Digital Compliance Triad | Data, Cybersecurity and Artificial Intelligence.

Nov 12, 2024

It is important that all companies make a deep analysis of their operations to anticipate these legislative changes in Data, Cybersecurity and Artificial Intelligence.

We currently live in a world in constant evolution, where technology occupies a primordial place in our lives. The digitalization of information has transformed not only the way we communicate, but also the way we work and learn.

This transformation has created an urgent need for proper governance and compliance measures in all areas related to the various technological spheres.

Thus, it is essential that both individuals and companies adopt approaches and practices that align with the new regulations on personal data protection, cybersecurity, and the upcoming law to be passed on artificial intelligence.

Personal Data Protection Law

The new regulation will enter into force 2 years from the date on which the law is published in the Official Gazette. It is currently undergoing mandatory preventive review before the Constitutional Court.

Main Aspects

Main changes to the Personal Data Protection Law:

1. New bases of lawfulness for data processing are incorporated, modifying the requirements of legally based consent, and eliminating data from publicly available sources as an autonomous enabling basis.

2. The principles that must be safeguarded in the processing of personal data are expressly typified.

3. The rights of data subjects are non-transferable and non-waivable and cannot be limited by any act or agreement: access, rectification, suppression, opposition and portability.

4. Obligation to incorporate security measures.

5. New supervisory authority (the National Data Protection Agency is created).

6. Duty to report violations.

7. Infringement Prevention Model as a liability mitigating factor.

8. International transfers are regulated.

9. New sanctioning and infringement regime.

10. Obligations are imposed on data processors.

Obligors / regulated entities

The law affects all entities that process personal data, regardless of their size or nature, both as data controllers and data processors. This includes both small and large companies and individuals.

Although SMEs will have an additional 12-month “grace period” to comply, everyone, including individuals, will eventually have to comply with the provisions. Failure to comply with the regulations could result in significant penalties, even for small businesses and individuals handling personal data. There are cases of extraterritorial application, such as controllers and processors located outside Chile, to which the law will apply if the processing concerns data subjects located in Chile.

Penalties

Categories of infractions (minor, serious and very serious) are defined, together with their corresponding sanctions, and a sanctioning procedure before the Agency is created. In cases of recidivism, the suspension of processing operations for a period of up to 30 days is contemplated.

– Minor Infringement: From 1 to 5,000 UTM. (e.g.: failure to comply with the duty of information and transparency).

– Serious infringement: From 5,001 to 10,000 UTM. (e.g.: processing of personal data without a legal basis for the processing).

– Very serious infringement: From 10,001 to 20,000 UTM. (e.g.: fraudulent processing).

In addition, it establishes the possibility for the affected data subject to sue for damages in civil court.

Audit authority and other relevant entities

The National Data Protection Agency is created as an administrative body of a technical nature. Its main function will be to formulate guidelines related to data processing. In addition, it will oversee compliance with the regulations and will have sanctioning powers (infringement proceedings will be processed before it).

Artificial Intelligence Bill

Status: First constitutional procedure. In its transitory provisions it is established that the norms of this law will enter into force on the first working day of the year following its publication in the Official Gazette.

Main Aspects

The aim of the project is to encourage the creation, development, innovation and implementation of artificial intelligence systems that benefit people, while ensuring respect for democratic principles, the rule of law and fundamental rights.

– It regulates the risks of AI systems, but with a view to fostering economic growth, foreign investment and the protection of users’ fundamental rights.

– Institutional consistency: Risk associated with the data they process.

– Prudent: it adapts the standard and maintains a preventive rather than restrictive approach.

It proposes an amendment to Intellectual Property Law No. 17.336, incorporating Article 71 T, which establishes that any act of reproduction, adaptation, distribution or communication to the public of a lawfully published work shall be lawful, without remuneration or authorization from the owner, when such act is performed exclusively for the extraction, comparison, classification or any other statistical analysis of language, sound or image data, or of other elements making up a large number of works or a large volume of data, provided that such use does not constitute a disguised exploitation of the work or of the protected works.

It classifies AI systems according to their associated risk:

a) Unacceptable-risk AI systems: These are AI systems that are incompatible with respecting and guaranteeing the fundamental rights of people, and therefore their introduction on the market or putting into service is prohibited.

b) High-risk AI systems: These are autonomous AI systems or product safety components that may adversely affect the health and safety of people, their fundamental rights or the environment, as well as the rights of consumers.

c) Limited-risk AI systems: This groups together AI systems that present non-significant risks of manipulation, deception or error, resulting from their interaction with natural persons.

d) AI systems with no evident risk: Groups all other AI systems that do not fall into the categories mentioned in the preceding paragraphs.

Obligors / regulated entities

The Law applies to suppliers (the entity that develops the system) and implementers (the entity that uses the system) of AI systems, whether domiciled in Chile or abroad, provided the system’s output is used in Chile. It also applies to importers and distributors of AI systems, together with their representatives. Excluded:

– AI systems for national defense purposes.

– Research, testing and development of AI systems prior to their introduction in the market.

– AI components provided under free and open source licenses.

Penalties

– Minor infringement (non-compliance with transparency obligations): Fine of up to 5,000 UTM.

– Serious infringement (non-compliance with rules imposed on high-risk systems in Article 8): Fine of up to 10,000 UTM.

– Very serious infraction (putting into service or use of an unacceptable risk system): Fine of up to 20,000 UTM.

Supervisory authority and other relevant entities

The bill mainly defines two institutions responsible for safeguarding and enforcing compliance with the obligations:

1) Artificial Intelligence Technical Advisory Council: brings together industry stakeholders, namely representatives of the government (different ministries), academics, representatives of the technology industry and civil society organizations.

2) National Agency of Personal Data: supervises, determines infringements and non-compliance, exercises the sanctioning power and resolves requests and claims made by the affected persons.

Note that this is the same authority that oversees personal data: because many AI systems are closely linked to personal data, it is considered beneficial for the same entity to regulate both.

Cybersecurity Framework Law

The President of the Republic will be responsible for issuing, within one year from publication in the Official Gazette (which took place on April 8, 2024), one or more decrees with force of law establishing the vacancy period before the entry into force of the provisions of the Law (which may not be less than six months from its publication).

Main Aspects

Its objective is to establish the institutional framework, principles and general regulations to structure, regulate and coordinate the cybersecurity actions of government agencies and private individuals that provide essential services for the country’s operation. It establishes its own model of cybersecurity governance. The regulatory framework will be applicable to both the public and private sectors, insofar as operators can be defined as essential service providers and/or vital operators.

Depending on how they are classified, they will be assigned the duties and obligations established by the Law and, at the same time, the penalties applicable in case of non-compliance. Specialized institutions are created to oversee compliance with the law, without prejudice to the cybersecurity regulations issued by the sectoral authorities, which in general will prevail over the regulations and general guidelines of this law.

Obligors / regulated entities

The provisions of the law apply to:

a) State agencies and State enterprises and companies in which the State has a shareholding of more than 50% or a majority in the Board of Directors.

b) Essential services: Those provided by State Administration agencies and by the National Electric Coordinator; those provided under public service concession; and those provided by private institutions performing the following activities:

– Generation, transmission or distribution of electricity.

– Transportation, storage or distribution of fuels.

– Supply of drinking water, sanitation or telecommunications.

– Digital infrastructure, digital services and information technology services managed by third parties.

– Land, air, rail or maritime transportation, as well as the operation of their respective infrastructure.

– Banking, financial services and means of payment.

– Administration of social security benefits.

– Postal and courier services, and institutional health services provided by entities such as hospitals, clinics, doctor’s offices and medical centers.

– Production and/or research of pharmaceutical products.

This list is not exhaustive: the Agency may qualify other services as essential.

c) Operators of Vital Importance: The Agency will establish, by means of a resolution issued by the Director or the National Director, which providers of essential services are also qualified as operators of vital importance, provided that the requirements set forth in the law are met. In addition, companies that are not essential service providers may be qualified as Operators of Vital Importance if they meet special requirements.

Penalties

The sanctions and sanctioning procedures will be those that correspond to the sectoral authority in accordance with its regulations. In other cases, the Agency will be in charge of supervising, hearing and sanctioning the infringements.

General Penalties:

– Slight infraction: Fine of up to 5,000 UTM. (e.g.: late delivery of information required when it is not necessary for the management of a cybersecurity incident).

– Serious infraction: Fine of up to 10,000 UTM. (e.g.: Failure to implement the protocols and standards established by the Agency to prevent, report and resolve cybersecurity incidents).

– Very serious infraction: Fine of up to 20,000 UTM. (e.g.: Providing the Agency with manifestly false or erroneous information, when it is necessary for the management of a cybersecurity incident).

Special Sanctions – Operators of Vital Importance:

– Slight infraction: Fine of up to 10,000 UTM (for the benefit of the Treasury).

– Serious infringement: Fine of up to 20,000 UTM.

– Very serious infringement: Fine of up to 40,000 UTM.

Supervisory authority and other relevant entities

1) The National Cybersecurity Agency is created, a technical entity, which will be in charge of overseeing the application of the law, and before which infringement procedures will be processed. Notwithstanding this, the sectorial authorities (e.g. CMF) will be fully competent to supervise and hear infringements to the sectorial norms on cybersecurity that they have issued. Within this Agency, the National Computer Security Incident Response Team (National CSIRT) will be created, whose central function is to combat cyber-attacks or cybersecurity incidents of significant effect.

2) The Multisectoral Council on Cybersecurity is created, which is advisory in nature and whose function will be to advise and make recommendations to the National Cybersecurity Agency in the analysis and periodic review of the country’s cybersecurity situation, in the study of existing and potential threats in the field of cybersecurity, and to propose measures to address them.

3) The Secure Connectivity Network of the State is created, which will provide interconnection and Internet connectivity services to the Ministries, Regional and Provincial Presidential Delegations, Regional Governments, Municipalities, Armed Forces, Law Enforcement and Public Security Forces, public companies created by law, and public bodies and services created for the fulfillment of administrative functions.

4) The National Defense Information Security Incident Response Team is created as the body responsible for the coordination, protection and security of the networks and systems of the Ministry of National Defense and of the essential services and operators of vital importance to national defense, in addition to fulfilling such tasks as may be entrusted to it for the purpose of safeguarding national defense and security.

5) The Interministerial Committee on Cybersecurity is created, which will have the purpose of advising the President of the Republic on cybersecurity matters relevant to the functioning of the country. It will be composed mainly of representatives of the Government.

In this context, it will be very relevant to follow up on these three regulations (pending approval of the Artificial Intelligence bill), which we have called the “digital compliance triad”. Indeed, the three regulations are closely linked, and a considerable number of companies will be obliged to comply with all of them.

How does it apply in practice?

For example, let’s imagine a financial institution, like a commercial bank.

On the one hand, the bank is a company that provides an essential service (the law qualifies banking and finance as essential services), so it must comply with Law No. 21.663 and all the cybersecurity regulations that may be issued, first by the sectoral authority (in this case, the Commission for the Financial Market) and, subsidiarily, by the National Cybersecurity Agency. Additionally, the Agency will likely classify the bank as an operator of essential services, further increasing the risks and sanctions to which it will be exposed.

On the other hand, banks, due to the nature of their business, handle a vast amount of personal data on a daily basis (e.g., customers’ names, checking account numbers, credit card numbers, etc.), and therefore must comply with Law No. 19.628 and all the obligations imposed on companies that process personal data with a high degree of risk. This means they must incorporate effective compliance models.

Finally, let’s suppose that this same bank has adopted an app to manage bank transfers, which its customers access via facial recognition, involving the use of artificial intelligence. In this case, by using this app, the bank will be subject to the future artificial intelligence law (in its capacity as the “implementer” of the app) and will have to comply with the standards corresponding to the type of risk associated with this facial recognition system.

It is important that all companies, from all sectors, conduct a thorough analysis of their operations, based on the industry they belong to, in order to anticipate these legislative changes.

For more information on these topics, you can contact:

Eugenio Gormáz | Partner | egormaz@az.cl

Ivonne Bueno | az Tech Director | ibueno@az.cl

Antonia Nudman | Senior Associate | anudman@az.cl

Carlos Lazcano | Senior Associate | clazcano@az.cl

Fernanda Rodríguez | Associate | frodriguez@az.cl

Esteban Orhanovic | Associate | eorhanovic@az.cl
