The possibility of having, in the short term, a new statute on personal data protection, which updates the current regulation of Law No. 19,628 on the protection of private life, is rather unlikely. Bulletin 11144-07, which modifies said Law, remains at the initial legislative stage in the Chamber of Origin, therefore it is not feasible to foresee the approval of this bill in the medium term.
On the other hand, the recent publication of Law No. 21,398 that establishes measures to improve the protection of consumer rights, also known as “Pro-Consumer Law”, not only imposes new obligations on suppliers, but also sets forth a series of challenges for companies regarding personal data protection matters, through the addition of article 15 bis to the current Consumer Protection Law.
The abovementioned article states that, “the provisions contained in articles 2 bis letter b), 58 and 58 bis shall be applicable with respect to the personal data of consumers, within the framework of consumer relations, unless the faculties contained in said articles fall within the scope of the legal competences of another body”.
Article 2 bis letter b) mandates the application of the procedures established in said Law when special rules do not provide for protection mechanisms for consumers’ collective or diffuse interests and for their right to be duly redressed.
In practice, and under this article, SERNAC will become, de facto, the data protection authority that will ensure compliance with the corresponding regulations within consumer relations. As follows, whenever the consumers’ personal data might be affected within the framework of a consumer relation, SERNAC will be able to intervene.
The great impact and effect that this rule will have on companies regarding personal data matters, which in the past did not count on an authority empowered to ensure compliance with obligations and rights established by the Law, cannot be circumvented. Not only companies that maintain a direct contractual relationship with consumers will have to review their internal protocols and adjust their procedures to the Law, but also those who intervene as agents in personal data processing within consumer relationships shall do the same.
Accordingly, the scenery is that a “consumer/data protection law” axis is being developed, which, while the approval of a new special statute on personal data protection is still pending, will govern consumer relationships which imply the processing of personal data. In practice, this will force companies to examine their privacy policies, terms and conditions, and pre-formulated standard contracts; to verify that consumers’ data bases are legitimately provided with all required consents; to review contractual relationships between the consumers’ personal data controller and its respective processors, among others.
Nevertheless, Consumer Protection Law provides companies with an interesting tool which, while expecting the approval of a new data protection statute, could be useful to navigate a route marked by a rigid and outdated legislation, which does not meet the current needs of suppliers and consumers.
Said tool is presented as one of the mitigating circumstances set forth in Consumer Protection Law on its article 24 letter c), which was added by Law No. 20,081 in 2018. Regarding the sanctions for infringements of the consumer statute, the new concept named “substantial collaboration” was established, which exists if, “the supplier has a specific compliance plan in the matters referred to in the respective infraction, which has been previously approved by the Service and its effective implementation and follow-up is accredited".
Considering that in Chile there is no regulation such as the European Union General Data Protection Regulation (GDPR), and that Law No. 19,628 on the protection of private life does not contain certification procedures in data protection matters, preventive compliance plans in consumer protection issues might turn into an effective compliance tool for companies, until a new law on personal data protection is approved.
In concrete terms, companies that embark on the design, approval, implementation, and constant updating of a consumer compliance plan can improve their internal functioning through the identification of gaps, risks, and their adequate mitigation – a necessary result of the compliance culture –, and count on SERNAC’s approval of their practices and protocols.
One of the virtues of the current consumer compliance regulation is that it mandates suppliers to adjust their plans to their companies’ concrete needs and features. In doing so, companies have the freedom to design plans that adjust to their existing needs and that can be narrowed down in such a way as to concentrate the identification of risks in a critical area, such as, for example, in personal data matters.
Certainly, our country’s requirements and compliance fulfillment level and other personal data protection issues required from companies are growing in order to become equivalent to the European standard, without considering or concretely moving forward into the development of tools to make that possible. Hence, it is necessary and even visionary to look for “alternative” solutions within the mechanisms provided in the Law.
Currently, the incorporation of personal data in the companies’ risk matrices is a real need, considering that SERNAC will probably monitor and ensure compliance with this regulation. The implementation of a compliance plan which, among other things, includes a chapter on personal data protection, may be a highly effective protective barrier for companies.