CHILE Law and Practice Contributed by: Claudio Magliona, Bárbara Reyes and Diego Lisoni, Magliona Abogados
Furthermore, the new law recognises the principle of data protection by design and by default, according to which the data controller must implement technical and organisational measures from the design of the processing of personal data and during its execution, taking into account the state of the art, the costs of implementation, the nature of the data, the context and purposes of the processing, as well as the associated risks. Likewise, by default, only the specific personal data strictly necessary for the activity should be processed.

The new law also includes various obligations related to information security and cybersecurity. Thus, the data controller must adopt the necessary measures to guarantee compliance with the security principle, ensuring the confidentiality, integrity, availability and resilience of data processing systems. They must also prevent the alteration, destruction, loss, processing or unauthorised access to data.

Security measures may include:
• pseudonymisation and encryption of personal data;
• guaranteeing the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
• ability to restore the availability and access to data quickly in case of incidents; and
• regular processes for verification, evaluation and assessment of the effectiveness of security measures.

In addition, the data controller must report to the Agency any security breach that results in the destruction, leakage, loss or unlawful alteration of data, or unauthorised access to it, especially if there is a risk to the rights of data subjects.
• These communications must be recorded, detailing the nature of the breach, its effects, categories of data, the approximate number of data subjects affected and the measures taken.
• If the breach affects sensitive personal data, data of children under 14 years of age or relating to financial obligations, the data controller must notify the data subjects. If individual notification is not possible, it must be done through a mass media outlet with national reach.

Finally, the data controller must prove the existence and functioning of the implemented security measures in case of dispute.

6.2 Cybersecurity and AI

On the subject of cybersecurity and AI, there are no specific regulations in Chile. Therefore, general rules apply, including the Cybersecurity Framework Law and any specific or general instructions that the National Cybersecurity Agency may issue in this regard.

However, the National Consumer Service (SERNAC), the – temporary – controlling authority for personal data protection in the context of consumer relations, issued an interpretative circular regarding AI systems and consumer safety. It is important to remember that these circulars are not generally binding but only apply to SERNAC officials in the context of supervisory activities, which could result in a complaint being filed with the courts (SERNAC does not have direct sanctioning powers).

In the Interpretative Circular on consumer protection against the use of AI systems – consumer safety, SERNAC has interpreted that, in view of the general obligation incumbent on suppliers to provide security to consumers, AI systems in the
CHAMBERS.COM