The government recently announced that a bill will be submitted to Congress to modify the Chilean Data Privacy Law N° 19,628 (“DPL”). In connection with the future bill (yet to be presented before Congress), the Ministry of Finance sent to several members of Congress a set of informal minutes outlining the structure and core aspects of the bill.
The following is a summary of the minutes, and an initial legal analysis prepared by Carey. Please note that the minutes are not official and have not been officially published by the government.
- The law will have transversal applicability, binding individuals and legal entities alike, whether public or private. The legal definitions will be updated and expanded in accordance with international standards.
- Principles of legality, purpose, proportionality, quality, security, responsibility and information will be expressly incorporated.
- Only some of these principles are captured by the current DPL. These principles will result in new and specific obligations for data controllers.
- We expect that the security and responsibility principles will involve new obligations related to security measures, and notification obligations related to data breaches, none of which are currently required.
- The principles of purpose and information should provide clear provisions regarding the minimum content of personal data processing authorizations.
- Processing of personal data is allowed as permitted by law or upon consent of the data subject.
- We expect that the definition of “law” in the clause above will allow for broad interpretation under this bill, so that companies will be exempted from the obligation to gather consent, provided they are subject to any other law or sector-specific regulation that compels them to process data.
- Consent must be first obtained, freely given, unequivocal and informed.
- Requirements of prior and informed consent are new; notwithstanding that the “prior” requirement was already generally accepted by doctrine and some administrative jurisprudence. The level of detail concerning the “free” requirement will be of great importance.
- Written consent is replaced by the technologically neutral unequivocal consent; which will in practice allow a more liberal interpretation of manifestations of consent.
- It will be interesting to see what exceptions arise under this bill. Currently, the LPD does not provide for reasonable exceptions to the obligation to obtain consent (e.g., domestic use, exigent circumstance).
- Individual’s rights of access, rectification, cancellation and opposition will be free of charge and non-waivable.
- The right to challenge decisions when the decision is based on automated data processing is not included among these fundamental rights. It is likely that this matter will still be regulated in the law, but as a less fundamental, waivable right.