Chile’s proposed data protection rules overhaul: What it may mean for your business

Chile’s congress is close to greenlighting a bill that will overhaul data protection legislation and pave the way for the creation of a data protection agency.

Awaiting the final nod in the senate, the bill, once enacted, would have implications for business and establish a penalty scheme for non-compliance that could result in maximum fines of around US$1.5mn.

As the onus would be on companies to bring their practices in line with the new rules, the overhaul would generate opportunities for specialists who can help them safely navigate the new regulatory landscape.

To learn more and explore some of the implications, BNamericas conducted an email interview with Roberto Opazo, director and founder of Itzi, a specialist consultancy firm that provides legal advice on data protection and intangible assets in Chile, Argentina and Spain.

BNamericas: What’s the state of play regarding the personal data protection bill?

Opazo: In Chile, we currently have law No. 19,628 on personal data privacy, which dates from 1999 and which has undergone minor modifications, but these have not yet managed to establish the necessary robustness to enforce the ARCOP [access, rectification, cancellation, opposition and portability] rights enshrined in this law. 

In fact, the rules, although they do contain a series of globally accepted and employed concepts, do not recognize special procedures or a requisite institutional framework, which ends up making the legislation an accumulation of concepts and general notions that are difficult to enforce. Notwithstanding the foregoing, Chile’s congress is today debating a powerful update to this law, a process in the final stage in the senate. 

The magnitude of this modification is such that the name of the law will become ‘Law on the protection of personal data and creation of the data protection agency’, which gives us insight into the foundations of the new data rules in Chile, which will bring the framework in line with corresponding international rules, reflecting the approach taken in Europe regarding the relationship between a person and personal data.

BNamericas: Will secondary regulation be needed and when could the law be fully in force?

Opazo: The new rules today are in the third constitutional phase, that is, all that remains is for the senate to approve the bill for it to be promulgated and enter the statute books. 

Once this happens, the same rules grant a period of 24 months for the law to take effect, for the respective regulations to be issued, for the Chilean personal data protection agency to be created, and for entities to adapt to these new rules.

Complementarily, and as international experience has dictated, the personal data protection rules are not sufficient by themselves, but rather require administrative interpretations carried out by the respective authorities, as the data protection agencies in Europe do, for example. Notwithstanding, and complementing what has already been commented, a cybercrime law was published some time ago, and draft cybersecurity framework legislation that protects critical infrastructure is currently being debated in Chile.

BNamericas: What are the central pillars and purpose of the data protection bill?

Opazo: The purpose of this new personal data protection bill is to put the person and their rights at the center of the data economy, urging the ecosystem to make decisions about the data respecting the fundamental pillars of the draft legislation, which are: 1) ARCOP rights; 2) consent; 3) institutionality; 4) special procedures for enforceability of rights; 5) sanctions.

BNamericas: What is the scope of the bill, that is, will companies of all sizes be impacted, as well as public sector entities?

Opazo: I would refer to the triple impact of the law:

1. Public: A new institution is established in Chile called the personal data protection agency, which will be a kind of Sernac [consumer protection agency], but improved, since it will have sanctioning powers that the latter does not have. I believe, a priori, that this new agency will become an example for the modernization of other public institutions that regulate the relationship between rights holders and service/product providers.
    
2. Private: Private organizations must be transparent regarding how they treat the data, what is the objective of that treatment, and of course, have the consent of the data owner. This implies a process of detailed planning, since a new internal process of identification of the type of data that is treated within the company is generated, and how effective compliance procedures for the new standard can be generated.
    
3. Cultural: The holders of personal data will be more empowered concerning the custody of their personal data, which, accompanied by a guaranteeing institution in the enforceability of their rights, will generate awareness of the relevance of the fact that the personal data belongs to the owner and not to the organization that processes them.

BNamericas: What sectors of the economy will see the greatest impact from the new law in the early years?

Opazo: All sectors. Today, after COVID-19, in Chile – as in the whole world – there has been a process of digitization of the market, which implies the processing of personal data, and the exchange of it, so the process that is coming in Chile requires a mandatory process (by law) of adaptation, and those who do not adapt, may receive pecuniary sanctions that reach up to 20,000 UTM [around US$1.53mn], the highest economic penalty provided for in the law, and even the temporary suspension of the processing of personal data.

And on the other hand, an opportunity will be generated for projects already proven in Europe, for example, organizations that have verifiable experience and know-how in automation processes in the management of internal personal data, processes for surveying security breaches and everything related to cybersecurity. Undoubtedly, a window is opened for foreign investment in terms of the protection of intangible assets in general, and not just personal data.

BNamericas: Once enacted, the law will generate strong demand for specialized professionals and consultants? How well prepared is Chile for this?

Opazo: The market has already given signs of the need for a profile linked to personal data management, especially professionals with ISO 27001 certifications, for example, and many large companies have already started recruitment processes for professionals linked to the world of privacy in digital environments. And some higher education centers already offer postgraduate courses in protection of personal data, but even so, I consider that these signs, which are indeed progress, do not allow us to conclude a priori whether Chile is ready.

BNamericas: What will be the sanction scheme for companies that do not comply?

Opazo: According to the latest approved amendments, there will be different infractions: minor, serious and very serious. Thus, in the case of serious infractions, the fines are 2% of the company's revenue from the previous year, with a maximum established of 10,000 UTM. While, in relation to very serious infractions, the fines will be 4% of the company's revenue from the previous year with a maximum of 20,000 UTM. And in the event of reiteration of very serious infringements, data processing may even be temporarily suspended.

BNamericas: Is the bill part of a wider State modernization process?

Opazo: In Chile, for many years, there has been talk of the modernization of the State. Although the bill we are discussing is not expressly part of this plan, the need for public institutions to adapt their technical processes to safeguard citizen data will undoubtedly matter. Notwithstanding, as in Spain, the public administration is not subject to sanctions for reasons that at first seem obvious.

BNamericas: How would the law leave Chile compared to other countries in Latin America, in terms of being the most advanced in terms of data protection?

Opazo: Chile was a pioneer in the region by being the first Latin American country to enact a personal data protection law, No. 19,628 on the protection of private life of 1999, but it lagged other countries in the region for not conforming to European standards. 

Although Argentina and Uruguay are countries that are considered to have an adequate standard for data processing according to European parameters, more than 10 years have passed since those declarations, which has forced them to rethink their regulatory model. On the other hand, just as Chile was a pioneer in enacting its data protection law based on European regulations in 1999, Brazil was the first country in the region to enact a personal data protection law directly inspired by the European GDPR model of 2016: the general data protection law, LGPD (No. 13,709/2018), so Chile would join Brazil in having a regulatory framework with the adjustments required by the European GDPR.