Legislative summary of the year in privacy and technology

January 9, 2023

In 2022, bills and regulations related to privacy, cybersecurity and technology raised the compliance standards for those subject to them, which will pose a significant challenge for some industries. The following is a summary of the main developments in this area.

Maria Ignacia Ormeño Sarralde
Associate Attorney
Alessandri Abogados


Bill No. 11,144 which governs the protection and processing of personal data and creates the Personal Data Protection Agency.

Information: this bill completely reforms Law No. 19,628 (LDPVP) on the private life of individuals and creates the Personal Data Protection Agency, which will be the institution in charge of supervising compliance with the new rules and sanctioning breaches.

Status: the bill is in the second constitutional stage in the Constitution, Legislation, Justice and Regulation Committee of the Chamber of Deputies. During 2022 the Executive Branch presented indications related to changes to the fine regime.

Law No. 21,521 that promotes competition and financial inclusion through innovation and technology in the provision of financial services (Fintech Law).

Information: the so-called Fintech Law was published on January 4, 2023. This law creates a regulatory framework for the provision of technological financial services, incorporating Fintech companies into the Financial Market Commission’s (CMF) scope of oversight. Among other things, it governs crowdfunding platforms and promotes competition through a system of open banking.

Interpretative Circular Letter on consumer protection against the use of artificial intelligence (“AI”) systems in consumer relations.

Information: the circular letter sets out the criteria that the National Consumer Service (Sernac) will apply to protect consumers, given the potential impact that the use of AI systems may have on their rights as consumers.

Interpretative Circular Letter on fairness criteria in the provisions contained in standard-form agreements referring to the collection and processing of consumer personal data.

Information: in this document, Sernac determines the parameters for oversight in this matter and explains that suppliers incorporate provisions relating to the processing of personal data, either in the terms and conditions or in the privacy policies generally published on their websites or online sales channels. According to Sernac, these provisions constitute standard-form agreements, as established in the consumer protection law, so there is an asymmetry of information and an imbalance in the bargaining power of consumers.

Bill No. 14,743 which creates a Consolidated Debt Registry.

Information: this bill seeks to expand the information on the financial obligations of individuals, so that the system reflects not only negative information or past due debts but also information on good payment behavior, allowing individuals to make use of their reputational capital and access the credit market under better conditions. It also creates a Consolidated Debt Registry under the responsibility of the CMF, which will have the necessary powers to regulate and supervise the agents of the commercial information system.

Status: the bill is in its first constitutional stage in the Economy and Development Committee of the Chamber of Deputies and currently has the highest urgency.

General Applicability Rule (“NCG”) No. 461 of the CMF.

Information: this rule amends NCG No. 30 regarding the content of the annual report of issuers of securities. Specifically, this rule states that risk management must describe how entities integrate information security risks in their activities, especially in relation to the privacy of their clients’ data.

Status: This amendment will become effective for corporations according to their assets or type of company on different dates, ranging from December 31, 2022 to December 31, 2024.

Bill No. 14,838-03 which governs the development of online betting platforms.

Information: it seeks to establish the conditions and requirements for the authorization, operation, management and control of the platforms that allow online betting, in order to protect the public faith and the rights of players, and prevent access by minors and the development of addictive behaviors.

The bill indicates that online bets may only be made on the basis of orders issued by a user from a betting account, with payments only through the means of payment authorized by the Superintendence of Gaming Casinos.

Status: the bill is in its first constitutional stage in the Committee of Economy and Development of the Chamber of Deputies and has simple urgency.

Opinion No. E288163N22 of the Comptroller General of the Republic, stating that audio recordings or screenshots of conversations, messages or images from social networks may be used and assessed as evidence in administrative proceedings.

Information: the opinion was published on November 15, after the Unit for the Protection of Civil Servants’ Rights of the Comptroller’s Office requested a pronouncement on whether messages sent through instant messaging applications may be presented as evidence in an administrative summary. The Comptroller’s Office determined that such messages can indeed constitute evidence for one of the participants in a conversation in the case of complaints of labor or sexual harassment. The opinion also states that they will only constitute evidence to the extent that they are voluntarily provided by one of the intervening parties.

Decree No. 273 of 2022, which establishes the obligation to report cybersecurity incidents.

Information: this decree establishes that the heads of services of the ministries and other agencies of the centralized and decentralized administration of the State (hereinafter “obligated agencies”) must report cybersecurity incidents affecting them to the Ministry of the Interior and Public Safety, by notifying the Computer Security Incident Response Center (CSIRT). The notification must be made as soon as the event is detected, and no later than three hours from the time it becomes known.

Exempt Resolution No. 489 that approves the procedure for the processing of requests for the exercise of rights under Law No. 19,628 on privacy protection.

Information: this resolution, published in the Official Gazette on December 17, 2022, governs the way in which the Transparency Council must receive, process and resolve requests for the exercise of the rights recognized in the LDPVP. Regarding the procedure to exercise them, this regulation is applicable from the entry of the request before the Council until its complete review.

Law No. 21,504, which establishes, in Law No. 19,628, the prohibition of reporting debts contracted to finance health services and actions.

Information: the provisions of this law refer to debts contracted with public or private health care providers and related companies, whether they are financial institutions, commercial houses or other similar entities. The regulation covers outpatient, inpatient or emergency health care, which may consist of medical appointments, procedures, examinations, programs or surgeries.