After seven years of discussion, on 26 August 2024, the Chilean congress finally approved the reform of the Chilean Data Protection Act (“Reform” and “Act”, respectively). The Act is heavily influenced by the General Data Protection Regulation.
The key changes introduced are as follows:
- Creation of the Data Protection Agency (“Agency”)
- Increase and expansion of rights of data subjects
- New obligations for data controllers
- New types of sensitive data
- New legal bases for processing
- Regulation of international data transfers
- New National Registry of Sanctions and Compliance
Deep dive on the Reform
The Reform is expected to be published within the next few weeks. Once published, the implementation will take 24 months, providing time for (i) companies to adapt to the new requirements and (ii) the creation, staffing and budgeting of the new Agency.
1. Creation of the Agency
- Until now, there was no data protection agency in Chile. As a result, the Act saw relatively little enforcement, which relied mainly on private litigation.
- The new Agency has been granted several powers, such as (i) general administrative powers to interpret the Act, (ii) authority to control its application, (iii) authority to issue fines for noncompliance with the Act (the potential fines have been increased from approximately USD 3,500 to approximately USD 1,450,000) and (iv) authority to potentially order the suspension of personal data processing or international transfers of personal data.
2. New rights of data subjects
- Rights previously established by law, such as access, rectification, blocking and opposition, have been recognized and further developed. For example, after the Reform, the right of access includes not only obtaining information about the data that is processed, but also (i) its origin, (ii) the purpose of the processing and (iii) the time period during which the data has been processed. Likewise, the right to opposition now includes, besides the prohibition on processing a subject’s data, the prohibition of certain types of processing, such as automated decision-making, AI or profiling.
- New rights have been introduced, such as the right to data portability and the right to erasure.
3. New obligations for data controllers
- These are called “structural” obligations. They include (i) secrecy and/or confidentiality, (ii) a duty of protection (of personal data) by design or by default (data controllers must design their systems to protect personal data by default), (iii) a duty to implement security measures, (iv) a duty to report data breaches (previously, there was no obligation to report, except in the financial sector) and (v) a duty to perform a data protection impact assessment in certain cases.
- Foreign service providers that process personal data of Chilean residents must now register a representative domiciled in Chile with the Agency.
4. New types of sensitive data
- New categories of sensitive data have been created, including (i) general sensitive data, (ii) biometric sensitive data, (iii) data from minors, (iv) geolocation data, (v) health and biological profile data, etc.
5. New legal bases for processing
- The original legal bases were consent and express legal authorization. The Reform has added the following: (i) when data processing is required to fulfill a legal obligation; (ii) when data processing is required to perform a contractual obligation between a data subject and a data controller, or for precontractual arrangements leading to a binding contract; (iii) when data processing is necessary to pursue a legitimate interest of the data controller, provided that this does not affect the rights and freedoms of the data subject; and (iv) when data processing is necessary to exercise or defend a right of the data controller before courts or administrative bodies.
6. Regulation of international data transfers
- Before the Reform, this topic was not explicitly regulated in Chile. Now, international data transfers will be lawful in any of the following cases: (i) the data is transferred to a country that the Agency has declared to provide an adequate level of protection; (ii) the data is transferred under adequate contractual clauses; (iii) the company has adopted a compliance program based on binding corporate rules; or (iv) the data subject has given express consent.
7. New National Registry of Sanctions and Compliance
- The National Registry of Sanctions and Compliance will be managed by the Agency, and it will be public.
- This registry will include both companies that voluntarily adopt certified compliance models and sanctioned companies.
- The entries in this registry are public and will be kept for five years.