DATA PROTECTION POLICY ANALYSIS
Chile: Legislation to Protect Personal Data and Create a Personal Data Protection Agency
Date: December 2018
The Chilean Senate is considering important legislation to regulate the protection and treatment of personal data and create a personal data protection authority. A Bill was approved by the Senate Constitution Committee in April 2018. This Report Card addresses the Committee-approved Bill (“The Bill”) but also comments on specific amendments that are being considered. The Bill is a thoughtful, comprehensive effort modeled on the recently enacted European Union General Data Protection Regulation. As is always the case with broad and complex legislation, there are several provisions that create business uncertainty and risk, especially for startups and small businesses. Improvements to The Bill – and thoughtful regulatory guidance regarding implementation and enforcement – could promote compliance and improve certainty for business, investors and consumers.
In general terms, The Bill:
- Establishes new rights, e.g., data portability and deletion;
- Defines consent as a free, specific, unequivocal and informed manifestation, which must be granted in advance and be specific as to its purpose;
- Establishes exceptions to consent (data relating to obligations of an economic, financial, banking or commercial nature; legitimate interest; when the processing of data is necessary for the formulation, exercise or defense of a right before the courts of law);
- Refines the concept of Public Access Sources: sources that are publicly accessible (for example, the Internet) without any legal restrictions or impediments on accessing or using the data;
- Establishes greater regulation of sensitive data (including biometric data and data relating to the human biological profile) and of "special data" (children's data; historical, statistical and scientific data; and geolocation data);
- Grants data holders a limited right to request that no decision affecting them in a significant way be adopted exclusively on the basis of the automated processing of their data;
- Creates a Personal Data Protection Agency to oversee compliance and enforcement;
- Creates a National Compliance and Sanctions Register;
- Establishes new procedures for pursuing liability;
- Regulates international data transfer;
- Regulates the duty to adopt security measures, and obligations to report breaches of security measures;
- Establishes the possibility for data controllers to adopt and certify a model for preventing breaches, associated with mitigating liability.
CONCERNS (particularly for small companies and startups)
As noted in the chart above, the Bill does an admirable job of addressing many concerns. However, there are several concerns, some of which are particularly troublesome for small companies and startups:
- Unusual Extraterritorial Jurisdiction. The principle of territoriality traditionally limits Chilean authority to people and activity within Chile’s borders. The Bill, however, seeks to regulate processors of data operating outside of Chile, including global activity that impacts Chilean residents and activity that concerns data of Chilean residents when they are outside of Chile’s borders. One concern is that global enforcement could overwhelm the Chilean Data Authority. Another concern is a risk that some service providers may choose to cease doing business inside of Chile or with Chilean citizens. A third concern is that businesses will be subjected to multiple governments’ regulation and enforcement, which will increase complexity, cost and risk.
- Penalties Are Potentially Disproportionate and Unfairly Punitive. The Bill proposes very high fines and does not specify factors for regulators to consider that could mitigate their very harsh impact on small businesses. Additionally, the accessory sanction of suspending a firm’s ability to process personal data is highly punitive, perhaps unprecedented in Chilean law, and could result in bankruptcy for digital media and data processing enterprises.
- Problems with Consent. First, The Bill adopts a narrow GDPR principle that consent to data processing may be legally impossible when there is an “imbalance” between a person and the data controller or processor. However, The Bill does not adopt the narrow GDPR definition or otherwise define the “imbalance.” Potentially this provision could be used against data collectors to undermine vast amounts of legitimate activity. Additionally, The Bill requires consent to be specific as to the data’s use, informed and approved in advance of collection. This protects against a generalized risk of “uncertainty,” but it appears to prohibit data collectors from studying data creatively and discovering unexpected and valuable trends that could benefit data holders.
- Obligations of Processors. The Bill assigns to Processors obligations to report data breaches to the Authority and to the Data Holders. However, a Processor is a technical role as compared to the Data Controller. It seems that the Processor’s obligation should be to the Controller, and that the Controller’s obligation should be to the Authority and to Data Holders.
CONCERNS IN AMENDMENTS
In addition to this commentary on The Committee Bill, three amendments under consideration cause concern:
- Proposed expansion of “sensitive data” definition to include many types of data that historically have not been considered sensitive and which are not identified with a specific person. This expansion will substantially expand the compliance burden and the risks of non-compliance and does not seem necessary to protect consumers.
- Requiring Data Controllers resident outside of Chile to register with the Chilean Data Authority. This requirement could inadvertently cause non-compliance (and risk serious fines) if enterprises do not know that a property is being accessed inside Chile or by Chilean residents.
- Imposition of fines based on a company’s sales. Although this methodology appears to ensure proportionality of the fines, it risks unfair impact on startups and low-margin businesses if it does not consider these and other variables when penalties are decided.
CLEAR TERMS: Terminology should be clear to avoid confusion, inconsistency and disputes. [Score: 7/10]
Most definitions are very clear, but some important definitions may be too broad. For example, the Bill defines “data controller” and “data processor” very differently, but some of the controller’s obligations, such as breach notifications, are inexplicably applicable to processors also.
SPECIFIC HARMS: Legislation should focus on specific harms and outcomes. [Score: 6/10]
In some cases the Bill focuses on specific results – for example, the privacy policies of controllers or the procedures by which holders of personal data can exercise their rights quickly. On other occasions, the Bill seeks more general outcomes, such as the treatment of sensitive data to enable use for scientific studies, statistics, medical assistance or legal defense. In general, the Bill’s desired “result” is that processing of personal data should be for the purpose for which the data was collected and not for different purposes. This protects against a generalized risk of “uncertainty,” but it appears to prohibit data collectors from studying data creatively and discovering unexpected and valuable trends that could benefit data holders.
HELPFUL PROCESSES: Required processes and notices should be clearly defined and helpful. [Score: 9/10]
The Bill regulates in detail the different procedures, the conduct associated with infractions, and actions to object to decisions of the data authority.
NOT RETROACTIVE: Legislation should not be retroactive – new rules should not apply to previously lawfully collected data. [Score: 7/10]
The Bill provides two years between enactment and implementation, which will be helpful to most industry stakeholders. However, the Bill requires deletion of large amounts of data collected prior to the implementation date (two years after enactment). This may have punitive impacts on data-collecting companies that were following the law for many years, and this data’s removal may harm results of some collectors’ and processors’ analytical work.
NOT HARMFUL: Legislation should not inhibit beneficial data models and uses. [Score: 9/10]
The Bill does not appear to inhibit any existing models and uses of data, or to inhibit potential new models or uses of data.
FREE SPEECH: Legislation should not inhibit freedom of expression or government transparency. [Score: 9/10]
The Bill expressly protects processing data in the exercise of the freedoms to express opinion and to inform, as guaranteed by the Political Constitution of the Republic of Chile. Likewise, the media are excluded, being only obliged to the Bill when processing data for purposes other than that of expressing an opinion and informing.
SIMPLE CONSENTS: Consent standards should be clear for organizations and promote clarity for consumers. [Score: 7/10]
The Bill requires consent that is “free, specific, unequivocal and informed.” These requirements appear to be straightforward, but it is uncertain how much detail will be required with regard to specificity and information. If consumers are overwhelmed with extremely long, detailed data processing requests then “consent fatigue” may occur – as consumers simply agree to all requests without reading them. There is also a concern that future analytical discovery may be inhibited by the obligations of specificity and advance approval.
INTERNATIONAL COMMERCE: International commerce and cooperation should not be inhibited. [Score: 8/10]
Although the Bill regulates for the first time in Chile the international transfer of personal data, which will impose new contractual and operational burdens, unlike the GDPR it does not create significant commercial barriers and burdens on companies wishing to operate in Chile. In significant part this is because The Bill establishes several types of cases in which international transfer will be permitted.
FAIR ENFORCEMENT: Enforcement provisions should be responsible and trustworthy; not chilling or anti-competitive. [Score: 7/10]
The Bill’s enforcement provisions are straightforward and neutral, but there are two enforcement concerns. One concern is that potentially very high fines (including fines based on income if amendments are approved) could have much harsher impact on startups and low-margin businesses as compared to mature high-margin businesses. Another concern is that overlapping global enforcement by many governments will overwhelm businesses with compliance complexity, conflicts between governments and different enforcement outcomes. Both of these concerns can be addressed by regulatory flexibility and enforcement authority coordination.
SMALL ENTERPRISES: Small organizations should not be prejudiced by impractical or anti-competitive burdens. [Score: 7/10]
Small organizations, particularly those with no margin or negative margins, may be unfairly punished by revenue-based penalties if enforcement authorities are not sensitive to their particular circumstances.
means the legislation thoughtfully accounts for the concern.
means that, with adjustments, it can likely account for the concern.
means it is neutral on the matter, or that any concerns can be readily cured or mitigated.
means that it causes confusion or concern, but not in as widespread a manner as a “1” rating.
means that it is poorly drafted or considered, and likely generates more confusion or problems than it cures.