The FINANCIAL — Chile is drafting new data protection laws to get a Declaration of Adequacy from the EU. The draft law is likely to have an impact on direct marketing in Chile.
If this law enters into force market research companies may have to register their data sets containing personal data with the Chilean Data Protection Authority, according to ESOMAR.
In October 1999, Chile was the first country in South America enacting a data protection law. Incidentally, 1999 was also the year Chile regulated tariffs on services offered by the Chilean Telecommunications Company. As a result of the change to this tariff regulation, the number of new Internet users exploded: it almost doubled between August 1999 and October 1999.
Chile’s data protection law was already outdated by the time it entered into force. At the annual Computers, Privacy and Data Privacy Conference that ESOMAR attended as part of its monitoring service on behalf of members, experts commented that there aren’t a lot of good things to say about the current Chilean privacy law.
A law lacking biting power
The current law is not very effective with the highest fine being equivalent to 3,000 euro and not being imposed at the time of writing. Even though the Chilean privacy law is currently not enforced, violating the law would constitute a violation of the ICC/ESOMAR Code on Market and Social Opinion Research.
One of the major flaws of the current data protection law is that it does not cover data flows. This might be comfortable for market researchers, their clients and sub-contractors transferring data to each other, but it is also the main reason for the EU not to declare Chilean data protection laws as adequate.
Back in the race after data protection reforms
But this might soon change as Chile is now updating its data protection law and making it much more robust. The new effort isn’t simply a patch of the existing law, but it will have a completely new structure, based on Spanish law and the EU Data Protection Directive and further influenced by the OECD privacy principles currently underpinning most global data protection legislations. Read the first article in this series to find out why a declaration of adequacy from the EU is important to Latin American countries.
Consent, transparency, security and notification
The impact of this will be the necessity to get consent for any personal data you gather. It will also be important to not gather more information than is strictly necessary for the purpose of the research. Furthermore you must ensure the data is kept safe and that you are transparent to your respondents about what you do with their personal data. These requirements of course already echo requirements for researchers under the ICC/ESOMAR International Code on Market and Social Research.
Once this new bill enters into force, possibly some time later this year, companies processing personal data in Chile will have three years to notify the regulator of the data sets they create and the nature of the personal data they are keeping in those data sets.
A new Data Protection Authority (DPA) will be established and this authority will responsible for the register. This DPA will also have the power to levy fines up to $700,000. Its role will be similar to that of Data Protection Authorities in Europe.
Impact on direct marketing
This new law will impact direct marketers quite substantially. In any direct marketing message an opt-out has to be included. Furthermore, there will be an obligation for direct marketers to make available the source of their data set and the person responsible for processing the data. It is unclear if there will be an exemption for market research included in this bill. The bill has not been formally tabled to Congress and is still subject to further changes.
ESOMAR’s Government Affairs Team continues to monitor legal developments that are likely to impact our abilities to conduct and use market, social, and opinion research. If there is any update on this new law that is of concern to market research, the team will keep you informed.
For researchers in small and medium enterprises who do not have extensive legal and compliance resources, ESOMAR has published a Data Protection Checklist. The checklist is a good start when you are looking to improve the data protection processes in your organisation.
Discussion about this post