Chile Should Amend Privacy Law to Meet EU Standards

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

June 3 — Chile's antiquated data protection law has drawn the ire of the European Union and is well behind that of other South American countries' standards.

However, the Chilean legislature has heard the plea for increased data security and privacy standards and is looking to move towards a modern model.

President Michelle Bachelet recently announced that lawmakers will begin discussing improvements to the nations' data protection and privacy law.

Chile law deficits

“In the coming weeks, we shall be sending a bill to Congress to create an efficient institution to guarantee an adequate protection of personal and public data,” she said in her annual address to the National Congress of Chile.

Regulating data use is necessary to develop Chile's digital economy and the proposed law will strike “the right balance between privacy and transparency,” she said.

The announcement ends months of speculation about the fate of government plans to strengthen the country's inadequate data protection law. The present structure affects the population's right to privacy and reduces the competitiveness of its growing services sector, Chilean legislative insiders told Bloomberg BNA.

Absent some fundamental change to the law, Chile will be unable to effectively compete for Spanish language services outsourced from the EU, such as customer call centers for Spanish banks. In short, the EU will continue to consider Chile as providing an inadequate level of protection for personal information unless the framework law changes.

But whether those substantial changes will reach fruition remains unclear amid political maneuvering and a lack of transparency in the legislative process may undercut the chances for meaningful privacy reform.

Inadequate Data Protection

With the rise of big data and an interconnected online marketplace, the Chilean data protection law is widely seen as inadequate. The present framework law was obsolete almost from the moment it was enacted.

Fifteen days after the passage of Chile's 1999 Law on the Protection of Personal Data (Law No. 19,628), the Spanish framework it was partly based on was withdrawn for not complying with EU standards of data protection. Additionally, the Chilean law failed to establish a data protection authority (DPA) to oversee privacy compliance, enforce security standards and impose sanctions.

The lack of a DPA has lead to inadequate sanctions for personal data breaches. For example in 2015, a website was allowed to post personal information associated with a person's name without repercussion. The website escaped punishment by arguing that the data was public knowledge.

In March 2016, investigative journalists found that they could access patient records through the Ministry of Health's computer system with little resistance. They also didn't receive any punishment for their actions.

EU Data Transfers

Chile's lack of adequate data protection has limited growth of businesses that store and collect data from EU citizens.

The European Commission, EU's executive arm, verifies whether a countries data protection regime provides an adequate level of privacy protections to EU citizens' data.

Some South American countries have been certified as adequate under the EU data law. Argentina (2 PVLR 737, 7/7/03)and Uruguay have been certified (11 PVLR 1369, 9/10/12).

Other countries in the region, such as Colombia, Mexico and Peru, are updating their data protection rules to fall in line with European standards.

Consensus Over New Bill

Soon after President Bachelet took office in 2014, Undersecretary for the Economy Katia Trusich took a freshlook at the problem. A draft bill was published in August 2014 for public consultation.

A public-private committee, which included representatives from Google Inc., Microsoft Corp., and the Washington-based Information Industry Counsel (ITI), as well as representatives of the banking, retail and insurance industries, provided input on the bill. The committee was able to reach a near consensus on the bill.

Raul Arrieta, a lawyer who coordinated the work as a legal adviser to the undersecretary, told Bloomberg BNA that “obviously there were areas where businesses thought we went too far and others where the academics thought it did not go far enough, but there was agreement on about 80 to 85 percent of the material.”

Even without input, if the bill had been sent directly to the Chilean National Congress “it could have become law relatively easily and marked a significant improvement to Chilean legislation,” Arrieta said.

The bill included clear definitions of individuals' rights based on legitimacy, responsibility, final-use and security and a series of exemptions to facilitate its implementation, such as employer-employee relations.

The bill sought to establish an independent and autonomous data protection authority, responsible for promoting privacy rights, enforcing the law and imposing fines of up to $700,000.

Paulina Silva, an IP and info-tech attorney at Carey y Cia in Santiago and adviser to the U.S.-Chilean Chamber of Commerce, said there were some matters that were left unclarified. For example, self-regulation by companies, a cause championed by the chamber but resisted by the government, wasn't part of the draft bill.

Concern Over Costs

With the bill set for debate, the legislation ran into resistance from the powerful Finance Ministry, which said that a data protection authority would cost too much. Days after taking office in May 2015, Finance Minister Rodrigo Valdes ordered a revision of the legislation.

With the price of Chile's main export, copper, falling 20 percent in 2015, the government has been under pressure to rein in spending to tame its deficit, even curtailing the provision of free higher education to lower income students. The bill was initially included in the government's transparency agenda, aimed to improve probity in public sector following a series of corruption scandals but was quickly dropped.

In late 2015, the Finance Ministry decided to prepare a more streamlined bill, triggering economy undersecretary Trusich's January 2016 resignation from office.

Little Information, Huge Pushback

There has been little information released on the Valdes-backed bill. A Finance Ministry spokeswoman said that no details of the proposed law would be revealed before it is presented before the legislature.

“We are not going to say anything else,” the spokeswoman said, adding that the details are still being finalized between ministries.

However, an early draft of the proposed bill was criticized as inadequate. Rather than developing completely new legislation, many suspect the government is now working on modifications to the original data protection law.

This would be a mistake, the insiders said. According to Silva, “the law should be thrown out and put through the shredder.” The original law contains so many deficiencies that it requires root-and-branch reform, she said.

Arrieta said that “just adding a data protection authority to the current law would make the system worse.” Bringing the original law into line with international standards on data protection would require so many changes that it would be easier to write a completely new law, he said.

Nor is there clarity on what form the new data protection authority will take. Rather than create an entirely new entity, Chile's Council for Transparency has proposed to expand its power to include data protection enforcement.

Jose Luis Santamaria, the council's president, said that the “prestigious” and independent body already has significant experience studying privacy issues and issuing sanctions when reviewing appeals for information from public bodies. By duplicating areas such as administration, finances and human resources, it could fulfill the role at a much lower cost than developing an entirely new institution, he said.

The government's thinking on the matter remains unclear although the president's reference to an “efficient institution” suggests a more streamlined solution than the Trusich bill, he said.

As recently as May 13, Nicolas Eyzaguirre, General Secretary of the Presidency, who is responsible for coordinating the government's legislative program, was unclear what form the new entity would take, Santamaria said.

To contact the reporter on this story: Tom Azzopardi in Santiago at

To contact the editor responsible for this story: Donald G. Aplin at