Chile: New proposed changes to the Data Protection Law

In this Insight article, Paulina Silva, Partner at Bitlaw, explores the proposed changes to Chilean data protection laws, specifically focusing on the impending structural shift outlined in Bill No. 11144-07 Regulating the Processing and Protection of Personal Data and Creating the Personal Data Protection Authority (the Bill). The article delves into key modifications, including the introduction of new legal bases, enhanced security obligations, and the regulation of international data transfers, shedding light on the potential impact of these changes on privacy practices in Chile.

Chilean legislation on data protection is on the verge of a long-awaited structural change, as the Bill is in its final stage of discussion before the Chilean Congress.

The current Law No. 19.628 on the Protection of Private Life (the Data Protection Law) dates from 1999 and has long been criticized for not creating a data protection authority, for its lack of flexibility in providing only two legal bases (legal authorization and consent), for its failure to regulate international transfers of data, and, in general, for being outdated and not addressing the pressing challenges of today's digital economy and data flows.

Understandably, the Data Protection Law has been the subject of many amendment attempts before Congress, all of them unsuccessful until the current one.

The Bill was introduced in early 2017 for discussion before the Senate. The text approved by the Senate made its way to the Chamber of Deputies, where it was approved with several amendments in late 2023. The differences between the Senate and the Chamber must now be settled by a Mixed Commission (of Senators and Deputies), which was appointed in late 2023 and began sitting in January 2024.

Predictably, the provisions of the Bill are substantially based on Europe's General Data Protection Regulation (GDPR). Given how outdated the current law is, the changes to the privacy landscape for controllers, processors, and data subjects will foreseeably be considerable once GDPR-like legislation is introduced.

Some of the most relevant modifications to the Data Protection Law in the Bill include:

  • the incorporation of new legal bases;
  • the creation of new security obligations for data controllers;
  • the regulation, for the first time, of international data transfers;
  • detailed regulation of data subject access requests;
  • compliance prevention models and data protection officers (DPOs);
  • regulation of automated data processing and profiling;
  • establishment of privacy by design and data protection impact assessment (DPIA) specific obligations;
  • a substantial increase in fines for non-compliance, reaching up to approximately $4.2 million for repeated very serious infringements; and
  • the creation of a Personal Data Protection Agency.

New legal bases and consent

The Data Protection Law provides for only two legal bases: legal authorization or the data subject's consent (with a few poorly drafted exceptions to the obligation to collect consent). In practice, this means that unless a law or regulation allows or requires a given form of data processing, or one of those narrow exceptions applies, controllers must obtain written, informed, and express consent from data subjects every time, for every type of processing and every purpose. Consequently, scenarios such as the processing of employee data, or the processing of personal data for security or anti-fraud purposes, must rely on consent, creating significant compliance challenges whenever consent cannot be obtained.

The Bill maintains the importance of consent as a legal basis by setting it as the generally applicable rule. However, it introduces several new legal bases, closely aligned with the GDPR. For the first time, it provides essential tools such as legitimate interest or the performance of a contract as bases for the processing of personal data, among other scenarios.

Moreover, consent as a legal basis must now meet additional requirements: it needs to be freely given, informed, specific as to its purposes, and given in advance and unambiguously. Consent is presumed not to have been freely given if it is collected in the context of the execution of an agreement for which the processing is not essential. Here the Bill does not distinguish between cases where consent is mandatory and cases where it is optional, omitting the rationale of the second half of Recital 43 of the GDPR.

The new legal bases (distinct from consent and legal obligation) include:

  • when the processing relates to data concerning obligations of an economic, financial, banking, or commercial nature;
  • when the processing is necessary for the performance of a contract between the controller and the data subject;
  • when the processing is necessary to satisfy legitimate interests that do not affect the rights and freedoms of the data subject (the word 'affect' appears to have a wider scope than the GDPR's 'override'); and
  • when the processing is necessary to protect the life and health of the data subject.

New security obligations and data breach reporting

The Data Protection Law currently establishes no obligation to implement security measures to protect personal data, nor any data breach notification duty. At present, damage resulting from a security breach can only be attributed to non-compliance with a very vague obligation under Article 11 of the Data Protection Law, which states that the controller must 'take care of the personal data with due diligence and shall be held liable for any damages,' unless a sector-specific security obligation applies (as is the case in the banking, insurance, telecommunications, pension fund, and electricity industries).

The Bill, therefore, creates the first comprehensive security obligation concerning personal data.

Security is one of the explicit principles underlying the Bill, which establishes a corresponding duty on controllers to adopt measures to ensure compliance with it. These measures, both technical and organizational, must be adequate to address the risks of each specific activity and must take into account the state of the art, the cost of implementation, the nature, scope, context, and purposes of the processing, and the probability of the risks and the severity of their effects in relation to the type of data being processed. The measures must ensure the confidentiality, integrity, availability, and resilience of the processing systems, and may include:

  • pseudonymization and encryption of personal data;
  • the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
  • the ability to restore the availability of and access to personal data quickly in the event of an incident; or
  • a process for regularly testing, assessing, and evaluating the effectiveness of the technical measures adopted to ensure the security of the processing.

Consistently with this, the Bill creates a specific new duty to inform the Data Protection Agency of breaches of security measures 'through the most expeditious means possible and without undue delay,' provided there is a reasonable risk to the rights and freedoms of the data subjects.

The report must be made to the Data Protection Agency in all cases, and directly to the data subjects as well if the breach involves sensitive personal data, data relating to children under 14 years of age, or data relating to obligations of an economic, financial, banking, or commercial nature.

An obligation on processors to report security breaches directly was approved by the Senate and later removed by the Chamber of Deputies, making it one of the matters to be resolved by the Mixed Commission in early 2024.

Regulation of international data transfers

The Bill regulates the international transfer of personal data for the first time, setting requirements similar to (albeit softer than) those of the GDPR. A transfer must fall within one of a set of permitted scenarios, the main ones being:

  • adequacy of the recipient country's legal system;
  • contractual clauses executed between the exporter and the importer, establishing the rights and guarantees of the data subjects and the obligations of the controllers;
  • adoption of a binding compliance model or self-regulation model that is certified under applicable legislation;
  • consent of the data subject to a specific and determined international transfer;
  • transfers relating to specific banking, financial, or securities transactions;
  • transfers between companies or entities belonging to the same business group, related companies, or companies under the same controller, provided all of them operate under the same standards and policies;
  • compliance with obligations under international treaties;
  • legal authorization; or
  • performance of a contract, or of pre-contractual measures, between the data subject and the controller.

Compliance prevention models and DPOs

The Bill gives controllers the option of implementing infringement prevention models which, if certified by the Data Protection Agency, may be treated as a mitigating circumstance in the event of an infringement.

These models or 'compliance programs' must include the designation of a DPO, the identification of the types of information the entity processes, its territorial scope, the categories of data it handles and of its data subjects, internal reporting mechanisms, and internal administrative sanctions, among other elements.

The DPO serves as the point of contact with the Data Protection Agency and must be appointed by the controller's highest managerial authority. The DPO must be autonomous from management in privacy matters and must avoid conflicts of interest.

Increase of fines

Under the current Data Protection Law, the only applicable fine is one of up to approximately $700, and it applies only to non-compliance with obligations relating to DSARs.

The Bill provides for fines of up to approximately $4,200,000 in cases of repeated very serious infringements.

Infractions are classified as:

  • minor infractions, which carry a written warning or fines of up to approximately $7,000;
  • serious infractions (the general rule), which carry fines of up to approximately $350,000 or, in the case of enterprises, a fine of up to 2% of annual income from sales and services in the last calendar year, capped at approximately $700,000; and
  • very serious infractions, which carry fines of up to approximately $700,000 or, in the case of enterprises, a fine of up to 4% of annual income from sales and services in the last calendar year, capped at approximately $1,400,000.

A 50% surcharge may be added to the fine if the infringement is not corrected within 60 days, and in cases of recidivism (two or more sanctions within 30 months) a fine of up to three times the amount assigned to the infringement may be imposed.

Finally, if fines are imposed for repeated very serious infringements within a period of 24 months, the Data Protection Agency may order the suspension of the controller's data processing operations and activities for up to 30 days. This suspension does not, however, affect the controller's storage of the data.

Matters that shall be resolved by the Mixed Commission

The Mixed Commission, as a third constitutional stage, must settle the differences between the texts approved by the Senate and the Chamber of Deputies. The main ones include:

  • the inclusion of publicly accessible sources as a legal basis;
  • the obligation for foreign companies to designate a representative in Chile with sufficient powers to receive data subject requests and service of judicial summons;
  • the duty of processors to report security breaches directly to the Data Protection Agency;
  • the establishment of maximum amounts for fines; and
  • the powers of the Data Protection Agency to oversee the processing of personal data by Congress, the Judiciary, and public agencies with constitutional autonomy.

Paulina Silva, Partner
Bitlaw, Chile