/ Changes in the consent for personal data processing

Macarena Gatica
Partner
Alessandri Abogados

Consent is one of the lawful bases for the processing of personal data. It is also perhaps the most invoked. However, little relevance has been given to the changes introduced by the bill. They imply a radical change in the management of consent.

Law 19,628 on Privacy Protection establishes that personal data may only be processed when authorized by law or with the express consent of the holder (Article 4). As we shall see below, unlike the bill, this regulation does not define what is meant by consent. It only mentions that it must be express, written, informed and specific as to the purposes.

The bill defines consent as: “any free, specific, unequivocal and informed manifestation of will, given through a declaration or a clear affirmative action, by which the data subject, his/her legal representative or agent, as the case may be, authorizes the processing of personal data concerning him/her” (Art. 2 paragraph “p”).

The “free” requirement constitutes the most relevant element introduced by the bill in relation to consent. What the legislator intends to avoid is the tied sale, that is to say, that instance in which the user/data subject cannot contract if he/she does not accept the processing of his/her data for purposes that go beyond the service or product he/she is contracting.

The bill states that consent is presumed not to have been freely given when the data controller collects it in the context of the performance of a contract or the provision of a service where such collection is not necessary. Let us recall that, in this case, the contract is the basis of lawfulness that allows the processing of personal data within the framework of such contract.

The above situation is precisely the way in which most privacy policies and consent clauses associated with personal data have been implemented. In accordance with current legislation, all purposes, including those associated with a request, contract, as well as those that are not strictly related to the fulfillment of the contract, are reported in a single document.

The aim of the legislator is that in practice the data holder can dispose of the data, freely deciding what data processing he/she authorizes and with whom he/she contracts. Such freedom would be curtailed when the data subject cannot enter into a contract if he/she does not authorize the processing of his/her personal data for purposes unrelated to the contract he/she enters into.

In practice, this “free” requirement translates into granting different alternatives to the holder by means of a granular consent, requiring a preference center to manage the selected options.

Another important change is the consent associated with the processing of personal and/or sensitive data of minors. The new regulation requires the consent of the parent or guardian, with some exceptions. This implies important challenges, especially from the point of view of data management and governance: how to determine when the data subject is a minor, how to identify and label him/her in the existing databases, and how to alert the holder when he/she reaches the legal age in order to request the relevant consent?

All of the above implies changes in processes and business models; investments in technology to automate processes and adequately manage consents and continuous training. To successfully undertake this challenge, it must be led by the company’s highest authority. Substantial changes in practices, behaviors and the culture of how things are done are costly; however, they should be considered as an opportunity to lead change, generate consumer confidence and a competitive advantage.