A Regional Leap While National Reform Stalls
On June 15, 2026, the Ibero-American Data Protection Network (RIPD) concluded its annual summit in Cartagena de Indias, Colombia, with a unanimous vote to adopt the most significant overhaul of its regional data protection standards in nearly a decade. Argentina's own Agency for Access to Public Information (AAIP) — represented by Director Beatriz Anchorena and National Director of Personal Data Protection Violeta Paulero — voted in favour alongside counterparts from across Latin America and the Iberian Peninsula. AAIP holds a seat on RIPD's Executive Committee and Anchorena also used the occasion to present advances of the Iberoamerican Observatory of Personal Data Protection, a regional knowledge-exchange initiative the AAIP itself championed into existence in May 2025.
The 2026 RIPD Standards are a substantial upgrade from the 2017 version they replace. Most strikingly, they classify neurodata as a special category of sensitive information for the first time — defined as data "related to the functioning, activity or structure of the human brain that allow identifying or making identifiable a person or inferring information relative to their physiology, health or mental states." The document identifies several high-risk AI applications that "could be subject to prohibitions in the legislations of Iberoamerican States," including inferring mental states or intimate convictions, modifying a person's will or behaviour, and identifying individuals through neuronal patterns. For automated decisions with significant legal effects, the standards require "qualified, significant and effective human intervention, with real capacity to understand the system, critically evaluate its results and depart from them." Child protection, biometrics safeguards, and algorithmic governance round out the package. It will be forwarded to the Ibero-American General Secretariat (SEGIB) for potential formal adoption at the November 4–5 Iberoamerican Summit in Madrid.
The Strongest Case for These Standards
The RIPD's neurodata provisions deserve to be taken seriously on their merits. Consumer brain-computer interface devices, workplace EEG monitoring systems, and AI tools that infer emotional states from biometric signals are already commercially available. The risk that data derived from thought and cognition could be exploited for manipulation, discrimination, or profiling is not speculative — it is a documented commercial reality. Chile amended its constitution in 2021 to include mental integrity and brain data protections; the EU's AI Act restricts real-time biometric categorisation. Regional harmonisation of these baseline protections, rather than a patchwork of divergent national rules, reduces compliance complexity for companies and strengthens protections for individuals without banning the underlying technologies. This is proportionate standard-setting.
Argentina's Own Law Is a 2000 Artefact
The irony is pointed. Argentina's domestic data protection statute — Ley 25.326, enacted on October 4, 2000 — was designed for a world of static, identifiable databases. Smartphones did not yet exist in mass-market form. Social media was a decade away. AI-driven data pipelines were a research curiosity. The law established reasonable foundational principles — purpose limitation, data subject rights, a database registration system — but cannot accommodate the continuous, opaque data processing of 2026.
The gaps between Ley 25.326 and both the new RIPD standards and the EU's GDPR are extensive: no statutory right to data portability; no privacy-by-design or privacy-by-default obligation; no proactive accountability framework; no mandatory breach notification timeline; no explicit neurodata category; and ambiguous, low-deterrence treatment of automated decision-making. The AAIP itself has noted that its enforcement posture is primarily reactive — complaint-driven — and that current sanctions are too low to deter large-scale violations.
Reform Has Been Attempted Repeatedly — and Failed
The AAIP is not passive about this. In 2022, it led a thorough public consultation that gathered 173 submissions from 123 stakeholders — citizens, civil society, universities, and the private sector — and produced a comprehensive draft bill aligned with GDPR principles. The Fernández government transmitted this as Message 87/2023 to the Chamber of Deputies. The bill never came to a vote, losing parliamentary state at the end of 2024. Two new bills, introduced in 2025 by Deputy Pablo Carro and Senator Martín Doñate drawing on the AAIP's earlier framework, remained in committee as of early 2026. The reform has now cycled through at least two administrations and multiple legislative sessions without passage.
A notable design flaw in the 2025 proposals compounds the risk: they provide only a six-month compliance transition window, compared to the two-year runway that both GDPR and Brazil's LGPD afforded businesses. That compressed timeline has drawn concern from business groups about feasibility for small and medium enterprises — concern that, whatever the merits, creates additional legislative friction.
What Gets Lost in the Delay
The stall carries concrete costs. The EU Commission's adequacy decision for Argentina — which allows data to flow without supplementary safeguards — was granted in 2003, premised on the adequacy of Ley 25.326 as it then stood. Brazil modernised its framework with the LGPD in 2020. Colombia, Chile, Mexico, and Costa Rica have each updated their laws toward GDPR-equivalent standards. Argentina risks becoming the regional outlier just as the bloc moves toward convergence, and an EU adequacy reassessment could impose significant friction on cross-border data flows that underpin research, outsourcing, and commercial relationships.
There is also a structural embarrassment in the current situation. Argentina's AAIP is actively shaping the regional architecture — co-authoring standards on neurodata, AI oversight, and child protection — that Argentine law cannot implement. AAIP adopted RIPD's Model Contractual Clauses for international transfers via Resolution 198/2023, demonstrating it can move by regulatory instrument when the legislature stalls. But the core law underpinning that framework is 26 years old.
A Proportionate Path Forward
The 2026 RIPD standards are not a maximalist agenda. They do not require sweeping new bureaucracies or blanket technology bans. They require that neurodata be treated with the same heightened care as health data. They require that a human being who can genuinely evaluate and override a system's output be in the loop when automated decisions have legal consequences. They extend child protection principles that Argentine law should already apply by constitutional mandate.
A reform bill incorporating these baseline requirements, alongside GDPR-aligned accountability obligations, a workable breach notification regime, and fines calibrated to actual deterrence, would be internationally credible and domestically proportionate. Congress has had the AAIP's draft in some form since 2022. The Carro and Doñate bills represent a fresh opportunity. If Argentina is still in committee when heads of state meet in Madrid in November to formally endorse the standards that Argentina's own regulator co-authored, the gap between regional leadership and domestic inaction will be difficult to explain.