Chilean bill on personal data protection is a setback for people and businesses

by Digital Rights LAC on June 10, 2013

Datos Personales_Chile

The bill attempts to solve deficient protection for the right to privacy, to remove barriers for international transference of data, and to harmonize domestic law with international standards. But, the bill fails each of its purposes.

Por Alberto Cerda, ONG Derechos Digitales.

In 1999, Chile became the first Latin American country having a comprehensive law on personal data protection. Through time, the law proved inefficient at protecting people, facilitating international transference of data, and adjusting to international standards. This led to new bills on the matter, like the one introduced in Congress in January 2011 by the Executive, after an opaque process of public consultation.

The bill remained frozen for two years because of criticism by experts and lawmakers, until last January, when the Executive achieved an agreement with the Congress. This agreement will allow advancing the bill through the legislative process, by limiting the effects of the law to just a few years, after which the Executive will evaluate achievements and allow Congress to discuss new legislative steps. In fact, however, this bill will delay adopting an actual solution and, meanwhile, it will diminish people’s rights and put in jeopardy competitiveness of local businesses.

In spite of its negative effects, the bill gets some points right. For instance, the bill sets forth that the purpose of the law is protecting people’s information that is being used by private and public entities in order to safeguard their right to privacy. The bill explicitly includes internationally recommended principles on the matter, and improves the right to information and requirements of people’s consent in order to allow personal data processing. Additionally, the bill resolves legal issues related to personal information about deceased persons and establishes responsibility of entities that process personal data by themselves and those that process data on behalf of someone else.

There are several issues in the bill that raise concern, however, because of its ambiguity, which may diminish people’s rights and create legal uncertainty. For example, the concept of “personal data” differs from both international instruments on the matter and foreign laws, which prevents international harmonization of Chilean law, erodes protection to people, and risks increasing barriers for international transferences of personal data to Chile. The same problem happens with an ambiguous concept of “public accessible source”, that allows processing personal data without knowledge or consent by people.

The bill assures compensation in favor of people affected by illegal processing of their personal data, but requires them to prove illegality, which is beyond actual capabilities for most people and ignores information asymmetries between companies that process personal data and data subjects. This makes compensation of damages almost impossible. It would be better setting forth strict liability on companies or, at the very least, reversing the burden of proof by requiring entities that process personal data to prove they act diligently.

The bill adopts a system of “Do Not Call” lists that allow people to inform they don’t want to receive information through their phone, e-mail, or another means. But, there is not empirical evidence that this kind of system works and, on the contrary, it has been a failure in countries it has been implemented. There is no reason to believe this system will work properly in Chile.

The two main problems with the bill, however, are, on one side, that it will aggravate barriers for international transference of data into Chile and, on the other side, that it lacks actual enforcement regarding to the private sector.

A serious inconvenience for Chilean companies providing online services is they cannot do so with the European Union, which demands clear rules on how and where to export personal data. Other countries within the region have adopted that kind of rules, such as Argentina (2000), Uruguay (2008), Mexico and Colombia (2010), Peru and Costa Rica (2011). Meanwhile, Brazil has a similar bill under discussion in its Congress. In other terms, if Chile does not adopt a legal framework that provide an adequate level of protection, local companies will face more obstacles for doing businesses not only with Europe but also with other economies in Latin America.

The bill tries to solve the problem of international flow of data through an expensive and complex contractual mechanism. Other countries have tried that solution, with limited and questionable outcomes. Making things even worse, the bill creates unnecessary costs for local innovation and business. Achieving adequacy requires a proper institutional enforcement, but, unfortunately, the bill lacks it. Adequacy supposes recognizing rights of data subjects, imposing obligations on those who process data, and the existence of mechanism of enforcement. The latter is the most deficient point in the bill.

The bill proposes an inadequate system for supervising the private sector. According to the bill, enforcement against private entities that process personal data would take three forms. First, through civil actions, a mechanism that is insufficient and does not guarantee adequate enforcement. Second, through reclamations before the local consumer protection agency, a toothless institution that does not have power to supervise, neither to sanction nor to prosecute infringers. And, third, through mechanisms of self-regulation and certification that have failed in the United States and in Mexico. They also failed in Chile, where both the National Chamber of Commerce and the Chamber of Commerce of Santiago attempted for over eight years similar mechanisms among their members, with poor results.

Most countries have adopted an independent, public enforcement authority, which has broad powers for supervising, sanctioning, and prosecuting infringement. Unfortunately, all those powers are absent in the bill, or they are absolutely diminished. As a result, the bill will neither improve protection of people for processing of their data, nor remove obstacles for free flow of information in order to encourage investment and to promote providing services of personal data processing from Chile to the world.

Far from 1999, having the experience of other countries on data protection and with several bills under legislative discussion for improving our legal framework, today we face a bill that does not make any progress on the matter, but, on the contrary, presents a serious setback that will diminish people’s rights and put in jeopardy the competitiveness of local businesses.

Alberto Cerda Silva es director asuntos internacionales de ONG Derechos Digitales.
E-mail: alberto (at) derechosdigitales.org