- The current Constitution sets out the right to the protection of personal data in Article 19(4), delegating to the legislator the establishment of the form and conditions to determine the way in which this is done.
- The norms contained in the proposed New Constitution describe in greater detail the right to the protection of personal data contained in the current Constitution.
- Rights related to the evolution of IT systems are developed and enshrined in line with comparative experience.
- It also incorporates a right to computer security, which is a world-first in this area.
Proposal contained in the Draft New Constitution
The New Constitution Draft innovates in substantive matters on the protection of personal data. Below, we transcribe the proposed articles and briefly comment on these provisions.
Article 9.- Right to the Protection of Personal Data (first paragraph). All persons have the right to the protection of personal data, to know, decide and control the use of information concerning them.“
Article 27.- Right to informational self-determination. Everyone has the right to the protection of personal data. This right includes the right to access the data collected concerning him/her, to be informed and to oppose the processing of his/her data and to obtain its rectification, cancellation and portability, without prejudice to others established by law.
The processing of personal data may only be carried out in the cases established by law, subject to the principles of legality, loyalty, quality, transparency, security, purpose limitation and data minimisation.“
The latter articles contains the following elements:
i) Rights of access, rectification, cancellation, objection and portability (ARCOP)
It establishes ARCOP rights at the constitutional level, bringing greater precision to the norms contained in the current Constitution, which only broadly stablishes the protection of personal data. This enshrinement does not contradict the norms currently contained in law No. 19,628 on the protection of privacy, but adds a new right of portability, currently guaranteed only for certain personal data in the context of phone number portability and financial portability. In any case, an amending reform of this law is underway (Consolidated bulletins N° 11092-07 and N° 11144-07), which would include all these rights, including the right of portability. This bill is expected to be approved by the time the New Constitution Draft enters into force, if it is approved.
ii) Principles in the processing of personal data
It establishes at the constitutional level principles relating to the processing of personal data provided in the European General Data Protection Regulation, considered one of the most modern regulations in this respect in the West. These principles are partially included in the bill reform of the law on the protection of personal data currently under discusstion. However, the Draft New Constitution adds to these principles the principles of loyalty and minimization, which are not expressly contemplated in said bill. The possible approval of the aforementioned bill and the Draft New Constitution will generate a convergence of principles for the processing of personal data contemplated in the legislation and in the Constitution, which will require interpretative efforts to delimit their scope and content.
iii) Informational self-determination
The right to informational self-determination is expressly enshrined. This right recognizes the power of individuals to control their own information, which circulates and is stored in various databases, and arises from the increasing intrusion into different areas of society brought about by the development of information technology.
iv) Possible harmonisation
Articles 9 and 27 are likely to be merged in the Harmonisation Commission, which is currently in session, as they regulate similar matters.
Article 10.- Right to computer security. All persons, individually and collectively, have the right to the protection and promotion of computer security. The State and private individuals shall adopt the appropriate and necessary measures to guarantee the integrity, confidentiality, availability and resilience of the information contained in the computer systems they administer, except in the cases expressly indicated by law.“
This article contains the following elements:
i) Collective and individual right to computer security
The right to information security is established collectively and individually. The enshrinement of this right constitutes an innovation at the international level, as there is no equivalent provision in any other Constitution. This right is in line with the bills being processed in Congress, especially the law on computer crimes (Bulletin 12192-25) and the Cybersecurity Framework Law (Bulletin 14847-06), which aim to improve the standards and legal tools for protection in digital environments available to citizens.
ii) Adoption of appropriate and necessary measures
This article describes in general terms the appropriate and necessary measures to ensure the triad of information, i.e. the integrity, confidentiality and availability of information. It also incorporates the duty to ensure through these measures the resilience of the information. The latter is imprecise, given that resilience is a quality of IT systems, and not of the information contained in them.
Innovation of the proposal in this area
Two rights that were not previously included in the Constitution are expressly set forth: the right to informational self-determination and the right to information security. The latter is not included in any other Constitution in the world.
The rights enshrined in the New Constitution Draft will require the enactment of new laws for their practical effectiveness, considering the addition of new rights to the existing catalogue, and the shortcomings of the current legal regime in relation to their effective enforcement.
Contact
