
International: Legislative context of data protection – comparing Brazil and Chile

Both Brazil and Chile have existing data protection frameworks which have, in part, been influenced by the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). Samara Schuch and Debora Batista Araújo, from Schuch & Araújo Specialized Law Firm, provide a comparison between the frameworks in both Brazil and Chile, and discuss the challenges and successes of both.


The current legislation landscape

The creation of a general legal framework for the processing of personal data in Brazil is something new. After almost a decade of discussions, Brazil was helped along by the development of the GDPR, whose extraterritorial application made local adequacy an urgent matter.

Law No. 13.709 of 14 August 2018, the General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD'), entered into force in September 2020. The constitutional acknowledgement of personal data protection as a fundamental right, in turn, entered the Brazilian legal system via Constitutional Amendment No. 115 to the Constitution of the Federative Republic of Brazil, in 2022.

The Brazilian data protection authority ('ANPD') was created under the LGPD, thus opening communication channels with data subjects, as well as with public and private entities. With the creation of the ANPD, it has become possible to exercise the right to petition, to report incidents, to request responses from companies to data subject rights requests, and to take part in public consultations on the matters to be regulated.

New concepts and rights are now being considered when doing business, as private and public entities appoint their data protection officers ('DPO') and face the challenges of building data protection governance.

Chile seems to face a similar challenge, despite being one of the first countries in Latin America to have enacted a data protection law, Law No. 19.628 on the Protection of Private Life 1999 ('the Law'). It has been taking steps to modernise the Law and make it compatible with current social and economic realities, drawing inspiration from European regulatory references.

The Law sets forth important rules for the processing of personal data. It is founded on the expansionist theory of personal data, adopted by the GDPR and the LGPD.

Current debates on the need to modernise the Law highlight the lack of provisions on the creation of an authority, on sanctions, and on the right to petition as a means of enforcing the Law. They also highlight the need for additional legal bases for the lawfulness of processing (apart from consent and compliance with the Law), and the need for clarification of the data subjects' rights.

To address those challenges and to make the Law compatible with the digital environment and with international best practices, Bill No. 11144-07 Regulating the Processing and Protection of Personal Data and Creating the Personal Data Protection Authority ('the Bill') sets forth principles for data processing, creates new data subject rights and legal bases for processing, establishes the need for a data protection authority and for the appointment of a DPO, and defines infractions and sanctions, among other important developments.

The principles provided for by the Bill are in line with the Fair Information Practice Principles, an important development in data protection laws since their insertion in the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data ('Convention 108') and other instruments. In fact, the fairness, purpose specification, use limitation, data quality, security, openness, and accountability principles can all be found in the Bill, which constitutes an important development, since the Law mentioned only purpose limitation and confidentiality.

It is also interesting to note that, compared to the existing Law, the Bill brings in new matters that have many similarities with the LGPD (which, in turn, is based on the GDPR), such as the concepts of anonymisation and pseudonymisation. Pursuant to the Bill, anonymisation is also understood as a process that does not trigger the application of the law.

The Bill also introduces the concept of data processor and puts the definition of data controller in line with the GDPR and LGPD definitions, stating that the controller is the entity that makes decisions on the data processing and determines its purposes and means. Within the Chilean framework, the terms are not 'controller' and 'processor', but 'responsible' and 'third-party agent' or 'commissioner', respectively.

With respect to the data subjects' rights, important differences can be noted not only when the basic framework of the Law (access, rectification, correction, objection) is compared with the Bill, which incorporates further data subject rights, but also when both are compared with the LGPD.

One of those differences is the fact that the Bill already sets forth the criteria for granting the right to portability, with provisions very similar to the GDPR: it already specifies that the right applies to processing based on consent or the performance of a contract, and only to data provided by the data subject, whereas the LGPD defers the whole portability matter to a regulation to be issued by the authority.

The right to object also shows some important differences. The GDPR states that the data subject has the right to object when their personal data is processed on the basis of public interest or legitimate interests, including profiling based on those lawful grounds.

The controller shall stop processing, including processing for direct marketing and profiling for that purpose, unless there are 'compelling legitimate grounds for the processing that override the interests, rights and freedoms of the data subject or for establishment, exercise or defense of legal claims'. In addition, under the GDPR, it is possible to object to processing where personal data are processed for scientific or historical research purposes or statistical purposes, unless there are compelling public interest grounds.

In the Bill, objection is possible when: (i) processing affects the rights and freedoms of the data subject; (ii) processing is for direct marketing, except when there is a contract between the data subject and the controller; or (iii) the data subject is deceased, in which case objection can be requested by his/her heirs.

It is worth highlighting that the exception to objection for direct marketing, based on a contract signed between the data subject and the controller, is an opportunity for the controller, but it is also a risk for profiling and for communication with the data subject, who is left without an option in case of mishandling of data by the controller.

With respect to objection, it might not have been necessary to provide for heirs objecting to the processing of a deceased data subject's data: given that a data subject is, by definition, a natural person, processing shall be considered unlawful once the data subject is deceased, which could instead trigger a complaint to the data protection authority.

Finally, with respect to objection as stated in the LGPD, since it is based on the assumption that the data processing is unlawful, and since controllers acting in good faith do not operate on that assumption, it ends up amounting to a right to petition rather than a right to object as set out in the GDPR and the Bill.

The Bill also addresses consent requirements and moves from express consent to unambiguous consent, an important prerequisite for a valid, yet more flexible, basis for processing personal data.

Comparing the laws

To enrich this comparison and provide a glimpse of the expected evolution of Chilean law, the similarities and differences between the Law, the Bill, and the LGPD are compared below, subject by subject.

Subject: Special categories of data (sensitive data)

The Law: Personal data related to physical or moral attributes or to facts or circumstances of the private life or intimacy of an individual, such as personal habits, racial origin, ideologies and political opinions, religious beliefs or convictions, data concerning physical or mental health, and sex life.

The Bill: Only personal data revealing ethnic or racial origin, political, union or fraternity affiliation, personal habits, ideological or philosophical beliefs, religious beliefs, data concerning health, the human biologic profile, biometric data, and data concerning a person's sex life, sexual orientation, and gender identity.

LGPD: Personal data concerning racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organisation membership, data concerning health or sex life, and genetic or biometric data, when related to a natural person.

Subject: Public sources of data

The Law: Records or compilations of public or private personal data, access to which is not restricted or classified to the requesters.

The Bill: All databases or data sets that can be used when there are no restrictions or legal restraints on their use, such as professional associations, the official journal, means of communication, or public registries, as provided for by law.

LGPD: Data manifestly made public by the data subject, without prejudice to their rights. Processing of publicly accessible data shall consider the purpose, good faith, and public interest that are the grounds for its availability.

Subject: DPO

The Law: Does not exist.

The Bill: It is possible to appoint a DPO as a preventative measure to avoid fines, under the accountability principle. It is an optional measure. The DPO shall be appointed by the company and shall have autonomy to work. The DPO shall be the point of contact with the data subjects and the supervisory authority, promote the privacy and data protection policy, supervise compliance with the law, and be a consultant to the controller. A group of companies can have a controller.

LGPD: A natural person or legal entity acting as the means of communication between the controller, the data subjects, and the supervisory authority.

Subject: Data protection authority

The Law: There is no authority under the Law.

The Bill: The data protection authority is currently the Council of Transparency, to become the Council of Transparency and Data Protection.

LGPD: The authority is currently part of the indirect public administration, and can be converted into an independent organ within two years from the approval of the authority's rules of procedure.

Subject: Lawfulness of processing

The Law:
(i) Consent.
(ii) Specific legal provision.

The Bill:
(i) Consent as the main legal basis.
(ii) Public access sources.
(iii) Data processing related to economic, financial, banking, or commercial obligations.
(iv) Performance of or compliance with legal obligations.
(v) Execution or performance of a contract between the data subject and the data responsible, or in order to take pre-contractual measures, at the request of the data subject.
(vi) Legitimate interests.
(vii) Complaint, exercise, or defence of a right in court.
(viii) To protect the life or health of the data subject.

LGPD:
(i) Consent.
(ii) Performance of or compliance with legal or regulatory obligations.
(iii) By the public administration for the execution of public policies provided in laws or regulations, or based on contracts, agreements, or similar instruments.
(iv) For carrying out studies by research entities, ensuring, whenever possible, the anonymisation of personal data.
(v) When necessary for the execution of a contract or preliminary procedures related to a contract to which the data subject is a party, at the request of the data subject.
(vi) For the regular exercise of rights in judicial, administrative, or arbitration procedures.
(vii) For the protection of the life or physical safety of the data subject or a third party.
(viii) To protect health, exclusively, in a procedure carried out by health professionals, health services, or sanitary authorities.
(ix) Legitimate interests.
(x) For the protection of credit.

Subject: Lawfulness of processing sensitive data

The Law: Only possible when: (i) authorised by law; (ii) the data subject has consented; or (iii) it is necessary to establish or grant health benefits to the data subjects (Article 10).

The Bill: Only possible upon consent. Exceptions:
(i) if the data subject has made the data publicly available and further processing is related to the same purposes;
(ii) for the legitimate interests of a non-profit entity, provided certain requirements have been met;
(iii) if indispensable for protecting the life, health, or physical or mental integrity of the data subject or another person, or when the data subject is physically or legally incapable of giving consent;
(iv) necessary for a complaint or for the exercise or defence of a right in court or before an administrative department;
(v) necessary for exercising rights and complying with obligations of the responsible or the data subject, in the labour and social security areas; or
(vi) for compliance with a legal obligation.

LGPD: Specific and distinct consent. Exceptions:
(i) necessary for exercising rights and complying with obligations of the responsible;
(ii) shared processing of data necessary for the execution, by the public administration, of public policies set forth in laws or regulations;
(iii) studies carried out by a research entity, ensuring, whenever possible, the anonymisation of sensitive personal data;
(iv) the regular exercise of rights, including in a contract and in judicial, administrative, and arbitration procedures;
(v) protecting the life or physical safety of the data subject or a third party;
(vi) to protect health, exclusively, in a procedure carried out by health professionals, health services, or sanitary authorities;
(vii) ensuring the prevention of fraud and the safety of the data subject, in processes of identification and authentication of registration in electronic systems, respecting the rights mentioned in Article 9 of the LGPD, and except when fundamental rights and liberties of the data subject which require protection of personal data prevail.

Subject: Data related to health

The Law: Prescriptions, analyses, or exams can only be disclosed upon consent of the patient. Pharmacies can share such information in a statistical format, indicating name and quantity. In no case shall the names of the patients or the doctors be shared.

The Bill: Requirements for processing include:
(i) if necessary for diagnosis or for determining a medical treatment, whenever it is made by a healthcare establishment or professional;
(ii) for a medical or sanitary urgency;
(iii) to identify the level of dependency or disability of a person;
(iv) if indispensable for executing or performing a contract whose scope is the processing of health data;
(v) for historical, statistical, or scientific purposes, for research or investigation in the public interest or beneficial to human health, or for the development of products or supplies that cannot be developed in a different manner;
(vi) if necessary for the complaint, exercise, or defence of a right in court; and
(vii) when the purpose of processing is expressly set forth by law. The results of studies and scientific investigations that use health data may be published or freely transmitted, provided the data is previously anonymised.

LGPD: Health data is considered sensitive data. For studies in the public health area, health data shall be processed within the public entity strictly for the purpose of studies and research, in a secure and controlled environment, pursuant to security practices set forth in specific regulation. Transfer to third parties is not allowed.

Subject: Data subject rights

The Law: There is no time frame for responding to data subject access requests ('DSARs'). Free of charge. Rights to access, rectification, exclusion, and objection.

The Bill: The time frame for responding to DSARs is 15 days. Free of charge. Rights to access, rectification, exclusion, objection, objection to automated decision-making, and data portability.

LGPD: The time frame for responding to DSARs is 15 days. Free of charge. Rights to confirmation of processing and access to data; rectification; anonymisation, suspension of processing, or exclusion (including of personal data processed on the basis of consent); objection; review of automated decision-making; data portability; access to information about the public and private entities with which the controller has shared data; access to information about the possibility of denying consent and the consequences of such denial; and withdrawal of consent.

Subject: Sanctions

The Law: There are no sanctions.

The Bill:
Light infractions: written notification and a fine of 1 to 50 fiscal units per month.
Serious infractions: fine of 51 to 500 fiscal units per month.
Grave infractions: fine of 501 to 5000 fiscal units per month.
Accessory sanctions: in case of repeated grave infractions within 24 months, the data protection authority may determine the suspension of processing activities for up to 30 days. During such a time frame, the controller shall adopt measures to bring its processing activities into line with the requirements set forth in the decision that determined the suspension. In case the controller does not comply with the suspension decision, such measure can be extended indefinitely for successive 30-day periods, until the controller is compliant with the determination. When the suspension is directed at an entity subject to oversight by a public agency, the data protection authority shall communicate it to the corresponding public agency, for the protection of the rights of the subjects of such entity.

LGPD: Sanctions include:
(i) A warning, with an indication of the time period for adopting corrective measures.
(ii) A simple fine of up to 2% of the revenues in Brazil of a private legal entity, group, or conglomerate for the prior financial year, excluding taxes, up to a total maximum of BRL 50 million (approx. €9.7 million) per infraction.
(iii) A daily fine, subject to the total maximum referred to above.
(iv) The disclosure and publicisation of the infraction once it has been duly ascertained and its occurrence has been confirmed.
(v) The blocking of the personal data to which the infraction refers until its regularisation.
(vi) The deletion of the personal data to which the infraction refers.
(vii) The partial suspension of the operation of the database related to the infraction for a maximum period of six months, extendable for the same period, until the normalisation of the processing activity by the controller.
(viii) The suspension of the personal data processing activity related to the infraction for a maximum period of six months, extendable for the same period.
(ix) The partial or total prohibition of activities related to data processing.

Subject: Data breach notification

The Law: There are no provisions.

The Bill: To be reported when there are reasonable risks of damage to the data subjects and effects on their rights. When the data breach concerns sensitive data or economic, financial, banking, or commercial data, the controller shall also communicate it to the data subjects. Such communication shall be made in clear and plain language, informing of the affected data, the possible consequences of the data breach, and the measures adopted for solution or protection. The notification shall be made to each affected data subject and, where that is not possible, via broadcasting or publication of a notice in a mass means of communication of national reach.

LGPD: The controller shall notify the data protection authority when the data breach may generate risk or relevant damage to the data subjects. Communication shall be made within two working days (interim determination by the Brazilian data protection authority) and shall mention, at least: (i) the nature of the personal data affected; (ii) information about the data subjects involved; (iii) the technical and security measures for the protection of the data, provided commercial and patent secrecy are preserved; (iv) the risks related to the incident; (v) the reasons for the delay, in case communication has not been made immediately; and (vi) the measures taken to reverse or mitigate the effects of the damage.

Final considerations

The Bill is a proposal for turning the Law into a comprehensive data protection law, with the main features found in the principal data protection laws in force around the world (even though extraterritoriality provisions are missing). In some aspects, such as scope, principles, DSARs, and legal bases, the LGPD seems broader than the Bill.

On the other hand, the Bill innovates in relation to the LGPD in matters such as the processing of biometric data, and also by bringing personal habits and gender identity into the concept of sensitive data. Another point addressed specifically in the Bill is the mandatory communication to data subjects in case of a breach of sensitive data or of economic, financial, credit, or commercial data (which are not sensitive data, but may still cause damage to the data subjects).

With respect to sanctions, enforcement of the law is an important step, and the Bill has not waited for regulation to set out some criteria and examples regarding the kinds of data breach and the definition of categories, such as light, serious, or grave. By comparison, even though the LGPD sets forth some criteria, the Brazilian legislation still needs clarity in various aspects.

It is worth noting that discussions on data protection laws have been evolving around the world and in Latin America. The Bill reflects this effort to modernise the Law, and the country has an important opportunity to restore Chile's position on the legal path of the digital economy, while also showing that its innovations can serve as inspiration for the regulation of data protection in other Latin American countries.

Samara Schuch, Partner
Debora Batista Araújo, Partner
Schuch & Araújo Specialized Law Firm, Sao Paulo
