On April 22, 2026, Argentine Deputy Martín Yeza (PRO, Buenos Aires) filed bill 1751-D-2026, a 72-article framework that would expressly repeal Ley 25.326 — the data-protection statute Argentina passed in 2000 — and its implementing Decree 1558/2001, replacing both with a principles-based regime built around proportionality and proactive accountability. According to the bill's own metadata on the Chamber of Deputies site, it spans 13 titles and draws explicitly on the regimes of South Korea, the United Kingdom, and Singapore alongside the EU's GDPR. It is the most innovation-forward of the several reform proposals now circulating in Congress, and the most explicit about regulating artificial intelligence head-on.
What the bill actually changes
The headline shift is structural. Ley 25.326 was built around consent as the default lawful basis for processing — a design that has aged badly in a world of large-scale model training and inferred data. Per an analysis by the International Association of Privacy Professionals (IAPP), Yeza's Article 5 expands the lawful bases for processing from a consent-centric model to six alternatives, including a new legitimate-interest ground. Article 6 then does something few data-protection statutes anywhere have done explicitly: it permits training AI systems under that legitimate-interest basis, subject to a balancing test that weighs the controller's purpose against the rights of the data subject.
The bill also addresses the questions that consent-era law simply did not anticipate: rules on automated decision-making, the use of pseudonymisation for AI development, the deletion of personal data already absorbed into a trained model, and regulatory sandboxes for AI-based projects. And it codifies an interpretive principle — Article 4(k), in the IAPP's reading — directing regulators toward "solutions that guarantee rights without discouraging technologically viable practices." That is a deliberate thumb on the scale toward what the bill calls a responsible pro-innovation posture.
The case for the cautious view
The strongest argument against this design deserves to be stated plainly. Treating model training as a presumptive legitimate interest shifts the burden: instead of a company asking permission, the individual must rely on a balancing test and, in practice, on a regulator's willingness to police it after the fact. Fundación Vía Libre, Argentina's leading digital-rights group, argues that the broader reform package weakens core protections — failing to classify biometric and genetic data as sensitive, introducing tacit consent, easing cross-border transfers, and leaving the oversight authority subordinate to the executive rather than independent. Those are serious objections. A balancing test is only as strong as the institution applying it, and a data-protection authority that answers to the government it is meant to constrain is a structural weakness, not a drafting quibble. On surveillance and state data use in particular, the precautionary instinct is well-founded.
Why the pro-innovation framing is still the right call
That said, the cautious view mistakes the failure mode. Ley 25.326's consent-default did not produce strong privacy in practice; it produced consent theatre — boilerplate checkboxes that protect no one while making lawful, beneficial data use legally uncertain. A legitimate-interest basis governed by a documented balancing test is not deregulation. It is honest regulation: it forces controllers to articulate and defend their purpose, which is more accountability than an unread consent banner ever delivered.
The AI provisions are where this matters most. A statute that ignores model training does not prevent it — it simply leaves developers guessing whether ordinary research is lawful, which favours incumbents who can absorb legal risk and punishes Argentina's startups and public-sector AI projects. By naming training on public data as a recognised interest subject to a balancing test, the bill replaces ambiguity with a rule. The sandbox mechanism, borrowed from the UK and Singapore, lets regulators supervise novel systems in a controlled setting rather than banning by default — proportionate oversight, not permission-slip government.
The deletion-from-trained-models provision is the bill's most forward-looking element, and the hardest to implement honestly. Removing a single person's contribution from a trained model is not as simple as deleting a database row; the technique is unsettled. A workable regime should demand documented best-effort remediation, not the legal fiction that any record can be perfectly un-trained on demand.
The adequacy stakes
There is a concrete reason Argentina cannot simply copy the most permissive model. Since Commission Decision 2003/490, Argentina has held EU adequacy status — one of a small group of non-EU countries whose companies can receive European personal data without extra safeguards, a status the Commission reaffirmed in its January 2024 review. That status is an economic asset for Argentine data and software exporters, and it is conditioned on maintaining protections the EU regards as essentially equivalent to the GDPR. Lean too far toward the legitimate-interest expansion without GDPR-grade safeguards and Argentina risks an adequacy review it would rather not invite.
This is the needle Yeza's bill has to thread, and competing proposals from Senator Martín Doñate and Deputy Pablo Carro — both descended from the AAIP's own 2024 draft, which lost parliamentary status — pull harder toward institutional independence and EU alignment. The right outcome is a synthesis: keep Yeza's pro-innovation clarity on AI training and sandboxes, but adopt the rivals' insistence on an independent authority confirmed by the Senate and on sensitive-data safeguards robust enough to satisfy Brussels. Argentina built the region's first serious privacy regime in 2000. Modernising it for the AI era is overdue — and doing it as a rule-clarifying reform rather than a deregulation is the version worth passing.