and it risks becoming exactly that if it substitutes for the harder work of getting Ley 25.326's replacement across the finish line. The pending domestic bills also show why proportionality still matters at the transposition stage: the Carro and Doñate texts reportedly propose a six-month compliance window, versus the two years GDPR and Brazil's LGPD gave businesses to adapt — a compression that would burden exactly the small and mid-sized firms Argentina's tech sector most needs to keep growing. Argentina should finish the law before the next Ibero-American Summit gives it another standard to point to instead.