The Cartagena Commitment
At the XXII Meeting of the Ibero-American Data Protection Network (RIPD), held in Cartagena de Indias, Colombia on May 26–28, Argentina's data protection authority — the AAIP — co-approved the most significant update to the region's shared privacy framework since 2017. The 2026 Iberoamerican Standards for Personal Data Protection add neurodata as an explicit sensitive category, impose new AI governance obligations, and — in the most consequential procedural shift — expand automated-decision protections from decisions that are "exclusively automated" to those that are "exclusively or essentially automated."
That last move matters enormously. It closes the main evasion route companies have relied on under older frameworks: inserting a nominal human reviewer into a decision loop to avoid triggering rights protections. Under the 2026 standards, rubber-stamp oversight no longer suffices. What is required is "qualified, significant, and effective human intervention with the real capacity to understand the system, critically evaluate its results, and deviate from them." This is a meaningful tightening of the baseline, not a cosmetic update.
Three Changes That Shift the Region's Baseline
The neurodata provisions are the most novel. The 2026 standards define neurodata as information related to the functioning, activity, or structure of the human brain that can identify a person or reveal physiological, health, or mental states. Treatment of neurodata for high-risk purposes — inferring mental states, modifying behavior, mass workplace surveillance, or neural pattern identification — "could be subject to prohibitions in the laws of Ibero-American States." This is the first time the RIPD has acknowledged brain-derived data as a distinct sensitive category requiring heightened protection, reflecting the rapid commercialisation of consumer neurotechnology in education, entertainment, and workplace settings.
On AI governance more broadly, the updated standards mandate algorithmic traceability, meaningful human oversight, continuous risk assessment, and regular audits of automated systems. They also extend data quality requirements beyond simple accuracy to encompass representativeness, relevance, integrity, and reliability across the full AI system lifecycle — from training through deployment — explicitly to prevent bias and discrimination. These are not abstract principles; they translate into documented accountability chains and audit trails that data subjects can invoke.
The "essentially automated" shift brings the RIPD framework materially closer to the EU's GDPR Article 22 position. It reflects how modern AI-assisted decision systems actually operate: a human technically reviews outputs, but rarely overrides them, often lacks the technical expertise to do so meaningfully, and sometimes processes hundreds of AI recommendations per hour. Calling that a meaningful safeguard stretches the word past its breaking point; the 2026 standards stop pretending otherwise.
The Argentine Paradox
Here is where Argentina's position becomes genuinely strange. The AAIP's head, Beatriz Anchorena, actively shaped the Cartagena outcomes, presenting the initiative for a new Iberoamerican Data Protection Observatory and leading discussions on international data transfer frameworks as President of the Convention 108 Committee. Argentina was not a passive signatory — it was in the room driving the agenda.
Yet at home, the Milei government is pulling in the opposite direction. In a June 4, 2026 Financial Times op-ed co-authored with Deregulation Minister Federico Sturzenegger, President Milei pledged to keep AI "unregulated" and "free from the deadly hand of premature and poorly understood regulation." The government simultaneously submitted draft legislation on May 29 to amend Argentina's corporations law to create "non-human corporations" — entities operated entirely by AI agents, with no requirement for human shareholders or oversight of any kind.
The steelman version of Milei's position deserves to be heard. There is a genuine risk of premature, poorly-calibrated regulation chilling AI investment in a region hungry for capital and technical talent. Argentina's structural advantages — a large STEM graduate base, competitive costs, favourable time zones — could make it a meaningful AI development hub if regulatory overhead stays proportionate. And there is real substance to the concern that many proposed AI regulations are designed primarily around hypothetical risks rather than documented harms.
But the Milei framework elides a critical distinction: between innovation-hostile process regulation and baseline individual rights protection. Data protection and AI accountability are not the same as industry licensing schemes or antitrust rules. One prevents demonstrable harm to identifiable individuals from opaque automated systems; the other regulates market structure. The RIPD's neurodata provisions and essentially-automated protections are not innovation taxes — they are floors below which unchecked systems cause direct, personal injury. A credit algorithm that discriminates without a right of human review is not a bureaucratic inconvenience; it is a rights violation. The 2026 RIPD standards treat it as such.
The Domestic Deadlock
Argentina's Ley 25326, enacted on October 4, 2000, predates the smartphone, the GDPR, social media at scale, and generative AI by two full decades. It contains no provisions on algorithmic transparency, automated profiling, biometric data, or AI governance. The AAIP's own reform draft, developed through a multi-year public consultation, lost parliamentary status at the end of 2024 without a vote. At least five replacement or reform bills — including proposals by Deputy Pablo Carro and Senator Martín Doñate, both inspired by the AAIP's stalled draft — are now working through Congress with limited momentum.
This deadlock is not purely a Milei-era phenomenon. Reform efforts have stalled under previous administrations too. But the current government's active promotion of the "unregulated AI" posture signals it has no appetite to move reform across the line — even reforms that would merely align Argentina with standards it is already endorsing in Cartagena.
What the Gap Costs
The 2026 RIPD standards are explicitly designed to serve as a "benchmark for the modernization and updating of existing legislation" across Iberoamerica. They will be submitted to SEGIB for possible adoption at the Ibero-American Summit of Heads of State scheduled for November 4–5 in Madrid. If that adoption proceeds, Argentina will be formally committed to a framework that its own domestic law cannot deliver for its own citizens.
Individuals in Argentina today have no statutory right to know whether an employment algorithm, a credit-scoring system, or a public-benefits tool influenced a decision about their lives, no enforceable right to human review, and no explicit protection against brain-derived data being used in consumer or workplace settings. The RIPD's Cartagena update just said all of those things matter — and Argentina's own regulator agreed.
The path forward does not require choosing between innovation and rights. A reformed Ley 25326, aligned with the standards Argentina just helped write, would offer the legal predictability that sophisticated investors actually want. A regime of legal vacuum is not an investment-friendly environment; it is an unpredictable one. Argentina can be an AI hub or it can endorse international standards while ignoring them domestically — but sustaining both simultaneously will become increasingly difficult as the RIPD's Cartagena commitments move toward formal Summit adoption.