Digital therapeutics and AI-driven health apps: sanitary regulatory and IP considerations in Argentina

Martín J Mosteirin
Marval O’Farrell Mairal, Buenos Aires
mjmo@marval.com

Diego Fernández
Marval O’Farrell Mairal, Buenos Aires
dfer@marval.com

Camila Leone
Marval O’Farrell Mairal, Buenos Aires
cal@marval.com

Carolina A Ramirez
Marval O’Farrell Mairal, Buenos Aires
candr@marval.com

Introduction

Artificial intelligence (AI) is rapidly evolving and reshaping the healthcare system. Health apps are gaining immense prominence, as their functions are becoming more sophisticated. These AI-driven apps comprise a wide variety of features, from real-time, AI-powered conversations to exercise recommendations. Though its advantages are noteworthy, the speedy evolution of these technologies has caused a new set of concerns regarding its regulation. It is vital to understand the key regulatory frameworks that apply from an interdisciplinary perspective, including healthcare, data privacy and AI, to guarantee the ethical and responsible use and implementation of digital therapeutics and AI-driven health apps and, ultimately, to guarantee that patients’ rights are protected.

Sanitary regulatory considerations

Recently, there has been an increase in activities involving the development of digital health solutions, including mobile applications (apps), wearables, telemedicine platforms, electronic health records and e-prescription systems. Within this broader ecosystem, digital therapeutics have emerged as a distinct category of software-based health technologies. These therapeutics are commonly defined as ‘evidence-based therapeutic interventions driven by software to prevent, manage, or treat a medical disorder or disease.’^[1]

However, Argentina has not yet adopted a specific regulatory framework applicable to digital therapeutics and their approval for clinical use nor for AI digital health devices. In practice, if such devices or software solutions fall within the definition of a ‘medical device’, the general provisions governing medical devices will apply, indistinctively.

Under the newly issued National Administration of Medicines, Food and Medical Technology (Administración Nacional de Medicamentos, Alimentos y Tecnología Médica or ANMAT) Regulation 64/2025, medical devices are defined as:

‘…any instrument, device, equipment, implant, in vitro diagnostic product, computer program (software), materials or other item, intended by the manufacturer to be used, alone or in combination, in human beings, for any of the specific medical purposes mentioned below, and whose principal intended action is not achieved by pharmacological, immunological or metabolic means in the human body, but which such means may contribute to its intended action: (a) to diagnose, prevent, monitor, treat or relieve a disease; (b) to diagnose, monitor, treat, or repair an injury or disability; (c) to investigate, replace, modify the anatomy, or a physiological or pathological process or condition; (d) sustain or support life; (e) to control or support conception; and (f) obtain information through in vitro examination of human body samples, including organ and tissue donations.’

Furthermore, the Regulation defines ‘software as a medical device’ (SaMD) as ‘…a software product or application that is intended for one or more of the purposes listed in the definition of a medical device and that performs its functions without being part of the hardware of a medical device.’

According to the general guidelines outlined in ANMAT Regulation 64/2025, mobile apps that meet this definition are considered SaMD and, as such, must comply with the regulatory requirements applicable to medical devices.^[2] Although ANMAT has established certain criteria for classifying and registering SaMD, a case-by-case analysis is necessary to determine whether a specific technology falls within the scope of this definition.

In addition, given that Argentina is a federal country, further requirements may apply in the form of provincial and municipal regulations in the medical devices area. As a result, companies entering the digital health market must navigate a diverse regulatory framework and assess their compliance at both the federal and local level.

Data privacy considerations

Digital therapeutics and AI-driven health apps often rely on the continuous collection and processing of users’ personal data, including health-related information. In Argentina, the protection of personal data is governed by the Personal Data Protection Law 25326 (DPL), Regulatory Decree 1558/2001, Convention 108 for the Protection of Individuals with respect to Automatic Processing of Personal Data ratified by Law 27483, its Amending Protocol approved by Law 27699 (Convention 108+)^[3] and through the complementary rules issued by the Agency of Access to Public Information (La Agencia de Acceso a la Información Pública or AAIP) (collectively, the ‘Argentine Data Protection Regime’). This framework is closely aligned with the European model, particularly the General Data Protection Regulation (GDPR), although certain differences exist.

Under the DPL, data controllers must provide individuals with specific information prior to processing their personal data. This includes information on the purpose of the processing; the categories of potential recipients; the existence and identity of the database and its controller; whether the provision of data is mandatory or optional; the consequences of providing or refusing to provide data; the mechanisms available to the data subject in order to exercise their rights of access, rectification and deletion; and the possibility of filing claims before the AAIP using the mandatory text established by Regulation 14/2018.

Unlike the GDPR, the DPL does not recognise legitimate interest as a lawful basis for processing. As a general rule, any processing of personal data must be based on the data subject’s consent, unless a statutory exception applies. Consent must be obtained prior to processing, must be free and informed, and must be expressed in writing or through equivalent electronic means (clickthrough agreements are considered valid).

The DPL allows limited exceptions to the consent requirement, such as when the data is obtained from publicly accessible sources; processed during the exercise of state functions or legal obligations; limited to certain basic identification information; or derived from a contractual, scientific or professional relationship where processing is necessary to perform such an agreement. Accordingly, certain processing activities related to the onboarding process or the provision of a digital therapeutic service may fall within the scope of the legal basis of contractual necessity and, therefore, may not require consent. However, it should be noted that when sensitive data is involved, exceptions to consent are interpreted restrictively, and any processing that exceeds what is strictly necessary to perform the contract (such as model training or fine tuning) must be based on the user’s explicit consent, unless another exception applies. AAIP Resolution 4/2019 also requires data controllers to implement mechanisms to validate the identity of the user that is granting their consent.

The DPL also recognises specific rights of data subjects, including the right to access their personal data, which must be satisfied within ten calendar days as of the request, and the right to request its rectification, updating or deletion, which must be implemented within five business days. The right to object to processing is limited to processing for direct marketing purposes. Furthermore, individuals are entitled to request an explanation from the data controller regarding the logic applied when decisions are made solely based on automated data processing and when such a decision produces negative legal effects or significantly affects the data subject.

These requirements are particularly relevant in the context of digital therapeutics and AI-driven health apps, as these technologies routinely process health data and may rely on automated decision-making, thereby falling within the scope of heightened regulatory scrutiny under the Argentine Data Protection Regime.

AI governance considerations

Despite the growing relevance of AI technology, Argentina has not yet enacted a specific regulatory framework governing its use, deployment and implementation. As a result, the use of AI is currently governed by existing legal regimes.

The Argentine Data Protection Regime applies where AI systems process personal data. Within this framework, the Guide for Public and Private Entities on Transparency and Protection of Personal Data for Responsible Artificial Intelligence,^[4] issued by the AAIP, plays a crucial role, as it outlines recommendations for public and private entities to encourage the ethical and responsible use of AI.

The AAIP Data Protection Impact Assessment Guideline^[5] is also relevant, particularly when companies use AI tools to create predictive profiles based on personal data and make decisions based solely on those profiles, as such practices may trigger the need to carry out a Data Protection Impact Assessment (DPIA). As mentioned above, AAIP Resolution 4/2019 further provides individuals with the right to request information from the data controller regarding the logic applied in regard to decisions made based exclusively on automated processing.

Other non-binding instruments also contribute to the emerging governance landscape. Argentina has adhered to principles and guidelines developed by the United Nations Educational, Scientific and Cultural Organisation (UNESCO) and the Organisation for Economic Co-operation and Development (OECD) on AI-related issues. Despite their non-binding character, these resources may be useful references for companies using and implementing AI. Some of their key principles comprise safety and security, fairness and non-discrimination, transparency and explainability, accountability, human-centred value, proportionality and do no harm, among others.

Furthermore, and although not mandatory, a set of additional guidelines issued by the Ibero-American Data Protection Network^[6] may be considered as soft law for the purposes of implementing AI tools. Key recommendations include complying with local data protection regulations; conducting DPIAs; incorporating privacy, ethics and security by design and default; and guaranteeing the right of users not to be subject to automated decisions or discriminatory treatment, among others.

Conclusion

The current sanitary regulatory and data protection legal frameworks in Argentina apply to digital therapeutics and AI-driven health apps, although these legal regimes were not specifically enacted for these technologies. As these technologies continue to evolve, compliance with medical device and data protection regimes will remain central to their lawful deployment in Argentina.