On April 13, 2026, Argentina's Agencia de Acceso a la Información Pública (AAIP) opened an investigation into the debt-collection firm 5 ON LINE S.R.L. for alleged breaches of the country's Personal Data Protection Law, Ley 25.326. According to the agency's announcement, the complaints describe a familiar but corrosive practice: collectors phoning people who owe nothing — family members, friends, coworkers, and even neighbors of the debtor — to apply social pressure. The AAIP went a step further than usual, warning that the creditors who handed over the data are not off the hook either: the cesionario (data recipient) remains bound by the same obligations as the party that transferred the file, and can share liability for unlawful processing.
The regulator has the better of the argument here
It is worth stating plainly that the AAIP's instinct is sound. Calling a debtor's neighbor to discuss a debt is not a marketing nuisance; it is the weaponization of personal data to inflict reputational and psychological harm on people who are not party to any contract. Under Ley 25.326, processing personal data requires a lawful basis and must respect the finalidad (purpose) for which the data was collected. A neighbor's phone number gathered for one purpose, then used to embarrass a stranger into paying someone else's bill, fails that test on its face. The agency is also right that liability should follow the data. A bank or retailer that sells or assigns a portfolio of debts cannot launder its accountability by outsourcing the dirty work to an agency it chose precisely because that agency gets results. Naming both ends of the chain is good enforcement design.
So the question is not whether the conduct is wrong. It is whether Argentina's 2000-vintage statute gives the AAIP tools that actually change behavior — and here the evidence is discouraging.
The deterrence problem is structural, not rhetorical
Ley 25.326 was enacted in 2000. Its sanctions provision, Article 31, lets the regulator issue warnings and suspensions and impose fines ranging from 1,000 to 100,000 pesos. When the law passed, 100,000 pesos was a serious sum — pesos traded roughly one-to-one with the dollar. Twenty-six years and several currency crises later, that ceiling is worth a few hundred dollars. The AAIP's own enforcement record reflects the squeeze: an IAPP review of recent sanctions lists fines such as ~80,000 pesos against a bank and ~30,000 against a finance company — figures that round to a few hundred US dollars apiece.
For a collection firm whose business model is aggressive outreach, a maximum penalty smaller than a single employee's monthly cost is not a deterrent; it is a licensing fee. This is the core failure. A privacy law whose worst-case sanction is a rounding error invites exactly the cost-benefit calculation that produces neighbor-shaming call campaigns. The harm is real, the prohibition is clear, and the price of breaking it is trivial.
Proportionality cuts both ways
A pro-innovation, proportionate-regulation stance is sometimes mistaken for a reflex against enforcement. It is the opposite. Proportionality means the penalty should track the gravity of the conduct and the size of the actor — which is precisely what a fixed-peso ceiling cannot do. A turnover-linked penalty, of the kind the EU's GDPR pioneered (up to 4% of global annual revenue) and which Brazil's LGPD adapted with a 2%-of-revenue cap, scales the sanction to the offender. A large bank assigning portfolios to abusive collectors feels a percentage; a small legitimate agency that makes a clerical error does not get crushed. That is the regulatory architecture Argentina lacks.
Argentina has been trying to fix this. A modernization bill to replace Ley 25.326 — aligning it with GDPR-style principles and updating the sanctions regime — has been discussed for years, and the AAIP issued Resolution 126/2024 updating its sanctioning criteria within the limits the old statute allows. But administrative tinkering cannot raise a statutory ceiling. Only Congress can, and it has not.
What good looks like
The lesson of the 5 ON LINE probe is not that Argentina over-regulates data — it is that its enforcement teeth have rotted while the harms have evolved. The fixes are well understood and do not require importing a European bureaucracy wholesale:
- Index the penalties. Tie fines to a unit that floats with inflation — the Unidad de Valor Adquisitivo or a revenue percentage — so the deterrent survives the next currency cycle.
- Codify chain liability. Put the AAIP's cesionario position into statute, so creditors who sell data to abusive collectors face certain, not discretionary, exposure.
- Keep it targeted. Reserve the heaviest sanctions for the specific, demonstrable harm — contacting uninvolved third parties — rather than blanket restrictions that would burden legitimate, consented collection.
The open internet and a healthy fintech and lending sector depend on data flowing under rules people trust. Argentina's debtors deserve a regulator that can actually stop their neighbors from being harassed; its honest lenders deserve rules that punish abuse without strangling routine business. Both goals point the same direction: a modern statute with sanctions that bite the bad actors and spare the rest. The 5 ON LINE case shows the AAIP knows where the harm is. It just needs a Congress willing to hand it a tool sharper than a 26-year-old peso fine.