In Chile, there is a lack of regulations concerning cloud computing services. Law No 19,628 (Data Protection Act, DPA) does not include a specific provision regarding cloud providers; however, the activity of cloud providers may be considered data processing.
According to the DPA, data processing is defined broadly as: any action or set of technical operations or procedures, automated or not, that make it possible to collect, store, record, organise, prepare, select, extract, match, interconnect, dissociate, communicate, assign, transfer, transmit or cancel personal data, or use it in any form. Consequently, the current DPA makes no distinction between those who control or own personal data and those who provide personal data processing services to owners.
The DPA only mentions the person responsible for a data registry or bank register, meaning any private legal entity, individual or government agency that has the authority to implement the decisions related to the processing of personal data. Therefore, there are no different duties for owners, controllers or processors. Nevertheless, government agencies can only process data regarding matters within their respective legal authority and subject to the rules set out in the Data Privacy Act.
Furthermore, the DPA states that any individual may process personal data provided the provisions contained in the DPA are complied with. The following requirements shall be met: the processing of personal data shall be authorised by one of the following three sources: the DPA itself; another legal provision; or the specific consent of the subject or holder of the personal data. In addition, personal data shall be used only for the purposes for which they have been collected (the so-called "finality principle"), and those purposes must be permitted by Chilean law.
Specific Industries Regulations: Banking
Chapter 20-7 of the Updated Compilation of Rules for Banks (RAN) of the Superintendence of Banks and Financial Institutions from the Financial Market Commission (Recopilación Actualizada de Normas de la SBIF – RAN) regulates the outsourcing of services in the banking industry, specifically with regard to cloud computing, after an amendment introduced in 2017.
Chapter 20-7 defines the term "cloud services" as an adjustable, on-demand model of service provision associated with information technology through networking, based on technical mechanisms – such as virtualisation – under different approaches or supply strategies; it also provides definitions of "private cloud" and "public cloud".
Furthermore, the regulation establishes special conditions for the outsourcing of cloud services, to ensure that the service provider has the appropriate expertise and certifications and fulfils the applicable regulations of the jurisdictions where the services are being carried out, as well as meeting the appropriate safety and encryption standards.
The Financial Market Commission (CMF) issued, on 26 December 2019, an amendment to the regulation of Chapter 20-7 of the Updated Compilation of Rules for Banks (RAN) and to Circular No 2, providing for the conditions that shall be complied with by banks, their subsidiaries, the companies which provide them with support and the issuers and operators of payment cards, regarding the "outsourcing of services".
Provided specific requirements are met, these amendments exempt regulated entities from the current obligation to have a data processing site in Chile for services that are outsourced outside the country and that involve activities considered to be critical or strategic. In addition, the regulations determine that the board of directors of each entity shall be responsible for evaluating and weighing the benefits and difficulties involved in the outsourcing of services, including so-called "contingency sites", and may hire the providers that best meet their needs. This authorisation is subject to compliance with operational requirements and to the issuance of a report by a company of recognised prestige and experience in the evaluation of this type of service.
The regulation also allows the services to be provided from jurisdictions that do not have an investment-grade country risk rating, if suitable personal data protection and security laws are in place, with the regulated entity being responsible for documenting the analysis performed in this regard.
Processing of Personal Data by Public Entities
There are special guidelines applicable to public procurement processes in relation to cloud computing services. The E-government Division of the Office of the Presidency issued a resolution, Directive No 32, on 26 November 2018, which contains comprehensive guidelines for state administrative bodies contracting cloud services. Although the resolution states that it only contains general, non-binding recommendations for state administrative bodies and providers, it explicitly recognises that compliance with it would constitute good practice in the context of acquisition processes.
Risk and Liability
Currently, there is no specific legal regulation of blockchain in Chile, although the presentation of a bill on the subject has been announced. However, various public entities have incorporated this technology. During the last year, the General Treasury of Chile announced a platform dedicated to processing citizens' taxes, so that this obligation becomes faster and more transparent. In addition, the National Electric Coordinator stated that blockchain would be used to certify fuel cost and stock declarations in the country's electrical system.
Furthermore, two financial entities announced the incorporation of blockchain technology: the Central Bank of Chile is experimenting with this technology and the Santiago Stock Exchange has partnered with two other companies to work on technology-based solutions.
Risks and liabilities are either connected to operational environments and/or to the type of transaction or activity supported by a blockchain solution; thus, the main example of blockchain difficulties in the Chilean legal framework is represented by crypto-assets and, most particularly, bitcoin. According to the Central Bank of Chile, crypto-assets are neither legal tender money nor foreign currency.
Notwithstanding the above, the use of crypto-assets has increased significantly in recent years, but there are unanswered questions regarding the liability of operators of crypto-assets in relation to end-user payers and payees, especially in circumstances related to fraud.
Additionally, since exchange platform operators are not subject to anti-money laundering requirements, conflicts between cryptocurrency operators and several banks have been going on for several months. A group of operators brought legal actions against certain commercial banks before the Chilean Competition Court (TDLC) regarding the closing of bank accounts used by operators to settle crypto-asset exchanges in money, alleging an infringement of antitrust law.
The TDLC decided in favour of this group once they were paid compensation for the closure of the accounts. The Supreme Court issued a final ruling in a similar case, noting that the entity's business includes the purchase and sale of Ethereum, Ripple, Litecoin and bitcoin, all of which consist of computer programs, specifically algorithms that, as such, lack physical manifestation and have no intrinsic value. Nor, in general, do they have any value backed by a particular government or company, being defined and controlled by a decentralised group of users who use the bitcoin protocol on the internet. The ruling states that this financial activity does not currently have a regulatory framework.
It is necessary to regulate this market because its anonymity can protect illegal operations (eg, tax evasion, money laundering) and because such instruments are neither legal tender money nor equivalent to currencies – therefore, the powers that the Central Bank has for the regulation of currencies do not apply to this case.
Blockchain offers rights management from creation to commercialisation.
Essentially, blockchain is a technology that is used to transmit value through a network of contributors/participants. Accordingly, there are several ways in which IP titleholders can use blockchain platforms to enhance control and exploit their IP works, improve collaboration and achieve fair and proficient IP rights management in the digital environment by making the process more transparent and efficient, also cutting out financial intermediaries.
The IP life cycle of the future will ensure that the intangible assets are attributable at the time they are created and that they are protected against fraud and operate in an efficient and innovative network.
Blockchain as a software or database can be protected under the Chilean Copyright Act (Law No 17,336).
At the present time, there are still many issues that remain unresolved, such as the required processing control of blockchains, the compatibility and interoperability of different blockchain platforms, and legal issues such as data ownership, privacy, liability, jurisdiction, etc.
Regulators are still reflecting on how blockchain implementations can comply with data privacy laws. The first issue is determining who is the controller and who is the processor in the case of blockchain and distributed ledgers, due to the lack of a single person or entity that fits the definition.
The DPA requires a lawful basis for processing personal data. In the case of private or permission-based networks, the creators and operators of such networks can prescribe rules for participation, including the types of data to be collected and the purpose for collecting the data. This will ensure notice and transparency at the outset. In addition, if participants are required to agree to terms and conditions, then the contract could serve as a basis for processing personal data.
Conflicts with data subject's rights of the DPA
Blockchains are generally designed so that data, once entered, cannot be changed. This immutability directly conflicts with DPA and GDPR provisions allowing data subjects to request that their data be corrected or deleted. According to the Chilean DPA, one of the data subject's rights is to request that the controller cancel personal data when there is no lawful basis for processing it, or when the existing basis is no longer valid. Additionally, the data subject is entitled to request the modification of personal data stored in the controller's databases when they are erroneous, outdated or incomplete.
However, those rights cannot be readily invoked unless there is a clearly identified controller, such as in a private or permission-based network that has access to all the data on the network. If a network has multiple nodes, with each node having access to only a subset of personal data, it may be necessary to set up a mechanism where requests can be circulated to all required nodes for response.
Blockchain solutions are cross-border by default: there are no territorial restrictions on membership of the blockchain, and international transfers of personal data are invariably involved. At present, the DPA does not include a specific provision in this respect. However, considering that the transfer of data is deemed data processing according to the DPA, it follows that it will require authorisation from the individual (ie, the data subject), unless the transfer falls within one of the exceptions contemplated by the DPA.
Although it is not expressly regulated in the DPA, the transfer of personal data is part of a specific section in the bill aimed at restructuring the Chilean DPA which is currently being discussed in the National Congress.
Blockchain-enabled contracts or smart contracts should play a significant role in automating parts of service level agreements (SLAs) in the coming years. Service level agreement management is one of the most promising areas for blockchain use – for example, aiming to create software products that enable SLA management among telecom operators utilising blockchain and, specifically, smart contracts.
It will be necessary to include a regulation that considers all of the issues raised above so that, within a legal framework, the rights and guarantees of people are respected and, at the same time, the development of technology and innovation is not prevented. The laws and regulations will need to be updated to adapt to these new technologies because safeguards need to be taken and businesses and consumers should be protected from misuse.
These technologies do not have natural frontiers or jurisdictions as limitations because they are designed to operate over the internet.
The Chilean DPA does not contain an explicit provision on the scope of the law limited to personal data owners and processors established or operating in the Chilean jurisdiction.
It will be necessary to provide a global regulatory framework to ensure the rights of the people. Local complementary laws and regulations should also be implemented to achieve the same goal. In addition, antitrust and net neutrality regulations should be reviewed and strengthened to guarantee free competition and technological innovation.
Automation in decision-making through the algorithmic analysis of large databases (big data), without the appropriate checks and balances, can lead to discriminatory, arbitrary results, and/or violate people's fundamental rights. It is necessary to set limits and controls to combat information asymmetries and their consequences.
The collection of large databases can violate people's privacy and makes the protection of privacy more difficult, because the information is multiplied and exchanged between different entities around the world without borders.
Since most of these projects imply the collection and processing of large amounts of personal data of individuals, Law No 19,628 (DPA) is applicable. The processing of personal data can only be carried out if authorised by the DPA, by other laws or with the express consent of the data subject. If the DPA authorises the processing, there is no need for the express consent of the data subject.
The DPA authorises the processing of personal data:
Consequently, pursuant to the DPA, unless otherwise expressly permitted by law, the collection of data must comply with both consent and the notice rule and the purpose limitation requirement, among other requirements set forth in the DPA. However, an exception to both the data subject’s consent being the general lawful basis of data processing (including data collection) and the purpose limitation requirement is the processing of certain personal data retrieved from publicly available sources. Nevertheless, all other DPA requirements for processing personal data remain applicable and in force.
A bill aimed at replacing the DPA is currently being discussed in the National Congress, establishing GDPR-standard rights for data subjects to object to decisions based solely on the automated processing of their personal data, including profiling. The bill addresses this phenomenon and requires that any such secondary use of personal data be based on a compatible purpose – ie, that there is a contractual relationship with the holder that justifies this differentiated use or that the holder has given new consent. This contrasts with the European experience, in which the consent criterion co-exists with enablers to exploit the data, complemented by demands of responsibility and control mechanisms endorsed by the companies that process this data.
Machine Learning (ML)
There is a lack of regulation in the Chilean legal framework regarding the use of predictive tools based on machine-learning algorithms.
The DPA only refers to the prohibition of any type of prediction or commercial risk assessment not based exclusively on objective information related to delays or defaults in payment by the individuals or legal persons in question. Moreover, although there is no guideline regarding how to handle biases in algorithms or other automated decision-making techniques, Law No 20,609 (Anti-Discrimination Act, ADA) is applicable. The ADA establishes a legal action that may be filed by persons who are victims of arbitrary discrimination.
Finally, similarly to the GDPR, the Data Protection Bill includes a data subject's right to request human intervention when it is not legally feasible to exercise the right not to be subject to a decision with legal effects based solely on automated data processing.
Artificial Intelligence (AI)
Since the beginning of 2020, the government and a committee of experts have been working on the National Policy on Artificial Intelligence, which will contain the strategic guidelines that the country must follow in this matter during the next ten years, with the aim of empowering people in the use and development of AI tools and in participating in the debate on their legal consequences, as well as related ethical, social and economic issues.
On 15 December 2020, the Ministry of Science opened the citizen consultation on the draft of the Artificial Intelligence Policy. After a drafting process that included discussions in regional and self-convened tables in addition to the work of a committee of experts and an inter-ministerial committee, this second instance of participation aims to present the first draft of this policy to receive comments from both researchers and AI developers, as well as citizens who are exposed to this technology in their day-to-day lives.
The consultation is the last step prior to the publication of the first Chilean Artificial Intelligence Policy, which will outline a roadmap for the responsible development and adoption of this technology in the country.
Furthermore, the local securities and insurance supervision agency, the Chilean Financial Market Commission (CMF), is conducting research about possible future changes to securities trading and financial advice regulation to face the rise of robo-adviser technologies. In this regard, the CMF is aware that the current tools that are in place to ensure the quality of financial advice are useless when an AI is deployed for recommending investment opportunities.
IP Issues Related to Big Data, ML and Cloud Computing Storage Solutions
Regarding the intellectual property protection of databases, Article 3 of Law No 17,336 (Copyright Act) establishes a non-exhaustive catalogue of "works" that can be protected by copyright, including the sui generis protection of compilations of data or other materials "in machine-readable form or other formats, which, for reasons of the selection or arrangement of its contents, constitute creations of an intellectual nature". However, for a work to be protected by copyright, it must be an original creation (effectively, at least a minimum level of originality is required). Therefore, in the case of databases, what would be protected is not the database's content but the selection or arrangement of that content.
ML algorithms can be subject to a twofold protection as copyrighted work: (i) as part of a computer program, in respect to its computer code implementation; and (ii) as a database in case such algorithm ends up being a core component of an original compilation by virtue of its features as a data arrangement and processing tool (eg, a "random forest algorithm" fitted to classify customers in a particular matrix of features).
Insurance Policies Available to Data Assets
Regarding insurance of data and other informational assets, there is no special regulation that differs from the general rules applicable to casualty and property insurances. According to the CMF's website, there are several policies concerning civil liability arising from data protection regulations and losses caused by data breaches.
Fifth-generation mobile telephony (5G) has been presented as the promise of future telecommunications development, its faster speed meaning an ability to move more data, to connect more devices at the same time, and to aid the development of artificial intelligence (AI) and the Internet of Things (IoT).
The National Cybersecurity Policy (NCSP) establishes that it is necessary to promote the protection of public and private-sector networks and computer systems, especially those that are essential for the proper functioning of the country, ensuring the operational continuity of basic services. In addition, it seeks to establish common standards and protocols on how telecommunications will operate, prevent negative effects on the rights of citizens, including constitutional guarantees related to privacy, the protection of their personal data, the inviolability of communications, freedom of expression and access to information.
Currently, IoT services do not require a special authorisation, nor are they subject to specific requirements. Nonetheless, some general telecommunications standards do contemplate certain restrictions relating to the frequency bands and equipment being used to provide IoT services, as well as considering rules concerning the protection of personal data and the inviolability of communications that should be considered in the deployment of IoT services.
General Telecommunications Regulation
An IoT service that uses the radioelectric spectrum to transmit information from one point to another should comply with the requirements of the General Plan for the Use of Radioelectric Spectrum, Decree No 127-2006 of SUBTEL, which states the use that can be assigned to a specific frequency band.
As SUBTEL has not allocated a frequency band for IoT services, the use of a frequency band must be officially applied for; SUBTEL grants experimental licences which have a duration of five years, renewable for another such period at the request of the interested party (Law No 19,168, Telecommunications Act, LGT). To obtain such a licence, or to renew an existing licence, the payment of a single spectrum right is required. According to the LGT, experimental permits – also granted by SUBTEL – are of a temporary nature (their duration is two months) and may not be used to provide commercial services. No spectrum usage rights need to be paid for such permits.
Regarding the equipment used for IoT, the project developer should consider obtaining a certification or an authorisation by SUBTEL, according to the Technical Standard for Reduced Scope Equipment (Decree No 1985-2017), depending on the equipment's specific technical characteristics.
Decree No 1463 of 2016 of SUBTEL regulates the minimum technical specifications that need to be fulfilled by equipment used in mobile networks; thus, IoT devices must be registered in a database to which SUBTEL has real-time access.
Regulation of IoT Regarding Data Protection and Inviolability of Communications
IoT with domestic objectives must not only meet general telecommunications standards, but also abide by restrictions based on the regulation of privacy. The guarantees of Article 19 No 4 and No 5 of the Constitution respect and protect the privacy and honour of the person and their family, protect their personal data, and establish the inviolability of the home and of all forms of private communication. The specific regulation on privacy is contained in Law No 19,628 (DPA), detailed in 6.1 Core Rules for Individual/Company Data.
The Criminal Code establishes the illegality of the capture, interception, recording or reproduction of private communications and private events, in private premises or places that are not freely accessible to the public, without the authorisation of the affected party (Article 161 A). In this regard, malicious wiretapping through IoT devices, such as the leak of private communications recorded by smart devices, should not be treated differently from traditional illegal interceptions of communications (ie, machine-to-machine).
Challenges with IT Service Agreements
The Chilean legal framework is appropriate for executing IT agreements, ranging from simple ones to extremely complex contract agreements.
The most frequently used clauses in the IT industry within IT agreements are limited liability, "as is" disclaimers, service level agreements (SLAs), audit rights, no-assignment rules, and non-disclosure agreements.
Nevertheless, the following are some aspects of Chilean law that any service provider, software developer and/or IT contractor should consider in order to reach the most favourable agreements with Chilean-based customers.
Limitation of liability clauses – both limitations on recovery for certain damages and liability caps – are generally accepted and enforced by courts when professional parties execute a contract, except in cases of gross negligence and wilful misconduct, among other similar circumstances. In the case of public entities, those types of clauses are not allowed.
Law No 19,628 (DPA) does not currently include a specific provision regarding restrictions on international transfers of personal data. Nevertheless, the transfer of personal data outside the jurisdiction of Chile may be considered a use of data and will require authorisation and be subject to the other restrictions established by the Law.
Chapter No 20-7 of the Updated Compilation of Rules for Banks (RAN) of the Superintendence of Banks and Financial Institutions from the Financial Market Commission regulates the outsourcing of services in the banking industry, specifically with regard to cloud computing, after an amendment introduced in 2017. It included mandatory clauses that refer to business continuity, subcontracting, data-deletion procedures, and the supervision of rigorous supplier/provider selection processes according to the entity's internal risk assessment procedures. In addition, the regulation establishes special conditions for the outsourcing of cloud services, to ensure that the service provider has the appropriate expertise and certifications and fulfils the applicable regulations of the jurisdictions where the services are being carried out, as well as abiding by the appropriate safety and encryption standards.
On 26 December 2019, the Financial Market Commission (CMF) issued an amendment to the regulation to Chapter 20-7, providing for the conditions that shall be complied with by banks, their subsidiaries, the companies which provide them support and the issuers and operators of payment cards, regarding “the outsourcing of services”.
It is important to bear in mind the bill on computer crimes, which would add computer crimes to Law No 20,393 on the criminal liability of legal persons/entities, alongside the crimes of money laundering, terrorist financing and bribery offences. The issue of compliance in data governance and cybersecurity is precisely related to this type of IT services agreement. The bill is expected to be enacted in 2021.
Core Rules Regarding Data Protection
The legal framework governing privacy can be found in Article 19 No 4 of the Political Constitution of the Republic of Chile, which guarantees the respect and protection of privacy and honour of the person and his or her family. Article 19 No 4 of the Chilean Constitution was amended by Law No 21,096, establishing the Right to Protection of Personal Data; it precisely recognises the protection of personal data within the scope of the constitutional guarantee of the protection of private life and honour, stating that the treatment and protection of this data will be subject to the forms and conditions established by law.
Furthermore, Chile has a data protection law, Law No 19,628 on Privacy Protection (Data Privacy Act, DPA); this regulates the treatment of personal information in public and private databases or bank register. Further, regarding the public sector, there are some special rules concerning use of the public database or bank register by public agencies, and restricted rights for holders of personal data stored or processed by public entities.
Law No 19,496, which provides provisions regarding credit information, operates along with the DPA (Article 9, amended by Law No 20,521), which contains provisions about personal data related to obligations of an economic, financial, banking or commercial character to ensure that the information delivered through risk predictors is accurate, updated and truthful.
Law No 20,584, which regulates privacy in healthcare, encompasses provisions concerning the privacy of medical records and operates together with the DPA, which details the confidentiality of doctors' prescriptions and laboratory analyses, together with examinations, etc, related to health services.
Distinction between Companies/Individuals
Only individuals are under the protection of the DPA.
General Processing of Data
Currently, the DPA has no requirements for the appointment of privacy or data protection officers (DPOs).
The processing of personal data may only be carried out if authorised by the DPA, by other laws or with the express consent of the data subject. If the DPA authorises the processing, there is no need for the express consent of the data subject. The DPA authorises the processing of personal data:
Currently, there is no exception regarding fulfilment of contract and the DPA does not include the need to adopt internal or external privacy policies.
The law contains a definition of the dissociation process, which means all personal data processing by which the information obtained cannot be related to an identified or identifiable individual (ie, anonymisation, pseudonymisation).
Processing of Personal Data
The Data Privacy Act states that any individual may process personal data if the following requirements are met.
To exercise the right to access, the data subject must address the person responsible for the data registry or bank claiming his or her right to access his or her data. This right to access may refer to:
Access to information on personal data shall be free of charge. This right of access cannot be limited by means of any act or agreement, except in the case of a government agency, the security of the nation or the national interest. Data subjects also have the right of rectification if the personal data is erroneous, inexact, equivocal or incomplete, and such a situation has been evidenced.
Data subjects also have the right to deletion of personal data if its storage lacks legal grounds or if it has expired; likewise, when the subject has voluntarily provided his or her personal data, when it is used for commercial communications, or when he or she does not want it to continue appearing in the respective registry, either definitively or temporarily.
Data subjects may oppose or object to the use of personal data for purposes of advertising, market research or opinion polls. If the person responsible for the personal data registry or bank register fails to respond to a request within two business days or refuses a request on grounds other than the security of the nation or national interest, the subject of the personal data shall have the right to attend before the civil court requesting protection to his or her right of access or the other rights granted by the DPA.
Article 5 of the Labour Code expressly states that employers can exercise their rights within the limits imposed by the Constitution, especially regarding privacy. Employers must abide by and comply with the privacy statements. Article 154 bis of the Chilean Labour Code states that the employer shall keep confidential all private information and data of the employee to which it has access as a result of the labour relationship.
In this matter, the issue raises a possible conflict between, on the one hand, the constitutional guarantee of the inviolability of all forms of private communication and, on the other hand, the employer's power to organise, direct and manage his or her company, which derives from the constitutional guarantee of the right of property (Articles 19 No 5 and No 24 of the Constitution).
The Labour Authority (LA) has ruled that the employer has the right to regulate the conditions, frequency and timing of use of its property, provided this does not infringe the constitutional guarantee of the inviolability of all forms of private communication. In this regard, the LA sees no objection to the regulation of corporate email, provided this does not affect the above-mentioned constitutional guarantee.
According to Ruling No 260/0019-2002 of the LA, the employer can regulate the conditions, frequency and timing of the use of corporate email and, where necessary, can ensure that all emails sent from the company server are copied to management. Moreover, the employer may regulate the use of non-productive emails (ie, those not directly related to the business of the company). These measures should be included in the internal rules of the company, of which the employee has prior knowledge. The employee must also understand that corporate or institutional email should be used only for work; the employee should keep his or her personal relationships, etc, out of this area.
Regarding employee monitoring in general, the LA states that a determination as to whether certain forms of business control are appropriate must be carried out considering the employer’s objectives for its implementation, which will ultimately establish whether the form of control at issue affects the employees’ dignity and free exercise of fundamental rights (Ruling No 3125-2018).
The LA has ruled that the employer can review or audit corporate emails provided certain requirements or conditions are met, since corporate email is a tool that the employer makes available to employees for the faithful performance of its instructions. The employer's control measures regarding the use of corporate email cannot involve excessive control that infringes the employee's rights of privacy and dignity. The review or audit of corporate emails must be incorporated in the internal rules so that employees are aware that corporate emails can be monitored and audited. In addition, the rules should include an internal procedure for reviewing such emails, which must protect and not infringe the privacy rights, dignity and honour of the employees. The review should be random (covering all employees of the company, or an area or section of the company) or be the result of a specific complaint about misuse of corporate email, which should be evident in the rules of procedure. The review, in the latter case, should be limited to verifying the existence of the alleged infringement.
Through Ruling No 260/19 of 15 November 2019, the LA expressly stated that any email sent by the employee from the email account provided by the company will be automatically copied and deposited in an employer's folder; such emails therefore do not have the character of private communication but are rather the property of the company, which is fully empowered to monitor and keep them, even after the end of the employment relationship. However, this criterion applies only to emails sent by the worker, of which the employer receives a copy from the worker's electronic mailbox; it does not apply to emails received, for which the worker can legitimately have higher expectations of privacy, since it is correspondence over which the worker-user of the corporate email lacks full control.
Furthermore, Ruling No 4316 of the LA states that any obligation and prohibition provided by the employer which affects matters of order, hygiene, and safety:
In addition, any control measure – that is, not only those that find their foundation in the law, but in other normative sources – can only be carried out by suitable means and be consistent with the nature of the employment relationship and, in any case, its application must be general, guaranteeing the impersonality of the measure to respect the dignity of the worker.
Technologies within Local Telecommunications Rules
Currently, no specific technology is deemed to fall within the scope of local telecommunications rules. Instead, the Telecommunications Act (the LGT) defines "telecommunications" and classifies the different "telecommunications services" in its Article 3 based on their purposes, not on the technology with which they are or should be provided.
Notwithstanding this, there is special sectoral regulation in telecoms that cites the technology to be used when defining some services; moreover, there is regulation on the conditions that certain equipment must meet when using a specific technology. Decree No 484-2008 on public VoIP services states that this service is a public telecommunications service if it allows voice communications to be established with the community in general and to interconnect with other public telecommunications services (eg, calls from an IP voice network to a public telephone network).
Where there is no reciprocal connection between the VoIP service and the public telephone network (such as calls made purely over the internet or without a dial-in number), the service is not defined as a public telecommunications service and, consequently, does not fall under the scope of the Decree.
The installation, operation and exploitation of public VoIP services require a public telecommunications service concession, granted by the Ministry of Transport and Telecommunications (MTT). Furthermore, as a public telecommunications service, it must comply with all the obligations that this qualification entails under the LGT. Concessions are granted without the need for a public tender because they do not use the scarce resource of the radio-electric spectrum.
Equipment for radio frequency identification (RFID) must comply with the provisions of Decree No 1985-2017, which establishes the respective technical standard. These standards require that equipment emitting radio waves in certain frequency bands with a certain electric field strength must undergo a certification process in advance.
In broadcasting, an OTT (over-the-top, free streaming) service consists of the transmission of audio, video, and other content over the internet without the involvement of traditional operators in the control or distribution of content. OTT services such as instant messaging services are not regulated by telecommunications regulations – no authorisation is required, and there are no standards of service quality, interconnection obligation or other specific rules to be complied with. Nevertheless, the Consumer Protection Act and the DPA are applicable.
The requirements for providing any telecommunications service, including audio-visual services, depend on whether the radio spectrum is used and on whether the service is limited or freely available.
According to the Telecommunications Act (Law No 18,168, the LGT), radio services require a licence granted by the Ministry of Transport and Telecommunications (MTT), which has a duration of 25 years; a licence for community radio services has a duration of ten years, being regulated by the Citizen Community Broadcasting Services Act (Law No 20,433).
Radio services are granted through a public bid to the applicant offering the best technical conditions. The applicant must be a legal entity incorporated in Chile and have a legal address in the country. The entity's presidents, directors, managers, administrators and legal representatives must be Chilean and not have a major criminal conviction. In the case of a board of directors, foreigners may be nominated as directors, but they may not constitute the majority. Once the licence is granted, the applicant must publish an extract of it in the Official Gazette (Decree No 126-1997). Before transmissions start, the Undersecretariat of Telecommunications (SUBTEL) shall inspect and authorise the company's facilities (the LGT).
TV and radio content regulation
Regarding content regulation, free-to-air broadcasters and permit-holders of pay-TV services must comply with several rules for the proper functioning of television services.
These include the obligation of broadcasting a certain amount of cultural content per week, restrictions on content deemed violent, pornographic or immoral, time restrictions on certain movies rated by the cinematographic rating board and limitations on advertising of some products, such as alcohol.
In the case of radio broadcasting licensees, according to the Promotion of Chilean Music Act (Law No 19,928), there is an obligation of broadcasting a minimum daily quota of Chilean music, including emerging and local artists.
None of these regulations apply to online video channels.
According to the National Television Council Act (Law No 18,838), free-to-air broadcasting services require a licence granted by the National Television Council – the licence has a duration of 20 years (in the case of licences with their own necessary technical means), and of five years (in the case of licences with technical means provided by third parties).
The Digital Terrestrial Television Introduction Act of 2014 (Law No 20,750) encouraged the transition from analogue to digital broadcasting. It also established the obligation to achieve total digital coverage by the year 2020, the date of the so-called "analogue blackout". However, the MTT has the power to extend the original term by means of a Supreme Decree.
Limited telecommunications services, such as pay-TV, require a permit granted by SUBTEL to a legal entity (the LGT). Satellite television permits have a duration of ten years; in the case of cable TV there is no expiry date if the radio spectrum is not used.
There is no general legal requirement for the use of encryption techniques on electronic communications and documents. However, encryption as a cryptographic process of encoding information for confidentiality, integrity and authenticity purposes is subject to certain regulations, depending on the characteristics of each framework of use of this technology.
According to the DPA, those responsible for or in control of the database are required to ensure that those involved in personal data processing comply with confidentiality obligations, given their responsibility for the security of the personal data stored in the database, and that the rights of the data subjects are safeguarded.
In the case of a request for personal data through an electronic network, the following information must be recorded: (i) the inquirer's identity, (ii) the purpose of the request, and (iii) the specific data being transferred.
Regarding security requirements, the DPA does not impose any specific security measures for the protection of data subjects in relation to the processing of personal data. However, responsibility for the database in which personal data is stored (after its collection) should be exercised with due diligence and confidentiality, and with acceptance of liability for damages.
Furthermore, there are specific rules for banks and financial institutions under which encryption of client data and wire transfers, and notification of security breaches, are mandatory. This regulation is transitory and was issued by the entity that supervises the banks (the CMF). Currently, the bill that includes regulation on these matters is pending in Congress.
Additionally, there are some other regulations that contain cybersecurity provisions applicable only for certain areas, such as those listed below.
Law No 19,223 on cybercrimes regulates (i) unauthorised access to databases or information, and (ii) unauthorised disclosure of such information, among other criminal actions. Currently, there is a Bill in Congress which will amend all rules on cybercrimes, and under which the use of encryption technologies with the wilful purpose of obstructing the course of justice shall be considered an aggravating circumstance of criminal liability when committing any of the criminal offences proposed in the draft.
Article 24 H of the General Telecoms Law (GTL, referred to above as the LGT) sets out the obligation on internet service providers (ISPs) and telecommunications concessionaires to seek to safeguard network security.
Decree No 83 of 2005, issued by the Ministry General Secretariat of the Presidency, deals with the Confidentiality and Security of Electronic Documents for the Public Administration.
In 2017, the government's first National Cybersecurity Policy (NCSP) was released. The objectives by 2022 include a risk management approach to preventing and reacting to incidents, including the protection of information/critical infrastructure, and preventing and reducing cybercrime. In relation to this, the NCSP states the requirement of differentiated standards in cybersecurity, as follows.
Due to the pandemic, during the last year the TMT sector has faced the need for higher service levels. This has created a fundamental necessity for players in the sector, encouraging the development of a framework of new standards to support a digital economy and digital platforms.
The government has been reinforcing telecoms networks in remote parts of the country and trying to maintain levels of employment through several labour laws. In addition, Chile enacted employment measures to mitigate the spread of COVID-19. On 2 April 2020, Chile passed the Remote Work Law – this law is a very important step and defines remote work as the provision of services totally or partially from home or any other place different from the company's premises, and work provided or reported from those different places through technological tools.
In Chile, there are still areas that are covered by only a very few mobile service operators, which were not required to share their networks with other providers. However, in June 2020, Law No 21,245 on Automatic National Roaming was passed, the objective of which is to reduce the digital divide and improve connectivity throughout the country by requiring mobile service operators to share their networks with others in certain cases. However, its provisions will only come into effect once the various issues and relevant regulations have been resolved.
The process of digital transformation of the state began with the promulgation of Law 21,180 on 11 November 2019, which seeks to transform the way in which citizens relate to the state through a series of amendments to administrative procedures, establishing as a rule that these will be carried out by electronic means. According to the Law of Digital Transformation, its regulations must be issued within a year of its promulgation; ahead of this, the Ministry of the General Secretariat of the Presidency opened a public consultation on a document containing the general guidelines of the future regulations. In this regard, it is important to note the need to prioritise the implementation of digital transformation in the services most used by citizens, to establish high standards of quality and security for the platforms, and to comply with the regulations on transparency and protection of personal data. Due to the pandemic, this process of digital transformation of the state took priority, and the public consultation on the applicable regulations and policies has attracted great interest among stakeholders from all sectors.
The Ministry of Economy, Development and Tourism opened a public consultation for interested persons on the draft regulations on electronic commerce. This consultation was open until 4 November 2020. The regulation aims to safeguard the transparency and quality of the information delivered to online consumers, to ensure that they have the maximum amount of information when making their purchases online.
Las Hualtatas 6650
+569 6495 email@example.com
Digital Transformation and COVID-19
At the beginning of 2020, when COVID-19 was officially declared as a pandemic, the emergency measures decreed – such as prohibition on people gathering together, closure of shops, quarantine, etc – forced digital transformation to increase by leaps and bounds. Many companies, organisations and employers found it necessary to arrange for their employees to work remotely from their homes, and they were forced to implement measures to protect their workers – for example, avoiding infections while people travelled by bus or subway to or from their workplaces, or within the offices themselves, respecting the maximum capacity of people allowed under the new rules by the government authority and the minimum distancing measures. However, working remotely created a new source of danger in terms of cybersecurity.
We shall examine the scenarios currently faced with this enforced digital transformation, many of which we were not technically prepared for, and consider what measures can be taken in this regard.
Businesses, companies or organisations seem to have overlooked the greater risks that remote work or telework implies for the security of their networks, systems and data, and they have not taken the recommended security measures or protocols in this regard.
In terms of security, we have seen that there are greater risks of exposure of confidential data; we have compiled information on this from publicly available sources. One area of concern is that employees, to facilitate their work, use personal devices or work outside the secure environment of the organisation: either emails with attachments containing confidential information are sent to personal accounts, or employees upload that data to personal cloud storage accounts.
Use of technological tools
Along with the security problems mentioned in the previous paragraph, the lack of equipment or hardware provided by the employer is a further problem. This has contributed to an exponential increase in risk, due to the growing use of personal (non-secure) devices by employees, particularly where those devices can connect remotely to the organisation's network or systems.
Law 21,220 on telework or remote work, which came into force in April 2020, states that equipment, tools and materials for work, including personal protection items, must be provided by the employer. It should be added that the employee may not be forced to use his or her own equipment. Likewise, the costs of operation, maintenance and repair of equipment will always be the responsibility of the employer. In reality, however, this has not happened: in many cases employees have had to provide their own technological means or, where the company has provided them, the necessary cybersecurity safeguards have not been taken.
Privacy: processing of personal data
It is important to also bear in mind the other side of information security – that is, data processing and privacy.
Chile's Personal Data Law 19.628 (DPA) is in full force in remote work; the data that is sent outside the network of a company or organisation not only generates exposure to greater security breaches but could also create obligations in terms of regulations on privacy and personal data protection laws, involving the necessity to notify the company's clients, regulators and employees on those matters.
The DPA establishes that anyone can process personal data and it is necessary to comply with the provisions contained therein. Thus, for data processing, it is required to comply with those rules related to the authorisation or consent of the interested party, the principle of purpose (ie, personal data will be used only for the purposes for which they have been collected, and those purposes must be allowed by Chilean law) and to notify concerned parties about the possible public communication of the data.
As stated, anyone can process personal data, if it is done in a manner consistent with the DPA and Article 19 No 4 of the Chilean Constitution and for the purposes allowed by law. In any case, this process must respect the full exercise of the fundamental rights of the holders of the data and the rules of the DPA.
Pursuant to the DPA, unless expressly permitted by law, data collection must comply with the consent requirement, the notification rule and the purpose limitation rule, among other obligations. The authorisation must be in writing. The authorisation can be revoked, also in writing, but without retroactive effect. Personal data should be used only for the purposes for which it was collected, unless it comes from or was collected from public sources. In any case, the information must be accurate, up to date and truthfully reflect the real situation of the data subject.
The DPA does not currently include a specific provision restricting international transfers of personal data. Nevertheless, the transfer of personal data outside the jurisdiction of Chile could be considered data processing and could therefore require authorisation and be subject to the other restrictions established by the DPA, depending on the details of each case.
Failure to comply with these provisions, such as lack of consent of the interested party, can result in fines of between approximately USD75 and USD760. In addition, since the penalties are determined in a summary procedure before the court, the risk of legal disputes and lawsuits is high. Furthermore, the DPA establishes that non-monetary and monetary damages resulting from the incorrect processing of personal data will be compensated to those natural persons who own the data and who decide to sue under current procedures; it should be noted that the bill to replace the DPA currently before Congress regulates this matter in a way more favourable to the defence of data subjects' ARCOP rights (access, rectification, cancellation, opposition and portability).
As already mentioned, a bill destined to replace the DPA is currently being discussed in the National Congress, which establishes certain rights and obligations and is even stricter than the GDPR. In addition to ARCOP rights, the creation of an independent entity is included, the Data Protection Agency, with full authority to regulate and oversee the processing of personal data, to monitor companies and all those who carry out data processing to comply with the new standards of privacy and information security, as well as the power to impose fines, etc.
In general terms, in Chile and in comparative law, data protection regulations include a general prohibition on the processing of health data, which is classified as sensitive data, unless there is express consent of the interested party or the processing is covered by one of the exceptions included in the respective law.
In this respect, governments have relied on exceptions of the public interest or the vital interests of the interested parties or society in order to avoid the uncontrolled spread of COVID-19, emphasising the fact that only data that is necessary for the fight against the pandemic or that have been requested by the competent authorities for this purpose should be collected, respecting as far as possible the privacy of the interested parties.
In accordance with Chile's personal data protection law, which regulates the processing of databases, the state of health of a person (ie, a person's medical record) is sensitive personal data. Furthermore, according to the Health Code, the content of a patient's clinical record is confidential, except for use by the health authority in exercising its powers, the courts and the Public Prosecutor's Office (Ministerio Público).
Phishing and malware
There have been positive aspects to the development of new online services and the improvement of existing services, such as remote support (extending the capacity of self-services on the web, such as chatbots, training, etc). Nevertheless, it is important to note that the COVID-19 crisis has generated new opportunities for cyber-attackers. For example, cyber-attackers have taken advantage of the fear of the pandemic by sending phishing emails that claim to contain updates to company COVID-19-related policies, requesting employees to validate their data or credentials and/or asking them to install additional software to enable remote connectivity – all of which would allow cybercriminals opportunities to infiltrate company networks and systems. The same has happened with web pages related to unofficial COVID-19 information.
In response to the growth of cybercrime and the high risk of fraud, phishing via fake bank or email login pages, etc, the Chilean authority, through the Computer Security Incident Response Team of the Government of Chile (CSIRT), has published the measures to be taken in this regard. For example, in Report No 40, the CSIRT warns of a high risk of fraud, drawing attention to the activation of three fraudulent portals associated with one IP address that impersonate the official websites of Banco Estado, Banco de Chile and Banco BCI, and which could serve to steal the credentials of users of those entities. The foregoing constitutes a falsification of the institutional brand that could affect users, clients and the bank in question. In addition, identity theft has increased dramatically.
Remote working: risk of intrusions and data privacy issues
Another point of vulnerability that experts have identified is that the pressure to strengthen the capacity to support remote work (in the IT infrastructure) can lead to hasty implementation decisions that increase the chances of unwanted intrusions, opening a new window through the systems and networks operated by external service providers that support the applications and data flows necessary to facilitate an effective remote workforce.
Protecting the company's or the organisation's sensitive data or confidential information is essential when employees work from home, particularly in terms of protecting their network and systems. Likewise, it is crucial to comply with the regulations regarding personal data not only owned by the company but also by its employees and clients, when employees are working from their homes (telecommuting or remote working).
Working together to face the challenges ahead
It is here that lawyers specialising in privacy, cybersecurity and TMT matters can play an important leadership role, guiding and working together with IT teams, HR departments, companies, organisations or employers, advising on the steps they must take to adapt to these new paradigms.
The challenges in the face of this digital transformation, accelerated by the pandemic, confront us with new circumstances in matters of privacy and cybersecurity regulation, which are transversal for all entities (public or private), for-profit or not-for-profit. There remain issues that have not yet been addressed and that are affecting such everyday areas as the way employees' information is managed.
We are in a period of constant change and uncertainty, not only in terms of labour regulations, but also in computer crime, privacy, AI, IoT and cybersecurity regulations. For example, the cybercrimes bill modifies the law on criminal liability of legal persons, making them now also liable for this type of crime. It regulates the crimes of computer disruption, illicit access, illegal interception, computer damage, computer forgery, computer fraud and abuse of devices.
It is important to underline that companies and organisations must prepare in advance for all the regulatory changes that have been mentioned. We recommend seeking advice to create self-regulation policies, which the authority will take into account, and modifying and adapting internal policies, contracts with suppliers, regulations, etc accordingly.
For this reason, we reiterate that lawyers specialising in privacy, cybersecurity and technology today play a fundamental role, working together with companies and organisations (and their IT teams, information security areas, boards and HR teams), since they are able to collaborate and provide guidance in the evaluation of risks, security gaps, compliance, self-regulation, and privacy and cybersecurity policies. This will mean an investment in both the short term and the long term, but it will make a real contribution to mitigating these risks, threats and breaches.