Argentina AI governance 2026: operators guide to Decreto 1001 and PDPL compliance.

Argentina entered 2026 with a clear AI governance philosophy: principled, voluntary, and oriented toward innovation first. The Milei government's approach to technology regulation rejects the Brussels model of mandatory pre-deployment requirements and risk-based compliance burdens, favouring instead a framework that names values without mandating their implementation through administrative enforcement.

For AI operators in Argentina, this creates a regulatory environment that is genuinely lighter than the EU's. There are no mandatory risk classification requirements, no conformity assessments, no registration obligations, and no high-risk category lists. An Argentine company that builds and deploys an AI agent for domestic use faces no AI-specific compliance obligations beyond those that flow from existing horizontal law.

That existing horizontal law is nonetheless real and binding. Argentina's personal data protection framework, consumer protection regime, and civil liability principles all apply to AI systems that process data, affect consumers, and cause harm. And for companies with EU market exposure, the EU AI Act's extraterritorial reach means that Argentina's domestic deregulatory approach does not eliminate external compliance obligations. This guide works through all of these dimensions in practical terms.

Decreto 1001/2024: principles without mandates

Decreto 1001/2024, signed by President Javier Milei on 4 October 2024, is the central government instrument governing AI in Argentina. It establishes the National Artificial Intelligence Strategy (Estrategia Nacional de Inteligencia Artificial, ENIA) and is coordinated through the Secretaría de Transformación Digital within the executive branch.

The decree names seven governing principles for AI: human benefit, transparency, non-discrimination, safety and security, protection of privacy and personal data, responsibility, and promotion of development and innovation. These principles are stated as objectives for government bodies and as a framework for the national strategy. They do not impose mandatory compliance obligations on private sector AI operators.

The distinction between a framework decree and a mandatory regulatory instrument is significant. A framework decree like Decreto 1001/2024 signals government priorities and creates coordination mechanisms across ministries, but it does not create enforceable rights for individuals or legally binding obligations for private sector entities. No penalty regime flows from non-adherence to the ENIA principles.

This was a deliberate design choice. The Milei government's broader deregulatory agenda has been applied specifically to AI, with officials citing concerns that premature mandatory regulation would harm Argentina's competitiveness as a technology destination. The government has pointed to the EU AI Act as an example of regulatory overreach that imposes burdens on businesses without proportionate safety benefit.

For private sector operators, this means Decreto 1001/2024 is most usefully read as a statement of the government's intentions and as a basis for voluntary alignment that demonstrates good faith toward public sector partners and procurement processes. Companies that align their AI governance practices to the ENIA principles may find this beneficial in government contracting contexts.

Ley 25.326: PDPL and its application to AI systems

The primary binding constraint on AI operators in Argentina comes not from AI-specific law but from the personal data protection framework under Ley 25.326 de Protección de Datos Personales (PDPL), in force since 2000. Argentina's PDPL was among the most advanced data protection frameworks in Latin America at the time of its enactment, and it has been recognised by the European Commission as providing adequate data protection.

The PDPL applies to any processing of personal data in Argentina, defined as the collection, storage, treatment, or transfer of data about identified or identifiable individuals. AI systems that process any information that can be linked to individuals fall within this definition. This includes customer-facing AI chatbots that process names and queries, recommendation engines that process purchase history and behaviour, HR AI systems that process employee or candidate data, and document analysis systems that process contracts or communications containing individual-identifiable information.

Core PDPL obligations for AI operators

Lawful basis for processing. The PDPL requires that personal data be processed only with the informed consent of the data subject, or on a specific lawful basis without consent (such as legal obligation, vital interests, or the legitimate interests of the data controller). For AI operators, this means establishing a clear lawful basis for each category of personal data that an AI system processes. Where consent is used, it must be obtained in a clear and specific way, not buried in general terms of service.

Data subject rights. Individuals have the right to access data held about them, know the source of the data and its processing purpose, request rectification of inaccurate data, and request deletion of unlawfully processed data. AI operators must have mechanisms to handle these rights requests. The PDPL's rights framework does not include a specific right to explanation of automated decisions comparable to GDPR Article 22, but the general rights of access and rectification apply to any data an AI system processes about an individual.

Data quality principles. The PDPL requires that personal data be accurate, up-to-date, and relevant to the stated purpose. AI systems trained on or operating with personal data must ensure that the data quality principles are met. Outdated or inaccurate personal data used by an AI system may create PDPL liability for the operator.

Security obligations. Data controllers must implement appropriate technical and organisational security measures to protect personal data against unauthorised access, loss, alteration, or disclosure. For AI operators, this means securing not only the data used to train or operate AI systems but also the AI system's outputs where they contain or reveal personal data.

International data transfers. Personal data may only be transferred to third countries that provide an adequate level of data protection, or where specific conditions are met (such as contractual clauses). This is relevant for AI operators using cloud-based AI infrastructure in the United States, the EU, or other jurisdictions. Transfers to the EU are permitted by virtue of Argentina's adequacy recognition. Transfers to the US require specific mechanisms, typically contractual, since the US does not have an equivalent adequacy determination from Argentina's perspective.

PDPL reform. A comprehensive reform of Ley 25.326 has been under active discussion since 2022, and a reform bill has been in the Argentine legislative process. The reform proposals include more specific provisions on automated decision-making, profiling, and AI-generated processing decisions, drawing on GDPR experience. Operators should monitor the progress of this reform, as its adoption would introduce more specific AI-related data protection obligations.

Consumer protection law: Ley 24.240

Ley 24.240 de Defensa del Consumidor (Consumer Defence Law) establishes the framework for consumer protection in Argentina. This law applies whenever a business provides goods or services to consumers, which includes AI-powered services.

The consumer protection framework creates several obligations relevant to AI operators.

Service quality. Consumers are entitled to receive services that meet reasonable quality standards. An AI system that provides systematically inaccurate, misleading, or harmful outputs as part of a service may give rise to consumer protection claims under Article 4 of Ley 24.240, which requires service providers to supply information that is truthful, clear, and not misleading.

Information obligations. Service providers must give consumers adequate information about the products and services they receive, including relevant limitations. An AI-powered service that does not disclose its automated nature, or that presents AI-generated content as if it were human-authored expert advice, may create consumer protection exposure. The ENIA transparency principle, while voluntary for AI operators generally, is functionally supported by consumer protection obligations in commercial service contexts.

Redress and complaint mechanisms. Consumers have the right to file complaints and seek redress. AI operators providing consumer-facing services in Argentina must have functional mechanisms for consumers to raise concerns about AI-generated outputs and to seek correction or compensation where harm results.

Civil liability for AI harm

Argentina's general civil liability framework, codified in the Código Civil y Comercial de la Nación (Civil and Commercial Code), applies to harm caused by AI systems. Articles 1757 and 1758 of the Code establish liability for harm caused by dangerous things and activities, a doctrine that courts in other jurisdictions have applied to AI systems where the system's complexity or autonomous behaviour creates inherent risk.

Argentina has not enacted specific legislation allocating AI liability in the manner of the EU's revised Product Liability Directive (applicable from December 2026 in the EU, treating AI software as a product for strict liability purposes). The allocation of liability between AI developers, operators, and users in Argentina will therefore be determined by existing civil law principles, the contractual arrangements between parties, and ultimately by judicial interpretation as AI-related cases arise.

The absence of an AI-specific strict liability regime means that claimants in Argentina must generally establish fault rather than relying on strict liability. This is a lower risk for AI operators than the EU's Product Liability Directive framework. However, the rapidly evolving judicial interpretation of technology liability in Argentina means operators should not assume a permissive liability environment will persist indefinitely.

Sectoral AI obligations

Outside the horizontal framework, some Argentine sectoral regulators have begun addressing AI use within their domains.

Financial services. The Banco Central de la República Argentina (BCRA) has not yet issued binding AI-specific guidance, but it exercises supervisory authority over operational risk management in financial institutions. Regulated entities using AI systems in credit decisions, fraud detection, or customer service face supervisory scrutiny of those systems as part of broader operational risk management reviews. The superintendency BCRA also monitors consumer protection compliance in financial services, making the Ley 24.240 framework particularly relevant for fintech and banking AI applications.

Healthcare. Argentina's health regulatory body (ANMAT) has authority over medical devices, including software-as-a-medical-device. AI systems used in clinical decision support or diagnostic contexts may require regulatory pathway review under ANMAT's evolving framework for digital health and AI-assisted clinical tools. ANMAT has been monitoring international developments, including the FDA's AI-SaMD guidance and EU MDR provisions, in developing its approach.

Employment. Argentina's labour framework under the Ley de Contrato de Trabajo does not specifically address AI in employment decisions, but general anti-discrimination principles and worker rights protections apply. AI systems used in hiring, performance monitoring, or dismissal decisions operate within the existing framework of labour protections, including non-discrimination requirements applicable to employer decisions.

EU AI Act extraterritorial reach for Argentine companies

Argentine companies with EU market presence face a compliance dimension that is entirely independent of domestic Argentine AI regulation. Regulation (EU) 2024/1689, Article 2(1)(b), explicitly extends the EU AI Act to providers established outside the EU whose systems are placed on the EU market or put into service in the EU.

An Argentine technology company that offers an AI-powered service to EU customers, whose AI system affects EU residents, or whose outputs are used in EU-based business processes, is subject to EU AI Act provider obligations for any system classified as high-risk under Annex III. The high-risk categories include: AI systems used in employment decisions, credit assessments, educational access, and critical infrastructure management. Many AI systems deployed by Argentine technology companies in these categories will have EU exposure through client relationships, subsidiary operations, or direct service provision.

The practical implication is that compliance planning for Argentine AI companies with EU market exposure cannot focus solely on the domestic voluntary framework. The EU AI Act's provider obligations under Articles 9 to 16 and GPAI model obligations under Articles 53 and 55 apply regardless of where the company is incorporated or where the system was developed. The EU's enforcement approach toward third-country providers will clarify over the 2026 to 2028 period, but the legal obligation is clear on the face of the regulation.

For Argentine companies whose EU exposure is through general-purpose AI models accessed via API (OpenAI, Anthropic, Google), the analysis differs. As the deployer of a third-party general-purpose model in an EU context, the company bears deployer obligations under Article 26 for high-risk applications rather than provider obligations. For detailed guidance on deployer obligations when using third-party models, see the deployer obligations guide at agentcertified.eu.

Comparing Argentina and Brazil in 2026

Argentina and Brazil represent distinct Latin American approaches to AI governance that operators must understand when making regional strategy decisions.

Brazil's PL 2338/2023 AI Bill, under active congressional debate in 2026, follows the EU AI Act model: risk-based classification, mandatory requirements for high-risk systems, explicit prohibited uses, administrative enforcement with designated supervisory authority, and penalty provisions. The PL 2338 has not yet been enacted, but its trajectory signals that Brazil is moving toward a compliance environment significantly more demanding than Argentina's current framework.

Argentina's Decreto 1001/2024 explicitly declined this approach. The government's position is that voluntary principles, combined with existing horizontal law, are sufficient and more innovation-compatible than mandatory sector-specific AI regulation.

For operators choosing between Argentina and Brazil as the base for Latin American AI operations, this difference matters. Argentina offers a lighter compliance environment for domestic operations in the near term. If PL 2338 is enacted in its current form, Brazil will require substantially more compliance investment for operations serving Brazilian users or involving Brazilian-resident data. Companies building regional AI products may find Argentina's framework more accommodating for development and iteration, while requiring careful management of the EU AI Act obligations if EU market exposure exists.

The comparison with the Singapore model (which Argentina and Malaysia share in their soft-law, principle-based approaches) is instructive. Singapore has managed to maintain both a technology-friendly environment and genuine institutional authority in AI governance without moving to mandatory pre-deployment requirements. Argentina's approach has similar potential but lacks Singapore's institutional history and the coordination mechanisms the MAS (Monetary Authority of Singapore) and IMDA (Infocomm Media Development Authority) provide in Singapore's framework. For the full Singapore comparison, see the Singapore operators guide.

Compliance priorities for AI operators in Argentina

Given the current framework, the practical compliance priorities for AI operators in Argentina fall into three tiers.

Tier 1: binding obligations regardless of AI-specific governance. PDPL compliance for any AI system processing personal data of Argentine residents. Consumer protection law compliance for any consumer-facing AI service. Civil liability risk management through documentation, oversight design, and incident response protocols. Sectoral regulatory requirements where the operator is in a regulated sector (financial services under BCRA, healthcare under ANMAT).

Tier 2: EU AI Act compliance for EU market exposure. Companies with EU customers, EU subsidiaries, or EU-exposed AI outputs must assess their systems against Annex III high-risk categories and implement the provider or deployer obligations that apply. This is not a domestic Argentine obligation but is a binding external obligation that applies to the EU-facing portion of the business.

Tier 3: voluntary ENIA alignment. Companies seeking to demonstrate AI governance for public sector partnerships, government procurement, or stakeholder purposes may align their practices to the seven ENIA principles from Decreto 1001/2024. This is voluntary but can be commercially relevant, particularly for companies with government clients or those pursuing certification for investor or partner purposes.

For companies operating across multiple Latin American jurisdictions, documenting governance practices against a structured framework simplifies the process of demonstrating compliance across different national requirements. The Agent Certified framework provides a structured seven-dimension assessment that maps to both EU AI Act requirements and the data protection principles shared by PDPL and other national data protection frameworks, making it applicable to multi-jurisdiction operations.