Chile’s new data protection law: Expanded scope, more flexibility, and much higher fines

Back in 1999, Chile enacted one of Latin America’s first comprehensive data protection frameworks with Law 19,628. The law provided a set of rights and principles similar to other data protection legislation inspired by the Council of Europe’s Convention 108.

But Law 19,628 also lacked the flexibility required to properly support and regulate the data-processing activities of modern businesses.

In enacting Law 21,719, Chile’s legislature has provided for, among other things:

• A broader territorial scope
• New obligations for businesses
• A stricter enforcement regime

Expanded extraterritorial scope

Law 21,719 extends the reach of Chilean data protection law. The law applies to the processing of personal data when one or more of the following applies:

• The controller or processor is established or incorporated in Chile
• A processor processes personal data on behalf of a controller established or incorporated in Chile
• The controller or processor is not established or incorporated in Chile, but processes personal data with the intention of:
  • Offering goods or services (paid or free) to data subjects in Chile
  • Monitoring the behaviour of data subjects in Chile
• The controller is not established or incorporated in Chile but is subject to Chilean law due to a contract or international law

This broader scope explicitly applies to non-Chilean companies conducting “analysis, tracking, profiling, or prediction” using personal data about people in Chile, which should include many common behavioural advertising and analytics techniques.

Combined with the rules on consent, Law 21,719’s expanded extraterritorial scope suggests that businesses whose websites are accessible in Chile should consider implementing a cookie consent mechanism.

Consent and other lawful grounds for processing

Chile’s data protection law established consent as the primary lawful basis for processing personal data. Law 21,719 expands upon the conditions for consent and adds new lawful bases as exceptions to consent.

Consent is only valid if it is:

• Free, informed, specific, and unequivocal
• Given in advance
• Revocable at any time, for free

Consent is not valid if it is obtained in the context of collecting unnecessary personal data as a prerequisite for performing a contract or delivering a service—unless consent to data processing is the only requirement to use that service (this might include social media and similar free platforms).

Law 21,719 also establishes that personal data may be processed without consent under the following lawful bases:

• To fulfill obligations of an “economic, financial, banking, or commercial nature”
• To meet a legal obligation
• When necessary to perform or enter into a contract with the data subject
• When necessary for the controller’s specified legitimate interests (subject to a balancing test as under the GDPR)
• When necessary to “formulate, exercise, or defend” a legal right before the court or a public body

The controller is accountable for the lawfulness of data processing.

Special rules for processing sensitive personal data

Like the GDPR, Law 21,719 establishes an additional set of conditions for processing sensitive personal data, which under the Chilean law include “physical or moral characteristics of individuals” or “facts or circumstances of their private life or intimacy”, revealing the following:

• Ethnic or racial origin
• Political, union, or trade union affiliation
• Socioeconomic status
• Ideological or philosophical convictions,
• Religious beliefs
• Data relating to health
• Human biological profile
• Biometric data
• Information relating to the sex life or sexual orientation
• Gender identity

Note that the definition includes “socioeconomic status”, which is often revealed or inferred by advertising technology (adtech) and digital marketing companies for targeted advertising purposes.

Sensitive personal data may only be processed with consent or under one of the following conditions:

• If the data subject has manifestly made the sensitive data public and the processing is related to the purposes of publication.
• For the internal and legitimate activities of certain non-profit bodies with a political, philosophical, religious, or trade union aim, concerning only their members and affiliates.
• To safeguard the life, health, or physical/psychological integrity of the data subject or another person, especially if the data subject is incapable of giving consent (“vital interests”).
• Where necessary for formulation, exercise, or defense of rights.
• Where necessary for obligations in the labour or social security field.
• Where expressly authorised or mandated by law.

Additional rules apply to certain types of sensitive personal data, such as human biological profile data.

Stronger enforcement powers

Law 21,719 moves Chile from a data protection regime with very limited “teeth” to one that aims to be much more robust, deterrent, and aligned with modern international standards like GDPR.

The law achieves this shift in the following ways:

• Creating an independent Chilean Personal Data Protection Agency.
• Substantially raising the potential fines on organisations that violate the law.
• Adopting clearer definitions of minor, serious, and very serious breaches.
• Clarifying the pathways for complaints and investigations within the Agency.
• Creating direct sanctions for heads of public bodies.
• Introducing Data Protection Officers (DPOs), certified prevention models, and impact assessments.
• Creating a public registry of sanctions.

As in other Chilean administrative laws, fines are issued in “monthly tax units” (in Spanish: “Unidad Tributaria Mensual” or UTM): An inflation-indexed unit of account, updated monthly, used to express financial obligations like fines and taxes so they maintain their real value despite inflation.

• Minor: Written warning or fine up to 5,000 monthly tax units (UTM).
• Serious: Fine up to 10,000 UTM.
• Very serious: Fine up to 20,000 UTM.
• For repeat offenders (especially larger companies), fines can be up to three times the amount or up to 2% (serious) or 4% (very serious) of annual income, whichever is higher.

Law 21,719 drastically increases fines compared to the penalties available under the old law (which typically ranged from 1 to 50 UTM).

Shifting Chile to a modern data protection regime

Organisations in Chile should welcome some of the changes brought about by Law 21,719, including its broader range of lawful bases and clearer definitions. The expanded territorial scope also levels the playing field by capturing the many foreign businesses operating in Chile.

But the law’s establishment of a new regulatory regime and expansion of legal powers show that Chile is taking data protection and privacy seriously—and businesses operating in the country should do so as well.