Analysis of the Bill that regulates protection of personal data and creates a Personal Data Protection Agency in Chile
On Monday, March 13, 2017, the Chilean President sent a bill (the “Bill”) to the Senate that, if passed, will significantly amend Law No. 19,628 on the Protection of Private Life.
The Bill seeks, among other things, to increase protection of privacy in order to fulfill international standards in matters of personal data processing, to meet the guidelines of the Organization for Economic Cooperation and Development (OECD), to adapt and modernize national legislation to meet the challenges that a digital economy entails, and to balance the safeguarding of people’s privacy with free circulation of information.
- The Bill sets forth new principles that shall govern the use of personal data and new rights for data subjects.
- It regulates in greater detail the concept and requisites for consent, defining it as a free, specific, unequivocal, and informed manifestation that ought to be granted beforehand, and that must be specific regarding a purpose. The unequivocal manifestation must involve, “an act of assertion proving the clarity of the subject’s will”; surpassing the “in writing” requisite of the current law.
- It establishes a new statute of exceptions for consent.
- It further develops the concept of Sources of Public Access, specifying that they shall be those which may be accessed or consulted in a lawful manner by anyone, without restrictions, or legal obstacles, to access or use them. Additionally, it establishes the sources of public access as an autonomous exception.
- It regulates sensitive data in greater detail (establishing new data, such as biometric data, and data regarding biological human profiles); and it establishes a new category of “special data”, for the data of children; data used for historical, statistical, scientific purposes and others; and georeferentiation data.
- It restricts the automated processing of data, entitling data subjects to request that no decision affecting them significantly be adopted exclusively on the grounds of the automated processing of that data, with certain exceptions.
- It creates a Personal Data Protection Agency with the authority to monitor and punish violations of the law with fines of up to 5,000 UTM (approximately USD 350,600 at the date the Bill entered Congress).
- It creates a National Registry for Compliance and Penalties.
- It sets forth new proceedings to prosecute liabilities.
- It regulates international data transfers.
- It regulates the duty to adopt security measures, and reporting obligations in regard to security breaches.
- It establishes the possibility for the data controller to adopt and certify a model for breach prevention, associated with mitigating circumstances regarding liability.
The Bill will enter in force and effect thirteen months after its publication, however, previously established databases will be allowed 4 years from the time the law enters into force to adapt their practices.
For a complete report on the project, click here.
If you have any questions regarding the matters discussed in this memorandum, please contact the following attorneys or call your regular Carey contact.
+56 2 2928 2612
This memorandum is provided by Carey y Cía. Ltda. for educational and informational purposes only and is not intended and should not be construed as legal advice.
Isidora Goyenechea 2800, 43rd Floor.
Las Condes, Santiago, Chile.