Bill of law to enhance the protection of consumer rights: a new data protection authority in Chile

The current Chilean regulation on data protection, Law No 19,628 on privacy protection (DPL), enacted in 1999, has become outdated and does not properly regulate the new scenarios created by the development of legal relationships between participants in an economic system.

It is vital to adjust our current legislation to the changes that have been triggered by the growing use of the internet, as well as to the constant technological evolution. These changes include, among others, the emergence of new forms of contracting, mostly in the field of consumer law, which are not contemplated in our existing regulations and require a legal framework that provides security and legal certainty regarding data privacy issues.

A bill of law that aims to modify the DPL (Bulletin 11092-07) is currently under discussion in the Chilean Congress. It seeks to bring into our data privacy regulatory environment the legal trends included in, for example, the GDPR. However, no substantial progress has been achieved, and said bill of law is far from being enacted as a new law.

Within the framework of the modernisation of the Chilean Consumer Law, the processing of the bill that ‘establishes measures to enhance the protection of consumers’ rights’ (Bulletin 12.409-03) began on 15 January 2019, and it is now being discussed by a mixed committee in Congress. This bill sets out a series of amendments to the existing Law No 19,496 on Consumer Rights Protection (CRPL), which propose various new obligations for providers in several markets and areas.

The bill contemplates the incorporation of a new Article 15 bis, which states that the rules in relation to the processing of any type of personal data of consumers, and other related rules, will be considered special rules for the protection of consumer rights.

The implications of this rule can be summarised as follows:

  1. In relation to the functions of the National Consumer Service (SERNAC), this bureau will be able to exercise all its powers in relation to providers who process consumers’ personal data in the context of a consumer relationship. This would include, among others, the power to audit compliance with the DPL; to establish the meaning and scope of the rules on personal data (administrative interpretation); and to carry out the procedure initiated by consumers’ complaints and actions against conduct that affects their rights as data subjects. Even though these powers have been exercised by SERNAC so far, this new bill of law entails an express recognition of SERNAC’s role in the protection of consumers’ privacy rights.
  2. In connection with the current Article 58 bis of the CRPL, SERNAC must keep a record of all rulings and resolutions handed down on consumers’ personal data.
  3. Providers must implement the necessary measures to ensure security and confidentiality in the processing of personal data, especially regarding the purposes for which they were authorised by the data subjects to process their personal data.
  4. If providers report a security violation of their databases that contain information on their customers or users, it will be mandatory to inform consumers of this security breach within 24 hours of that report. This communication shall be made digitally and shall include the security measures adopted before and after the occurrence of the event. If this means of contact fails, the same information will be communicated to the consumer by physical, telephone or other suitable means that ensure speed, within 72 hours of the report referred to in the preceding paragraph.

Based on the foregoing, from a data protection point of view, this bill establishes a series of obligations that significantly modify the legal relationships between providers and consumers (as data subjects).

These amendments to the current regulations on this matter imply an improvement in the scope of consumer rights protection, as well as a strengthening of SERNAC’s role. However, it is worth mentioning that data privacy matters exceed the scope of the CRPL. Moreover, if Bulletin 11092-07 (which also creates a data privacy authority) is approved, we may expect some tensions between two co-existing data privacy bureaus. It will be necessary to constantly monitor the progress of this bill in order to be prepared for the challenges that its eventual entry into force will present.

This article was submitted in early July 2021, so it addresses the status of the bill of law as of that date.