The law will come into force in 2026 and will introduce a Personal Data Protection Agency that will safeguard users' rights.

2024 ended with good news for Chilean users: on December 13, Gabriel Boric's government made Law 21,719 on the Protection of Personal Data official. This is a regulation that establishes new rules for the processing of data in Chile. Perhaps its most notable measure is the creation of the Personal Data Protection Agency, an autonomous body responsible for ensuring the protection of data and the rights of its owners.

Under the premise that every citizen or person with personal data requires special protection, the law introduces certain categories. These include sensitive data relating to health and biological profile: biometric data; data on minors; financial, commercial and economic obligation data; criminal history data, among others.

The new regulation takes as a reference the General Data Protection Regulation (GDPR) of the European Union and replaces the old regime established in Law No. 19,628 on the Protection of Private Life. Based on this rule, users have access to a series of rights, including deletion, requesting the elimination of their data; opposition, refusing the processing of their data; or portability, receiving a copy of their data in a structured format.

Although its application is not planned overnight: officially, the law will come into force on December 1, 2026. Subsequently, companies that do not comply with the rules will be sanctioned with million-dollar fines that can reach 20,000 UTM (approximately US$ 1.39 million), a fact that would put business operations at risk.

For Raimundo Díaz, a lawyer at Auditeris, a business outsourcing consultancy , there is an explanation for this delay in the law's implementation.

“This two-year period is for companies and organizations that process personal data to take action now. Because the day after the law is applied, many things will be required that will be audited and have been in place for a long time. We are talking about changing security measures, creating platforms so that people can request their personal data and implementing models of protection against violations,” Díaz told AméricaEconomía .

The Auditeris representative is aware that some multinationals could underestimate the fine of US$ 1.39 million and could run the risk of breaching the new regulations. However, the law also includes an extraordinary sanction that suspends the use of data for up to 30 days. This, in general terms, would be more damaging than a financial penalty.

“I think the new law seeks a cultural change regarding how data is treated and stored. The data protection agency can constantly monitor, but there must be a change in society and that includes the owners of personal data. We must know the value of our data and that today, it is extremely valuable for companies. Therefore, we must exercise our right against companies if they want to block, delete, modify or deliver data without permission,” adds Díaz.

Under the old legislation, it is not clear where Chileans should go to report misuse of their personal data. Responsibility was divided between ordinary courts of justice and the National Consumer Service (SERNAC). Now, following the introduction of the new law, the Data Protection Agency will be the recipient of all user complaints, albeit for extreme cases.

“The first option will be for the owners, who will be able to approach the companies and demand their rights. The law imposes a 15-day deadline on the employer to respond to the claim and correct the error. Otherwise, the agency will intervene with the corresponding sanction. Obviously, this does not prevent any of the parties from appealing in court or even the Supreme Court,” says the Auditeris spokesperson.

The debate and approval of the Personal Data Law took place in the context of a wave of cyberattacks in Chile. For example, a report by Fortinet, the multinational cybersecurity services company, states that the southern country was the victim of 6.4 billion attempted cyberattacks during 2024. July and August were the months with the greatest activity and industrial sectors such as health, manufacturing, transportation and logistics were the most affected.

Many ordinary users were not spared from hackers ' tricks either . In August, during Cyber Security Week 2024, held in Cartagena de Indias (Colombia), antivirus developer Kaspersky revealed that 133,043 attacks on cell phones and tablets had been recorded in recent months.

This represents an alarming increase of 213% compared to the same period between 2022 and 2023. Notably, the main threats include apps that display unwanted advertising. It remains to be seen whether the advent of the new law will encourage companies to adopt responsible stances regarding data management, which will reverse these negative reports.