Publicly accessible sources in the data privacy bill of law

January 19, 2024

Jaime Urzúa
Associate Attorney
Alessandri Abogados

Sources accessible to the public (SAP) have been one of the most questioned grounds for the processing of personal data. They are defined by Law 19,628 on Privacy Protection as “records or compilations of personal data, public or private, of unrestricted or reserved access to applicants” and are considered an exception to the consent and purpose requirements. This means that when the holder of the personal data has not given consent expressly authorizing its processing, it is still lawful to process such data if they come from or are collected from SAP.

Article 4 of the Privacy Protection Law provides that the processing of personal data coming from or collected from sources accessible to the public does not require such authorization. This is a very controversial legal provision, since, together with the low fines for infringement and the almost non-existent supervision, it is the reason why in Chile personal data circulate freely and without major limitations. It is currently believed that the processing of data collected from these sources would not be governed by the principle of purpose. This implies that the data could be used for any purpose, even one unrelated to the original design of the source consulted.

The bill that governs the protection and processing of personal data and creates the Personal Data Protection Agency (bill 11,144-07) (the Bill) changes the rules of the game. First, it replaces the definition of SAP by calling them “sources of public access” (which for these purposes we will continue to call SAP), and adds as examples the Official Gazette, the media or the public registries provided by law.

Article 13 of the Bill creates sources of lawfulness for data processing other than consent. Among them, letter b) corresponds to the law, i.e., it is lawful to process data without consent provided that such processing is authorized by law or is necessary for the execution or fulfillment of a legal obligation.

The most relevant change is in the obligations of the data controller. Article 14 of the Bill establishes that the data controller is obliged to ensure that personal data are collected from lawfully accessible sources for specified, explicit and lawful purposes, and that their processing is limited to the fulfillment of these purposes. This implies that the collection of data from SAPs is no longer a mere source of lawfulness, but now requires that (1) the processing of data has a lawful basis – not everything public is lawful; and (2) the processing must be limited to the purposes for which such sources were created (think of the contact data available on public websites: the purpose of such sites must be observed, prohibiting such data from being collected to enrich other databases with different purposes). In this matter the Bill follows the EU GDPR, under which the processing of data from SAP falls within the framework of legitimate interest, which is essentially exceptional and requires a detailed, duly supported analysis that justifies it.

One of the areas that will certainly be affected by the Bill is web scraping. This refers to a process that allows large-scale data extraction from web pages through the use of automated tools. Obviously, the regulatory change will mean a major transformation of the business model of many companies that currently operate based on this technique (think fintech, bureaus, digital subscribers, among others), as they will be legally restricted in the way they can process the data they continuously extract.

In short, (1) SAPs will cease to be a source of lawfulness; (2) data from SAPs will require a source of lawfulness, for which it will no longer be enough that the source of origin has no access restrictions; the source must also be lawful (there are cases in which the information resides publicly and without restrictions due to a simple oversight or ignorance of those in charge of data processing); and (3) SAPs will cease to be an exception to the purpose principle. Likewise, data processing will have to be subject to the purposes of the source from which the data are extracted.

Although the development of these questions will require further discussion and will be settled by the data authority, it is time to think about new ways of developing data-based businesses that comply with the rules governing their processing.
