Anti-spam Laws in Argentina
Staff Attorneys, IBLS Editorial Board
The Data Protection of Argentina Act (the “Act”) grants Argentinean citizens the right to request that a sender of spam mail ceases its transmission, and also created the National Directorate for Personal Data Protection which operates a registry of personal data holders, investigates spam incidents, and is empowered to impose sanctions such as injunctions or fines against spammers. Recipients of spam have successfully sought remedies pursuant to the Act.
Unsolicited nuisance e-mails, also known as spam, can cost organizations and individuals vast amounts in lost time and profits. The power to prevent these is protected by the Argentinean constitution which states that any person may file an action "to obtain information on the data about himself…; and in case of false data or discrimination, this action may be filed to request the suppression, rectification, confidentiality or updating of said data” (Section 43(3)). The Act, which was enacted October 4th, 2000, to protect personal information, does not directly prohibit spam, but rather prevents its proliferation. Spam lawsuits have increased in Argentina and there is already substantial case law on this topic.
In Tanus & Palazi c. Cosa & Magraner, (Habeas Data, Federal Civil and Commercial Court No. 3, Secretariat No. 6), the plaintiffs’ lawyers sued a well known spammer under the Act. Section 27 (3) of the Act states that “the owner may at any time request the withdrawal or blocking of his name from any of the data banks” containing “profiles with promotional, commercial or advertising purposes … [and] data which permit to determine consumption habits, when such data appear on documents which are accessible to the public or have been provided by the owners themselves or have been obtained with their consent.”The defendant, a spammer, refused to comply with the plaintiffs’ request that their e-mail addresses be deleted from the defendant’s database. On April 7, 2006, the Federal Court of Appeals ordered the defendants to stop dealing in any way with the personal data of the plaintiffs and ordered the defendants to delete the plaintiffs’ personal information. The decision affirmed the concept that the sending of spam can infringe upon a recipient’s statutory privacy and data protection rights.
Chapter V (Sections 29 and 30) of the Act created the National Directorate for Personal Data Protection (Dirección Nacional de Protección de Datos Personales, DNPDP), which is responsible for receiving and processing complaints and enforcing the Act. The DNPDP is further endowed with powers of investigation and intervention through sanctions of an administrative and a criminal nature (Act Chapter VI, Sections 31 and 32, respectively). In 2006, the DNPDP registered 232 new spam-based complaints. Every private or public database that contains personal information, whether in electronic or hard-copy format, must be registered in the DNPDP National Database Registry (the Registry). The Register is free and available to the public for consultation. As of 2006, more than 20,000 individuals and companies were registered in the National Database Registry. The Register can assist in identifying the source of spam, one of the main obstacles to prevention.
The Act does not define spam, and does not require that sources of e-mails must be identifiable. Additionally, it does not confer rights on Internet Service Providers (ISPs) to block spam, which can also cause them very significant losses of time, resources, profits and particularly, reputation. Consequently, there have been calls to enact anti-spam legislation that would expressly address these issues.
At the same time, various bills have been proposed in Argentina that would directly address the prohibition against sending spam. In November 2001, the Secretaría de Comunicaciones proposed a bill requiring anybody who sends publicity by e-mail to state so in the mail's subject, to identify themselves in the body of the message and to give an e-mail address so that recipients will be able to state that they don't want to receive other similar messages. Users would then be able to enter their e-mail in a ‘no-spam’ list. Proposed sanctions for breach of this provision include paying the ISP and the recipient up to $25,000. Further, if the ISP or e-mail provider detected spam, they would have been empowered to block the sender's account and start legal action. In 2004, another anti-spam bill was introduced in the Argentinean Congress, proposing opt-out systems by iCAUCE.ar, the Argentinean Committee of the International Coalition Against Unsolicited Commercial Email. Another proposed bill was the result of the first Anti-Spam Conference in Argentina, in June 2004, organized by the Argentine Chamber of Databases and Online Services (CABASE) and the Argentine Direct and Interactive Marketing Association (AMDIA). Yet, none of these bills have yet been approved.
Who is empowered to prevent the transmission of spam?
To initiate legal proceedings against a spammer, and to trigger the protections set forth in Section 27 of the Act the recipient must first attempt to request that the sender of the spam cease its transmission, thereby putting the sender on notice. The recipient may then turn to the DNPDP or apply directly to a court for sanctions. In addition, ISPs generally include anti-spam terms in their customer agreements, and spammers are normally barred under such terms from making contractual claims against ISPs who terminate their Internet access on grounds of illegality and non-compliance. This is particularly true if it could be demonstrated that the spammer was using the ISP’s services in contravention of the Act or the constitutional right of habeas data. ISPs can also request intervention by the DNPDP but at present they have no statutory right as such to withdraw their services from customers suspected of sending spam and no standing to issue court proceedings.
As mentioned, the DNPDP is responsible for enforcing the Act, including Section 27, which has been used to prevent spam. Under the Act, they have extensive powers of investigation and can impose administrative and criminal sanctions (Sections 31 and 32).
Argentinean courts can also order that a spammer cease sending spam, as in the Tanus & Palazi case (above). Under Section 36 of the Act, actions may be brought before the court corresponding to the domicile of the plaintiff, defendant or the place in which the fact or event giving rise to the action materialized or may have had effect, at the plaintiff’s option.
Regarding spam cases, in Argentina, the federal judiciary has jurisdiction,
a) when the action is brought against public data files of national bodies; and
b) when data files are interconnected in inter-jurisdictional, national or international networks; or
c) the case involves the use of the Internet.
What sanctions can be imposed on spammers?
Chapter VI (Sections 31 and 32) of the Act sets forth the administrative and criminal sanctions that may be imposed, including fines of up to 100,000 pesos ($34,500) for spamming. The most common remedy is an injunction to prevent the spammer continuing to send spam to the recipient.
In addition, a detailed series of infringements under Section 31 of the Act and consequent fines in proportion to the seriousness and extent of each infringement are set out in Disposition 1/2003. These include the minor infringement of failure to respond, for formal reasons, to a request by a data owner for the rectification, confidentiality or cancellation of personal data, when that request is justified in law; the serious infringement of “failure to provide on time to the Agency any documents and information due to law no. 25.326 or its implementing provisions; and the very serious infringement of “failure to cease the illegitimate use of personal data processing operations when required to do so by the Data Protection Agency Director or by the persons owning the rights of access.”
What is the basis for the system of fines for violations under the Act and what are the potential fines that may be levied pursuant to such violation?
The amount of the penalties under Disposition 1/2003 is graded taking into account all relevant circumstances relating to culpability including the following,
-- the nature of the personal rights involved;
-- the volume of the processing operations carried out;
-- the profits gained;
-- the degree of intentionality;
-- repetition; and
-- the damage caused to the data owners and to third parties.
The Disposition further provides that,
1. Minor infringements shall be punished by a fine of one thousand pesos ($1,000) to three thousand pesos ($3,000).
2. Serious infringements shall be punished by a fine of three thousand pesos ($3,000) to fifty thousand pesos ($50,000).
3. Very serious infringements shall be punished by a fine of fifty thousand pesos ($50,000) to one hundred thousand pesos ($100,000).
What penalties have been imposed pursuant to the violation of the Act?
Between 2000 and May 2007, the DNPDP imposed just one penalty, against Telefónica de Argentina S.A. In this case, fifteen individuals filed a claim to the DNPDP against Telefónica de Argentina S.A requesting Telefónica to stop their telemarketing activities. The company did not cease its activities. The DNPDP ruled that the conduct of Telefónica de Argentina S.A breached the Data Protection Act and imposed a fine of $ 3,000 per each of the fifteen claimants, $ 45,000 (USD 15,000), and requested that Telefónica de Argentina S.A take explicit actions towards the safeguards of the privacy of their customers (DNPDP penalty to Telefónica de Argentina S.A.
Data Protection Act of Argentina (Law 25,326)
Governing access to, holding and protecting personal information
Argentinean Constitution Including the right of habeas data
Proposed Anti-Spam Bill Proposed anti-spam measures in Argentina
Disposition 1/2003 Infringements and Sanctions under Section 31 of the Data Protection Law
The National Directorate for Personal Data Protection Responsible for receiving and processing complaints and enforcing the Data Protection Act
Links: Case Law
Tanus & Palazi c. Cosa & Magraner, Habeas Data, Federal Civil and Commercial Court No. 3, Secretariat No. 6 The first Argentinian anti-spam decision