The Chilean legal framework for data protection can be found in Article 19, No 4 of the Political Constitution of the Republic of Chile, which guarantees that the processing and protection of personal data shall be carried out in the manner, and under the conditions, laid down by law. In addition, Chile has a dedicated data protection law, Law No 19,628 on Privacy Protection, which was published in the Official Gazette on 28 August 1999 (hereinafter the Law). The current Law is not based on any international instrument on privacy or data protection in force (such as the OECD guidelines, Directive 95/46/EC, the EU General Data Protection Regulation or the European Convention on Human Rights and Fundamental Freedoms).

Furthermore, on 28 October 2021, the Ministry of Science, Technology, Knowledge and Innovation of Chile launched the National Artificial Intelligence Policy along with an Action Plan. The Policy has three areas of focus: (i) development of enabling factors, (ii) use and development of technology, and (iii) ethical and safety aspects. The initiative seeks to lay the foundations to promote the development of artificial intelligence in Chile; however, it does not promote substantial regulatory changes, but rather corresponds to a series of objectives that Chile would like to achieve.

Currently, the key data privacy regulators are the civil courts; in Chile there is no data protection regulator (ie, no specific public body created for that purpose). The Chilean Transparency Council is an independent public law corporation, with legal status and its own assets, created by the Law on Transparency of Public Service and Access to Information of the Public Administration. According to a bill that is currently being discussed in the Congress (hereinafter the Bill), the planned future agency for data protection in Chile will be the Chilean Transparency Council.

Currently, there is no privacy regulator or data protection authority. There is, however, a legal action (habeas data) that data subjects may exercise in the event of a breach of data.

The Law is more than 20 years old, outdated and currently does not comply with international standards, except with regard to the finality principle. These are the reasons behind the Bill, which aims to modify the current legal framework on data protection.

Datos Protegidos and Derechos Digitales are two well-known NGOs in data protection matters. Both are dedicated to raising awareness of the importance of protecting personal data by creating various instructions on the subject.

Chile is working on the Bill that will modify the current Law, adapting it to be in line with EU standards. Similarities between the current Law and other international data protection legislation includes the fact that Chile has a special category for sensitive data and that Chile has recognised the finality principle in data processing.

The Bill that will modify the Law is still in the Chilean Congress and has not progressed much this year. There have been no other major developments in data privacy in 2020.

There are no important pending changes or developments on the horizon. Within the context of COVID-19, the Ministry of Science, Technology, Knowledge, and Innovation granted permission to publish and distribute certain databases, this was done through the granting of a licence, which was based on the legal code released by Creative Commons, adapted under the rights granted by the global, free, non-transferable and non-exclusive public licence on that code.

Currently, the Law does not require the appointment of privacy or data protection officers.

The processing of personal data may only be carried out if authorised by the Law, authorised by other laws or with the express consent of the data subject. If the Law authorises it, there is no need of the express consent of the data subject. The Law authorises the processing of personal data:

• when the data comes from or is collected from publicly accessible sources;
• for the exclusive use of private legal entities, their associates and the entities to which they are affiliated, for statistical, pricing or other purposes of general benefit to the former;
• by public bodies, within their competence and subject to the provisions of the Law; and
• sensitive data, when the treatment is necessary for the determination or granting of health benefits to their owners.

Currently, there is no exception regarding fulfilment of contract.

The Law features no application of “privacy by design” or “by default” concepts; does not require the conduct of privacy, fairness or legitimate impact analyses; and does not include the need to adopt internal or external privacy policies.

Data Subject Access Rights

In order to exercise their right to access data held about them, data subjects must address the person responsible for the data registry or bank claiming their right to access their data. This right to access may refer to:

• the origins of the data (how this data was collected);
• the addressee of the data;
• the purpose of the storage of the data; and
• the identification of the persons or agencies to whom the data is regularly transmitted.

Access to information about personal data shall be free of charge. This right to access cannot be limited by means of any act or agreement, except for the following matters: government agency, national security or the national interest.

Data subjects also have the right of rectification if the personal data is erroneous, inexact, equivocal or incomplete, and that situation is evidenced.

Data subjects have the right of deletion of personal data if it’s storage lacks legal grounds or those grounds have expired, when the subject has voluntarily provided their personal data, it is used for commercial communications or they do not want it to continue appearing in the respective registry, either definitively or temporarily.

Data subjects may oppose or object to the use of personal data for the purposes of advertising, market research or opinion polls. If the person responsible for the personal data registry or bank fails to respond to a request within two business days, or refuses a request on grounds other than the security of the nation or the national interest, the data subject shall have the right to appear before the civil court with jurisdiction over the domicile of the party responsible for the data registry or bank requesting protection of their right of access or the other rights granted by the Law.

Anonymisation/Pseudonymisation

The Law contains a definition of the dissociation process, which means all personal data processing by which the information obtained cannot be related to an identified or identifiable individual.

Big Data

There are no additional specific restrictions, other than those expressly established in the Law, on big data analysis, algorithms, AI and the like. The general requirements are that consent must be obtained in writing and that the person providing the data must be informed about the purpose of the storage of their personal data and whether the data will be communicated to the public or not. The authorisation, as with any other authorisation, can be obtained electronically.

Injury or Harm

The Law does not create actionable “harm” regarding data breaches, it only establishes a legal action (habeas data) that the data subject may exercise before general courts, when data subject require information, modification, cancellation or blocking of personal data, and the person responsible for the personal data registry or bank does not provide a proper answer within two days. Therefore, the habeas data does not come from a harm but from specific reasons indicated in the law. If the damage comes from other causes than those indicated in the Law, the data subject may file an action for injunctive relief, before a court, in order to stop the act that causes harm. 

According to the Law, “sensitive data” means personal data that refers to the physical or moral characteristics of persons or to facts or circumstances of their private or intimate life, such as personal habits, racial origin, ideologies and political opinions, beliefs or religious convictions, conditions of physical or mental health and sex life.

Financial Data

There is no definition of financial data, although there are some rules regarding financial data. If the financial data may be deemed as personal data, authorisation will not be necessary if the data comes, or is collected, from sources available to the public. Financial data may not be processed in the following cases:

• five years or more since the respective obligation was enforceable;
• in the case of debts incurred during a period of unemployment;
• in the case of data relating to obligations that have been paid or extinguished by other legal means; and
• in the case of debts relating to electricity, water, telephone, gas and highways.

Health Data

Health data is deemed as sensitive data. It may not be subject to processing, unless the data subject authorises it, or it is necessary for the determination or granting of health benefits. 

Communications Data

Currently there is no definition of communications data in the Law. However, in Chile there is constitutional protection of the inviolability of private communications.

Voice Telephony and Text Messaging

Currently there is no definition of voice telephony and text messaging in the Law. However, providers that direct promotional or marketing communications to consumers via mail, fax, telephone calls or messaging services must indicate an expedited way the addressees may request the suspension thereof.

Content of Electronic Communications

Currently there is no definition of electronic communications in the Law. However, in Chile there is constitutional protection for the inviolability of private communications.

Other Issues

Currently there is no definition of children’s or student data in the Law. General rules of Law apply to this kind of data.

Currently there is no definition of employment data in the Law. General rules of Law apply to this kind of data.

Internet, streaming and video issues

Browsing and viewing data is not regulated in the Chilean Law. If cookies gather personal data, they may be deemed as data processing, hence companies that place cookies will require the consent of the data subject. Location data is not regulated in Chile, although the Bill regulates such data. Tracking technology is not regulated in Chile. However, there is law mandating that insurers, when motor vehicle insurance policies are taken out, include, at no extra charge, the delivery of GPS devices, which will be installed and activated exclusively by the vehicle owner.

In copyright matters, internet service providers will not be obliged to compensate the damage attributable to third-party copyright infringements committed through systems or networks controlled or operated by a service provider, provided that the service provider complies with the specific conditions requested; internet service providers may only be subject to the remedies established in the Copyright Act, which in all cases will require a previous resolution issued by a court. In addition, internet service providers must forward to their users the infringement notices sent by copyright holders. Service providers fulfil their obligation by simply forwarding infringement notices, without being compelled to take content down or being authorised to provide their users’ personal data to copyright holders without a court resolution.

Hate speech

Hate speech is somewhat regulated in Chile. Article 31 of Act No 19,733 on freedom of opinion and information and the exercise of journalism imposes a fine on anyone who, by any means of social communication, promotes hatred or hostility towards persons on grounds of their race, sex, religion or nationality.

Data Subject Rights

The Law provides data subjects with a variety of rights.

Right of access

Data subjects have the right to demand information about data held about themselves, its origin and addressee, the purpose of the storage and the identity of the persons or agencies to whom their data is regularly transmitted. Notwithstanding the aforesaid, no information may be requested when it prevents or hinders proper compliance with the supervisory functions of a government agency or if it affects the confidentiality or secrecy established in legal or regulatory provisions, the security of the nation or the national interest.

Right of modification

If the personal data is erroneous, inexact, equivocal or incomplete, and that situation has been evidenced, the subject shall have the right to have it amended.

Right of blocking

A data subject may request the blocking of personal data when that individual has voluntarily provided their personal data or it is used for commercial communications and the subject does not want to continue to appear in the respective registry, either definitively or temporarily.

Right of cancellation or elimination

Notwithstanding legal exceptions, the subject may also demand that data be eliminated if its storage lacks legal grounds or those grounds have expired, when the subject has voluntarily provided their personal data, it is used for commercial communications or they do not want it to continue appearing in the respective registry, either definitively or temporarily.

Right to free copy

The modification or elimination of personal data shall be absolutely free of charge, and a copy of the pertinent part of the registry that has been changed shall also be provided at the subject’s request. If new modifications or eliminations of data are made, the subject may obtain a copy of the updated registry without cost, as long as at least six months have passed since the last time they made use of this right.

Right of opposition

The subject may oppose the use of their personal data for the purposes of advertising, market research or opinion polls.

Right to be forgotten (or of deletion or erasure)

There is no legal recognition of the right to be forgotten in the Law.

Data access and portability

The Bill includes the right to data portability, whereby the data subject may request and obtain from the data controller a copy of their personal data and communicate or transfer it to another data controller.

Law No 19,496 on the Protection of Consumer Rights contains a provision regarding marketing through email. Every promotional or advertising communication sent by email must indicate its subject, the identification of the sender and a valid email address to which the recipient can address their request for the suspension of the advertising communication, which will remain banned from then on.

Providers that direct promotional or marketing communications to consumers via mail, fax, telephone calls or messaging services shall indicate an expedited way the addressees may request the suspension thereof.

Regarding data privacy, this practice will require consent from the data subject, unless the data comes from source available to the public.

The Political Constitution of the Republic of Chile guarantees the respect and protection of the privacy and honour of the person and their family at a constitutional level. Such constitutional protection extends to workers. The same protection is guaranteed in Article 5 of the Chilean Labour Code.

According to the Labour Department of Chile, employers may regulate the conditions, frequency and timeliness of use of the company’s emails, but may not, under any circumstances, have access to the private email correspondence sent and received by employees. This would violate the fundamental rights granted by the Political Constitution of the Republic of Chile.

If there is a breach of worker’s privacy, and that worker is part of a union, the union may pose some pressure on the employer to fulfil the Law.

All means to control workers – including cybersecurity tools – must comply with respect for the fundamental rights granted by the Political Constitution of the Republic of Chile, the right to privacy, private life and honour of workers. Therefore, control mechanisms are allowed if they fulfil the following requirements:

• they must necessarily be incorporated in the normative text that the law establishes for the effect, that is, the Internal Regulations of Hygiene and Safety of the company, dictated in conformity with the law;
• they may only be carried out by suitable means consistent with the nature of the employment relationship;
• its application must be general, and the impersonality of the measure must be guaranteed (ie, it must not be discriminatory); and
• the dignity of the worker must be respected.

There is no discovery system in Chile.

Data protection enforcement is addressed by general courts with general powers. A summary procedure is established by the Law if the person responsible for the personal data registry or bank fails to respond to a request for access, modification, elimination or blocking of personal data within two business days or refuses a request on grounds other than the security of the nation or the national interest.

Breaches of data protection caused by improper processing of data may eventually lead to fines determined by the Law (USD70 to USD700 and USD700 to USD3,490 approximately). Fines are determined in a summary procedure. The Law establishes a general rule under which both non-monetary and monetary damages that result from wilful misconduct or negligence in the processing of personal data shall be compensated. In those cases, the amount of compensation shall be established reasonably by the civil judge, considering the circumstances of the case and the relevance of the facts.

Private Litigation

The same standards used for public litigation also apply to private litigation for alleged privacy or data protection violations.

Class actions are not available in Chile.

Personal data processing by a government agency may only be carried out for matters within its scope of jurisdiction subject to the aforesaid rules. Under those conditions, the consent of the subject shall not be necessary. Government agencies that process personal data about sentences for felonies, administrative infractions or disciplinary failures may not communicate them after the statute of limitations applicable to the criminal or administrative action, sanction or penalty has elapsed, or after the sanction or penalty has been served.

Regarding the privacy of a data subject who commits a serious crime, personal data about their crimes may not be communicated after the penalty has been served.

See 3.1 Laws and Standards for Access to Data for Serious Crimes for information about data processing by government agencies.

Currently, there are no safeguards to protect privacy in the Law. In practice, many companies have produced good practice guides related to personal data.

Organisations in Chile may not invoke a foreign government access request as a legitimate basis to collect and transfer personal data.

There was some debate regarding a new Regulation on Interception of Telephone Communications and other forms of Telecommunication, and Retention of Communication Data. This Regulation sought to replace the current Regulation on Interception of Communications and Storage of Communication Data (Decree 142 of 2005), which regulates the obligation contained in the Code of Criminal Procedure to store the IP addresses of internet users for at least one year. The new regulation ordered telecommunications companies to store, for a minimum of two years, the communication data related to any type of communication carried out in Chile, also requiring additional data such as history of internet connections and geolocation of customers. Nevertheless, the new regulation was rejected by the Chilean Comptroller, on the grounds that various provisions of the regulation regulate matters of law exceeding the rules of the Code of Criminal Procedure that are invoked as its basis.

At present, the Law does not contain a specific provision in respect of international data transfers. However, the transfer of personal data outside the jurisdiction may be deemed as a use of data and would therefore require authorisation and other requirements established by the Law.

The general rules regarding data processing according to the Chilean Law also apply to international data transfers, particularly those regarding the authorisation or consent of the data subject, the finality principle (personal data must be used only for the purposes they have been collected for, and those purposes, should be permitted by the Chilean legal system) and the informing of users of the potential communication to the public of the data. In addition, the fundamental rights of the data subject must be respected.

No government notifications or approvals are required to transfer data internationally.

Currently the Law does not establish data localisation requirements.

No details of software code or algorithms or similar technical details need to be shared with the government.

The organisation collecting or transferring data will have to comply with the requirements established by the Law for data processing when dealing with foreign government data requests.

There are no blocking statutes in Chile.

Currently, there are no laws regarding big data analytics, but in the Bill, there is a mention of this topic. The Bill requires that this secondary use of personal data be based on a compatible purpose, that there is a contractual relationship with the holder that justifies this differentiated use or that there is a new consent from the holder.

The Law establishes that data processing may be conducted through an automated process, it also establishes that a person responsible for a register or personal database may establish an automated procedure for transmission, provided that the rights of the data subjects are safeguarded and the transmission is related to the tasks and purposes of the bodies involved.

Profiling or microtargeting is not regulated in the Law, although the Bill contains provisions on this matter.

In terms of artificial intelligence, the Chilean government issued the first National Artificial Intelligence Policy along with an Action Plan.

Currently, the internet of things is not regulated in Chile.

Neither facial recognition nor biometric data are regulated in Chile. However, either might be deemed as sensitive data, thus rules for sensitive data apply. This has been confirmed by the Standards and Regulations Unit of the Council for Transparency.

The General Directorate of Civil Aeronautics (DGAC) has issued DAN-151, a regulation on the use of drones in Chile. The regulation establishes restrictions regarding the areas in which drones can be used, the altitude at which drones can fly, requirements to operate drones and an express reference that the operation of drones may not violate the rights of others in their privacy and intimacy.

Organisations in Chile do not establish protocols for digital governance.

We are not aware of any significant audits regarding data protection violations.

Please see the section on Private Litigation in 2.5 Enforcement and Litigation, for more on this topic.

Regarding data protection, it is important to comply with the Law and other rules that may be applicable to personal data.

No privacy/data protection-specific laws mandate the public disclosure of an organisation’s cybersecurity arrangements.

There are no other major issues regarding data protection and privacy in Chile.