TMT 2019

Last Updated June 13, 2019

Chile

Law and Practice

Authors



FerradaNehme has a TMT practice that includes three partners and six associates, and regularly collaborates with the firm’s Antitrust and Economic Regulation, Consumer Law, Public Law and Complex Litigation practices. FerredaNehme is well recognised in the Chilean legal market as one of the most experienced firms in the field of antitrust and regulatory issues within the telecommunications industry, and is involved in most of the leading contentious and non-contentious cases and investigations regarding communications (as well as cable, fixed and mobile telecommunications), and in discussions on the implementation of new policies and regulations. The team advises clients on the development of technology projects, and on media and communications in general, utilising its extensive expertise in telecoms regulations and content matters. The firm is frequently involved in developing clients’ digital strategies for including data-intensive processing technologies in their respective businesses, and regularly advises on issues related to intellectual property, data privacy, cybersecurity, and cross-border transactions involving technological services, in addition to handing litigation arising from these matters.

Since 'cloud computing' is an umbrella concept envisaged to encompass a particular set of 'enabling technologies', there is no comprehensive law or regulation related to its use or development. Therefore, general statutes on contracts, torts, intellectual property, conflict of laws and taxation, among others, shall be applicable.

However, as data processing is a core element of cloud computing solutions, a key piece of legislation is Law No 19,628 (Data Protection Act, DPA). All organisations should review the DPA in order to assess potential legal challenges posed by cloud services in the Chilean framework.

The protection of personal data is regulated in the DPA as an omnibus law. However, said law contains no specific provisions in relation to cloud computing. Therefore, the DPA requirements for any data processing activity (eg, data subjects’ rights, controller identity, purposes of the processing and lawful basis for processing of data, among others) should apply either to on-premise IT services or to cloud computing solutions.

Notwithstanding the aforementioned, as explained in-depth in 6 Key Data Protection Principles, below, a bill which aims at reforming the DPA has been presented before the National Congress. In this bill, international transfers of data – a data processing activity often performed by cloud providers in order to reach ubiquitous presence and high scalability of computing facilities – is explicitly regulated, while model contract clauses would be provided by the new data protection authority.

Concerning laws and regulations on specific industries in relation to cloud computing, a special mention can be made to the financial services industry, since it is one of the most comprehensive cloud computing regulations to date. In that regard, Chapter No 20-7 (the 'Chapter') of the Superintendency of Banks and Financial Institutions’ Updated Rulebook (Recopilación Actualizada de Normas de la Superintendencia de Bancos e Instituciones Financieras, 'SBIF’s RAN') regulates the outsourcing of services in the banking industry, expressly referring to cloud computing after an amendment introduced in 2017. The Chapter defines the term 'cloud services' as an adjustable, on-demand model for the provision of services associated to information technology through networking, based on technical mechanisms – such as virtualisation – under different approaches or supply strategies. The Chapter also provides definitions of concepts such as 'Private Cloud' and 'Public Cloud'.

Furthermore, the Chapter establishes special conditions for the outsourcing of cloud services, in order to ensure that the service provider has the appropriate expertise and certifications and complies with the applicable regulations of the jurisdictions where the services are being carried out, as well as with the appropriate safety and encryption standards.

There is no special regulation applicable to public procurement processes in relation to cloud computing services. However, it is important to note that the E-government Division of the Office of the Presidency issued a resolution (No 619-B) on 26th November 2018, which contains comprehensive guidelines for state administrative bodies to contract cloud services. Although the resolution declares that it only contains general, non-binding recommendations for state administrative bodies and providers, it explicitly recognises that its compliance would constitute good practices in the context of acquisition processes. Therefore, given the comprehensive nature of this resolution, its concepts and definitions will probably influence future sectoral regulations in this matter.

Since blockchain is an information technology – or set of technologies – by which integrity and authenticity of shared pieces of information are ensured by employing cryptographic techniques (namely 'hash functions') instead of a trusted intermediary or central authority, legal challenges arise from its business applications rather than from its purely technical features. Consequently, it is not surprising that Chilean authorities and agencies address blockchain disruption in the marketplace adopting a piecemeal approach, not a comprehensive one.

Currently, some public and private entities are developing blockchain solutions in order to facilitate their operations with third parties.

Risks, as well as the liability arising from their potential materialisation, are either related to operational circumstances or to the nature of the transaction or activity supported by a blockchain solution. Concerning the latter, the main example of blockchain hurdles in the Chilean legal framework is represented by crypto-assets and, most notably, the bitcoin.

According to Chilean Central Bank (Banco Central de Chile), crypto-assets are neither legal tender money nor foreign currency. However, and despite the fact that the legal nature of crypto-assets is still unclear, their use both as an investment opportunity and as a payment instrument has increased significantly in recent years. This led to several yet unresolved questions regarding the liability of a crypto-asset operator in relation to end-user payers and payees, particularly in cases of fraud.

Additionally, since exchange platform operators are not subject to anti-money laundering requirements, most notably, know-your-customer procedures and reporting duties before the Chilean Financial Intelligence Unit (Unidad de Análisis Financiero, UAF), some banks and other traditional financial institutions have express concerns or objections to establish a commercial relationship with them. Indeed, a group of operators brought legal actions against certain commercial banks before the Chilean Competition Court (Tribunal de Defensa de la Libre Competencia, TDLC) in 2018, regarding the closing of bank accounts used by operators to settle crypto-assets exchanges in money, alleging an alleged infringement to antitrust law. To this date said proceedings are still yet to be resolved by the TDLC.

There are no legal developments referred explicitly to blockchain solutions. Despite that, following WIPO recommendations, some private organisations are suggesting the use of blockchain as a decentralised IP rights registrar in Chile.

According to Law No 19,628 (Data Protection Act or DPA), one of the data subject’s rights is to request the cancellation of personal data to the controller when there is no lawful basis for processing it, or when the existing basis is no longer valid. Additionally, the data subject is entitled to request a modification of stored personal data in the controller’s databases when they are erroneous, outdated or incomplete.

According to the state of the art of many blockchain solutions, deletion or modification requests can prove to be difficult to handle by the data controllers’ members of a blockchain network, due to the integrity-preserving features of the blockchain ledger and the decentralised nature of the storage of information. This problem is more severe in open blockchain solutions, where each node is entirely independent of the other. However, in private or federated blockchain networks, some of these difficulties might be solved when the operator of the platform or the corresponding governing body sets in place the necessary instructions to ensure compliance with the DPA requirements from the members of the network.

Finally, since many blockchain solutions are cross-border by default – that is, that there are no territorial restrictions associated to the membership of the blockchain – international transfers of personal data should be involved; an issue which, although not expressly regulated in the DPA, is part of a specific section in the bill aimed at reforming the DPA, which is currently being discussed in the National Congress.

Ensuring and being liable for honouring service levels or another type of business continuity requirement can be troublesome in a decentralised network such as blockchain. For example, the number of nodes dedicated to the clearance of bitcoin transactions is highly variable and dependent on the trade price of bitcoin in the marketplace, so an operator of an exchange platform should be cautious when agreeing upon SLA of his or her services.

No response provided.

Legal challenges to the adoption of data-intensive technologies such as big data analytics projects and the deployment of ML and AI-based solutions are highly dependent on the business objectives set by an organisation, including the potential misuses or harmful effects surrounding them.

Since most of the projects imply the massive collection and processing of personal data belonging to individuals, Law No 19,628 (Data Protection Act or DPA) should be applicable. Consequently, pursuant to the DPA, unless otherwise expressly permitted by law, the collection of data must comply with both the notice and consent rule and the purpose limitation requirement, among other requirements set forth in the DPA. However, an exception to both the data subject’s consent being the general lawful basis of data processing (including data collection) and the purpose limitation requirement is the processing of certain personal data retrieved from publicly available sources. Still, all other DPA requirements for processing personal data remain applicable and in force.

As a result, since the DPA shall be applicable whenever personal data is processed, one option available for organisations is to deploy big data projects which fall outside the scope of the DPA, by using entirely anonymous information; that is, information either not referred to an identified or identifiable individual or contained in data sets which have been anonymised, where re-identification should not be possible on a reasonable-effort basis.

Notwithstanding the aforementioned, organisations must consider that a bill aimed at replacing the DPA in its entirety ('Data Protection Bill') is currently being discussed in the National Congress, establishing a GDPR-inspired right for data subjects to object decisions based solely on the automated processing of their personal data, including the elaboration of profiles. Likewise, the Data Protection Bill contains the right to data portability, which may be exercised by the data subject when there is a relevant volume of data that is processed automatically. It consists of the right to request and receive from the data controller, directly or through a third party, a copy of the personal data concerning the subject, in a structured manner, in a standard format, preferably open, interoperable and in everyday use, and communicate them or transfer them to another data controller.

Finally, when big data projects involve massive aggregation of information that ends up being essential for the competitive development of firms within an industry or market, organisations should take proper measures to avoid or mitigate potential anti-trust concerns that may arise; in particular, those related to collusive behaviours and exploitative practices.

There is no particular regulation in the Chilean legal framework regarding the use of predictive tools based on machine learning (ML) algorithms. Moreover, although the DPA shall be applicable when personal data is involved, its provisions only refer explicitly to those issues when prohibiting the execution of any type of prediction or commercial risk assessment not based exclusively on objective information related to delays or defaults in payment from the individuals or legal persons in question (Article 9, Section 3).

Furthermore, similar to Article 22(3) of the EU GDPR, the Data Protection Bill includes a data subject’s right to request human intervention when is not legally feasible to exercise the right to request not being subject to a decision with legal effects based solely on automated data processing.

Additionally, even though there is no specific regulation or guidelines regarding how to handle biases in algorithms or other automated decisional techniques, Law No 20,609 (Anti-Discrimination Act) shall be applicable. This law establishes a legal action that may be brought by persons who are victims of arbitrary discrimination.

The rapid growth of AI solutions in some industries (like financial services, e-commerce and health care providers) has raised government concerns about the risks for individuals involved in them. However, no piece of legislation or any other type of regulation has been passed or issued to set specific requirements for the use of AI in business contexts.

Reflecting the government’s concern, the local securities and insurance supervision agency, the Chilean Financial Market Commission (Comisión para el Mercado Financiero, CMF), is currently conducting a survey on future changes to securities trading and financial advice regulation in order to face the rise of robo-advise technologies. In such regard, the CMF is aware that the current tools that are in place to ensure the quality of financial advice (viz knowledge certification for portfolio managers and stock brokers) are useless when an AI is deployed for recommending investment opportunities.

Finally, an organisation should be aware of potential anti-trust concerns regarding algorithms designed for product pricing, when such algorithms use the competitors’ behaviour as learning input, especially those based on real-time access to third parties’ data.

Intellectual Property Issues Related to Big Data, ML and Cloud Computing Storage Solutions

Regarding the intellectual protection of databases, Article 3 of Law No 17,336 (Copyright Act) establishes a non-exhaustive catalogue of 'works' that can be protected by copyright, including the sui generis protection of compilations of data or other materials “in machine-readable form or other formats, which, for reasons of the selection or arrangement of its contents, constitute creations of an intellectual nature”. However, for a 'work' to be protected by copyright, it must be an original creation (at least a minimum level of originality is required). Therefore, in the case of databases, what would be protected is not the database’s content.

ML algorithms can be subject to a twofold protection as copyrighted work: as part of a computer program, in respect to its computer code implementation; and as a database, in case such algorithm ends up being a core component of an original compilation by virtue of its features as a data arrangement and processing tool (eg, a random forest algorithm fitted to classify customers in a particular matrix of features).

Raw data – that is, data that is not processed, but gathered into (big) databases – can hardly be considered a 'work' in terms of the Copyright Act. However, both raw data and algorithms deployed for processing it can be covered by the trade secrets statute (Title VIII of Law No 19,039, 'Industrial Property Act'), as long as its control under confidentiality provides a competitive advantage to its holder.

Insurance Policies Available to Data Assets

Regarding insurance of data and other informational assets, no special regulation differs from the general rules applicable to casualty and property insurances. According to the website of the CMF, where the general conditions of insurances are published, there are at least eight policies concerning civil liability arising from data protection regulations and losses caused by data breaches. However, organisations should bear in mind that the publication of general conditions of insurance policies on the CMF’s website does not necessarily mean that the CMF has approved them.

Currently, no regulation in Chile governs the Internet of Things (IoT) as a whole. Thus, services of this type do not require a special authorisation, nor are they subject to specific requirements. However, some general telecommunications standards do contemplate certain restrictions relating to the frequency bands and equipment being used to provide IoT services, as well as rules regarding the protection of personal data and the inviolability of communications, that should be considered in the deployment of an IoT service project.

General Telecommunications Regulation

An IoT service that uses radioelectric spectrum to transmit information from one point to another should comply with the requirements of the General Plan for the Use of Radioelectric Spectrum (Decree No 127/2006, of the Telecommunications Agency – Subsecretaría de Telecomunicaciones, SUBTEL), which, among other things, establishes the use that can be given to a particular frequency band.

Since SUBTEL has not yet allocated a frequency band for IoT services, the development of an IoT project would not require a concession or permit, but the use of a frequency band should be requested from SUBTEL, to obtain an experimental licence or experimental permit.

SUBTEL grants experimental licences which have a duration of five years, renewable for another such period at the request of the interested party (Article 9, paragraph 3 of Law No 19,168 – Telecommunications Act, LGT). To obtain these licences to install and operate experimental stations, as well as for their renewal, the payment of a single spectrum right (per station ±USD 21) is required, in accordance with the provisions of Article 32(b) of the LGT.

On the other hand, according to the closing paragraph of Article 15 of the LGT, experimental permits – also granted by SUBTEL – are of a temporary nature (indeed, their duration is two months) and may not be used to provide commercial services. Spectrum usage rights do not need to be paid.

Regarding the equipment used for IoT, the project developer should consider obtaining a certification or an authorisation by SUBTEL, according to the Technical Standard for Reduced Scope Equipment (Decree No 1985/2017), depending on its specific technical characteristics. This standard requires that any equipment emitting radio waves in certain frequency bands with a particular electric field strength must undergo a certification process beforehand. If the electric field strength thresholds are exceeded, or the electromagnetic waves are emitted in frequency bands different from those indicated in the technical standard, an authorisation will need to be requested, according to the type of service (viz concession, permit or licence).

Furthermore, pursuant to Article 7 of SUBTEL’s Decree No 1463, of 16 June 2016, which “sets a technical standard that regulates the minimum technical specifications to be met by equipment used in mobile networks”, IoT devices must be registered in a database with respect to which SUBTEL has real-time access.

Regulation Regarding Data Protection and Inviolability of Communications

For IoT projects intended for domestic purposes (wearables, self-driving cars, home automation), in addition to the general telecommunications standards there are restrictions based on privacy regulation. Thus, general rules apply, which are based on the constitutional rights of privacy; that is, “the respect and protection of privacy and the honor of the person and their family, and also, the protection of their personal data” (Article 19, No 4 of the Constitution), and “the inviolability of the home and of all forms of private communication” (Article 19, No 5 of the Constitution).

The specific regulation on privacy is contained in Law No 19,628 (Data Protection Act, DPA), referred to in detail in section 6 of this guide.

Pursuant to this regulation, if processing of personal data takes place through the provision of IoT services, then the person responsible for this processing must comply with a series of obligations.

Finally, private communications are protected by the Criminal Code. Indeed, a criminal offence is established regarding, among other activities, the capture, interception, recording or reproduction of private communications and private events, in private premises or places that are not freely accessible to the public, without the authorisation of the affected party (Article 161 A). To this date, there is no case law referred to whether an IoT-based machine-to-machine communication would qualify as private communication covered by the criminal offence set forth in the aforementioned Article 161 A. However, malicious wiretapping through IoT devices (eg, leaking of private communications recorded by a smart assistant device) should not be treated differently from other 'traditional' unlawful interceptions of communications.

The Chilean legal framework in this matter is suitable for executing vast amounts of IT agreements, ranging from simple ones (ie retail software licensing and off-site support agreements) to highly complex contracts, such as management of mission-critical facilities and the deployment of cloud computing instances (either SaaS, PaaS or IaaS). Consequently, from a legal-setting perspective, there should be no significant problems with including the most frequently used clauses in the ITC industry within IT agreements, such as limited warranties, as-is disclaimers, service level agreements, liquidated damages, audit rights, no-assignment rules and non-disclosure agreements.

Nevertheless, there are some features of Chilean law that any contractor, software developer and/or IT service provider should consider in order to reach the best possible agreements with Chilean-based customers:

  • There is no omnibus rule for work-for-hire/commissioned works in Law No 17,336 (Copyright Act). Thus, besides certain exceptions, including computer programs and works commissioned by newspapers and other media companies, there is neither a presumption nor an automatic assignment of rights for employers or hiring companies (in the case of works developed by independent contractors).
  • Limitation of liability (LoL) clauses – both limitation on recovery for certain damages and liability caps – are generally accepted and enforced by courts when professional parties execute a contract. However, LoL exceptions concerning gross negligence and wilful misconduct, among other similar circumstances, would be highly desirable in the agreement.
  • The Law No 19,628 (Data Protection Act, DPA), as currently in force, has no explicit rules regarding its territorial scope and applicable restrictions and formalities pertaining to international transfers of data. Furthermore, the DPA does not expressly recognise a figure similar to the 'processor' defined in the EU GDPR (the most common role played by IT vendors). It only states that a data processing activity can be carried out by an agent on behalf of its principal by virtue of a written agency contract (Article 8 of the DPA).
  • Finally, specific regulated industries, such as banking services, have special rules concerning IT services agreements, especially those concerning critical tasks or highly sensitive data processing. For instance, in the case of financial institutions subject to the oversight of the Superintendency of Banks and Financial Institutions (Superintendencia de Bancos e Instituciones Financieras, SBIF), outsourcing agreements – including IT services – must comply with the requirements set forth in Chapter 20-7 of the SBIF’s Updated Rulebook (Recopilación Actualizada de Normas, RAN), including mandatory clauses pertaining to business continuity, subcontracting veto rights, data deleting procedures, granting of on-site and off-site audit rights, and the language of the agreement (a Spanish version should always be available). Furthermore, financial institutions must conduct rigorous supplier/provider selection processes, according to their internal risk assessment procedures. Moreover, IT providers must bear in mind that, even if financial institutions are allowed to outsource critical processes to suppliers who render services abroad, they must have a contingency data centre anyway within Chilean territory and prove an adequate recovery time objective (RTO) according to the level of criticality of the outsourced task or process.

See 5.1 Specific Features.

The legal framework regarding data protection is contained in Law No 19,628 (Data Protection Act, DPA). It is important to note that a bill on Personal Data Protection ('Data Protection Bill') is currently being discussed in the Chilean National Congress. The Data Protection Bill aims to modernise the DPA in order to comply with the international standards in this matter (mainly, in order to comply with Chile’s commitment to the OCDE of bringing its data protection legislation up to date, since its current regulation, which entered into force in 1999, is considered insufficient in many aspects).

According to Articles 1 and 4 of the DPA, 'personal data' processing may take place only when authorised by law or when the data subject consents to it, provided that the purpose for which the processing was authorised is respected (Articles 1 and 4). The definition of 'personal data processing' is broad, including any operation aimed at collecting, storing, organising, selecting, extracting, interconnecting, dissociating, communicating, transferring or transmitting personal data (Article 2, letter (o)).

Article 2, letter (f) of the DPA defines 'personal data' as any information relating to an identified or identifiable natural person. In Article 2, letter (g) of the DPA, a particular sub-category of personal data is established: 'sensitive data' – that is, data which refers to the characteristics or circumstances of a more intimate area of the individual, such as, for example, personal habits, political ideology, religious convictions or health states, and, in general, data of the type that a person could be discriminated for. The Data Protection Bill adds the following 'special categories' of protected data: health data, biometric data, genetic data and data of children and adolescents. However, it does not consider personal habits to be sensitive data.

The main bases for lawful data processing are:

  • the data subject’s consent (which must be explicit, informed and in written form – to which the Data Protection Bill adds that said consent must be 'freely given' and specific regarding its purposes, and must be unequivocally expressed, whether orally, in writing, electronically, or even by an 'affirmative act of will'); and
  • the law’s authorisation (whether the DPA or another piece of legislation).

Data subjects have the right to request:

  • access to information regarding their own data;
  • the modification or rectification of data, if needed;
  • the elimination or cancellation of data; and
  • the blocking of data.

In the Data Protection Bill, a right of opposition to data processing is added, as well as a special right of opposition to automated personal valuations ('big data techniques'). Also, the Data Protection Bill considers a right to data portability, consisting of the possibility of requiring a file of the personal data, in a standardised format, to be stored by the data subject or transferred to another data controller. Such right is subjected to two main limitations: it is only applicable to the information provided by the data subject, and it is only referred to 'large datasets' that are processed by automatic means.

When data subjects exercise one of the mentioned rights, the data controller must respond within two business days (Articles 12 and 15 of the DPA). Otherwise, the data subject may submit a legal claim. Outside the procedures of the DPA, its provisions have been enforced in the context of judicial procedures of the Consumer Protection Act and constitutional actions for the protection of fundamental rights. In the Data Protection Bill, this judicial claim is replaced with new administrative sanctioning procedures before the Data Protection Agency (which does not currently exist but will be created in virtue of the Data Protection Bill). In all, the Data Protection Agency’s decision may be subjected to judicial review.

Currently, the fine for non-compliance of the DPA ranges from ±USD80 to ±USD3,800. In the Data Protection Bill, this changes considerably. A scale of sanctions is created, according to which non-severe violations are fined with up to ±USD38,000, while severe ones are fined with up to ±USD380,000.

See 6.1 Core Rules Regarding Data Protection.

See 6.1 Core Rules Regarding Data Protection.

See 6.1 Core Rules Regarding Data Protection.

The monitoring of employees (in general) and their use of computer resources and handling of company data (in particular) is not explicitly considered as such in the Chilean legal framework in these matters. However, paragraph 2 of Article 2 of the Chilean Labour Code establishes that labour relations should always be based on behaviours compatible with human dignity. This principle is being reflected in rulings issued by the Labour Directorate (Dirección del Trabajo, DT), which contain criteria regarding these matters.

Regarding employee monitoring in general, the DT stated that the assessment to determine whether certain forms of business control are appropriate or not must be carried out considering the employer’s objectives for its implementation, which will ultimately establish whether the form of control at issue affects the employees’ dignity and free exercise of fundamental rights (DT, ruling No 3125-2018).

On audiovisual control mechanisms, such as CCTV, the DT determined that their use is illicit when their sole purpose is to constantly monitor and supervise their employees’ activities, without a spatial or temporal limit, since such control is substantially more intense than that exercised directly by the person of the employer, and thus consists of total control and power over the employees (DT, ruling No 3125-2018).

In the same vein, in a recent ruling on this matter, the Supreme Court stated that the installation of hidden surveillance cameras in employees’ bathrooms and shower rooms is illegal, since it affected their right to privacy and their honour. In order to reach this conclusion, apart from the existence of the cameras as such, the Supreme Court also considered the devices’ specific placement, number and time frame of operation, as well as the conditions of storage of the captured content, and who had access to the images (Supreme Court, Opinion No 18,668-2018).

Regarding the monitoring of an employer’s own devices, such as the use of computers, e-mails, telephones, and information of employees, the DT said that the employer might regulate the conditions, frequency and timeliness of use of the company’s e-mails, but in no case have access to private electronic correspondence sent and received by employees (DT, ruling No 4316-2017).

Concerning devices that block mobile phone signals within the company, the DT ruled that their use consists in an interception of private communication by the employer, thus affecting a fundamental right of the employees and, therefore, being prohibited. This determination is based on the employees’ right to communicate during their breaks with their relatives, friends or with whom they wish via telephone, text message, WhatsApp or e-mail, among others, through personal devices, without the employer being able to prohibit, interrupt or limit these communications (DT, ruling No 2315/054-2017).

Regarding employees in public institutions, since the application of Law No 20,285 (Chilean Freedom of Information Act, FOIA) allows for anyone to file a request for access to public information, it is possible that the content of public employees’ communications may be object to such requests.

There is no rule regulating the 'technology' with which telecommunications services must be rendered. The general sector regulation, contained in Law No 18,168 (Telecommunications Act, LGT) only defines 'telecommunications' (Article 1), classifying the different 'telecommunications services' (Article 3) based on their purposes and not on the technology with which they are provided or should be provided. For example, Article 3, letter (b) the LGT defines 'public telecommunications services' as those “intended to meet the community’s telecommunication needs in general”.

Notwithstanding the aforementioned, there is special sectoral regulation that, when defining certain services, refers to the technology which is to be used. Decree No 484/2008, on public VoIP services, provides that this service is a 'public telecommunications service' if it is possible to establish voice communications intended for the community in general, and interconnect from and to other public telecommunications services (eg, calls from an IP voice network to a public telephone network, and vice versa). If there is no reciprocal connection between the VoIP service and the public telephone network (eg, when calls are only made through the Internet – eg, FaceTime – or when calls can only be made from the Internet to the public telephone network and not the opposite – eg, Skype service without dial-in number), the service would not be a 'public telecommunications service'. Consequently, such services would not fall into the scope of the aforementioned Decree No 484/2008.

On the other hand, as indicated below, the special sectoral regulation also regulates the conditions that certain equipment must meet when using a specific technology.

RFID

Reduced-scope equipment must comply with the provisions of Decree No 1985/2017, which establishes the respective technical standard. These standards require that equipment emitting radio waves in certain frequency bands with a certain electric field strength must undergo a certification process beforehand. If certain electric field strength thresholds are exceeded, or the electromagnetic waves are emitted in frequency bands different from those indicated in the technical standard, an authorisation will need to be requested, according to the type of service (viz concession, permit or licence).

VoIP

As provided in Article 3 of Decree No 484/2008, the installation, operation and exploitation of public VoIP services - that is, when calls made according to an IP protocol are intended for the community in general and can be sent to and from the traditional public telephone network – require a concession of public telecommunications services, granted by the Ministry of Transport and Telecommunications. In addition, being a public telecommunications service, it must comply with all the obligations that this qualification entails (eg, the interconnection obligation established in Article 25 of the LGT).

Instant Messaging

In general, OTT services such as instant messaging services are not regulated by telecommunications regulations. That is, no authorisation from the authority is required, and there are no standards of service quality, interconnection obligation or other specific rules to be complied with. However, this is notwithstanding the applicable general regulations for the protection of consumer rights (eg, Law No 19,496, Consumer Protection Act).

Other Technologies in General

As was indicated above pertaining to RFID systems, if the technology is used in equipment emitting radio waves, then the rules on reduced-scope equipment may be applicable (Decree No 1985/2017), by which, depending on the characteristics of the emission (eg, frequency band and field strength), a prior certification or a SUBTEL authorisation will be required. In the latter case, the kind of service for which the equipment is destined will determine which authorisation must be requested for its supply (viz concessions, permits or licences).

Regarding regulated services, the interested party must request authorisation from SUBTEL, which, depending on the type of service, will consist of a concession, permit or licence.

VoIP as a Public Telecommunications Service

The procedure to request concessions of public and intermediate telecommunications services is regulated in Articles 15 and 16 of the LGT.

Concessions for public VoIP services are granted without the need for a public contest, because they do not use scarce resources (such as radioelectric spectrum).

Finally, regarding the costs, SUBTEL does not charge for the processing of authorisations. In the case of concessions, for example, the only cost that is certain is that of the two publications the interested party must make during the process, amounting to approximately USD700.

Other Technologies that use Equipment Emitting Electromagnetic Waves (eg, RFID)

The procedure of certification of equipment of reduced scope is neither regulated in the LGT nor in administrative regulations. For this reason, before applying for certification, it is highly advisable to check the application process requirements with SUBTEL previously.

Since this procedure is not expressly regulated in sectoral regulation, before applying for certification, it is highly advisable to check with SUBTEL if the above steps and requirements have been modified or replaced.

Finally, with respect to costs, SUBTEL does not charge for the processing of authorisations or certification.

The requirements for providing any telecommunications service, including audiovisual services, are determined by the use of the radio spectrum and by whether the service is limited or freely available.

Radio services

According to Law No 18,168, (Telecommunications Act, LGT), radio services require a licence granted by the Ministry of Transport and Telecommunications, which has a duration of 25 years (Article 8), except in the case of community radio services, which have a duration of ten years, being regulated by Law No 20,433 (Citizen Community Broadcasting Services Act).

According to Decree No 126/1997, which regulates radio services, whomever applies for a licence must be a legal entity incorporated in Chile, as well as have a legal address in the country. Their presidents, directors, managers, administrators and legal representatives must be Chilean and not have been sentenced with a major criminal conviction. In the case of a board of directors, foreigners may be nominated as directors as long as they do not constitute the majority (Article 6).

The licences are granted through a public bid to the applicant offering the best technical conditions, with preference given to the licensee who is renewing its licence, if its proposal at least equals the best technical project. Contests are held three times a year for all the available locations that have been requested and the licences that have expired (Articles 15 to 23, Decree No 126/1997).

Once the licence is granted, the applicant must publish an extract of it in the Official Gazette (Article 23, Decree No 126/1997). Before starting transmissions, the Telecommunications Agency (Subsecretaría de Telecomunicaciones, SUBTEL) must inspect and authorise the company’s facilities (Article 24 A of the LGT).

The licence requires the payment of an annual fee, whose maximum value is UTM90 (±USD6,000), plus UTM1 (±USD70) per link (Article 32 (d) of the LGT).

Free-to-air Broadcasting

According to Article 15 of Law No 18,838 (National Television Council Act, CNTV Act), free-to-air broadcasting services require a licence granted by the National Television Council (Consejo Nacional de Televisión, CNTV) and which have a duration of 20 years (in the case of licences with their own necessary technical means) and of five years (in the case of licences with technical means provided by third parties).

Whomever competes for a licence must be a legal entity incorporated in Chile, with a legal address in the country, as well as having a duration at least equal to the period of the licence. Their presidents, directors, managers, administrators and legal representatives must be Chilean and not have been sentenced with a major criminal conviction (Article 18 of the CNTV Act).

Licences with their own necessary technical means are granted after public contest to the applicant that offers the best technical conditions with preference given to the licensee who is renewing a conferred licence, if its proposal is at least equal to the best technical project. Contests are held for each frequency every time the term of a licence ends, or its expiry date is declared (Article 15 of the CNTV Act).

Licences with technical means provided by third parties are granted at any time, without public contest, on the condition that the applicant declares it will use means of third parties with the capacity to transmit (Article 15 of the CNTV Act).

The license requires the payment of an annual fee, whose maximum value is UTM360 (±USD25,000), plus UTM1 (±USD300) per link (Article 32 (e) of the LGT).

Law No 20,750 (Digital Terrestrial Television Introduction Act, DTV Act), which came into force in May 2014, promotes the transition from analogue to digital broadcasting. For this purpose, the transitory rules of this law forced the titleholders of licences of free-to-air broadcasting services in the VHF band (analogue), which were granted before the DTV Act came into force, to choose between two mutually exclusive rights: a right to maintain their licence in the VHF band, or a right to apply with preference for a new licence in the UHF band (digital) for digital broadcasting.

Regarding the licensees who chose to apply for new licences in the UHF band, the DTV Act and its complementary regulations established the obligation to achieve total digital coverage by the year 2020 (date of the so-called 'analogue blackout'). Despite the aforementioned, the Ministry of Transport and Telecommunications has the faculty to extend the original term by means of a Supreme Decree.

According to press information, by the end of 2018, the migration process only reached 14% of coverage.

Limited telecommunications services, such as pay-TV, require a permit granted by SUBTEL to a legal entity (Article 9 of the LGT). As a rule, the permits have a duration of ten years (applicable to satellite television), and they do not have an expiry date if they do not use radio spectrum (applicable to cable television).

TV and Radio Content Regulation

Regarding content regulation, free-to-air broadcasters and permit holders of pay-TV services must comply with several rules for the proper functioning of television services, which are supervised by the CNTV. These include the obligation of broadcasting a certain minimum of cultural content per week, restrictions on contents deemed violent, pornographic or immoral, time restrictions on certain movies rated by the cinematographic rating board and limitations on advertising of some products, such as alcoholic beverages (Articles 12 and 13 of the CNTV Act). Also, prior to presidential and parliamentary elections, free-to-air broadcasters are bound to transmit electoral propaganda (Articles 31 and 31 bis of Law No 18,700, Election and Ballot Act).

Additionally, when the implementation of digital television progresses, the television broadcasting licensees may exercise the right to 'retransmission consent', charging a fee to the licensees of pay-TV services. Likewise, when the respective regulation is issued, pay-TV services will be obliged to broadcast local signals (Article 15 quater of the CNTV Act).

In the case of radio broadcasting licensees, according to Article 15 of Law No 19,928 (Promotion of Chilean Music Act), they have the obligation of broadcasting a minimum daily quota of Chilean music, including emerging and local artists.

None of these regulations applies to online video channels.

See 9.1 Main Requirements.

There is no general legal requirement for the use of encryption techniques on electronic communications and documents. Notwithstanding, encryption as a cryptographic process of encoding information for confidentiality, integrity and authenticity purposes is subject to certain regulations, depending on the particularities of each context of use of this technology.

eDocument and eSignature

In 2002, Law No 19,799 (Electronic Documents and Signature Act) was enacted, primarily grounded upon the principles of equivalence between paper-based and electronic documents and equal treatment of signature technologies developed in the UNCITRAL Model Laws’ on Electronic Commerce (1996) and Electronic Signatures (2001), respectively. As a general rule, encryption is not mandatory for an electronic signature to produce legal effects. However, advanced electronic signatures (a qualified type of electronic signature which is certified by certification service providers) must comply with the technical standards issued by the competent authority (Entidad Acreditadora). To this date, several of these technical standards are based on asymmetric cryptography processes, mainly referred to as 'Public Key Infrastructure', which uses encryption as a tool for identification and authentication of certain electronic message (viz the signed eDocument).

Execution of Electronic Transfer of Funds or Information (EFT) and Technological Outsourcing by Financial Institutions

According to Chapter No 1-7 of the Superintendency of Banks and Financial Institutions’ Updated Rulebook (Recopilación Actualizada de Normas de la Superintendencia de Bancos e Instituciones Financieras, SBIF’s RAN), in order to execute an electronic transfer of information or funds (ETF) through public communication networks (ie, eBanking through the Internet), banks must put in place, among other things, a technological solution which includes robust encryption procedures.

Additionally, as was detailed in Question N°1 on Cloud Computing, Chapter No 20-7 on Outsourcing of Services of the SBIF’s RAN stated that communications between a supervised financial institution and a service provider must have an adequate encryption level in order to ensure end-to-end integrity and confidentiality of data. Furthermore, in the case of outsourcing a critical process to cloud computing facilities, financial institutions must previously carry out an enhanced due diligence process, including an assessment of which type of data (in terms of nature and sensitivity) deserves to be subject to robust encryption procedures in order to be processed by or transferred to a cloud computing provider.

Complementary Technological Devices for Broadcasting Digital Terrestrial Television

According to SUBTEL’s Decree No 1,217/2016 (amended by Decree No 2,336/2017), nationwide television concessionaires are allowed to meet the geographic coverage ratios required by the National Digital Terrestrial Television Plan ('Plan TVD'), through technical solutions in addition to those outlined in the Plan TVD. In the case of complementary solutions based on satellite technologies, the correspondent receiver shall be capable of tuning, demodulating and decrypting all free-to-air TDT signals. Furthermore, as stated in Decree No 2,576, in order to certify such receivers, the corresponding petitioner must attach a proof of authorisation of use of the IRDETO encryption system.

Encryption as a Tool for Perverting the Course of Justice

The Chilean National Congress is currently discussing a bill to enact a new Cybercrimes Act ('Cybercrime Bill'), which would repeal the legislation currently in force regarding this subject (Law No 19,223). According to the text of the Cybercrime Bill presented before the National Congress by the President of the Republic, the use of encryption technologies with the wilful purpose of obstructing the course of justice shall be considered an aggravating circumstance of criminal liability when committing any of the criminal offences proposed in the Cybercrime Bill.

See 10.1 Legal Requirements Governing the Use of Encryption.

FerradaNehme

Orinoco 90, Piso 16
Las Condes
Santiago de Chile
CP 7560970

+ 56 22 652 9000

+ 56 22 652 9001

fn@fn.cl www.fn.cl
Author Business Card

Law and Practice

Authors



FerradaNehme has a TMT practice that includes three partners and six associates, and regularly collaborates with the firm’s Antitrust and Economic Regulation, Consumer Law, Public Law and Complex Litigation practices. FerredaNehme is well recognised in the Chilean legal market as one of the most experienced firms in the field of antitrust and regulatory issues within the telecommunications industry, and is involved in most of the leading contentious and non-contentious cases and investigations regarding communications (as well as cable, fixed and mobile telecommunications), and in discussions on the implementation of new policies and regulations. The team advises clients on the development of technology projects, and on media and communications in general, utilising its extensive expertise in telecoms regulations and content matters. The firm is frequently involved in developing clients’ digital strategies for including data-intensive processing technologies in their respective businesses, and regularly advises on issues related to intellectual property, data privacy, cybersecurity, and cross-border transactions involving technological services, in addition to handing litigation arising from these matters.

Compare law and practice by selecting locations and topic(s)

{{searchBoxHeader}}

Select Topic(s)

loading ...
{{topic.title}}

Please select at least one chapter and one topic to use the compare functionality.