Opinion: Chile, a suitable country?

I am text block. Click edit button to change this text. Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.

In 2010, Chile joined the Organization for Economic Cooperation and Development (hereinafter “OECD”), becoming the first South American member country of the organization.

To join this organization, countries must adopt certain international standards in economic and commercial matters, in order to establish a minimum common denominator regarding the way in which public policies are organized and performed. Beyond purely economic aspects, and always under the basis of the joint efforts of member countries to share experiences, statistics and regulations, the OECD seeks to develop best practices in different public policy areas, such as education, probity and integrity, corporate governance, financial markets, environment and personal data protection.

In the field of personal data protection, perhaps because the OECD did not set a strict deadline for its adaptation and final adoption, or perhaps because other issues were considered more pressing, the fact is that Chile has still not managed to improve its legislation, being currently considered by the OECD as an “unsuitable” country in this matter.

Among the main shortcomings of the current legislation, according to the OECD, are: the absence of an independent and impartial oversight or supervising authority, with disciplinary powers to ensure compliance; the absence of a general regime of responsibility derived from the incorrect processing of personal data; low penalties and level of fines that do not have any preventive or deterrent effects, and the absence of rules governing international data transfer.

The supervisory authority is one of the most relevant and necessary aspects for incorporating data protection in the legislation, since the lack of an institutional framework with the aforementioned characteristics currently results in legislation with few degrees of control. All these, considering the fact that accelerated global technological development requires constant updating in the sphere of domestic regulation and interpretation, which can only be effectively achieved by an institution totally dedicated to the matter in question.

In order to cope with this reality, the Chilean Congress is studying a bill of law (hereinafter the “Bill”), which seeks to remedy the above, introducing amendments that will substantially update existing Law No. 19,628 (hereinafter, the “Personal Data Law”). The guidelines and legislation set as reference for the drafting of the Bill were those of the European Council and other regulations of the European Union, the Asia-Pacific Economic Cooperation Forum (APEC) and the Madrid Resolution on International Standards for the Protection of Personal Data and Privacy, as well as recommendations of the OECD itself.

Although one of the first major advances in this area was the constitutional amendment of June 2018, which enshrined the right to personal data protection, the Bill contains new features that are worth highlighting and that would adjust the Personal Data Law to international standards. Thus, Chile would be on the way to reach adequate levels of protection in accordance with OECD requirements. Among the main proposed changes, we can highlight the following:

a) The establishment of the principles of legality of treatment, purpose, proportionality, quality, safety, responsibility, transparency and information and confidentiality, which will govern the processing of personal data and will comprise the theoretical and regulatory framework of this regulation. For government agencies involved in data processing, the principles of coordination, efficiency, transparency and publicity are also incorporated.

b) The adaptation of the terminology of the Personal Data Law for streamlining it with more modern regulations in this matter.

c) The incorporation of new rights to protect the personal data of individuals, the so-called “ARCO” rights, access, rectification, cancellation and opposition, which will be personal, non-transferable and inalienable, and limitations by any act or convention being prohibited. The right to personal data portability is also introduced, giving individuals the right to request a copy of them in a structured manner, in a generic and commonly used format, and to communicate or transfer them to another data controller, if certain requirements or circumstances concur. In this same area, the procedure and the means whereby individuals can exercise their rights before the data controller are also established.

d) The regulation of the consent requirements for authorizing data processing, which must be free, informed, unequivocal and specific in terms of their purpose, and the implementation of other lawful forms for the processing of data.

e)  The establishment of a regime of responsibilities, obligations and duties for those responsible for data, also regulating the automated processing of large volumes of data and the assignment or transfer of personal databases, as well as the processing of data through a third party or agent representing or commissioned by the person responsible. It also contemplates adopting new descriptions and classifications of the infringements that may be incurred by those responsible for data, categorizing them as minor, serious and very serious, depending on the protected legal right; fines and penalties are increased considerably, recidivism is regulated, increasing penalties, creating the National Compliance and Sanctions Registry and establishing mitigating factors, such as the adoption of crime prevention models.

f) The establishment of general rules and regulations for the treatment of sensitive personal data and their exceptions, and the incorporation of new special categories related to children and adolescents, data for historical, statistical, scientific and research purposes and geolocation data, which are all subject to special regulation.

g) The creation of a Personal Data Protection Agency (hereinafter the “Agency”), a public, autonomous, decentralized, technical agency with legal status and its own equity, subject to the supervision of the President of the Republic through the Ministry of Finance, whose mission will be to ensure compliance with regulations regarding the processing of personal data and their protection.

h) The regulation of the international transfer of personal data.

As mentioned above, the creation of an oversight authority is perhaps one of the most important modifications of the Bill, since it is essential to establish a body with broad powers to supervise the massification of internet access, electronic commerce, etc. especially in such a specific area that has developed at an accelerated rate with technological changes. However, it was noted that, under the standards of the OECD in this particular sphere, the authority would not be entirely independent, since that body would be subject to the supervision of the President of the Republic through the Ministry of Finance.

Since there is no single model in comparative law, it cannot be stated a priori that the Bill does not meet international criteria, due to this single structural fact of the Agency; however, this is an aspect that must be addressed during the parliamentary discussion, with a view to maintaining continuity in the Bill’s criteria and objectives, allowing adequate data protection beyond the changes in the current government. Furthermore, the government is potentially – as has already occurred – a party interested in the use of the data and, therefore, for it to have sole control of the Agency seems at least questionable.

Finally, and in relation to the above, a few weeks ago the National Congress received a proposal from the Executive Power for the Council for Transparency (“CPLT”), an autonomous body of a constitutional nature that oversees public transparency, lobbying practices before public officers and the right of access to information by citizens, to be the authority that oversees the rules and regulations in regard to data protection.

Among existing agencies, the CPLT is probably the one that most closely relates to the area under discussion, nonetheless one must bear in mind that the rights protected by the Agency proposed in the Bill, on the one hand, and by the CPLT, on the other, are different because their scope and purpose are diverse and, to a certain extent, contradictory. Until now, the purpose of the CPLT is to make grounds for the decisions of government administrative agencies to be transparent and public, whereas the Agency seeks to safeguard the rights and freedoms of individuals with regard to the processing of their personal data by other individuals or legal, public or private bodies, preventing said data from being breached. It will therefore be essential, if the Executive’s indication is approved, for the CPLT to maintain the necessary independence, not only in terms of its organizational structure, but also in the application of the criteria and decisions it adopts regarding the protection of personal data, streamlining interests that may appear to be conflicting.

Fuente: Abogados.com.ar
2 de agosto de 2018

Alejandra Leiton
Associate

Contact Us

We're not around right now. But you can send us an email and we'll get back to you, asap.