
Argentina's 25-Year-Old Privacy Law Has No Breach-Notification Duty — and a Fresh RENAPER Leak Shows the Cost

A new LaPampaLeaks RENAPER breach tests the AAIP under a 2000-era statute that still imposes no mandatory breach reporting, putting EU adequacy at risk.

[Infographic: Argentina's Privacy Gap by the Numbers (People of Internet Research). Panels: age of Ley 25.326 (25 years, enacted in 2000); mandatory breach notice (none); stalled 72-hour rule; EU adequacy in force since 2003.]


On June 3, 2026, the Argentine outlet El Estratégico, citing the cybersecurity firm VECERT Analyzer, reported that a threat actor calling itself LaPampaLeaks was offering paid API access to millions of identity records held by RENAPER, the National Registry of Persons. To prove the claim, the actor reportedly published query results for high-profile individuals — President Javier Milei, former president Cristina Fernández de Kirchner, deputy Lilia Lemoine, and officials of the state intelligence service. The seller described the system as "completa y totalmente local" — a standalone criminal API decoupled from government infrastructure so it keeps working even if the original access path is closed.

The pattern is wearily familiar. In September 2021, an account called @AnibalLeaks posted RENAPER ID photos; the Interior Ministry insisted "la base de datos no sufrió vulneración o filtración alguna," blaming a compromised Health Ministry VPN credential rather than a database breach, and filed a criminal complaint. In December 2025, after another suspected mass leak, the data-protection regulator opened an ex-officio investigation. The June 2026 incident is the third act of the same play.

A regulator policing a pre-modern statute

Argentina's data protection rests on Ley 25.326, enacted in 2000 — one of Latin America's first privacy laws and the basis for the EU's 2003 adequacy recognition. Twenty-five years on, the statute shows its age. As a December 2025 JURIST commentary noted, the law "predates many technological advances and the GDPR regime," and enforcement by the Agencia de Acceso a la Información Pública (AAIP) has "historically been limited, with the AAIP becoming more of a guide than an agency for enforcing sanctions."

The most consequential gap is procedural: Ley 25.326 imposes no mandatory breach-notification duty. This is not a footnote — it shapes how every RENAPER incident unfolds. In its December 19, 2025 notice, the AAIP itself acknowledged it "has not received formal notification about a security incident" and had to open proceedings on its own initiative, contacting suspected agencies and asking national cybersecurity authorities whether anything had been reported. A reform bill that would have required incidents to be reported to the AAIP within 72 hours of discovery lost parliamentary status in 2025. So the regulator learns of national-scale leaks the same way the public does: from a security researcher and a news headline.

Steelmanning the light-touch position

There is a real case for caution about mandate-heavy privacy regimes. Notification duties carry compliance costs, and poorly drafted ones produce "notification fatigue" — a flood of low-risk disclosures that desensitizes the public and burdens small firms. Argentina's relatively spare framework has, for two decades, avoided the bureaucratic overhead now associated with the GDPR, and reformers like Representative Yeza (bill 0904-D-2025) have pushed innovation-focused updates precisely to keep any new regime proportionate rather than a copy-paste of Brussels. A pro-innovation publication should take that instinct seriously: more law is not automatically better law.

But the LaPampaLeaks episode is not an argument for that caution — it is the counter-example that defines its limit. The absence of breach notification here does not protect innovation; it corrodes the trust that digital markets run on. When a state register of the entire population can be siphoned and resold via API, and the supervisory authority must reverse-engineer what happened from a researcher's screenshots, the deregulatory "benefit" is illusory. Citizens carry the externality — identity theft, fraud, doxxing of officials — while the entities that failed to secure the data face no obligation even to admit it happened.

The adequacy stakes

The strongest pro-innovation argument for fixing Ley 25.326 is economic, not moralistic. Argentina's EU adequacy decision, in force since June 30, 2003 and reconfirmed in the European Commission's 2024 review of eleven adequacy findings, lets personal data flow from the EU to Argentine firms without extra safeguards. That status is a competitive asset for Argentina's IT and services exporters. It is also conditional: adequacy must reflect protection "essentially equivalent" to EU law, and the European Data Protection Board has been pressing the Commission to scrutinize legacy decisions. A 25-year-old statute with no breach-notification rule, modest fines, and an under-powered regulator is exactly the profile that invites a downgrade. Losing adequacy would do far more damage to Argentine tech firms than a proportionate notification duty ever could.

A proportionate fix

The right reform is narrow and pro-growth. A risk-tiered 72-hour notification duty — mandatory reporting to the AAIP for incidents likely to cause harm, with public notice reserved for high-risk cases — would close the worst gap without drowning firms in paperwork. Pair it with meaningful but predictable fines and clearer security-standard obligations for public registries like RENAPER, which hold the highest-value data and have now failed publicly at least three times.

The several reform bills before Congress (S-0644/2025, 1948-D-2025, 0904-D-2025, S-0968/2025) give legislators the raw material to do this without starting from scratch. The lesson of LaPampaLeaks is not that Argentina over-regulates data — it is that the one rule modern privacy law cannot do without is the one Argentina still lacks. Proportionate regulation here means more certainty, not less freedom: tell people when their identity records have been stolen.

Sources & Citations

  1. AAIP ex-officio investigation notice (Dec 2025)
  2. RENAPER criminal complaint over credential misuse
  3. Ley 25.326 — Protección de Datos Personales (full text)
  4. El Estratégico — nueva filtración RENAPER / LaPampaLeaks
  5. The Record — RENAPER ID database breach (2021)
  6. JURIST — Argentina's privacy law on the defensive