The Chilean government has drafted a new data privacy bill that will create a Data Protection Authority with regulatory and sanction powers, ban international transfers to destinations that do not have “adequate” protections, and impose higher fines for privacy violations. Currently, the maximum fine is about €3,000 or $3,475, and has never been imposed.
The purpose of this new proposed law is to address enforcement gaps that have been a source of criticism of Chile’s current law (which is based on Spain’s data protection framework). Another key condition of the proposed law is that it will require companies to register databases containing personal information, which isn’t required under the country’s current data protection law. Also, under the proposed law, individuals will be allowed to request the removal of their personal information from a database if the information is being used for purposes other than for the purpose it was originally provided.
Chile does not currently have a government agency to oversee compliance of its 1999 Data Protection Law, which was updated in 2002. This law “regulates the processing of personal information of natural persons by both the public and private sectors,” according to a 2014 Privacy and Security Law Report from The Bureau of National Affairs, Inc. “The Chilean Law also contains the usual set of obligations found in most comprehensive privacy laws: notice, consent, access and correction rights, collection and use limitations, security, data retention and data quality. There are no registration requirements and no restrictions on cross-border transfers. Unlike most privacy laws, the Chilean law does not establish a DPA to oversee enforcement of the law.”
“The bill is not yet before the congress but there was a public consultation last July,” said Paulina Silva of Carey y Cia, a law firm, at the CPDP privacy conference in Brussels on Jan. 21, according to PrivacyLaws.com.
As part of an open consultation about Chile’s new data privacy bill, experts looked at the data privacy practices of the EU and surrounding Latin American countries for guidance. Argentina, Uruguay, Costa Rica, Peru and Colombia all have data protection laws.
If the proposed law passes, it will align Chile more closely to the EU approach, as well as these other Latin American countries.