New Data Protection and Cybersecurity Legislation: A Leap Towards Enhanced Digital Security
Legal Development, 19 February 2025
Latin America
Technology, Outsourcing and Data
Over the past decade, there has been a significant increase in tech regulations on a global scale. Against this background, Chile introduced a series of new laws in recent years to address these evolving challenges.
Among the most notable are the new Cybersecurity Framework Law (Law No. 21,663) and the comprehensive overhaul of the data protection framework with Law No. 21,719. This new legislation amended the existing Law on the Protection of Private Life (Law No. 19,628), elevating the standards to align with the EU General Data Protection Regulation (GDPR).
Both pieces of legislation establish more stringent rules around cybersecurity and data protection. They have also significantly changed the way these matters are treated in Chile by establishing new oversight authorities dedicated exclusively to ensuring compliance, with sanctioning powers in case of breaches.
Cybersecurity Framework Law
In January 2025, Law No. 21,663 (the “Cybersecurity Framework Law”) came into force, with some provisions due to enter into force in March 2025. This piece of legislation establishes a comprehensive legal framework on cybersecurity in Chile and introduces a higher resilience standard against cyber threats for the protection of critical information systems.
The Cybersecurity Framework Law aims to protect the confidentiality, integrity, and availability of information systems and data. Although its main targets are public entities, it is also applicable to private sector entities that manage critical infrastructure, including telecommunications, finance, energy, and healthcare providers, as well as any other entity responsible for the operation and maintenance of infrastructure deemed essential for the functioning of society and the economy, such as water supply, transportation and emergency services. These regulations may also apply to third-party suppliers who provide services to these entities.
From a planning standpoint, the Cybersecurity Framework Law mandates the development of a National Cybersecurity Strategy, which sets out the government's approach to managing cyber risks and responding to incidents. This strategy includes measures for the prevention, detection, response, and recovery from cyberattacks. It also emphasizes the importance of international cooperation and information sharing to combat global cyber threats.
Under the Cybersecurity Framework Law, organizations are required to implement appropriate cybersecurity measures to protect their information systems. This includes:
- Conducting regular risk assessments.
- Developing incident response plans.
- Ensuring the security of third-party service providers.
- Reporting significant cyber incidents to the National Cybersecurity Agency within a specified timeframe.
A key feature of the Cybersecurity Framework Law is the creation of the National Cybersecurity Agency. This agency is responsible for coordinating cybersecurity efforts across different sectors, providing guidance and support to organizations, and ensuring compliance with cybersecurity standards. The agency also has the authority to investigate cyber incidents and impose sanctions on entities that fail to adhere to the law.
Non-compliance with the Cybersecurity Framework Law can result in significant penalties, including fines and other sanctions. The National Cybersecurity Agency has the authority to enforce these penalties and ensure that organizations take necessary actions to mitigate cyber risks.
Additionally, the Cybersecurity Framework Law includes provisions for the protection of personal data, aligning with the principles set out in the Data Protection Law, and requiring organizations to ensure that their systems and technologies process personal data securely.
New Data Protection Law
In December 2024, Chile enacted Law No. 21,719 (the “New Data Protection Law”), a groundbreaking piece of legislation that amended the existing Law No. 19,628 and is designed to protect personal data and enhance privacy rights. This law will enter into force on December 1, 2026, and marks a significant advancement in the protection of personal data, representing a major shift in how such data is handled.
By aligning Chile's standards with international norms, such as the European Union's GDPR, the law transitions from merely protecting private life to a comprehensive framework for the protection of personal data.
The main goal of the New Data Protection Law is to safeguard the personal data of individuals, ensuring that their information is processed lawfully, fairly, and transparently. The law applies to all entities, both public and private, that process personal data within Chile (regarding private individuals). It also covers data processing activities aimed at offering goods or services to individuals in Chile or monitoring their behavior, regardless of where the data controller or processor is located.
One of the most significant aspects of the New Data Protection Law is the enforcement of the ARCO rights, consisting of:
- Access: Individuals can request access to their personal data held by an organization.
- Rectify: Individuals can request corrections to inaccurate or incomplete data.
- Suppress (Cancel): Also known as the "right to be forgotten", individuals can request the deletion of their data under certain conditions.
- Oppose: Individuals can object to the processing of their data for specific purposes.
Additionally, the New Data Protection Law considers data portability, under which individuals can request the transfer of their data to another service provider in a structured, commonly used, and machine-readable format.
To ensure compliance with the new regulations, the New Data Protection Law created the Data Protection Agency, a public authority which is responsible for overseeing data protection practices, investigating breaches, and imposing sanctions on entities that fail to comply with the law. The Agency will play a crucial role in promoting transparency and accountability in data processing activities.
Regarding the international transfer of personal data, the New Data Protection Law restricts the transfer of personal data to countries or international organizations outside Chile, only allowing such transfers to recipient countries or organizations that provide an adequate level of data protection, ensuring that individuals' privacy rights are not compromised.
As a measure for limiting liability in the processing and storage of personal data, data processors and controllers may implement an infraction prevention model. This model aims to prevent infractions, detect errors, correct problems and ensure compliance with the New Data Protection Law by including rules, procedures and internal controls to avoid the incorrect use of personal data within their organization.