/ 2023 legislative summary regarding data privacy and technology
January 24, 2024Maria Ignacia Ormeño Sarralde
Associate Attorney
Alessandri Abogados
In 2023, bills and various regulations related to personal data protection, cybersecurity and technology raised compliance standards of the subjects bound by these regulations, which will mean a great challenge for some industries. Below is a summary of the main developments in this area.
Information: this bill almost completely reforms Law 19,628 (Privacy Protection Law) on the protection of private life and creates the Personal Data Protection Agency, which will be the institution in charge of supervising and sanctioning compliance with the new rules.
Status: the bill is in its last constitutional stage.
The articles of the bill that will be reviewed in the Joint Commission are as follows:
1. Article 1: | Scope of application of the law. |
2. Article 2 letter f): | Definition of personal data. |
3. Article 2 letter g): | Definition of sensitive data. |
4. Article 3 letter b): | Principle of purpose. |
5. Article 7: | Right of erasure. |
6. Article 8 bis: | Automated decisions. |
7. Article 8 ter: | Right of blocking. |
8. Article 9: | Right of portability. |
9. Article 10: | Ways and means of exercising the rights of the holders. |
10. Article 11 paragraph 2: | Complaint procedure. |
11. Article 13: | Other sources of lawfulness (Sources of public access). |
12. Article 15 bis: | Processing of data through a proxy. |
13. Article 16 ter: | Biometric data. |
14. Article 24: | Special regimes. |
15. Article 27: | International transfer. |
16. Article 28: | Suitable countries and other applicable rules. |
17. Articles 34, 34 bis and 35: | Classification of infringements and fines. |
18. Article 41: | Administrative process for the protection of rights. |
19. Article 54: | Autonomous constitutional bodies. |
Information: Regulations published on January 4, 2023 and throughout the year 2023, the Financial Market Commission (CMF) organized several remote and face-to-face consultative meetings to discuss the content of the nearly seventy regulations (“NCG”) that this body must issue.
The NCGs that the CMF has issued to date are as follows:
- NCG No. 491 governing the registration of Insurance Sales Agents.
- NCG No. 492 which amends NCG No. 30, in the terms indicated therein.
- NCG No. 493 governing the registration in the Registry of Financial Service Providers.
- NCG No. 494 which establishes the procedure for requesting authorization to provide investment advisory services (repeals NCG No. 472 of 2022).
Information: The purpose of this circular letter is to improve information security aspects in the processing of electronic arbitration and administrative claim files. Specifically, it refers to the access of insurance companies (Isapres) to an “extranet” platform set up by the Superintendence of Health in its institutional portal for communications generated on the occasion of a claim and restricting its access only to authorized persons designated by the insurance company. In this sense, the circular letter obliges the Isapres to draw up confidentiality agreements and an internal policy aimed at the correct and safe use of personal and sensitive data in the processing of arbitrations and claims, in accordance with Law 19,628.
Information: This bill seeks to establish the conditions and requirements for the authorization, operation, management and oversight of platforms that allow online betting, in order to protect public faith and the rights of players, and prevent access by minors and the development of addictive behaviors.
The bill indicates that online bets may only be made on the basis of orders issued by a user from a betting account, with payments only through the means of payment authorized by the Superintendence of Gaming Casinos.
Status: the bill is in its second constitutional stage in the Senate’s Economy, Promotion and Development Committee and has the highest urgency.
Information: This bill seeks to establish the institutional framework, principles and general regulations that allow structuring, governing and coordinating the cybersecurity actions of State agencies and between them and individuals, as well as establishing the requirements for the prevention, containment, resolution and response to cybersecurity incidents.
This bill will apply to institutions that provide services qualified as “essential” and those that are qualified as “vital operators”.
Essential services are considered to be those provided by the State Administration Bodies and by the National Electric Coordinator, as well as those provided under a public service concession; and those provided by private institutions that perform certain activities (among others, transportation, storage or distribution of fuels; supply of drinking water or sanitation; telecommunications, banking, financial services, means of payment, institutional health services, among others indicated in the bill).
Status: Awaiting enactment and subsequent publication in the Official Gazette.
Information: This new policy is established with the purpose of guiding the actions of the State in the field of cybersecurity, establishing an action plan, goals and objectives in order to address the multiple challenges and obstacles faced by the country in this field.
The novelties included in this new policy compared to the previous one are related to: (i) specific measures to address main objectives; (ii) inclusion of cross-cutting dimensions; and (iii) the relationship with other national objectives.
Information: The bill establishes that suppliers may make promotional communications once a day, from Monday to Friday, from 9:00 a.m. to 6:00 p.m., being prohibited to direct emails, text messages or telephone calls for these purposes during Saturdays, Sundays and holidays.
It also states that if the consumer does not express its will regarding the suspension of promotional or advertising communications, within three days from the first contact made by the supplier, it will be understood that it has requested such suspension.
Status: The bill is in its first constitutional stage in the Chamber of Deputies.
- Bill No. 15,766-03 governing the collection and processing of personal data through the use of electronic devices.
Information: The bill prohibits any company, corporation, person, software, mobile application or other analogous to use microphones, cameras, GPS and any component of mobile devices, electronic devices, smart speakers or other analogous to obtain, access, store and use personal information of users.
Status: The bill is in its first constitutional stage in the Senate Economy Committee.
Information: The bill aims to establish a legal framework regarding the development, commercialization, distribution and use of artificial intelligence systems, ensuring the protection of fundamental rights guaranteed by the State.
Status: First constitutional stage in the Future, Science, Technology, Knowledge and Innovation Committee of the Chamber of Deputies.