A Full Repeal, Not a Patch
On April 22, 2026, Deputy Martín Yeza (PRO, Buenos Aires) filed Expediente 1751-D-2026, a 72-article, 13-title bill that would repeal Argentina's 26-year-old Ley 25,326 in its entirety and replace it with a framework built around what the bill calls a "pro-responsible-innovation" interpretive principle (diputados.gob.ar). The bill has been referred to the Constitutional Affairs, Justice, and Budget and Finance committees.
This is not the only reform bill in play. Senator Doñate's 644-S-2025 and Deputy Carro's 1948-D-2025 both track the GDPR closely, and the executive branch has its own reform effort running since a 2022 public consultation that drew 173 submissions (AAIP). Yeza's bill is the outlier — and the most explicit break from the European template.
Six Doors Instead of One
Ley 25,326, like the GDPR it was modeled on, treats consent as the default gateway to lawful processing. Yeza's bill instead sets out six co-equal bases: consent, contract performance, legal obligation, vital interests, public interest, and legitimate interest (IAPP). Legitimate interest is defined broadly enough to explicitly cover training AI systems on personal data, subject to a "test de prevalencia de los derechos del titular" — a balancing test weighing the processing against the data subject's rights, rather than a flat consent requirement.
The bill also introduces a tiered classification of data controllers — basic, intermediate, advanced — with a lighter compliance regime for startups and "innovative projects," plus a regulatory sandbox for AI development. Breach notification to the AAIP would be required only "within a reasonable time," and notification to affected individuals only where there is a "significant probability of concrete harm" — a materially lower bar than the 72-hour regulator notice mandated by both the Carro and Doñate bills. Maximum fines are capped at 1% of local annual revenue, versus the 2–5% of global turnover — with permanent shutdown as a possible sanction — in the competing bills (Marval).
The Case Against Moving Too Far From GDPR
The strongest objection to Yeza's approach isn't ideological, it's structural: Argentina has held an EU adequacy decision since 2003, one of only a handful of countries outside Europe with that status, and it lets personal data flow from the EU to Argentine companies — including the BPO and knowledge-economy firms that are a real part of Argentina's export base — without additional contractual safeguards (European Commission). When the Commission reviewed that adequacy finding on January 15, 2024, it kept it in place but recommended Argentina "enshrine in legislation" protections that currently exist only in case law and sub-legislative rules, and it flagged that adequacy could be revisited if the framework falls too far behind the GDPR baseline.
A bill that lets AI developers train on personal data under a legitimate-interest test rather than consent, sets a materially softer breach-notification trigger, and caps fines an order of magnitude below the GDPR standard is precisely the kind of divergence that risks feeding that future review. Critics of a separate executive-branch proposal have also raised a fair point that applies here too: any reform that leaves government use of personal data loosely regulated, or leaves the AAIP's independence under-specified, invites scrutiny regardless of how the private-sector rules are drawn.
Why the Divergence Is Still Worth Taking Seriously
That said, adequacy under EU law has never required a verbatim GDPR clone — it requires essential equivalence, a standard South Korea, the UK, and Singapore (the three jurisdictions Yeza's bill draws from) have each satisfied through frameworks that are not consent-maximalist. Consent-fatigue is a well-documented failure mode of GDPR-style regimes: endless cookie banners and boilerplate consent clicks that protect no one while adding friction for every legitimate use, including the kind of aggregate-data AI training that has little realistic path to individualized consent at scale.
For an economy where startups and the knowledge sector are a genuine growth engine, a tiered compliance burden and a sandbox for AI pilots is a defensible design choice, not a giveaway — provided the legitimate-interest test for AI training is enforced with real teeth by an independent regulator, and provided state processing gets the same scrutiny as private processing. The bill's weakest points are fixable without abandoning its core structure: tighten the breach-notification trigger, raise the fine ceiling enough to deter large platforms rather than only small firms, and make the AAIP's independence from the executive explicit in the text.
What Happens Next
With three competing bills now in Congress and none advanced past committee referral, Yeza's proposal is unlikely to become law as filed. Its real function may be to shift the Overton window of Argentina's reform debate away from reflexive GDPR-copying and toward the harder question of what proportionate, adequacy-compatible regulation looks like for a mid-sized digital economy. That is a debate worth having on the merits — not one Argentina should resolve by simply importing Brussels' rulebook wholesale, but one it also can't win by ignoring what Brussels has already said it wants to see.