Progress in the discussion of the bill on personal data: summary of the main legislative indications

Dentons

Last month, the Constitution, Legislation, Justice and Regulation Committee of the Chamber of Deputies began debating each of the indications (proposed amendments) submitted to the bill that regulates the protection and processing of personal data (Bulletins No. 11,092-07 and No. 11,144-07, consolidated).

Before that, the Committee spent several months hearing a large number of organizations, individuals and academic experts on a bill that had already been debated in the Senate for more than four years. All of them agreed on the importance of moving forward on this matter as quickly as possible, while recommending changes or improvements in specific areas of the bill.

It should be noted that this bill updates the current Law No. 19,628 on the protection of privacy. The new legislation promises important novelties in data privacy matters, such as:

  1. The enshrining of principles that should guide the activity of personal data processing (purpose, proportionality, security, transparency, etc.).
  2. The establishment of new rights for data owners, specifically opposition and portability of personal data, added to the rights of access, modification and deletion.
  3. The imposition of obligations on data controllers, such as the duty to adopt cybersecurity measures, to apply data protection by design and by default, to publish processing policies, to have transparency and publicity mechanisms, etc.
  4. The establishment of requirements for the international transfer of personal data.
  5. The creation of an agency specialized in the enforcement of the law and the sanctioning of infractions.
  6. Increased penalties, including fines of up to USD 635,000 and the incorporation of the offender into a sanctions registry.

General overview

On Monday, June 6, the deadline set by the Constitution Committee for parliamentarians and the Executive Branch to submit additions or amendments to the bill, which frame the debate on the bill in particular, expired. Within that period, deputies Leonardo Soto, Miguel Ángel Calisto, Andrés Longton, Luis Fernando Sánchez and Raúl Leiva, as well as the Vice-President of the Republic, submitted slightly more than 100 indications in total.

In general, the indications aim at clarifying minor issues (replacing the term "cancel" with "delete"); strengthening the powers of the Criminal Prosecutor's Office to use personal data in its investigations; and removing the article on automated processing of large volumes of data; among others.

None of the amendments radically alters the regulatory framework approved in the Senate, except for the indication of Deputy Leonardo Soto that seeks to replace the Personal Data Protection Agency with the Council for Transparency (CT). It seems unlikely, however, that this idea will prosper in the debate, since determining the functions of public bodies (in this case, the CT) is a matter on which legislative initiative belongs exclusively to the President of the Republic. In this regard, the Minister Secretary General of the Presidency, Giorgio Jackson, has already announced that the Executive's position is to have an agency specialized in the matter rather than an existing body.

Summary of the main indications

Requirement for foreign suppliers to have a representative in Chile

The bill, in its version approved by the Senate, establishes that data controllers who are not domiciled in Chile must "indicate and keep updated and operative an e-mail address or other suitable means of contact to receive communications from data subjects and from the Personal Data Protection Agency" (art. 14, final clause).

Indications have been presented, however, that raise questions about the territorial reach of the new legislation. It has therefore been proposed that foreign providers designate in writing to the Agency "a representative domiciled in the country for the purposes of the holder to exercise his rights under this law and to receive the necessary judicial or administrative communications and notifications" (L. Sánchez). A similar provision exists in the EU General Data Protection Regulation, whose Article 27(1) requires controllers not established in the European Union to "designate in writing a representative in the Union".

Removal of public access sources

The Executive Branch's indication removes, from the grounds of lawfulness for processing that do not require the data subject's consent, personal data collected from publicly accessible sources. During the discussion in the Committee, it was argued that keeping this ground would make it impossible for data subjects to exercise control over their personal data and, with it, the right to informational self-determination. In Europe, publicly accessible sources were likewise dropped as a ground of lawfulness.

Replacement of the control authority

The indication of deputies Leonardo Soto and Miguel Ángel Calisto proposes giving the Council for Transparency (CT) the authority to control, supervise and sanction in matters of personal data. This idea was discussed at length in the Senate, where it was finally decided to create an agency dedicated specifically to data privacy.

Formally, the indication is inadmissible, since it invades matters of exclusive initiative of the President of the Republic by determining the functions and attributions of an existing public service (in this case, the CT), whose prerogatives would be increased.

Substantively, giving the CT the lead in data privacy matters contradicts the fundamental mission the legislator assigned to that body when it was created: making public information public. The data protection function, by contrast, seeks to keep private information out of the reach of third parties. One body must ensure the openness and transparency of public acts and resolutions; the other must safeguard personal and sensitive data.

Increase in the regulatory burden foreseen for the duty of information and transparency

In the version passed by the Senate, the bill treats as part of the duty of information and transparency the obligation of the data controller to keep available to the public its data processing policy; the identity of the person in charge of prevention, if any; its postal and e-mail addresses; the security measures adopted; the rights of the data subject and the possibility of recourse to the Agency; etc.

Now, in the Chamber of Deputies, an indication of Deputy Leonardo Soto adds new requirements to this duty of information and transparency, such as: indicating the basis for legitimacy of the processing, and in the case of processing based on the satisfaction of legitimate interests, what these would be; the controller's intention to transfer personal data to a third country or international organization and whether or not these offer an adequate level of protection; the period during which the personal data will be kept or, where this is not possible, the criteria used to determine this period; the existence of automated decisions, including profiling, and, at least in such cases, meaningful information on the logic applied, as well as the significance and expected consequences of such processing for the data subject; among others.

Increase in the regulatory burden foreseen for the duty to adopt security measures

The Executive Branch has proposed an indication that further specifies the content of the duty to adopt security measures. It proposes that the controller and the processor implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, which may include, among others:

  • Pseudonymization and encryption of personal data
  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
  • The ability to restore availability and access to personal data quickly in the event of a physical or technical incident
  • A process of regular verification, evaluation and assessment of the effectiveness of technical and organizational measures to ensure the security of processing

These measures are to be determined taking into account the state of the art and the cost of implementation, as well as the nature, scope, context and purposes of the processing, and the risks of varying likelihood and severity to the rights and freedoms of data subjects.

Incorporation of an impact assessment

Deputies Leonardo Soto and Miguel Ángel Calisto propose adding an article 15 quater requiring an impact assessment of data processing operations. In essence, the assessment applies when "a type of processing, in particular if it uses new technologies, by its nature, scope, context or purposes, is likely to involve a high risk to the rights and freedoms of individuals". A single assessment may cover a set of similar processing operations that present similar high risks.

When carrying out the assessment, the data controller shall seek the advice of the data protection officer, if one has been appointed. The assessment is also mandatory whenever the Agency so requires. It shall include, at a minimum:

  • A systematic description of the intended processing operations and the purposes of the processing, including, where appropriate, the legitimate interest pursued by the controller
  • An assessment of the necessity and proportionality of the processing operations with respect to their purpose
  • An assessment of the risks to the rights and freedoms of the holders
  • The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data, and to demonstrate compliance with this law, taking into account the rights and legitimate interests of data subjects and other affected persons.

The controller shall consult the Agency prior to processing where an impact assessment shows that the processing would entail a high risk if the controller does not take measures to mitigate the risk.

Elimination of automated processing of large volumes of data

Deputies Leonardo Soto and Miguel Ángel Calisto propose deleting Article 15 ter, which regulates the automated processing of large volumes of data. This activity is carried out by large companies working with big data and by anyone operating an artificial intelligence system that processes data at scale; it is a central element of marketing today.

The purpose of this indication is not yet known, but it hardly seems that the parliamentarians want to prohibit these operations. More likely, it is meant to avoid unnecessary repetition within the bill, since automated processing is already recognized in the current article 8 bis and it would serve no purpose to distinguish whether large or small volumes of data are involved. On the other hand, during the discussion in the Committee, one of the speakers argued that the regulation of algorithms or automated decisions should not be included in a privacy regulation at all.

Prohibition of the processing of data relating to health and human biological profile

Deputies Soto and Calisto propose deleting the article on data relating to health and human biological profile, keeping only the subsection that contains its prohibition: "The processing and transfer of data relating to the health and biological profile of a holder and biological samples associated with an identified or identifiable person, including the storage of biological material, is prohibited when the data or samples have been collected in the labor, educational, sports, social, insurance, security or identification fields, unless the law expressly authorizes its processing in qualified cases and that it refers to any of the cases mentioned in this article."

In the general discussion of the bill, it was noted that the legislation on the rights and duties of patients already regulates this matter, so it seems unnecessary to address it in the data privacy bill.

Expansion of the Agency's audit powers

One of the Agency's powers is to oversee compliance with the provisions of the law, its regulations and the instructions and general rules issued with respect to the processing of personal data. To this end, it may require those who carry out data processing to deliver any document, book or record and all the information necessary for the fulfillment of its supervisory function.

On this point, deputies Soto and Calisto propose complementing the authority's powers by also empowering it to "obtain access to the premises of the controller and of the third party mandated or entrusted with the processing, including any equipment and means of data processing, in accordance with the procedural rules governing the matter".

Increase in the fine threshold

The bill passed by the Senate contemplates three types of sanctions: reprimand, suspension of data processing for up to 30 days, and fines. Depending on the nature of the infraction, the fine ranges from 1 to 100 UTM (Unidad Tributaria Mensual, the Chilean monthly tax unit) for minor infractions; from 101 to 5,000 UTM for serious infractions; and from 5,001 to 10,000 UTM for very serious infractions.

The indications of the Executive Branch and of deputies Soto and Calisto aim at raising the ceiling of fines for serious and very serious infractions when the responsible party is a company. Serious infractions would still be sanctioned with a fine of 101 to 5,000 UTM, but in the case of companies the fine could reach the equivalent of 2% of the infringer's total global annual sales in the previous year, whichever amount is higher.

For very serious infractions, the fine would remain 5,001 to 10,000 UTM, but for companies it could reach the equivalent of 4% of the infringer's total global annual sales in the previous year, whichever amount is higher.

Exclusion of revoked certifications as a notation in the Compliance and Sanctions Registry

The indications of Deputy Luis Sánchez and the Executive Branch seek to remove from the annotations in the Compliance and Sanctions Registry the information on persons who held a prevention model certificate and had it revoked. The purpose seems to be not to discourage the adoption of prevention models.

Although it was raised in the general discussion, however, the entry in the Registry still lasts 5 years regardless of whether the conviction was for a minor, serious or very serious infraction. This could be disproportionate in light of the constitutional guarantee of equality before the law and the prohibition of arbitrary discrimination.

Unification of the infraction prevention model

The bill offers the responsible party a choice between two alternative infraction prevention models: (i) designating a data protection officer; or (ii) adopting a compliance program, which also entails designating a data protection officer. Deputy Luis Sánchez proposes unifying the two. It would make little sense to have two entirely voluntary prevention models, since companies would simply opt for the less burdensome one in order to benefit from the mitigation of liability for a possible infraction. It therefore seems more reasonable to keep a single prevention model, still entirely voluntary, but clear and precise.

Mechanism for the control of constitutionally autonomous bodies

Several State bodies enjoy constitutional autonomy, such as the Office of the General Comptroller of the Republic, the Criminal Prosecutor's Office, the Constitutional Court, the Central Bank, the Electoral Service and the Electoral Justice. By virtue of this autonomy, it does not seem desirable for them to be subject to another organ or power of the State. For this reason, the bill provides that the Agency will have no powers over their actions.

An indication of Deputy Luis Sánchez, however, seeks to subject those actions to some control over effective compliance with the law. It proposes that such autonomous bodies report once a year on four matters: (i) the complaints filed against them by data subjects; (ii) the policies, rules and instructions they have issued to comply with the principles and obligations established in the law; (iii) the disciplinary actions they have taken in relation to infractions committed in this area by their officials; and (iv) any other matter that such institutions and bodies consider of interest to the Commission in this area.

Sernac's specific competence in consumer relations matters

An indication of the Executive Branch seeks to preserve the competence of the National Consumer Service (Sernac) over the interpretation of personal data rules as applied to consumer relations.

The Senate's text, by contrast, left interpretation, supervision and sanctioning in data privacy matters entirely to the Agency, precisely in order to avoid regulatory asymmetries.

Other proposed changes

There are other indications which, although of lesser scope and legal consequence, together reshape the landscape of personal data processing in the country.

  1. The police, prosecutors, courts and other authorities in charge of criminal prosecution would be removed from the scope of the new legislation (A. Longton, L. Soto and M. Calisto), so as not to hinder or slow down their work; these actors would be left with a laxer standard for data processing.
  2. The list of examples in the definition of "personal data" (name, identity card number, etc.) would be eliminated, so that the adjudicator can bring a larger number of cases within the definition (A. Longton, L. Soto and M. Calisto).
  3. It is specified that not all "personal habits" constitute sensitive data, but only those that refer to sensitive data (Executive Branch), since most daily habits (going to the supermarket, going out to exercise, etc.) do not necessarily imply or relate to sensitive data.
  4. The "right of cancellation" is renamed the "right of suppression" (Executive Branch), to avoid confusion in domestic law with the creditor's act which, upon payment by the debtor, extinguishes or "cancels" the obligation.
  5. The right of portability is improved in two ways. First, data are to be transmitted directly between data controllers when technically possible (Executive Branch). Second, exercising the right of portability will not always entail deleting the data held by the transferring controller, since for various reasons the data subject may wish to keep personal data at both entities in order to receive different services (L. Sánchez).
  6. The mention of revoked certifications of prevention models is removed from the Compliance and Sanctions Registry (Executive Branch, L. Sánchez), because it removed the incentive for controllers to adopt these voluntary models: on losing the certification, they would be exposed to the social reproach of appearing in a registry with a withdrawn certification.
  7. The principle of proportionality is clarified: the personal data processed must be "strictly" (L. Soto and M. Calisto) limited to those that are necessary, "adequate and relevant" (Executive Branch) in relation to the purposes of the processing.
  8. Consent must not only be free, informed, specific as to its purpose and unequivocal, but also "prior" (L. Sánchez) and "express" (A. Longton).
  9. Sensitive data of children and adolescents under 16 may be processed without parental consent when the processing is for the purpose of contacting the parents or representatives, for the minor's own protection, or in the context of preventive or counseling services offered directly to the minor (R. Leiva).
  10. The special category of processing for historical, statistical, scientific and study or research purposes is clarified: all of these must serve "public interest purposes" in order to qualify as a legitimate interest serving as a ground of lawfulness (L. Sánchez). In addition, the controller must perform a risk analysis when such work involves sensitive data (L. Sánchez).
  11. Some infractions are recategorized. Providing incomplete information during certification of the prevention model is no longer a very serious infraction: one indication proposes making it a serious infraction (L. Soto and M. Calisto) and another a minor one (L. Sánchez). It is also specified that the very serious infraction is providing false information "knowingly" (L. Soto and M. Calisto) in the certification process.
  12. Suspension of the processing of personal data would not affect the storage of data held by the controller, could be partial or total, and could not be ordered where it would harm the rights of data subjects (Executive Branch). It is also proposed that the sanction be imposed for successive periods of "at most" (L. Soto and M. Calisto) 30 days.
  13. For the claim of illegality filed before the Court of Appeals against any resolution of the Agency, it would suffice that the act is illegal, without the claimant having to prove that it causes them harm (L. Soto and M. Calisto).
  14. Insurance companies could establish shared databases for claims settlement and statistical-actuarial collaboration, enabling pricing, risk selection and the preparation of insurance technique studies (R. Leiva).
  15. The entry into force of the new legislation is postponed. Originally, new databases had one year from publication in the Official Gazette, and pre-existing databases 18 months, to adapt to the new standards. It is now proposed that the law enter into force two years after publication (R. Leiva). For smaller companies, it is proposed that it take effect after 19 months and that 24 months be allowed to adapt their pre-existing databases (Executive Branch).

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dentons | Attorney Advertising
