Written by León Lanis V., Paralegal
Data and privacy protection is one of the main concerns of modern companies, mainly due to the risks that negligent use of personal data poses for a company's clients and the liability such negligence may create before regulators.
This dilemma has been under the scrutiny of many governments, especially after the Cambridge Analytica scandal and Facebook's negligence in protecting users' privacy.
Chile is not an exception to said scrutiny. In fact, it has been the concern of many politicians and companies for as long as 30 years. In 1996, the "Privacy Protection Law" entered into force in the country, setting high standards for the region, inspired mainly by Spain's privacy laws. But with time, this Law became outdated, mainly because it did not keep up with the gigantic advances of technology, especially social media and the internet of things (IoT). These advances changed international standards, especially with the General Data Protection Regulation (GDPR) of the European Union, regarded by experts as the most comprehensive and up-to-date standard in the world. After that regulation was enacted, the Organisation for Economic Co-operation and Development (OECD) set the GDPR as the standard to be followed by all nations, leaving the standards set by Chile very outdated compared with modern regulations. This set the stage for many political sectors to begin a long discussion on the amendment of the 1996 Law. The bill, which updates the privacy laws to modern standards, is now moving rapidly toward becoming law, and so businesses should be preparing to change their standards to what the next law will require.
In the present article, we will discuss some of the most important changes the bill proposes and how you should keep up to date with the new standards.
Creation of the Data Protection Agency
Following once more the success of Spain's local regulation, and also the example of Germany, Chile is very keen on the creation of an independent and autonomous institution focused on setting specific standards, imposing penalties for not following the rules, and providing guidance for companies and public institutions so that they can adapt their operations toward better protection of their users.
The bill specifically proposes that the Agency's objective is to "look after the effective protection of the rights that guarantee the private life of people and their personal data, in conformity with the law". The bill ensures this by allowing the Agency to:
- Interpret the law
- Issue general and specific regulations and normatives
- Supervise due diligence
- Punish through fines and other sanctions
- Resolve conflicts
If the Agency is set up with the same standards as its counterparts in Spain or Italy, we will probably see enormous fines for negligence, as those agencies have issued to companies such as Facebook or BBVA bank.
Consent is the most important right to any use of data
The 1996 law already set such a standard, but the bill is especially keen on the necessity of the data holder's consent before any use of data can even begin. The consent must be written and fully informed and must contain information such as the duration of the use, the extent of the use, to whom the data may be communicated, etc. Without express consent there is no legitimacy for data usage, and thus no operation involving personal data can be carried out without this principle.
These are the minimum standards of any data protection law in almost any country. The new bill adds new insights to said rights and adds a new one we will discuss further on:
- A for Access: this is the expression of the obligation of consent. To add to the previously discussed point, no company can deny access to a service or transaction to a user for not giving his or her personal data. The only exceptions to this are financial services, medical prescriptions and almost all essential services that can only work through the use of said data, be it because of the market's nature or because of existing regulation. Access also means that a holder must be able to access his/her data at any given moment with no more than 48 hours of delay.
- R for Rectification: the right of a user to change or clarify legitimately obtained personal data must be assured in any operation. This means that any company holding personal data of a user can't deny the rectification of data unless there is an express and justified reason, which can be challenged before the Data Protection Agency.
- C for Cancellation: at any given moment, by mere notification from the holder, a company or institution must cancel totally or partially any operation regarding the use of his/her personal data. A company or institution may oppose this, but only with the approval of the Agency.
- O for Opposition: a holder can oppose the total or partial use of his data for any type of usage. This must be notified to the company using the information, and it must comply within 48 hours or oppose within the same term before the Agency.
- P for Portability: due to the fluid information market, companies must assure any holder that their information can be transferred to any company of his or her choosing, even if said company is a competitor. This last right is the newest addition to the bill.
Publicly available records are not protected
Any publicly accessible information is not protected by the same rights as those discussed above. The only exception to this rule is for companies that check their employees' social media accounts; in that case, the employee must authorize the company in writing to access such information, with specific limits on the extent of the use of the data obtained from such access.
The aforementioned are the most essential aspects of the bill. At the moment it is being discussed in the Senate, but many experts suggest it should not undergo essential changes, so that it can be quickly dispatched for the President's signature.