Cyber Law in South America

Argentina

Government Structure

 

Do they designate a lead cyber security agency within the government?

Yes, the National Program for Critical Information Infrastructure and Cybersecurity (ICIC). This agency provides strategies and recommendations for safeguarding both public and private organizations from cyber threats. See Cyber Policy Portal: UNIDIR (June 2019); National Cybersecurity Directorate, Argentina.gob (last visited Dec. 16, 2019).

Is oversight provided on a centralized or sectoral basis?

Sectoral (e.g., the Argentine Central Bank has developed cybersecurity standards for financial institutions).

Designation of Critical Infrastructure

Which sectors do they designate as critical information infrastructure?

Four Sectors: the Energy Sector, the Transportation Sector, the Water Sector, and the Communications Sector. See Decree No. 1/2015, Secretary for Civil Protection and Comprehensive Approach to Disasters and Emergencies (June 2, 2015). 

How do they designate within these sectors?

Whole sector. Argentina's 2019 Cyber Security Strategy does not differentiate between entities within the sectors. See Resolution 829/2019, Official Bulletin of the Republic of Argentina (May 24, 2019). 

Security Measures

Are there mandatory security measure requirements for CI, other than privacy/data protection laws?

Yes, but only for specific sectors. Although cybersecurity measures promulgated by the national authority are voluntary, several regulatory entities have mandatory security requirements. The Argentine Central Bank requires that financial institutions have encryption capabilities and minimum security standards under Communication A 6354. Regulation 704-E/2017, which is only applicable to listed companies and capital market agencies regulated by the National Securities Commission, requires that data be encrypted under "internationally recognized" standards. See Argentina: Law and Practice, Chambers and Partners (Feb. 29, 2019).

Does it take a risk-based approach?

Likely yes. Although the 2019 Cybersecurity Strategy does not necessarily embrace a risk-based approach, the National Office of Information Technology enacted the Model Information Security Policy, which takes an explicit "risk management" approach to cybersecurity for public agencies. See Provision 3/2013, Model Information Security Policy, National Public Administration (last visited Dec. 16, 2019).

Do the security measures enable the use of international standards?

Generally, no. Argentina's draft data protection bill, however, references the adoption of "international standards" generally. Draft Law, Protection of Personal Data (Sep. 19, 2018).

Are security measures NIST CSF compatible? (Possible to comply through this approach?)

Not currently.

Do they include prescriptive or technology-based security measures?

No.

Incident Reporting

Are there mandatory incident reporting requirements?

Not nationally. The data protection bill contains mandatory incident reporting requirements. Additionally, Communication A 6,354 appears to include incident reporting requirements for financial institutions. See Section 7.3, Communication A 6354, Central Bank of Argentina (Mar. 11, 2017). 

Are there clear thresholds above which an incident should be reported?

No.

How do they determine the timeline within which an incident must be reported?

No.

Threat Information Sharing

Have they established a national threat information sharing entity?

Yes. The threat information sharing entity is ICIC and the incident response entity is ICIC-CERT. About ICIC-CERT (last visited Dec. 20, 2019); National Cybersecurity Directorate, ICIC (last visited Dec. 20, 2019). 

Does this entity share information out to industry, as well as receiving information?

Yes.

Is threat information sharing mandatory for any private sector entity?

No.

Government Access Requirements

Are there requirements to provide government officials physical access to facilities?

Yes. Article 62(h) of the Argentine Digital Act requires that information and communication technology providers grant access to government authorities for inspection purposes. See Law No. 27,078, Argentine Digital Law (Dec. 18, 2014). Furthermore, Communication A 6,354 allows regulators to access financial institution facilities. See Communication A 6,354, Section 2.2.5, Argentine Central Bank (Mar. 11, 2017). 

Are there requirements to cede control of facilities in an emergency situation?

No.

Are there requirements to provide source code or other decryption capabilities?

No. 

Localization Requirements

Are there requirements to establish a local presence - either officer or personnel?

No.

Are there requirements to localize data?

No. International data transfers are restricted, but not prohibited. There is no physical location requirement under the PDPA. 

Penalties

Are there financial penalties outlined? If so, what for and what is the maximum penalty?

It depends on the sector.

 

Under the PDPA, the Argentine Agency of Access to Public Information (AAPI) may impose financial penalties for violations of the PDPA related to the mishandling of data and failure to obtain consent to transfer data. Such penalties may range from $1,000 to $100,000 under Section 31. See Law No. 25,326, Personal Data Protection Act, Section 31.

Are there criminal penalties outlined? If so, what for and what is the maximum penalty?

Under Article 157 of the Penal Code, unauthorized access to personal bank accounts through hacking or other means carries a penalty of one month to two years in prison. The penalty is up to four years when the perpetrator is a public official. Furthermore, Article 153 states that computer hacking carries a criminal penalty of 15 days to six months. Penal Code of the Argentine Nation, Articles 153 & 157.

Effective Dates

What are the effective dates and dates of enactment of the country's key cybersecurity statutes/regulations?

The PDPA has been in force since 2000. The Argentine AAPI issued Resolution 4/2019 in January 2019 which establishes guidelines and best practices under the PDPA. Resolution 4/2019, Public Information Access Agency (Jan. 13, 2019). The Argentine Digital Law was promulgated in 2014, and updates were made to the law in December 2015. Law No. 26,522 and No. 27,078. Modifications, Decree 267/2015 (Dec. 29, 2019). Communication A 6,354 of the Argentine Central Bank Regulations was enacted in March 2017. Section 7.7, Communication A 6354, Central Bank of Argentina (Mar. 11, 2017). 

Chile

Government Structure

 

Do they designate a lead cyber security agency within the government?

Yes. In 2017, Supreme Decree No. 533 created the Interministerial Committee on Cybersecurity ("CICS"). CICS is responsible for promulgating a national cybersecurity policy in Chile. See CICS, CIBERseguridad (last visited Dec. 2, 2019).

  

Is oversight provided on a centralized or sectoral basis?

Sectoral.

 

Although Chile's 2017-2022 cyber strategy envisions technical oversight bodies for each sector of critical infrastructure, only some sectors have cybersecurity regulations. For example, Article 24H of Chile's General Telecommunications Law requires that Internet Service Providers take measures to preserve user privacy and network security. See General Telecommunications Law, BCN (Aug. 20, 2019); Telecoms and Media, Getting the Deal Through (June 2019).

 

The Superintendent of Banks and Financial Institutions has also developed cybersecurity standards and incident reporting measures. See Telecoms and Media, Getting the Deal Through (June 2019).

Which sectors do they designate as critical information infrastructure?

10 Sectors: Energy, telecommunications, water, health, financial services, public security, transport, the civil service, civil protection, and defense. National Cybersecurity Policy 2017-2022, Government of Chile (2017), at 16-17. See CICS, CIBERseguridad (last visited Dec. 2, 2019).

How do they designate within these sectors?

Whole sector: Where there are sectoral regulations or laws, they appear to apply to the entire industry.

Security Measures

Are there mandatory security measure requirements for CI, other than privacy/data protection laws?

Yes, but only for specific sectors. The SBIF issued banking regulations in 2018 that required companies to maintain a database of cybersecurity breaches. They also required companies to carry out tests to evaluate the resilience of security systems. Chile - Safety and Security, export.gov (Nov. 27, 2019). Additionally, in October 2018, the President of Chile issued a Presidential Instructive on Cybersecurity containing emergency measures that public bodies must take to update security provisions. This includes updating technical regulations on cybersecurity and appointing an official to serve as a cybersecurity officer in each agency. President Pinera signs Bill to Fight Cybercrime, Gob.cl (Oct. 25, 2018).

Does it take a risk-based approach?

Yes. Chile's 2017-2022 Cybersecurity Strategy takes a risk management approach to confronting and recovering from cybersecurity incidents. See Alfonso Silva and Eduardo Martin, Telecoms and Media: Chile, Telecoms and Media, Getting the Deal Through (June 2019); National Cybersecurity Policy 2017-2022, Government of Chile (2017), at 16, see CICS, CIBERseguridad (last visited Dec. 2, 2019).

Do the security measures enable the use of international standards?

Yes. Chile's 2017-2022 Cybersecurity Strategy specifically references compliance with ISO 27000 pertaining to the confidentiality of electronic documents. National Cybersecurity Policy 2017-2022, Government of Chile (2017), at 31, see CICS, CIBERseguridad (last visited Dec. 2, 2019).

Are security measures NIST CSF compatible? (Possible to comply through this approach?)

No.

Do they include prescriptive or technology-based security measures?

No. Although a 2018 Presidential Instructive updated cybersecurity requirements for public bodies, neither this directive nor the 2017-2022 Cybersecurity Strategy includes technology-based security measures. See Paulina Silva, Chile: Presidential Instructive On Cybersecurity (Nov. 5, 2018).

Incident Reporting

Are there mandatory incident reporting requirements?

Only for the banking industry. Chilean Law No. 19.628 does not contain any mandatory incident reporting requirements. See Chile: Data Protection 2019, ICLG (Mar. 7, 2019). There is currently a bill being discussed by the Chilean Congress that would overhaul the data protection regime and create a national authority for data protection. See Data Protection & Privacy: Chile, Telecoms and Media, Getting the Deal Through (June 2019). The 2019 updates to the SBIF regulations (Chapter 20-8) require that financial institutions report cybersecurity incidents to their clients, other institutions, and the SBIF. See Getting the Deal Through (June 2019). 

Are there clear thresholds above which an incident should be reported?

No. 

How do they determine the timeline within which an incident must be reported?

Financial institutions must report cybersecurity incidents to customers and regulators "promptly." There is a digital platform for reporting such incidents. See David Feliba, Chile's SBIF issues regulatory changes for banks on cybersecurity (Sep. 3, 2018). 

Threat Information Sharing

Have they established a national threat information sharing entity?

Yes. Threat information sharing is handled by CSIRT Gob. See About Us, CSIRT (last visited Dec. 2, 2019). 

Does this entity share information out to industry, as well as receiving information?

Yes. CSIRT Gob promotes general awareness of cybersecurity threats to both government agencies and the public. See About Us, CSIRT (last visited Dec. 2, 2019). 

Is threat information sharing mandatory for any private sector entity?

Yes. The 2019 updates to the SBIF regulations (Chapter 20-8) require that financial institutions report cybersecurity incidents to their clients, other institutions, and the SBIF. See Getting the Deal Through (June 2019).

Government Access Requirements

Are there requirements to provide government officials physical access to facilities?

Unclear. However, this is likely not the case, as there is no provision allowing for law enforcement to access data. See State of Privacy in Chile, Privacy International (Jan. 2019). 

Are there requirements to cede control of facilities in an emergency situation?

Likely no. Law 20,478 provides for coordination between telecommunications providers and government agencies during emergency situations. However, there is no express right of agency officials to enter or seize facilities. See Law No. 20,478, BCN (last visited Dec. 15, 2019).

Are there requirements to provide source code or other decryption capabilities?

No.

Localization Requirements

Are there requirements to establish a local presence - either officer or personnel?

No.

Are there requirements to localize data?

No. 

Penalties

Are there financial penalties outlined? If so, what for and what is the maximum penalty?

Depending on the sector, yes. Data protection breaches caused by improper data processing may lead to fines under Law 19.628 where the breach was the result of negligent or willful conduct. These may range from 48,741 Chilean pesos to 487,410 Chilean pesos. If the breach involves financial data, that penalty could range from 487,410 Chilean pesos to 2.437 million Chilean pesos. Compensation is established by a civil judge in summary procedure, taking into account the severity of the monetary or non-monetary damages. See Data Protection & Privacy: Chile, Getting the Deal Through (August 2019); Law 19.628, Article 23 (last modified Feb. 17, 2012). 

Are there criminal penalties outlined? If so, what for and what is the maximum penalty?

Yes. Chile's computer crimes law is Law No. 19,223. However, Chile plans on adding eight new cybercrimes to comply with the Budapest Convention on Cybercrime. The new crimes carry jail time ranging from 61 days in prison to five years. See Carlos Gonzalez Isla, Chile will update cybercrime law for the first time in 24 years (Aug. 16, 2017). However, the old law has not yet been updated. The current law makes unauthorized access, theft, and destruction of information systems a crime. Maximum penalties are not specified. See Law 19,223, BCN (last visited Dec. 15, 2019). 

Effective Dates

What are the effective dates and dates of enactment of the country's key cybersecurity statutes/regulations?

Chilean Law No. 19,628, the Chilean data protection law, was promulgated in 1999. The legislature is currently considering changes to the law. State of Privacy Chile, Privacy International (January 2019). The latest breach reporting regulations promulgated by the SBIF were issued in August 2018. Chile - Safety and Security, export.gov (Nov. 27, 2019).

© 2023 by National Cyber Law Project Reference Site


Disclaimer: This material presented in the International Law Project was prepared by Wiley Rein LLP, the United States Chamber, and the National Security Institute at the Antonin Scalia Law School at George Mason Law School.  It is not legal advice.  Chamber members using this information should consult their own counsel as needed for compliance and regulatory issues in particular jurisdictions.  The information contained herein is provided as a resource, as is, based on domestic regulations and laws as of January 30, 2020. Regulations and laws change so you should consult other resources to ensure continued accuracy.