Principle of security and security obligations in the Data Protection Bill

Current regulatory context v/s Data Protection Bill

One of the main criticisms of Law No. 19.628 is the lack of precise obligations regarding security measures. The following comparison illustrates this:

Law No. 19.628:
The duty of security is implicit in article 11, which imposes a duty on the data controller to “take care of the data with due diligence”.

Data Protection Bill:
The Bill contains the following considerations:
i) Security principle.
ii) Obligation to adopt security measures.
iii) Obligation to report and record breaches of security measures.
iv) Security obligations for the data processor (mandatario or agent) in the processing of personal data.

Law No. 19.628 does not expressly regulate the security principle; however, it can be derived from various provisions of this law, and in particular from article 11, which provides for a general obligation of security of personal data, imposing on the data controller the duty to take care of the data with due diligence and to be liable for damages[1].

Contrary to the current regulatory framework, the Bill, in its aim to adapt the regulations to international standards, introduces security obligations in the processing of personal data.

Security principle and new security obligations

Article 3º letter f) of the Bill defines the principle of security as follows: “In processing of personal data, the party responsible shall guarantee suitable security standards, protecting them from unauthorised or unlawful processing, and from their loss, leakage, accidental damage, or destruction. Security measures applicable shall be suitable and fitting to the processing to be carried out, and with the nature of the data”.

This duty is related to various provisions of the Bill, particularly article 14 quinquies, which establishes the duty to take security measures. This article obliges the data controller to adopt the measures necessary to ensure compliance with the security principle set forth by law, considering the current state of the art and the costs of implementation, as well as the nature, scope and purposes of the processing, the probability of the risks and the severity of the effects related to the type of data being processed.

The article further specifies that the measures implemented by the data controller must secure the confidentiality, integrity, availability and resilience of the data processing systems, preventing their destruction, alteration, loss or any type of unauthorized processing.

Among the measures indicated by the Bill are: (i) the pseudonymization and encryption of personal data, (ii) the ability to ensure the cybersecurity of processing systems and services, including their confidentiality, integrity, availability and permanent resilience, (iii) the ability to restore availability of and access to personal data promptly in the event of a physical or technical incident, and (iv) the constant verification and evaluation of the effectiveness of technical security measures.

Duty to report

In addition, the Bill imposes on the data controller a duty to report to the Agency any breach of security measures.

Failure to comply with the duty of security (i.e., breaching or violating it) is a serious infringement under the new law (art. 34 ter), and having jeopardized the security of the rights of the data subjects is considered an aggravating circumstance when assessing the fine for the infringement (art. 36 letter c).

[1] BENUSSI DIAZ, C. 2020. Security obligations in the processing of personal data in Chile: current scenario and pending regulatory challenges. Chilean Journal of Law and Technology, 9(1), 227–279. https://doi.org/10.5354/0719-2584.2020.56660
