As a product of a democratic consultation built on a process that included some instances of dialogue with citizens, the proposal for a new Constitution in Chile takes important steps in the protection of crucial rights in the digital environment.

Thus, in addition to guaranteeing universal access to digital connectivity, the text approved by the Constitutional Convention proposes new supra-legal rules that strengthen privacy and the protection of personal data, which are essential for meaningful, free and secure access to the network.

The measures are largely in line with the citizens’ expectations mapped by Derechos Digitales in a series of dialogues around the constituent process: scams, sale of private data, and digital violence, were some of the main problems identified by the participants, who noted that the current regulatory framework in Chile is insufficient to protect citizens against situations of violence on the Internet and the rights of individuals in the digital environment.

New rules on privacy (Article 70) and personal data protection (Article 87) associated with the creation of a supervisory authority, digital education and the promotion of the exercise of rights in digital spaces (Article 90), cybersecurity (Article 88) and more, pose a new scenario for the discussion of these rights at the legislative level.

Consolidating limits to surveillance

Privacy guarantees appear in Article 70 of the text and bring interesting novelties such as the idea of community privacy, in addition to personal and family privacy, aiming at a collective right.

It also highlights the explicit inclusion of metadata among the objects of the inviolability of documents and private communications. Metadata is generated in an automated way from our communications or interactions with digital devices and can reveal extremely sensitive information about our most intimate habits. That is why they require high levels of protection, such as those established in the Chilean proposal, which clears up any doubts about requiring a prior court order for their interception, capture, opening, search or review. The measure should guide the actions of law enforcement authorities, the judiciary and companies in the moment of handing over or not this type of information to governments.

In addition, it helps to prevent legislative developments that point in the opposite direction, including those related to the retention of such data. In Brazil, the drafting of the constitutional article on the inviolability of communications has resulted in decades of controversy over the interpretation of the issue. In countries such as Argentina and Mexico, it was also the judiciary that was responsible for standardizing protections for metadata and content.

The Chilean constitutional proposal could be legally complemented to make explicit the standards of necessity and proportionality recognized by the Inter-American Human Rights System (IAHRS) that must be observed in matters of interception of communications. The changes in the latest version left out the explicit mention that judicial decisions should be issued “in the form and for the specific cases” provided by law, a relevant specification to avoid abuses such as broad, generic and unfounded interception orders.

However, on the one hand, the requirement of legality is maintained and, on the other, the criteria for the regulation and execution of interceptions are established at the regional level and must be observed by the legislative and judicial powers, as well as by law enforcement authorities, regardless of the constitutional specification.

The way towards strengthened personal data protection

Since 2018, Chile recognizes data protection as an autonomous right at the constitutional level. In the regional context, we can see that in Brazil this recognition came after the approval of a General Data Protection Law, which consolidated for the first time in the country a set of rights, principles and procedures for data processing. The Brazilian measure also gave greater weight and coherence to a right that is increasingly fundamental to citizenship and democracy, as also recognized by the Brazilian Supreme Court in a 2020 decision.

In the Chilean case, the current proposal for a constitutional text offers a set of specific parameters that should be observed in a law. Although the country already has a pioneering law on the subject, it is obsolete in the face of the technological and regulatory advances of recent decades and a reform has been under discussion for years.

The fact that the Convention has chosen to create an autonomous body responsible for data protection at the constitutional level (Article 376) strengthens the protection provided for in Article 87 and delimits the way in which the law will regulate the supervision and monitoring of personal data processing operations. The existence of an independent body for such a function is a key point for the effectiveness of data protection, an effectiveness that is absent not only in Chile, which does not have such an institution, but also in several countries in the region.

The absence of a similar provision in the Brazilian Constitution, for example, hindered the creation of an independent data protection authority by law in 2018. The text approved by Congress after extensive public consultation processes proposed a model that ended up vetoed under the constitutional argument that the creation of public administration bodies would be of exclusive presidential initiative. The measure resulted in the creation of an agency dependent on the Presidency of the Republic, which directly appoints its members, with Senate approval.

In the same way, the specification of the expected functions for the data protection authority at the constitutional level in the Chilean proposal avoids situations such as the decision that annulled the incorporation of sanctioning and investigative powers to the National Consumer Service (Sernac), under allegations of unconstitutionality.

The paths still to be explored

The Chilean Constitutional proposal suggests important advances in terms of privacy and data protection, but the legislative discussion will have to deepen several of the issues it raises.

Regarding the data protection authority, there are fundamental issues related to its composition still to be defined such as how the members will be identified and elected; and what criteria must be observed in such selection. What is known is that there should be gender parity, foreseen for all autonomous bodies in the proposal in a key achievement in the possible future Constitution that responds to a historical debt of Latin American democracies.

However, there are still many aspects to be considered in the creation of the body. The independence necessary for a data protection authority involves, for example: guaranteeing the exclusive dedication of its members; the provision of sufficient human, technical, financial and infrastructure resources for its operation; autonomy in the hiring of personnel and a degree of financial autonomy. These are challenging points in the Latin American context.

Furthermore, although it has been definitively decided to separate the data protection agency from the Council for Transparency (which would also obtain constitutional recognition), the law must, as stated in Article 167, consider mechanisms to harmonize and balance the fundamental rights of citizens to data protection and access to public information and transparency.

Both bodies must find mechanisms for dialogue and cooperation to avoid tensions in interpretation or decisions that, under the guise of privacy or data protection, promote secrecy and the restriction of public information, as has been the trend in other countries.

Although the possible Constitution has generated an obligation for the legislature to move forward with the discussion on the creation of the Agency, it has not established a deadline for this. This seems to acknowledge the difficulty that has been encountered in the discussion for a new personal data protection law in Congress and creates a point of concern about the outcome of that discussion.

The development of the privacy and personal data protection framework in Chile is far from over with the vote on the constitutional text. If the proposal is approved, this development may now be based on new foundations and more certainties, in principle favorable to the protection of privacy, personal data and communication in digital environments. Whatever the outcome is, the way in which the discussion has recognized these issues poses a very different scenario for their future legal regulation.