The regulatory framework for data protection in Chile and future challenges

May 2015

Chilean Data Protection Law N° 19.628 (DPL) was enacted in August 1999, after six long years of discussion in Congress. Despite over fifty Bills having been presented before Congress to modify the DPL, only five minor amendments (in 2002, 2010, 2011 and 2012) have been passed, and these have neither drastically changed its basic structure nor modified its distinctive characteristics. The remainder have, for a variety of reasons, fallen by the wayside.

It would be difficult to find anyone who believes that Chile's fifteen-year-old DPL is fit for purpose. Data subjects are faced with a law that resembles a wolf with no teeth: a data protection law that sets out several rights for data subjects without providing them with ways to enforce those rights, starting with the absence of a data protection authority. Data users, on the other hand, have a list of legal obligations with regard to personal data, but the scope of their duties and the actual extent of a handful of poorly drafted exceptions to their obligations make it very difficult to have any degree of certainty as to how to comply with the law.

The DPL is based on European data protection statutes (in particular those of Spain, France and the UK), some of which were changed or repealed even before the DPL came into existence.

The regulatory framework of data protection in Chile

The general rule set out by the DPL is that data processing requires explicit authorisation, either as provided by law, or by way of consent from the data subject.

The data subject must give written, informed and probably prior consent to the processing of their personal data. The data subject must be informed of the purpose of the processing and any potential transfer of the data to third parties.

Article 4 of the DPL provides for certain exemptions from the consent requirement:

  • no consent is required for the processing of personal data that originates, or is compiled, from sources accessible to the public, provided that such data is: (i) economic, financial, banking or commercial in nature; (ii) indicative of a person belonging to a certain class of persons (e.g. the person's professional or business activities, educational degrees, address, or date of birth); or (iii) necessary for direct commercial communications or the direct sale of goods and services; and
  • an exemption that authorises the internal processing of personal data by companies and judicial persons without obtaining the written consent of the data subject, where the processing of personal data is performed by private entities "for their exclusive use only, for the use of their associates or the entities to which they are affiliated, for statistical or tariff purposes or for other purposes of their general benefit". The actual scope of this exemption is, however, far from clear. We know it was originally intended to benefit insurance companies and later to benefit companies in general. We understand the exemption to mean that private legal entities may process personal data for their exclusive use, for statistical purposes or other purposes for their general benefit; and not-for-profit legal entities may process personal data for the benefit of their associates and affiliates.

The extent of these exemptions has not, to our knowledge, ever been tested in court, nor has it been discussed or interpreted by administrative entities due to the lack of a data protection authority in Chile.

Main criticisms of the DPL

One of the main criticisms of the DPL is the fundamental problem that its basic concepts are poorly drafted, leaving ample margin for interpretation, presumably in the hope or expectation that administrative and judicial case law would come to the rescue to fill in the gaps. Unfortunately, the DPL does not provide for a Data Protection Authority to interpret the law or outline the meaning of the legal terms. This leaves any issues to the jurisdiction of ordinary courts on summary proceedings that may take up to three years to resolve at first instance. The fact that the data subject has the burden of proof to show that illegal data processing has caused him/her damage, together with very low fines for non-compliance (up to US$ 3,500), provides little incentive to litigate any data protection related matter. Almost all of the existing case law relates to breaches of obligations related to the disclosure of economic, financial, banking or commercial information in commercial bulletins.

Efforts to amend or repeal the DPL

In the past few years, there have been several legislative initiatives attempting to amend the DPL. The most relevant ones have been the Bill in Bulletin 6120-07 from 2008, presented during President Bachelet's first term; and the Bill in Bulletin 8143-03 from 2001, presented as an initiative during President Piñera's government. Both of these Bills, although still officially "in the process" of discussion, have been effectively abandoned.

The current administration has been preparing a Bill of law that, if passed, will repeal the DPL and replace it with a brand new law with a completely different structure. This 'pre-Bill' has not yet been presented before Congress.

Before filing the Bill with Congress, the Under Secretary for Economic Affairs led a series of meetings where relevant stakeholders from the private and public sector and academia participated in a working roundtable, discussing the draft of this pre-Bill. In parallel, an online open citizen consultation process opened the text of the pre-Bill up to questions and comments from anyone who wished to participate.

As a result of the citizen consultation and the work of the stakeholders' roundtable, a document was issued with questions / comments and answers from the Ministry of the Economy with regard to the content of the pre-Bill.

The final draft of the Bill has not yet been presented to Congress, nor has a new draft of the pre-Bill, which takes into account the results of the consultation, been published. However, the initial text of the pre-Bill shows that it will be based mainly on European data protection legislation, particularly the existing Spanish regulation, although the unofficial intention is also to take account of the European proposals to update its data protection law. It provides for a data protection authority and regulation of international data transfers for the first time, sets out a more comprehensive (although restrictive) list of justifications for processing which are consistent with current international standards, states registration obligations and provides incentives for self-regulation. It looks as though Chile is moving towards a more comprehensive and suitable data protection regime, albeit slowly. It is to be hoped that progress will continue.


Paulina Silva

Paulina (of Carey y Cía) looks at the problems with the current data protection regime in Chile and ahead to possible reform.