Aims and Basic Principles
Confusing Provisions
Contradictory Provisions
After nearly 15 years of discussion, on August 27 1999 Congress approved Law 19,628 on the Protection of Privacy, which came into force on October 27. The law, although welcome, appears to be more of a compromise between rival political views than a well thought out plan for protecting privacy in the processing of personal data.
The basic goals of the law are (i) to provide legal protection for the privacy of individuals when personal data is processed and (ii) to grant all individuals and entities the right to process data within the limits of the law.
To accomplish these goals, the law provides several fundamental rights for individuals whose data is processed (data subjects) and duties for individuals who process data (data users). The following principles apply to most data processing:
- Data subjects' consent must be obtained before any personal data is processed;
- Data may only be used for the purposes for which it was compiled, unless it originates or has been compiled from sources accessible to the public; and
- Data subjects shall be able to request, free of cost, (i) the blocking or rectification of inaccurate data, (ii) the sources of data, and (iii) the purposes for which the data is being collected.
These principles are weakened by other provisions in the law that create contradictions and confusion.
The Chilean data processing law, unlike many of those being enacted in other parts of the world, does little to limit who may process data, how such data shall be processed, and what sort of data is included within the law's scope of protection.
First, the law's definition of 'data' includes "any data related to any information concerning identified or identifiable persons". A literal reading of such a broad definition could include all objective facts as well as subjective opinions. The only limiting factor that saves the public from a law that regulates every statement and opinion, is the data subject's right to block any data that cannot be substantiated (and in most cases opinions and intentions cannot be substantiated).
Second, confusion arises from the definition of 'data processing' which includes:
"any operation or transaction or aggregate of operations or transactions or any technical procedure, whether automated or not, which makes it possible to gather, store, record, organize, prepare, select, retrieve, compare, interconnect, disassociate, communicate, assign, transfer, transmit or delete personal data or to use such data in any manner."
Chilean lawyers who have analyzed the law see this definition as potentially covering any form of processing, whether manual or automatic. The danger of this is that 'data processing' could be construed to include any action associated with personal data, such as organizing personal letters and conversations.
Furthermore, because the definition does not distinguish between transferring, gathering and organizing data (except in the case of credit data), there is risk that any collection of data may result in the transmission of that data as well. But here, once again, the only possibility to narrow this excessive definition is to consider that all types of processing, including transferring and disclosure, require the consent of the data subject. Therefore, the only area where the data subject's privacy is placed at risk is where the law specifically does not require consent, for example, in the processing of credit data, data obtained from sources accessible to the public, and data processed by public bodies.
But, it is precisely this last exception that collapses the protection of data subjects' privacy. By granting a broad definition of 'processing' that includes transmission and then exempting public agencies from the obligation to obtain data subjects' consent, the law denies individuals protection when data is processed by a public body. This exception to the privacy provision is so great that it must be seen as an incongruity in the law.
But the more concerning elements of the law are those that create contradictions and reveal the internal conflict that the legislature confronted in promulgating the law. The law includes provisions regarding the processing of credit data that appear to negate the general goal of privacy protection. Particularly, the law provides that data subjects' consent is not necessary for the processing of credit data that is evidenced in loans, checks and negotiable instruments. In this regard, it seems as though privacy has been pushed aside in the interest of protecting third-party creditors.
Additionally, various health-provider interest groups have influenced the drafting of certain provisions. Generally, the law prohibits the processing of sensitive data except where it is necessary for determining and granting health benefits. However, the law also adds a new article to the Public Health Code that prohibits the disclosure of "any medical prescriptions, clinical laboratory analyses and exams, and all health-related services" without the consent of the data subject. These two provisions clearly contradict each other as to whether a data subject's consent is required for the processing of his or her data.
Given these weaknesses in the law, it could fall well short of providing the full privacy protection that its title contemplates.
For further information on this topic please contact Ricardo Peña at Carey y Cía by telephone (+56 2 365 7259) or by fax (+56 2 633 1980) or by e-mail ([email protected]).
The materials contained on this web site are for general information purposes only and are subject to the disclaimer.