/ In a year marked by the pandemic and the digital: Why the personal data protection project is relevant

January 13, 2021

We appreciate the extreme urgency that the executive branch has given to data privacy bill. It is expected that with this we will provide the legal certainty and competitiveness that our country needs to be once again an attractive market to invest in and a reliable provider of technological services.

Macarena Gatica

Partner Alessandri

2020 is a year we will never forget. The pandemic, the traceability of infections, the artificial intelligence applied in the diagnosis and research of the Covid-19 vaccine, the exponential growth of e-commerce, teleworking, telemedicine, online education and digital transformation. As never before, we have learned the meaning of the word resilience: society has changed and adapted to this new reality.

The power of change also encompasses data privacy and cyber security. Despite the fact that the bill that modifies Law 19,628 on the protection of private life in Chile has not presented any progress in its legislative process, every day related issues are becoming more relevant. The personal data of infected people and its traceability, of the consumers of the e-commerce, of the teleworkers, of those who study online and of the patients who receive health care through telemedicine still do not have a real protection. Just one example: In a few days.

the personal data of the passenger who arrived by plane from London at the end of December and was positive for Covid-19, with the new strain, was public in all social networks and become trending topic.

In the absence of a general rule regulating the processing our data, legislation has begun to be passed in isolation in certain industries. This is remarkable as a response to the intention to protect citizens, especially in data privacy and information security management systems. However, this concern and uncoordinated regulation attracts legal uncertainty, since many authorities and several regulations will have competence over the same fact, with different focuses.

The computer attack on BancoEstado this year is an example of the above. With the data privacy bill, Ran 20-10, Ran 20-8 and the bill modifying the consumer protection act (which requires notification in the event of security breaches) in force, to whom should BancoEstado have reported what happened? Certainly, to the CMF from the point of view of operational risk; to the CPLTPD, Sernac and eventually also to a Cybersecurity Agency. And that’s not all. Each standard establishes different programs or compliance models in terms of the protected asset and its risks, which the Bank should have implemented.

By holding a working table at Alessandri in relation to national AI policy, the most relevant issue was the development of technology with adequate data protection, with people at the center.

Last, but not least is how attractive and competitive our country can be in services and technologies involving the processing of personal data, when these have been developed outside the international trend?.