Legislation to Protect Personal Data and Create a Personal Data Protection Agency
December 2018
The Chilean Senate is considering important legislation to regulate the protection and treatment of personal data and create a personal data protection authority. A Bill was approved by the Senate Constitution Committee in April 2018. This Report Card addresses the Committee-approved Bill (“The Bill”) but also comments on specific amendments that are being considered.
The Bill is a thoughtful, comprehensive effort modeled on the recently enacted European Union General Data Protection Regulation. As is always the case with broad and complex legislation, there are several provisions that create business uncertainty and risk, especially for startups and small businesses. Improvements to The Bill – and thoughtful regulatory guidance regarding implementation and enforcement – could promote compliance and improve certainty for business, investors and consumers.
In general terms, The Bill:
- Establishes new rights, e.g., data portability and deletion;
- Defines consent as a free, specific, unequivocal and informed manifestation, which must be granted in advance and be specific as to its purpose;
- Establishes exceptions to consent (data relating to obligations of an economic, financial, banking or commercial nature; legitimate interest; when the processing of data is necessary for the formulation, exercise or defense of a right before the courts of law);
- Perfects the concept of Public Access Sources, those sources that are publicly accessible (for example the Internet), without any legal restrictions or impediments to their access or use of the data;
- Establishes greater regulation of sensitive data (including biometric data and data relating to the human biological profile) and of “special data” (children’s data; historical, statistical and scientific data; and geolocation data);
- Grants data holders a limited right to request that no decision affecting them in a significant way be adopted exclusively on the basis of the automated processing of their data;
- Creates a Personal Data Protection Agency to oversee compliance and enforcement;
- Creates a National Compliance and Sanctions Register;
- Establishes new procedures for pursuing liability;
- Regulates international data transfer;
- Regulates the duty to adopt security measures, and obligations to report breaches of security measures;
- Establishes the possibility for data controllers to adopt and certify a model for preventing breaches, associated with mitigating liability.
As noted in the score chart below, the Bill does an admirable job of addressing many concerns. However, there are several concerns, some of which are particularly troublesome for small companies and startups:
- Unusual Extraterritorial Jurisdiction. The principle of territoriality traditionally limits Chilean authority to people and activity within Chile’s borders. The Bill, however, seeks to regulate processors of data operating outside of Chile, including global activity that impacts Chilean residents and activity that concerns data of Chilean residents when they are outside of Chile’s borders.
One concern is that global enforcement could overwhelm the Chilean Data Authority. Another concern is a risk that some service providers may choose to cease doing business inside of Chile or with Chilean citizens. A third concern is that businesses will be subjected to multiple governments’ regulation and enforcement, which will increase complexity, cost and risk.
- Penalties Are Potentially Disproportionate and Unfairly Punitive. The Bill proposes very high fines and does not specify factors for regulators to consider that could mitigate their very harsh impact on small businesses. Additionally, the accessory sanction of suspending a firm’s ability to process personal data is highly punitive, perhaps unprecedented in Chilean law, and could result in bankruptcy for digital media and data processing enterprises.
- Problems with Consent. First, The Bill adopts a narrow GDPR principle that consent to data processing may be legally impossible when there is an “imbalance” between a person and the data controller or processor. However, The Bill does not adopt the narrow GDPR definition or otherwise define the “imbalance.” Potentially this provision could be used against data collectors to undermine vast amounts of legitimate activity.
Additionally, The Bill requires consent to be specific as to the data’s use, informed and approved in advance of collection. This protects against a generalized risk of “uncertainty,” but it appears to prohibit data collectors from studying data creatively and discovering unexpected and valuable trends that could benefit data holders.
- Obligations of Processors. The Bill assigns to Processors obligations to report data breaches to the Authority and to the Data Holders. However, a Processor is a technical role as compared to the Data Controller. It seems that the Processor’s obligation should be to the Controller, and that the Controller’s obligation should be to the Authority and to Data Holders.
CONCERNS IN AMENDMENTS
In addition to this commentary on The Committee Bill, three amendments under consideration cause concern:
- Proposed expansion of “sensitive data” definition to include many types of data that historically have not been considered sensitive and which are not identified with a specific person. This expansion will substantially expand the compliance burden and the risks of non-compliance and does not seem necessary to protect consumers.
- Requiring Data Controllers resident outside of Chile to register with the Chilean Data Authority. This requirement could inadvertently cause non-compliance (and risk serious fines) if enterprises do not know that a property is being accessed inside Chile or by Chilean residents.
- Imposition of fines based on a company’s sales. Although this methodology appears to ensure proportionality of the fines, it risks unfair impact on startups and low-margin businesses if it does not consider these and other variables when penalties are decided.
Clear Terms: Terminology should be clear to avoid confusion, inconsistency and disputes. [Score: 7/10]
Specific Harms: Legislation should focus on specific harms and outcomes. [Score: 6/10]
Helpful Processes: Required processes and notices should be clearly defined and helpful. [Score: 9/10]
Not Retroactive: Legislation should not be retroactive – new rules should not apply to previously lawfully collected data. [Score: 7/10]
Not Harmful: Legislation should not inhibit beneficial data models and uses. [Score: 9/10]
Free Speech: Legislation should not inhibit freedom of expression or government transparency. [Score: 9/10]
Simple Consents: Consent standards should be clear for organizations and promote clarity for consumers. [Score: 7/10]
International Commerce: International commerce and cooperation should not be inhibited. [Score: 8/10]
Fair Enforcement: Enforcement provisions should be responsible and trustworthy; not chilling or anti-competitive. [Score: 7/10]
Small Enterprises: Small organizations should not be prejudiced by impractical or anti-competitive burdens. [Score: 7/10]
“9-10” means the legislation thoughtfully accounts for the concern.
“7-8” means that, with adjustments, it can likely account for the concern.
“5-6” means it is neutral on the matter, or that any concerns can be readily cured or mitigated.
“3-4” means that it causes confusion or concern, but not in as widespread a manner as a “1” rating.
“1-2” means that it is poorly drafted or considered, and likely generates more confusion or problems than it cures.