Recently, the bill regulating the protection and processing of personal data and creating the Personal Data Protection Agency (hereinafter, the “Bill”) concluded its discussion in the Joint Committee, and has been forwarded to the House of Representatives for further processing. The session in which the Bill will be discussed is scheduled for Wednesday, July 31, 2024.
Thus, the Bill advances its legislative process, pending approval by the House of Representatives and the Senate, submission to the Constitutional Court for constitutional review, and subsequent forwarding to the President of the Republic for enactment and subsequent publication.
- I. MATTERS ADDRESSED IN THE LAST SESSION OF THE JOINT COMMITTEE
Regarding the matters discussed in the last session of the Joint Committee, the following points are noteworthy:
- Right of Cancellation: Concerning the right of cancellation contained in Article 7 of the Bill, it was agreed to remove the term "especially," with the purpose of establishing a definitive list of grounds allowing the data subject to exercise this right.
- Sources of Lawfulness for Data Processing: Regarding the regulation in Article 13 of the Bill, related to the sources of lawfulness for data processing without the data subject's consent, the members of the Joint Committee agreed to, firstly, remove letter a) of the said article, which allowed data processing when collected from a publicly accessible source. Secondly, they added the phrase “including data related to the socio-economic situation of the data subject” in literal b) of Article 13, thus allowing the processing of socio-economic data within the framework of financial or credit operations.
- Information Communication: Regarding the information that can be communicated by those responsible for personal databases, it was agreed to include the term "compliance" in Article 17 of the Bill, to allow not only the reporting of non-compliance with financial obligations but also their compliance, thereby facilitating access to credit for individuals.
- Data Processing by Public Agencies: Concerning Article 54 of the Bill, it was agreed to maintain the second paragraph proposed by the Senate, which establishes the jurisdiction of the internal bodies of certain public entities to perform the functions and make the decisions assigned by law to the Personal Data Protection Agency. Additionally, a provision was added allowing judicial appeals against the acts issued by these internal bodies, regarding the matters submitted to their knowledge in exercising such functions.
Moreover, it was agreed to maintain the fourth paragraph proposed by the Senate, which recognizes the autonomy of certain State bodies concerning the regulatory, supervisory, and oversight functions assigned to the Personal Data Protection Agency.
- Applicable Sanctions: It was agreed to amend Article 35 of the Bill, increasing the amount of fines applicable for each type of infraction and establishing only a maximum limit for each category.
Additionally, concerning larger companies, it was established that in the case of recidivism under the terms of Article 36 of the Bill, an alternative penalty may be imposed, being the greater amount between a fine up to three times the value of the committed infraction or a calculation of 2% or 4% of the previous year's sales and service revenues.
Finally, it was agreed to incorporate a transitional provision applicable to smaller companies, allowing for a general admonition penalty to be applied within the first 12 months following the law’s enactment, to facilitate the adaptation of these companies to the new regulations and the criteria adopted by the Personal Data Protection Agency.
- II. NOTABLE ASPECTS OF THE BILL
Firstly, it should be noted that although the Bill primarily aims to amend Law No. 19,628 on the protection of privacy, it also makes amendments to other legal bodies, namely:
- Modificaciones a otros cuerpos normativos
En primer lugar, es preciso indicar que, si bien el Proyecto tiene como objeto primordial modificar la Ley N°19.628, sobre protección de la vida privada, también efectúa modificaciones a otros cuerpos normativos, a saber:
- Law No. 20,285 on access to public information.
- DFL No. 3 of 2021 of the Ministry of Economy, Development, and Tourism, which sets the consolidated, coordinated, and systematized text of Law No. 19,496 establishing rules on consumer rights protection.
- Regulatory Authority
Secondly, it should be highlighted that the Bill stipulates that the regulation of the following matters should be carried out through regulations:
- The establishment of conditions, modalities, and instruments for the communication or transfer of personal data between public agencies and with private persons or entities, as well as procedures for the anonymization of personal data, especially sensitive personal data. These matters must be established through a Regulation issued by the Ministry of the General Secretariat of the Presidency.
- The determination of requirements, modalities, and procedures for the implementation, certification, registration, and supervision of preventive models of infractions by data controllers, whether natural or legal persons, public or private. This regulation must be issued by the Ministry of Finance, and signed by the General Secretariat of the Presidency and the Ministry of Economy, Development, and Tourism.
En caso de requerir información adicional, puede contactar a Macarena Naranjo (mnaranjo@jdf.cl), Javiera Rodríguez (jrodriguez@jdf.cl) o Sofía Ortúzar (msortuzar@jdf.cl)