This week the Federal Administrative Litigation Chamber ordered the Executive Branch delete the CUID.AR application databaseused during the pandemic since 2020 to manage the health pass, circulate and manage data on vaccination and COVID-19 testing.
But, in addition, the Government of Alberto Fernández had issued an administrative decision that maintained that the jurisdictions, entities and organizations of the National Public Administration should “transfer, assign or exchange” citizen datawhich in turn reached the Head of the Cabinet of Ministers, affecting privacy and potentially multiplying the possibilities of data leaks.
Personal data is a valuable asset, although the average citizen does not take it into account. With them, multiple cybercrimes can be committed, from identity theft, which can be used to gain unauthorized access to systems and services such as home banking, to taking advantage of them to carry out social engineering (“the uncle’s story”).
The transversality of the personal information managed by CUID.AR generated a collective protection in May 2023, by the civil association Argentine Computer Law Observatory (ODIA) and a citizen (Eliana Andrade), who demanded that this data be deleted, which, to this day, is still stored and available.
During the pandemic, app data could be shared across all jurisdictions in the country, increasing the possibility that data could end up in the wrong hands. The app stored personal data such as full name, ID number, residence addresscirculation permits and vaccination certificates.
It is not insignificant to remember the large number of data leaks that occurred in these years: just to mention the most resonant, Renaper and driver’s licenses in 2024, PAMI in 2023, Ministry of Health in 2022, Renaper -again- in 2021 and Migrations in 2020.
Last Monday, Chamber IV of the Chamber accepted the collective protection, which indicated that the app’s database had health purposes while the health emergency lasts, a period that has already concluded. It was also highlighted that the data was shared without the users’ consent.
In March of last year, the Undersecretary of Services and Digital Country had canceled the records. However, no measures had been taken regarding delete stored data.
“This week the Chamber revoked the degree ruling, ordering the cessation of the transfer of data collected through the CUID.AR app by the different organizations of the National Public Administration to the Chief of Staff as established by Administrative Decision No. 431/2020 of the Chief of Staff of Ministers of the Nation,” explained Lucas Barreiro, lawyer specializing in personal data protection.
A victory for the protection of personal data
The application made sense during the health emergency, where the State had to manage health permits and have population control due to the pandemic. “As far as this is concerned, the transfer of personal data collected by the ‘CuidAR’ app was made under the protection of a legal obligation based on the COVID-19 health emergency. Although the legal standard provides the enabling framework for the transfer of data, this does not exempt those responsible from complying with the guiding principles of the processing of personal data,” explains the specialist.
“The principles of necessity, proportionality and, I add, the temporality. When the health emergency situation is lifted, it would seem that all personal data collected or transferred for that purpose ceases to be relevant and necessary,” Barreiro added.
One of the civil society associations that was key in this process was ODIA, an entity that has a history of warning about violations of citizens’ rights (such as facial recognition in the City of Buenos Aires).
“This ruling of the Federal Chamber constitutes one more link in the construction of suitable procedural tools to guarantee the effectiveness of Fundamental Rights in the face of the new scenarios deployed by the digitization of our lives“, he said in dialogue with Clarion Tomás Pomar, lawyer and member of the Observatory.
“The ruling constitutes the first case in which ‘collective data deletion’ has been achieved. This, beyond the procedural aspects, also invites us to rethink and redefine the contours of what we still understand as ‘personal data’ in this reality increasingly defined by the tools that process data. large amounts of data“he added.
“On the other hand, regarding the arguments used by Chamber V, we consider it very positive that there are judges who, for example, are aware of the different modes of erasure. The rapid expansion of the digitalization of our lives has pushed all legal operators to focus our attention on issues that previously had no legal substance whatsoever,” he concluded.
In this sense, there is consensus from data protection that the ruling is a step forward. Barreiro complemented: “This ruling is transcendental, because it not only orders the cessation of the processing of personal data between State agencies and the deletion of the data in their possession, it also recognizes a collective action in defense of the right to privacy“.
Is the data really deleted?
Clarion consulted sources close to a state agency that handles large volumes of data and they explained what the data deletion process is like, in a context where information is not only stored on computers within Government offices, but also in the cloud (remote servers that are paid as a service).
Although there has been an effort for years to move systems to the cloud ARSATthe big players locally are the same ones that dominate the global market, such as Amazon’s AWS and Microsoft’s Azure.
“To erase information, all the classic mechanisms of the State are used. Internal and external audits, observers, a team of people. Now, Ensure that 100% data is deleted? Impossible. The only thing that can be done is, if this data is eventually leaked, look for those responsible. But perhaps that information has already been leaked and is circulating on channels like Telegram,” they warned.
In this sense, the deletion of information not only has to do with a question of protecting citizens, but also of State resources: information takes up space. And place is silver.
“Deleting the information is also fine for resource reasons., not only for the protection of citizens’ data. But imagine that there was some operational tool that makes backups and they didn’t remember to delete it: that’s it, the information is there. Honestly, it is almost impossible to ensure that the information is completely deleted,” warned a technical source.
According to experts in the area, the big difference is made by the design of the systems. “The whole point is the design: if you initially have database systems with information on the horizon that will be erased, with such safeguards, before you start using the You program with elimination in mind. “That is not usually done,” they added.
Regarding health data, there is a particularity that makes control over the data more complex. “Add to that that Health had the greatest number of serious problems because they outsourced an important part of the development. The national cybersecurity directorate should serve for these things. There must be a national cybersecurity agency Let these topics continue,” they closed.
If we add to this the enormous supply chain that existed during the pandemic between telephone providers (citizen tracking was done by SMS), hotel chains that housed citizens in quarantine and other private entities, the data that the app managed CUID.AR are already in circulation in spheres whose control completely escapes.
Argentina, for the moment, does not have a National Cybersecurity Agency, as other countries that are a reference in this field do, from the United States to Great Britain. In Latin America, Chile is building a national cybersecurity center, and Peru has a National Digital Security Center (which is, ultimately, a CERT/CSIRT).
Beyond this, the data is not deleted immediately. From the notification of the ruling, the Executive Branch has 10 business days to file an extraordinary federal appeal which, if granted by the Chamber, The file would go to the Supreme Court.
If no appeal is filed, the sentence will become final, the file will return to the first instance and will be ready for execution. In that case, the data will have to be, at least institutionally, deleted forever.
In practice, it is very likely that these data are already in the wrong hands.