Argentina wrote Latin America's first comprehensive privacy statute. A quarter-century later, lawmakers are racing to rewrite it — and the question is no longer whether to modernize, but how fast to force the change.
On 2 June 2026, the IAPP reported that Deputy Martín Yeza had introduced bill 1751-D-2026 in the Chamber of Deputies — a 72-article text organized in 13 titles that would repeal the existing law outright. It joins earlier reform bills from Deputy Pablo Carro and Senator Martín Doñate, all building on a draft circulated by the national data-protection authority, the AAIP. Together they represent the most serious attempt yet to retire Ley 25.326, sanctioned on 4 October 2000.
The case for reform is real
Start with the strongest argument for acting, because it is genuine. Ley 25.326 predates the smartphone, the cloud, the recommendation engine and the large language model. It has no concept of legitimate interest as a lawful basis, no breach-notification duty, no data-portability right and no rules for automated decision-making. Its enforcement teeth — fines denominated in a fixed peso schedule — have been hollowed out by two decades of inflation. A law that cannot meaningfully fine a company that leaks millions of records is not protecting anyone.
There is also a strategic clock running. The European Commission granted Argentina an adequacy finding in 2003 under Commission Decision 2003/490/EC, one of only a handful of non-European countries to hold that status. That decision lets data flow freely from the EU to Argentine servers — a real competitive asset for the country's outsourcing and software sectors. But the Commission committed to monitor Argentina's legal order "on an ongoing basis," and adequacy decisions are no longer permanent. A framework frozen in 2000 is a standing risk to the very data flows that make Argentina attractive. Reform, in other words, is not regulators chasing fashion. It is overdue.
A pro-innovation draft worth defending
What distinguishes the Yeza bill is that it tries to modernize without simply photocopying Brussels. Its first article folds technological innovation and economic development into the law's stated purpose, and Article 4 establishes a "responsible pro-innovation" interpretive principle that favors technically viable solutions. Article 5 finally introduces legitimate interest among six lawful bases; Article 6 expressly permits training AI systems on that basis, subject to a balancing test against individual rights. The bill also proposes a regulatory sandbox, a tiered classification of organizations (basic, intermediate, advanced) with proportionate obligations, and a lighter regime for startups — borrowing as much from South Korea, the United Kingdom and Singapore as from the GDPR.
This is the right instinct. A privacy law that treats a two-person fintech and a multinational ad network identically imposes the heaviest compliance cost on exactly the firms least able to bear it. Yeza's bill caps administrative fines at roughly 1% of local revenue and limits mandatory data-protection-officer appointments to advanced processors — proportionate calibration rather than maximalism. That is what evidence-based regulation looks like.
The six-month problem
The flaw is timing. Like the AAIP-drafted bill sent to Congress in 2023, the current proposals would have most provisions take effect roughly six months after publication, with the new sanctions applying almost immediately. The Hunton privacy team documented that structure: general provisions effective six months after publication, fines "applicable immediately upon publication."
Set that against precedent. The EU's GDPR was adopted in 2016 but did not apply until May 2018 — a two-year runway. Brazil's LGPD (Law 13.709/2018) gave its market a comparable multi-year glide path before enforcement began in 2020. These were not acts of regulatory laziness. They reflected a hard-won lesson: importing accountability, privacy-by-design, portability and automated-decision rights all at once requires firms to re-architect systems, retrain staff, appoint officers, draft impact assessments and renegotiate vendor contracts. Six months is enough time to paper over compliance with policy PDFs; it is not enough to actually build it.
The asymmetry is sharpest for the firms Yeza's own bill claims to protect. A startup can absorb new rules if it has time to design around them. Drop a GDPR-equivalent regime on it in 180 days, with fines live from day one, and the realistic outcomes are defensive over-compliance, paralysis, or simply ignoring the law and hoping the under-resourced AAIP looks elsewhere. None of those advances privacy. As the JURIST commentary on the reform noted, the goal is to "balance innovation and fundamental rights" — but a balance struck in the statute can be undone by the calendar.
The fix is small
The encouraging part is that the substance and the schedule are separable. Argentina does not have to choose between a modern law and a workable one. Lawmakers could keep Yeza's tiered, sandbox-friendly architecture intact and simply extend the transition to the 18–24 months that the EU and Brazil treated as the floor, phasing sanctions in last rather than first. That single amendment would convert a credible reform into a durable one — and make it far likelier to survive the European Commission's adequacy review rather than trigger a fresh round of uncertainty.
Argentina was first to this problem in 2000. It now has a chance to get the second draft right. The danger is not that the new law asks too much. It is that it asks for it too soon.