A Pioneer That Has Been Lapped
When Argentina enacted Ley 25326 in October 2000, it was a genuine continental first. No other Latin American country had passed comprehensive data protection legislation. The law established consent requirements, habeas data rights allowing individuals to access or delete their personal records through direct court action, and an independent regulator — the Agencia de Acceso a la Información Pública (AAIP). Three years later, the European Commission issued Commission Decision 2003/490, recognising Argentina's framework as sufficient for cross-border data flows from the EU — a status the Commission reaffirmed in January 2024 when it reviewed eleven pre-GDPR adequacy decisions and confirmed all of them.
But the Commission's January 2024 review came with an implicit warning. Several of Argentina's key data protection safeguards exist not in statute but in sub-legislative AAIP resolutions — a weaker form that can be revoked or modified without parliamentary oversight. The Commission noted that adequate protection frameworks should be codified at the statutory level. That is a soft deadline: if Argentina's law continues to diverge from GDPR standards in the next review cycle, the answer may not be the same.
What the AAIP Is — and Isn't
The AAIP has been active within its existing powers. In May 2024, it issued Resolution 126/2024, restructuring the sanctions regime: minor infractions now carry fines up to ARS 40 million per conduct category, serious infractions up to ARS 45 million, and very serious infractions up to ARS 50 million. In August 2025, Resolution 145/2025 created a Program for Strengthening Personal Data Protection in the National Public Administration, directing federal agencies to appoint data protection officers, maintain database registries, and adopt formal privacy policies aligned with Ley 25326.
These are meaningful steps. But they cannot solve the structural enforcement problem. The AAIP's 2025 action against Laboratorios Ferring S.A. illustrates where the framework breaks down: the regulator found three distinct violations — failure to respond to a patient's data access request, processing sensitive health data without valid documented consent, and unauthorised third-party data sharing — and issued a total fine of ARS 205,001, approximately USD 2,400 at current exchange rates. For a multinational pharmaceutical firm, that is a compliance footnote, not a deterrent.
A February 2025 AAIP transparency review covering 206 federal agencies found an average compliance score of 50.6 out of 100 — a 5.6-point improvement over the previous semester, but still below the midpoint. If public bodies cannot clear that bar under existing rules, the private-sector picture is likely similar. Resolutions and voluntary programmes can shift culture at the margins; they cannot substitute for statutory teeth.
A Legislature Generating Bills Without Landing Them
Congress has not been inactive, exactly — it has been producing reform proposals without enacting one. As of June 2026, at least four significant bills are in play.
The most comprehensive are bills S-0644/2025 and 1948-D-2025, both drawing from a draft the AAIP itself submitted in 2024 before it lost parliamentary standing at year's end. Both would transform Argentina's compliance landscape: 72-hour breach notification obligations, mandatory Data Protection Officers for large data processors, data portability rights, explicit protections against purely automated decision-making with legal effects, and — most consequentially — fines scaled to 4 percent of global annual turnover. That would bring Argentina's penalty regime into rough GDPR equivalence.
A competing proposal, Bill 0904-D-2025, takes a more calibrated approach. It classifies organisations by data processing intensity — basic, intermediate, and advanced — and creates tiered compliance obligations, with lighter requirements for startups and heavier burdens for data-intensive enterprises. A fourth proposal, Bill 4243-D-2025, focuses specifically on AI governance, introducing mandatory risk assessments and a National AI Registry for medium- and high-risk systems.
The case for statutory reform is real. Fair credit to the regulators: Ley 25326 genuinely lacks protections that modern data subjects need. There is no statutory breach notification requirement, no portability right, and no explicit framework for algorithmic decision-making. A 2023 Buenos Aires court ruling striking down the city's facial recognition fugitive-identification system as unconstitutional — on privacy and misidentification grounds — demonstrated that courts will step in where legislators haven't. The AAIP's own September 2023 AI Observatory and voluntary transparency guidelines are stopgaps, not governance.
The Innovation Trade-Off Congress Should Get Right
The risk in the current legislative pile-up is that Argentina's reform race to be GDPR-faithful rather than GDPR-appropriate. Full GDPR transposition would impose compliance costs — mandatory DPOs, impact assessment requirements, 72-hour breach timelines — that are proportionate for a large fintech or a multinational bank but potentially crippling for a Buenos Aires startup with ten engineers and a series A round.
Bill 0904-D-2025's tiered architecture deserves serious attention. Argentina has built a real digital services and fintech ecosystem over the past decade. Privacy reform should protect users from documented harms — health data sold without consent, access requests ignored, breach victims left in the dark — without inadvertently taxing the innovation pipeline that produced the companies large enough to regulate in the first place.
The right legislative outcome for 2026 is a consolidated bill that combines the rights architecture of S-0644/2025 — data portability, breach notification, algorithmic transparency — with the tiered obligations of 0904-D-2025, extending heavier compliance requirements to large data controllers on a rolling basis and giving smaller organisations a credible sunset runway.
Argentina earned its EU adequacy status by leading Latin America in 2000. Maintaining it in 2026 requires more than resolutions and voluntary guidelines. Congress has the bills; what it needs is the judgment to combine them well.