- The definition of sensitive data is extended to include gender, genetic and biomedical identity. New categories of sensitive data will be created such as health, children, biometric, genetic and proteomic related data.
- It will be relevant to analyze the way in which the standards of data processing will be increased. The current LPD regulates sensitive and non sensitive data in a similar manner, only drawing a distinction on the fact that sensitive data allows for no exceptions to the obligation to gather the individual’s consent.
- Innovation is made on the recognition of biometric, proteomic and genetic data. It will be interesting to analyze its definition; the practical application of its associated obligations; and how the law works out any contradictions arising between these limitations and the development of scientific activities.
- Cross border data transfer is regulated for the first time. These transfers shall only be allowed in countries with reasonable levels of protection, which would be countries with a similar standard of regulation to Chile.
- No changes are made regarding financial, banking and commercial personal data.
- This is being done in concert with the announcement of processing the bill of law on SOE (Economic Obligations System for its acronym in Spanish) in parallel.
- A Data Privacy Authority will be created: the National Direction of Data Privacy, which will oversee regulatory compliance with the LPD and enforcement.
- A new set of infringements will be created with specific sanctions of up to UTM 10,000 (USD 671,500 approximately) or in extreme cases the closure of the data processing operation.
- An obligation to register databases will be implemented, excluding databases for domestic use.
- It will be important to review the extent of this obligation, particularly if the obligation requires registering modifications of the content of the registered databases (which are naturally dynamic and subject to constant change).
- A complaint procedure will be launched with three mandatory steps: first, a direct claim before the data processor; second, an administrative claim before the National Direction of Data Privacy; and finally a judicial claim disputing the decision of the National Direction of Data Privacy.
- New incentives for companies’ compliance obligations are set up in the form of “infringement prevention models”.
- This space for self-regulation or construction of codes of conduct can be essential in the adjustment of the companies to this new legal structure. The specific tools granted to the private sector shall be relevant, and they will most likely be related to codes of conduct and self-regulatory statutes.
- The adoption of “preventive models of infringements” shall consider clear and easily applicable incentives.
AUTHOR: Guillermo Carey.
