Introduction 

Argentina occupies a unique place in the global history of data protection. At the turn of the millennium, long before privacy became a mainstream regulatory concern, Argentina enacted one of the most comprehensive personal data protection regimes in the world. Law 25,326, adopted in 2000, placed the country at the forefront of privacy governance in Latin America and earned it early international recognition, including an adequacy decision from the European Union in 2003.  

Yet, two decades later, that pioneering framework is being tested by a technological environment it was never designed to regulate. The rapid expansion of generative artificial intelligence (GAI), algorithmic decision-making, and large-scale data processing has exposed structural gaps in Argentina’s once-cutting-edge privacy regime. Today, Argentina’s privacy law is no longer shaping technological development; instead, it is increasingly being forced to respond defensively to AI-driven practices that challenge its foundational assumptions. 

Argentina’s Early Leadership in Data Protection 

Argentina was the first country in Latin America to adopt a comprehensive personal data protection law. Enacted in 2000, the Personal Data Protection Act (Law 25,326) integrated privacy protections into a unified legislative framework at a time when most jurisdictions were still addressing data protection in a fragmented or sectoral manner. 

The law established core principles that remain central to modern privacy regulation: consent, purpose limitation, data quality, security safeguards, and restrictions on cross-border data transfers. It also created an independent supervisory authority now known as the Agency for Access to Public Information (Agencia de Acceso a la Información Pública, AAIP) making Argentina the first country in the region to institutionalise data protection oversight. 

Crucially, Law 25,326 granted individuals enforceable rights through the constitutional mechanism of habeas data, allowing them to access, correct, update, or delete personal data held in public or private databases. This rights-based approach, combined with database registration requirements and international transfer restrictions aligned with European standards, positioned Argentina as a global privacy frontrunner. 

In recognition of these safeguards, the European Union granted Argentina an adequacy decision in 2003, affirming that Argentine law provided a level of protection essentially equivalent to EU standards at the time. 

Stagnation in a Robustly Evolving Technological Landscape 

Despite its progressive origins, Argentina’s privacy framework remained largely unchanged for years. While technology evolved at an exponential pace, the legal architecture governing personal data did not undergo comparable modernization. Law 25,326 predates not only the EU’s General Data Protection Regulation (GDPR) but also the emergence of big data analytics, machine learning systems, and generative AI platforms. 

As a result, Argentina’s early institutional commitment to privacy began to appear static. Legislative efforts to update or replace the law stalled, and enforcement remained relatively restrained. The AAIP increasingly functioned as a guiding and educational authority rather than a sanctions-driven regulator, relying on awareness and compliance assistance rather than aggressive enforcement. Systems that rely on continuous data ingestion, probabilistic inference, and automated decision-making strain legal concepts originally designed for static databases and linear data processing. The result is a growing mismatch between Argentina’s privacy law and the realities of AI-driven governance. 

The Core Privacy Framework Still in Force 

Despite these challenges, Law 25,326 remains the legal baseline governing AI-related data processing in Argentina. The law applies to any AI system that processes personal data, regardless of whether the technology itself is explicitly regulated. 

Under the existing framework, organisations deploying AI systems must continue to comply with obligations related to lawful consent, legitimate purpose, data accuracy, and transparency. Individuals retain the right to access their personal data, request corrections, and seek deletion where appropriate. 

• Legal baseline under Law 25,326 

  
  

• Law 25,326 remains the foundational statute governing AI-related data processing in Argentina. 

  
  

• Its applicability is technology-neutral, covering any AI system that processes personal data irrespective of whether AI itself is explicitly regulated. 

Obligations for AI-deploying organisations 

• Organisations deploying AI systems remain bound by core data protection obligations. 

  
  

• These include obtaining lawful consent, adhering to purpose limitation, ensuring data accuracy, and maintaining transparency in processing operations. 

  
  

• Rights of individuals 

  
  

• Correspondingly, individuals continue to enjoy enforceable rights over their personal data. 

  
  

• These include the right of access, the right to seek correction of inaccurate data, and the right to request deletion where legally appropriate. 

  
  

• Such rights apply with equal force to data processed through AI-driven systems. 

  
  

• Cross-border data transfers 

  
  

• The integration of AI has not diluted Argentina’s approach to international data flows. 

  
  

• Cross-border transfers remain contingent on adequacy determinations and the adoption of appropriate legal and technical safeguards. 

  
  

• International alignment and Convention 108+ 

  
  

• Argentina’s domestic framework is further reinforced through alignment with international norms. 

• 
  

• Participation in the Council of Europe’s Convention 108+ explicitly embeds protections related to algorithmic and automated decision-making within the broader privacy regime. 

• AAIP Resolution 4/2019 

  
  

  Institutional interpretation has played a pivotal role in adapting existing law to AI. 

  
  

• In 2019, the Agencia de Acceso a la Información Pública (AAIP) issued Resolution 4/2019, recognising the right of individuals to request an explanation of the logic underlying decisions made solely through automated processing when such decisions produce significant and adverse effects. 

  
  

• Procedural transparency and due process 

  
  

• Although Argentina lacks a dedicated AI statute, Resolution 4/2019 effectively bridges this regulatory gap. 

  
  

• It extends principles of procedural transparency and due process into the algorithmic domain, reinforcing constitutional guarantees in automated contexts. 

  
  

• Practical enforcement challenges 

  
  

• Notwithstanding this normative framework, enforcement in practice remains complex. 

  
  

• The opacity of advanced machine learning models often characterised as “black boxes” continues to impede meaningful explanations of decision logic, accurate assessment of data quality, and the effective exercise of rectification rights. 

  
  

How Generative AI Challenges Privacy Assumptions 

The rise of generative AI has intensified existing tensions within Argentina’s privacy framework. GAI systems depend on massive volumes of data, frequently repurposed in ways that exceed the scope of original consent. This practice directly challenges foundational principles such as purpose limitation and informed consent. 

Transparency is another major concern. Even when data subjects are informed that their data is being processed, understanding how generative models generate outputs or influence decisions is often practically impossible. This undermines individuals’ ability to challenge inaccuracies or discriminatory outcomes. 

Bias and discrimination risks further complicate compliance. If biased data is used in training or deployment, automated systems can produce unfair or unlawful outcomes, particularly in sensitive contexts such as credit assessment, employment screening, public benefits, or surveillance. 

While Argentina’s laws impose duties of data quality and transparency that theoretically apply to GAI systems, operationalizing these principles without detailed regulatory guidance remains a significant challenge. Habeas data actions provide a constitutional pathway for individuals to challenge AI-driven misuse of personal data, but the technical complexity of AI systems often limits the effectiveness of such remedies. 

Judicial Intervention: Courts as De Facto AI Regulators 

In the absence of AI-specific legislation, Argentine courts have emerged as key actors in enforcing privacy protections against unregulated AI deployments. A landmark example is the 2023 decision of the Court of Administrative, Tax and Consumer Relations of the City of Buenos Aires concerning the city’s facial recognition system. 

The Sistema de Reconocimiento Facial de Prófugos (SRFP) scanned live camera feeds to identify fugitives. Civil society organisations challenged the system, citing privacy violations, lack of safeguards, and risks of misidentification. The Court declared the program unconstitutional and ordered its suspension, emphasizing the absence of proportionality, accuracy guarantees, and effective oversight. 

The decision underscored that even without a dedicated AI law, existing constitutional and data protection principles can impose meaningful limits on high-risk AI systems. It also signaled that courts are willing to act as a corrective mechanism when technological deployments outpace regulatory safeguards. 

Institutional Responses to AI Risks 

Recognising the growing pressure on its privacy framework, Argentina has launched several initiatives aimed at increasing transparency and institutional capacity in relation to AI. 

In September 2023, the AAIP adopted Resolution 161/2023, establishing the “Program for Transparency and Personal Data Protection in the Use of Artificial Intelligence.” This program represents a coordinated effort to address AI-related risks through interim governance tools while broader legislative reforms remain under debate. 

Key components of the program include the creation of an AI Observatory to monitor technological developments and regulatory trends, the issuance of non-binding guidelines for responsible AI across the system lifecycle, and the establishment of a multidisciplinary advisory council bringing together legal, technical, and ethical expertise. 

The program also prioritises capacity building, focusing on training public authorities and educating private organizations about transparency obligations and data protection risks in AI deployment. Public agencies are required to document automated decision-making systems and publish transparency criteria on the National Transparency Portal, reinforcing Argentina’s broader open government agenda. 

Complementing the AAIP’s efforts, Administrative Decision 750/2023 created an Interministerial Roundtable on the Use of Artificial Intelligence, signaling a whole-of-government approach to AI governance. Together, these measures reflect a strategy of gradual adaptation through soft-law instruments while more comprehensive regulation is under development. 

Legislative Reform and Emerging AI Governance 

Argentina’s Congress is currently considering multiple bills aimed at either amending or replacing Law 25,326 and introducing a clearer regulatory framework for AI. These proposals reflect a shift toward risk-based governance, drawing inspiration from international models such as the EU AI Act. 

Common themes include explicit rules on automated decision-making and profiling, stronger protections for biometric and children’s data, anonymization standards, mandatory risk assessments for medium- and high-risk AI systems, and enhanced audit and enforcement powers for authorities. 

While none of these bills have yet been enacted, they offer a preview of future compliance expectations. In parallel, several provinces have adopted local AI protocols, and judicial practice continues to shape the boundaries of acceptable AI use. 

Conclusion 

Argentina’s privacy framework, once a regional benchmark, now operates in a defensive yet transformative phase as it confronts the disruptive realities of artificial intelligence. While the country’s current AI governance remains fragmented and largely dependent on soft law, judicial oversight, institutional initiatives, and sustained legislative debate collectively signal a recalibration of Argentina’s constitutional commitment to privacy in the digital age. 

The challenge lies in balancing technological innovation with fundamental rights. As Beatriz Anchorena has rightly emphasised, democratic legitimacy in AI deployment depends on society’s ability to understand how algorithmic decisions are made. Transparency, explainability, and accountability have therefore shifted from aspirational ideals to constitutional necessities. In the absence of a comprehensive AI statute, these principles embedded within Argentina’s data protection regime and reinforced through judicial scrutiny continue to serve as the primary safeguards against unchecked automation. 

Far from representing regulatory stagnation, this moment reflects a process of renewal. Argentina’s experience illustrates that early leadership in privacy law is not a static achievement but an enduring responsibility. As AI technologies evolve, so too must the legal frameworks that govern them, ensuring that innovation proceeds without eroding the democratic values and fundamental rights at the core of the constitutional order.