/ Data protection and Sernac’s role

22 January, 2021

With the rise of e-commerce, Sernac has taken an active role in defending consumers’ personal data. We need a data privacy regulation that solves the problem at its root and protects the data of all citizens.

Santiago Ortúzar D.

Partner Alessandri Abogados

The year 2020 was a turning point for e-commerce. While its explosive growth emerges in response to the need for confinement, it is a trend that is projected beyond the pandemic. An e-business is inconceivable without handling consumer data and it should come as no surprise that Sernac has taken such active role in its defense. However, we believe that such a self-imposed role is ill-conceived and will create more problems than it seeks to solve.

In first place, an authority whose sole aim is to protect consumers leaves out those who are not in a consumer relation, but whose data are being processed equally. We are forcing our citizens to consume so that their data is protected when the protection they deserve is based on their dignity as human beings and not as subjects of commerce.

Secondly, the way in which Sernac has chosen to look after these rights does not seem to be the most appropriate. The reason for its interest in this matter arises from the supplier’s obligation to provide truthful and complete information. Sernac has said that they must inform consumers about the use that suppliers make of their data, which normally takes the form of a privacy policy and terms and conditions. The data privacy goes far beyond mere information so that any limitation excludes the most important aspect of personal data protection. ARCO rights (access, rectification, cancellation and opposition) must be taken into consideration, which cannot be reduced to a mere informative text.

Within the ARCO rights, it is not clear that Sernac’s requirements cover the last three rights. If we only require information, an atmosphere of limited complacency can be created, which may affect compliance with legal requirements with the enactment of the new law.

By establishing limited requirements, t businesses may assume that if by only informing they are in compliance with data privacy regulations. When the new data privacy law is enacted, providers will realize that their obligations are greater, and that the resources and time used to comply with Sernac’s requirements are not sufficient.

Thirdly, Sernac is creating criteria, case law and establishing obligations for providers, but nothing guarantees that all this will be ratified by the future National Data Privacy Agency. It is practically impossible for Sernac’s current criteria not to conflict with the future criteria of that agency, and will it establish the same requirements as those that exist today? We do not know, but it is highly probable that differences will exist, which will negatively affect e-commerce by requiring revision of procedures that were thought to comply with local regulations.

Sernac’s action is due to the legal gap that exists in relation to the data privacy regulation. Many may even praise its tutelage until the National Data Protection Agency is established.

The problem is not with Sernac, but with the legislative delay in approving the new data privacy regulation. However, this should not justify the action of an agency, which, no matter how well intentioned, is not the best suited to overseeing data privacy. Rather than trying to amend with a patch that does not fit, the underlying problem should be solved, and the data privacy bill should be approved.