Contributed By Magliona Abogados
The Chilean legal framework for data protection can be found in Article 19, No 4 of the Political Constitution of the Republic of Chile, which guarantees that the processing and protection of personal data will be carried out in the manner, and under the conditions, laid down by law. In addition, Chile has a dedicated data protection law, Law No 19,628 on Privacy Protection (the “Law”), which was published in the official gazette on 28 August 1999. The current Law is not based on any international instrument on privacy or data protection (such as the OECD guidelines, Directive 95/46/EC, the EU General Data Protection Regulation or the European Convention on Human Rights and Fundamental Freedoms).
Furthermore, on 28 October 2021, the Ministry of Science, Technology, Knowledge and Innovation of Chile launched the National Artificial Intelligence Policy (the “Policy”) along with an Action Plan. The Policy has three areas of focus:
The initiative seeks to lay the foundations to promote the development of AI in Chile; however, it does not promote substantial regulatory changes, but rather corresponds to a series of objectives that Chile would like to achieve.
Currently, and in general, the main data privacy regulators are the civil courts under the Law. In Chile, there is no data protection regulator, that is, there is no specific public body created for this purpose as yet.
However, other entities have powers in matters of personal data protection, the main ones being the following.
Currently, the National Consumer Service (“SERNAC”) is the control body in matters of protection of personal data in the context of consumer relations, until a specialised data protection body is formed.
Although it does not have sanctioning powers, SERNAC can exercise its powers to file individual or class actions before the courts, supervise, inspect, investigate, and issue interpretative circulars that are mandatory for SERNAC officials when applying the regulation and the Law (eg, at the time of audit). See 5.6 Digital Technology Regulation/Convergence of Privacy, Competition and Consumer Protection Laws.
The Council for Transparency is responsible for ensuring compliance with the Law by the organs of state administration. The Council has issued the Recommendations on Protection of Personal Data by the Organs of the State Administration, the Guide on Protection of Personal Data for Public Institutions (2021) and Resolution No 489/2022, which approved the Procedure for Processing Requests for the Exercise of ARCO Rights made before the Council for Transparency.
The Financial Market Commission (“CMF”) is the control body in the financial sector and has regulatory and supervisory powers in matters of personal data protection, information security and cybersecurity.
Under Chapter 18-5, on information about debtors from financial institutions, and Chapters 20-6 and following of the Updated Compilation of Standards (“RAN”) of the CMF on business continuity, information security and outsourcing of services, financial institutions must have an internal policy on security and management of debtor information (“PISMID”), which must follow international principles and best practices on personal data processing.
Law No 21,521, known as the “Fintech Law”, was also recently published to “[promote] competition and financial inclusion through innovation and technology in the provision of financial services”. The Fintech Law mandates the CMF to dictate the cybersecurity and personal data protection standards that financial institutions participating in the future Open Finance System must comply with (see 1.7 Key Developments). Finally, according to the Bill on Personal Data Protection (Bill No 11.144-07 or the “Bill”), which is currently being discussed in the National Congress, the planned future agency for data protection in Chile will be an independent Personal Data Protection Agency. If the Bill is approved by the National Congress, all the general competencies in matters of protection of personal data will fall under this new national agency, meaning that SERNAC, for example, will eventually only maintain its power to file individual or class actions before the courts in this matter (see 1.8 Significant Pending Changes, Hot Topics and Issues).
There is currently no privacy regulator or data protection authority in Chile, although there is a legal action (habeas data) that data subjects may exercise in the event of a breach of data.
However, the Bill that will update the Law is in its final stages of legislative processing. If the Bill is approved by the National Congress in 2023, the entity that will be in charge of enforcing the Law will be the new Personal Data Protection Agency, which will be able to impose fines, supervise and audit. The compliance system proposed by the Bill is similar to the European standard represented by the General Data Protection Regulation (GDPR) of the EU.
The Law is more than 20 years old – it is outdated and currently does not comply with international standards, except regarding the purpose principle. These are the reasons behind the Bill, which aims to modify the current legal framework on data protection.
Datos Protegidos and Derechos Digitales are two well-known NGOs in data protection matters. Both are dedicated to raising awareness of the importance of protecting personal data by creating various instructions on the subject.
Another important organisation in this area is the new Chapter of the Internet Society in Chile (ISOC Chile). The Chilean Chapter has quickly managed to insert itself among the main national NGOs with an impact on the protection of personal data and new technologies matters.
Chile is working on the Bill that will modify the current Law, adapting it to be in line with EU standards (see 1.8 Significant Pending Changes, Hot Topics and Issues).
Thus, the Bill will propose a regulatory system quite similar to the EU Omnibus Model. However, the compliance system of the Bill will have its own particular characteristics, including:
Similarities between the current Law and other international data protection legislation include the fact that Chile has a special category for sensitive data and that Chile has recognised the purpose principle in data processing.
Key developments in the past 12 months include the following.
In the next 12 months the following developments are expected.
The Law does not currently require the appointment of privacy or data protection officers.
The processing of personal data may only be carried out if authorised by the Law, authorised by other laws or with the express consent of the data subject. If the Law authorises it, however, there is no need for the express consent of the data subject. The Law authorises the processing of personal data as follows:
Currently, there is no exception regarding fulfilment of contract.
The Law features no application of “privacy by design” or “by default” concepts; does not require the conduct of privacy, fairness or legitimate impact analyses; and does not include the need to adopt internal or external privacy policies.
However, the Bill does include, among other elements similar to those existing in the EU’s GDPR:
Data Subject Access Rights
In order to exercise their right to access data held about them, data subjects must address the person responsible for the data registry or bank claiming their right to access their data. This right to access may refer to:
Access to information about personal data must be free of charge. This right to access cannot be limited by means of any act or agreement, except for the following matters: government agency, national security or the national interest.
Data subjects also have the right of rectification if the personal data is erroneous, inexact, equivocal, or incomplete, and that situation is evidenced.
Data subjects have the right of deletion of personal data if its storage lacks legal grounds or those grounds have expired; or if the subject has voluntarily provided their personal data, and it is used for commercial communications; or if they do not want it to continue appearing in the respective registry, either definitively or temporarily.
Data subjects may oppose or object to the use of personal data for the purposes of advertising, market research or opinion polls. If the person responsible for the personal data registry or bank fails to respond to a request within two business days, or refuses a request on grounds other than the security of the nation or the national interest, the data subject will have the right to appeal before the civil court with jurisdiction over the domicile of the party responsible for the data registry or the bank, requesting protection of their right of access or the other rights granted by the Law.
For its part, the Bill, this time following the logic of the GDPR, will also establish the rights of access, rectification, deletion, opposition and portability of data, the contents and scope of which will be strengthened compared to the current law in force.
The Law contains a definition of the dissociation process, which means all personal data processing by which the information obtained cannot be related to an identified or identifiable individual.
There are no additional specific restrictions, other than those expressly established in the Law, on big data analysis, algorithms, AI and the like. The general requirements are that consent must be obtained in writing and that the person providing the data must be informed about the purpose of the storage of their personal data and whether the data will be communicated to the public or not. The authorisation, as with any other authorisation, can be obtained electronically.
Injury or Harm
The Law does not create actionable “harm” regarding data breaches; it only establishes a legal action (habeas data) that the data subject may exercise before the general courts when the data subject requires information, modification, cancellation or blocking of personal data and the person responsible for the personal data registry or bank does not provide a proper answer within two days. Therefore, habeas data is not triggered by harm as such but by the specific grounds indicated in the Law. If the damage comes from causes other than those indicated in the Law, the data subject may file an action for injunctive relief before a court in order to stop the act causing the harm (see 1.3 Administration and Enforcement Process).
According to the Law, “sensitive data” means personal data that refers to the physical or moral characteristics of persons or to facts or circumstances of their private or intimate life, such as personal habits, racial origin, ideologies and political opinions, beliefs or religious convictions, conditions of physical or mental health, and sex life.
There is no definition of financial data, although there are some rules regarding financial data. If the financial data may be deemed as personal data, authorisation will not be necessary if the data comes, or is collected, from sources available to the public. Financial data may not be processed in the following cases:
Health data is deemed as sensitive data. It may not be subject to processing, unless the data subject authorises it, or it is necessary for the determination or granting of health benefits.
For its part, the Bill establishes that data relating to the health of the data subject as well as that relating to the biological profile of the data subject, such as genetic, proteomic or metabolic data, may only be processed for specific purposes established in the Bill and with the consent of the data subject.
Similarly, the Bill expressly regulates biometric data within the category of sensitive data. Biometric data may only be processed with the consent of the data subject and when the data controller provides certain additional information to the data subject before starting the data processing.
There is currently no definition of communications data in the Law. However, in Chile there is constitutional protection of the inviolability of private communications.
Voice Telephony and Text Messaging
There is currently no definition of voice telephony and text messaging in the Law. However, providers that direct promotional or marketing communications to consumers via mail, fax, telephone calls or messaging services must indicate an expedited way in which the addressees may request the suspension of this material.
Content of Electronic Communications
There is currently no definition of electronic communications in the Law. However, in Chile there is constitutional protection for the inviolability of private communications.
There is currently no definition of children’s or students’ data in the Law. Although the general rules of the Law therefore apply to this kind of data, the Bill establishes special rules for the processing of the personal data of children and adolescents. According to the Bill, the processing of personal data concerning children and adolescents can only be carried out in the best interests of the children and adolescents and respect for their progressive autonomy.
There is also currently no definition of employment data in the Law, so the general rules of the Law apply to this kind of data.
Internet, Streaming and Video Issues
Browsing and viewing data is not regulated under Chilean law. If cookies gather personal data, they may be deemed as data processing, hence companies that place cookies will require the consent of the data subject. Location data is not regulated in Chile, although the Bill regulates such data. Tracking technology is not regulated in Chile. However, there is a law mandating that, when motor vehicle insurance policies are taken out, the insurers must include, at no extra charge, the delivery of GPS devices, which will be installed and activated exclusively by the vehicle owner.
In copyright matters, internet service providers are not obliged to compensate the damage attributable to third-party copyright infringements committed through systems or networks controlled or operated by a service provider, provided that the service provider complies with the specific conditions requested; internet service providers may only be subject to the remedies established in the Copyright Act, which in all cases requires a previous resolution issued by a court. In addition, internet service providers must forward to their users the infringement notices sent by copyright holders. Service providers fulfil their obligation by simply forwarding infringement notices, and are not compelled to take content down or authorised to provide their users’ personal data to copyright holders without a court resolution.
Hate speech is somewhat regulated in Chile. Article 31 of Act No 19,733 on freedom of opinion and information and the exercise of journalism imposes a fine on anyone who, by any means of social communication, promotes hatred or hostility towards persons on the grounds of their race, sex, religion, or nationality.
Data Subject Rights
The Law provides data subjects with a variety of rights.
Right of access
Data subjects have the right to demand information about data held about themselves, its origin and addressee, the purpose of the storage and the identity of the persons or agencies to whom their data is regularly transmitted. Nevertheless, no information may be requested when it prevents or hinders proper compliance with the supervisory functions of a government agency or if it affects the confidentiality or secrecy established in legal or regulatory provisions, the security of the nation or the national interest.
Right of modification
If the personal data is erroneous, inexact, equivocal or incomplete, and that situation has been evidenced, the data subject has the right to have it amended.
Right of blocking
A data subject may request the blocking of personal data when that individual has voluntarily provided their personal data or when it is used for commercial communications and the subject does not want to continue to appear in the respective registry, either definitively or temporarily.
Right of cancellation or elimination
Notwithstanding legal exceptions, the data subject may also demand that data be eliminated if its storage lacks legal grounds or those grounds have expired; when the data subject has voluntarily provided their personal data and it is used for commercial communications; or when they do not want it to continue appearing in the respective registry, either definitively or temporarily.
Right to free copy
The modification or elimination of personal data is absolutely free of charge, and a copy of the pertinent part of the registry that has been changed must also be provided at the subject’s request. If new modifications or eliminations of data are made, the data subjects may obtain a copy of the updated registry without cost, as long as at least six months have passed since the last time they made use of this right.
Right of opposition
The data subject may oppose the use of their personal data for the purposes of advertising, market research or opinion polls.
Right to be forgotten (or of deletion or erasure)
There is no legal recognition of the right to be forgotten in the Law.
Data access and portability
The Bill includes the right to data portability, whereby the data subject may request and obtain a copy of their personal data from a data controller and communicate or transfer it to another data controller.
Law No 19,496 on the Protection of Consumer Rights contains a provision regarding marketing through email. Every promotional or advertising communication sent by email must indicate its subject, the identification of the sender and a valid email address to which the recipient can address their request for the suspension of the advertising communication, which will remain banned from then on.
Providers that direct promotional or marketing communications to consumers via mail, fax, telephone calls or messaging services shall indicate an expedited way in which the addressees may request the suspension of the communications.
Regarding data privacy, this practice requires consent from the data subject, unless the data comes from sources available to the public.
The Political Constitution of the Republic of Chile guarantees the respect and protection of the privacy and honour of a person and their family at a constitutional level. Such constitutional protection extends to workers. The same protection is guaranteed in Article 5 of the Chilean Labour Code.
According to the Labour Department of Chile, employers may regulate the conditions, frequency and timeliness of use of the company’s emails, but may not, under any circumstances, have access to the private email correspondence sent and received by employees. This would violate the fundamental rights granted by the Political Constitution of the Republic of Chile.
If there is a breach of a worker’s privacy, and that worker is part of a union, the union may apply some pressure on the employer to fulfil the Law.
All means to control workers – including cybersecurity tools – must respect the fundamental rights granted by the Political Constitution of the Republic of Chile, namely the workers’ right to privacy, private life and honour. Therefore, control mechanisms are only allowed if they fulfil the following requirements:
There is no discovery system in Chile.
Data protection enforcement is addressed by general courts with general powers. A summary court procedure is established by the Law if the person responsible for the personal data registry or bank fails to respond to a request for access, modification, elimination or blocking of personal data within two business days or refuses a request on grounds other than the security of the nation or the national interest.
Breaches of data protection caused by improper processing of data may eventually lead to fines determined by the Law (USD70 to USD700, and USD700 to USD3,490 approximately). Fines are determined in a summary court procedure. The Law establishes a general rule under which both non-monetary and monetary damages that result from wilful misconduct or negligence in the processing of personal data will be compensated. In those cases, the amount of compensation will be established reasonably by the civil judge, considering the circumstances of the case and the relevance of the facts. See 1.3 Administration and Enforcement Process.
The same standards used for public litigation also apply to private litigation for alleged privacy or data protection violations.
Eventually, SERNAC could use its powers in matters of personal data protection and file individual or class actions before the courts. These powers will be maintained even if the Bill is approved by the National Congress (see 1.2 Regulators).
Finally, we emphasise that the Bill, if approved by the National Congress, will establish a sanctioning model that includes:
In addition, in its current state of legislative processing, the Bill contemplates the extraterritorial application of the regulations, as does the GDPR.
Personal data processing by a government agency may only be carried out for matters within its scope of jurisdiction subject to the aforesaid rules (see 2. Fundamental Laws). Under those conditions, the consent of the subject is not necessary. Government agencies that process personal data about sentences for felonies, administrative infractions or disciplinary failures may not communicate them after the statute of limitations applicable to the criminal or administrative action, sanction or penalty has elapsed, or after the sanction or penalty has been served.
Regarding the privacy of a data subject who commits a serious crime, personal data about their crime may not be communicated after the penalty has been served. An exception would be when such information is requested by the courts of justice or other public bodies within the scope of their competence, with the requirement that such information should remain confidential.
Finally, there is the Regulation on Interception of Communications and Storage of Communication Data (Decree No 142 of 2005). For the purposes of carrying out the interceptions and recordings decreed, the telecommunications service providers will comply with them, within the period and in the manner established in the respective office issued by the court hearing the case. See 3.4 Key Privacy Issues, Conflicts and Public Debates.
See 3.1 Laws and Standards for Access to Data for Serious Crimes for information about data processing by government agencies.
Organisations in Chile may not invoke a foreign government access request as a legitimate basis to collect and transfer personal data.
There was some debate regarding a new Regulation on Interception of Telephone Communications and other forms of Telecommunication, and Retention of Communication Data. This regulation sought to replace the current Regulation on Interception of Communications and Storage of Communication Data (Decree No 142 of 2005), which regulates the obligation contained in the Code of Criminal Procedure to store the IP addresses of internet users for at least one year. The new regulation ordered telecommunications companies to store the communication data related to any type of communication carried out in Chile for a minimum of two years, also requiring additional data such as the history of internet connections and geolocation of customers. However, the new regulation was rejected by the Chilean comptroller on the grounds that various provisions of the regulation regulate matters of law exceeding the rules of the Code of Criminal Procedure that are invoked as its basis.
At present, the Law does not contain a specific provision in respect of international data transfers. However, the transfer of personal data outside the jurisdiction may be deemed as a use of data, for which authorisation and other requirements established by the Law would therefore be required.
However, the Bill has a chapter dedicated to the international transfer of personal data, contemplating a wide catalogue of cases that would allow them to be implemented dynamically.
The general rules regarding data processing according to the Chilean Law also apply to international data transfers, particularly those regarding the authorisation or consent of the data subject, the purpose principle (personal data may only be used for the purposes for which it has been collected, and those purposes should be permitted by the Chilean legal system) and the informing of users of the potential communication of the data to the public. In addition, the fundamental rights of the data subject must be respected.
For its part, the Bill, following the same logic as the GDPR, establishes that subject to the requirements that confer legality on data processing, international data transfer operations are lawful in specific cases, such as:
No government notifications or approvals are required to transfer data internationally.
According to the Bill, it is not necessary to request authorisation from the Data Protection Agency to carry out an international transfer of data, except when some of the specific requirements under which it is legal to carry out this type of activity have not been met.
Currently the Law does not establish data localisation requirements.
However, under Chapter 20-7 of the Updated Compilation of Standards (“RAN”) on the outsourcing of services by financial institutions (especially banks), the data, technological platforms, and applications to be used in the outsourcing of services must be located at specific processing sites, and in the case of processing abroad, in a defined and known jurisdiction. In addition to jurisdiction, the city where the data centres operate is also required to be known.
For the purposes of contracting any type of service through the modality called cloud computing, the board of directors of a financial institution must pronounce annually on the risk tolerance that the financial institution is willing to assume in this type of outsourcing. This pronouncement must consider an analysis of the data to be stored or processed under this modality and its location.
Without prejudice to the due fulfilment of the different requirements contained in Chapter 20-7, financial institutions may outsource their non-critical services to the public or private cloud. If the financial institution evaluates the contracting of a cloud service for an activity considered strategic or critical, this may also be carried out in public or private cloud mode. However, in these cases, the financial institution must carry out an enhanced due diligence of the provider and the service.
No details of software code or algorithms or similar technical details need to be shared with the government.
However, in the field of public procurement, Decree No 273/2022 of the Undersecretary of the Interior establishes the obligation for heads of service to require, with respect to public procurement contracts concluded after the Decree has come into force, that state ICT service providers share information on threats and vulnerabilities that may affect the networks, platforms and computer systems of the organs of state administration. The mitigation measures applied, as well as the information security policies and practices incorporated in the services provided must also be included in the shared information.
In the same sense, entities providing services to state bodies may have to comply with certain clauses of public procurement contracts that establish the duty to inform and make their algorithms transparent, etc.
When dealing with foreign government data requests, organisations involved in collecting or transferring data have to comply with the requirements established by the Law for data processing.
There are no blocking statutes in Chile.
Big Data Analytics
There are currently no laws in Chile regarding big data analytics, but the Bill does mention this topic. The Bill requires that this secondary use of personal data be based on a compatible purpose, that there be a contractual relationship with the holder that justifies this differentiated use, or that the holder have renewed their consent.
The Law establishes that data processing may be conducted through an automated process, and it also establishes that a person responsible for a register or personal database may establish an automated procedure for transmission, provided that the rights of the data subjects are safeguarded, and the transmission is related to the tasks and purposes of the bodies involved.
Profiling or Micro-targeting
Profiling or micro-targeting is not regulated in the Law, although the Bill contains provisions on this matter. Thus, the Bill includes, in its current state of legislative processing, a section dedicated to automated individual decision-making, including profiling. According to the Bill, data subjects will therefore have the right to oppose and not be subject to decisions based on the automated processing of their personal data, including profiling, which produces legal effects on them or significantly affects them.
In terms of AI, the Chilean government has issued the first National Artificial Intelligence Policy along with an Action Plan.
Internet of Things
Currently, the internet of things (IoT) is not regulated in Chile. However, Decree No 6/2022 of the Ministry of Health establishes the “Regulation on actions related to health care carried out remotely” which recognises that health providers may perform health actions or benefits through technological tools such as applications, robotics, AI, IoT, among others, to the extent that the nature of the actions or benefits admit it and guarantee the quality of care, the autonomy of the patient’s will, and the security and confidentiality of people’s data.
Facial Recognition and Biometric Data
Neither facial recognition nor biometric data are regulated in Chile. However, either might be deemed as sensitive data and therefore the rules for sensitive data apply, and the Bill considers that as well. This has been confirmed by the Standards and Regulations Unit of the Council for Transparency.
The General Directorate of Civil Aeronautics (“DGAC”) has issued DAN-151, a regulation on the use of drones in Chile. The regulation establishes restrictions regarding the areas in which drones can be used, the altitude at which drones can fly, requirements to operate drones and an express reference that the operation of drones may not violate the rights of others in terms of privacy and intimacy.
Regarding disinformation, there are attempts to legislate on the regulation of hate speech, fake news, misinformation, illegal information, etc. So far, several bills that seek to regulate these matters are being processed in the National Congress, although with little legislative prospect, following what is regulated in the EU Digital Services Law and other international regulatory or legal bodies (ie, the Netzwerkdurchsetzungsgesetz – NetzDG – of Germany).
Dark Patterns in E-Commerce
Regarding electronic commerce, the Report on the Results of the Survey of Dark Patterns in Electronic Commerce, published by SERNAC, shows the results of the dark pattern survey in a sample of the companies participating in Cyber Monday in November 2020. The objective of this survey is to find out which are the dark patterns that are most used in Chilean electronic commerce and how they affect people’s purchasing decisions.
Organisations in Chile do not establish protocols for digital governance.
There do not appear to have been any significant audits regarding data protection violations.
See the section on Private Litigation in 2.5 Enforcement and Litigation, for more on this topic.
Regarding data protection, it is important to comply with the Law and other rules that may be applicable to personal data.
No privacy/data protection-specific laws mandate the public disclosure of an organisation’s cybersecurity arrangements. For more on this topic, see 4.5 Sharing Technical Details.
Personal Data Protection and Consumer Rights
SERNAC is currently the authority in control of matters to do with personal data protection in the context of consumer relations by virtue of Law No 21,398, the Pro-Consumer Law, until a body specialised in data protection and with powers in this area is formed.
SERNAC can exercise its powers in this area (although it does not have sanctioning powers) in that it is able to present class actions before the courts, supervise, carry out mediations and request reports, and issue interpretative circulars that are mandatory only for officials of the National Consumer Service. The following are examples of these circulars that also deal with matters related to personal data protection.
Interpretative circular on good practices in electronic commerce
This establishes the following principles of electronic contracting:
Interpretative circular on the criteria of equity in the stipulations contained in standard form contracts referring to the collection and processing of the personal data of consumers
SERNAC may control and supervise, through its officials, the clauses that are established in the terms and conditions of the providers, and especially in their privacy policies, in the following aspects:
Interpretative circular on consumer protection against the use of artificial intelligence systems
This circular includes a series of interpretative rules that aim to establish the meaning and scope of the regulations on the protection of consumer rights and protection of personal data that the SERNAC is responsible for monitoring, in the face of the risks derived from AI systems in the framework of a consumer relationship:
The Electronic Commerce Regulation
The Electronic Commerce Regulation came into force in 2022 and is applicable to sellers who offer goods or services on electronic commerce platforms in exchange for a price or fee, and to operators of electronic commerce platforms that offer the products or services of third parties.
In the regulation, electronic commerce platforms are understood as any website or platform, accessible through electronic means, which allows sellers to offer products or services, and consumers to acquire or contract them, as appropriate. The following are not considered to be electronic commerce platforms: internet sites or online payment service platforms; those where consumers cannot purchase the products or contract the services offered, regardless of whether or not the payment is made through the website or platform; those on which only advertising is displayed; and those on which the consumer is redirected to the websites or platforms of sellers.
With regard to consent, the regulation establishes that consent will not be deemed to have been given if the consumer has not previously had clear, understandable and unambiguous access to the general conditions of the contract and the possibility of storing or printing them.
In addition, the regulation establishes that silence does not constitute acceptance in acts of consumption, and that merely visiting an e-commerce platform does not impose any obligation on the consumer, unless they have unequivocally accepted the terms and conditions offered by the user or platform operator.
There are no other major issues regarding data protection and privacy in Chile.