State of Privacy Chile
Table of contents
- Right to Privacy
- Communication Surveillance
- Data Protection
- Identification Schemes
- Policies and Sectoral Initiatives
The State of Privacy in Chile is the result of an ongoing collaboration between Privacy International and Derechos Digitales.
Key Privacy Facts
1. Constitutional privacy protections: Article 19 of Chile's constitution protects the right to a private life.
2. Data protection laws: In 1999 Chile became the first South American country to pass a comprehensive data law.
3. Data protection agency: Chile has no data protection authority. A bill to modify Law No 19.628 on the protection of private life mandates the creation of a data protection authority. The lower house passed the bill and as of June 2017, it is being considered by the Senate.
4. Recent scandals: Chile's security services have been accused of unlawfully exercising their powers of surveillance.
5. ID regime: Since 1973, Chile's national identification regime has principally comprised the "Rol Único Nacional" (unique national number).
Right to Privacy
The right to privacy is referred to in article 19 (Chapter 3) of the Chilean constitution:
"The Constitution assures to all persons: […]
4. The respect and protection of private life and the honour of the person and their family. [...]
5. The inviolability of homes and all forms of private communication. The home may only be searched and private communications and documents intercepted, opened or inspected in the cases and forms determined by the law [...]"
Regional and international conventions
Chile is a signatory to a number of international conventions with human rights implications, including:
- The Universal Declaration of Human Rights;
- The International Covenant on Civil and Political Rights;
- The International Convention on the Protection of the Rights of All Migrant Workers and Members of Their Families; and
- The American Convention on Human Rights.
According to the World Bank, in 2016 there were approximately 22.97 million mobile subscriptions in Chile, representing a mobile penetration rate of 127%. According to the Pew Research Center, approximately 65% of Chileans owned a smartphone in 2016. Facebook and Twitter are popular social media platforms in Chile, according to the report.
There is one internet exchange point in Chile, located in Santiago. It is owned by a company called NAP Chile. Fibre optic cables are implemented by private companies and supervised by the telecommunications regulator, SUBTEL.
Criminal Procedure Code
The Criminal Procedure Code regulates the communications interception procedure.
Article 218 allows for the seizure of all forms of correspondence, including email.
Article 222 establishes how interception takes place and how companies must comply with interception orders. It also states that "communications between the accused and his attorney cannot be intercepted, unless the judge so orders if he has reasons to believe that the lawyer is involved in the crime under investigation." The article also establishes that "the order for the interception must indicate the name and direction affected by the measure and indicate the form of interception and duration thereof, not exceeding sixty days. The judge may extend this period for up to an equal duration."
The data retention mandate is regulated by Decree No. 142, which is now being replaced by Decree No. 866; the new decree tries to expand the retention mandate to a long list of personal data points, for at least two years. Decree No. 866 is currently under review by the General Comptroller, and civil society group Derechos Digitales filed a brief in that process (followed by many other organisations and persons) to have the regulations rejected.
A 2005 amendment to Article 222 requires companies to comply with law enforcement interception orders: "The telephone and communications companies must comply with this measure by providing relevant officers the facilities needed to carry out interceptions as needed."
A 2004 amendment to the same article had previously required that: "Communication providers shall maintain an updated confidential list for prosecutors of its authorised IP address range and a record of the IP connections performed by their subscribers for at least the past six months". A 2011 law on child pornography then extended the retention mandate to a year.
Article 222 of the Criminal Procedure Code ends by asserting that communication companies required to carry out interception must do so secretly and not disclose it or report it to their customers.
Law No. 19.974
Law No. 19.974, which regulates intelligence services, also refers to the interception of communications. Article 24 allows for "the interception of telephone, computer, radio communications and correspondence in any form", in the context of investigations related to national security and organised crime matters. Article 25 clarifies that "the directors or heads of intelligence agencies shall request, personally or through an official subordinate expressly authorised to do so, the court authorization to use [that] procedure."
The interception of communications must only be done in order "to detect, neutralise and counter the actions of terrorists, national groups or international, and transnational criminal organizations or counter intelligence activities developed by national or foreign groups".
Telecommunication companies are referred to in Article 30: "Natural or legal persons are required to allow the performance of [interception of communications] upon display of court order. They shall accede to such request immediately or as indicated in the judicial authorisation".
The Penal Code
The Penal Code makes multiple references to the unauthorised interception of communications data, which it classifies as a felony.
Article 156 makes it a jailable offense for employees of postal and other communication services to intercept and access communications.
Article 161-A establishes as a crime punishable with imprisonment the capturing, interception, or unauthorised recording of any private conversation, and the dissemination of such conversation.
Security and law enforcement agencies
The ministries in charge of national security are the Ministry of the Interior and Public Security and the Ministry of National Defence.
Among its functions, the Ministry of the Interior and Public Security is mandated to:
- Propose to the President rules and actions on domestic policies to maintain public order, security and social peace;
- Promote and coordinate measures to prevent and control crime, violence and recidivism;
- Define and evaluate measures aimed at controlling crime and police response to violations of criminal law; and
- Set up contracts with public or private institutions, including municipalities, pertaining to the development, implementation and evaluation of policies, plans and programs for internal security and public order.
The main functions of the Ministry of National Defence are:
- Proposing and evaluating defence policy, military policy and national defence planning;
- Studying, proposing and evaluating policies and rules applicable to the defence sector and ensuring compliance;
- Studying the financial needs and budgetary sector and submitting the draft annual budget;
- Assigning and managing resources appropriate in accordance with the law;
- Supervising the activities of the defence sector and ensuring their efficient management in the organs that compose it;
- Reporting to Congress on policies and plans for national defence; and
- Supervising the investment of resources, services and institutions in the defence sector.
The main intelligence agency in Chile is the Agencia Nacional de Inteligencia (National Intelligence Agency, ANI), which is under the Ministry of the Interior. It was created in 2004, and is the head of the Sistema de Inteligencia del Estado (State Intelligence System), which coordinates the efforts of military intelligence and police intelligence.
Other military and law enforcement bodies have their intelligence units that are part of the State Intelligence System, including:
- Dirección de Inteligencia de Defensa del Estado Mayor de la Defensa Nacional (DID) — created in 1942;
- Dirección de Inteligencia del Ejército (DINE) — created in 1891;
- Dirección de Inteligencia de la Armada (DINA or DIRINTA) — created in 1965;
- Dirección de Inteligencia de la Fuerza Aérea (DIFA) — created in 1976;
- Dirección de Inteligencia Policial de Carabineros (DIPOLCAR, Police Intelligence Directorate), which is under the Ministry of the Interior; and
- Dirección Nacional de Inteligencia, Drogas e Investigación Criminal de Carabineros — created in 2014.
The function and mandate of the ANI is defined by Law 19.974, which regulates intelligence agencies. The National Intelligence Agency is a centralised public service dependent on the President of the Republic through the Minister of the Interior. It aims to produce intelligence to advise the President and the various higher levels of leadership of the State.
The functions of the ANI are:
- To collect and process information from all areas at the national and international level, with the purpose of producing intelligence and providing global and sectorial judgments, according to the requirements of the President;
- To create periodical intelligence reports, secret in nature, to be sent to the President and the ministries or entities he determines;
- To propose rules and procedures to protect the State's critical information systems;
- To request from the intelligence bodies of the Armed Forces and the Forces of Order and Public Security, as well as the National Directorate of the Gendarmerie, the information of the scope of their responsibility and in the competence of the (National Intelligence) Agency, through the corresponding technical channel. The aforementioned entities will be obliged to provide the documentation and reports in the same manner as requested;
- To request from the services of the State Administration included in article 1 of Law No. 18,575 (about the general framework of the administration of the State) the documentation and reports deemed necessary to fulfil their objectives, as well as from the corporations or institutions where the State has equity, participation or majority representation. The aforementioned entities will be obliged to supply the documentation and reports in the same manner as requested, through their respective senior leadership or management body;
- To provide for the application of intelligence measures in order to detect, neutralise and counter the actions of national or international terrorist groups, and transnational criminal organisations; and
- To provide for the application of counterintelligence measures, in order to detect, neutralise and counter intelligence activities developed by national or foreign groups, or their agents, excluding the second paragraph of Article 20.
The function and mandate of military intelligence are also defined by the same law:
"Military intelligence is a function that belongs exclusively to the intelligence services of the Armed Forces and the DID.
It includes intelligence and counterintelligence necessary to detect, neutralise and counter, inside and outside the country all activities that may affect national defence. [...]
Military intelligence is controlled by the institutions on which they depend.
The objectives of military intelligence of the Armed Forces shall be determined by the heads of their respective institution, based on the national defence policy, established by the Minister of National Defence.
The objectives of military intelligence of the Intelligence Directorate of the General Staff of National Defence shall be fixed by the Minister of National Defence."
The mandate and function of police intelligence is also defined by the same law:
"Police intelligence is a function that belongs exclusively to Carabineros and the Investigative Police of Chile, subject to the provisions of the second paragraph of Article 20.
It includes processing information related to the activities of individuals, groups and organizations that in any way affect or may affect the conditions of public order and domestic security.
The conduct of police intelligence services corresponds to the control of the institutions on which they depend."
In 2003, an investigation by the centre for investigative journalism Centro de Investigación Periodística (CIPER) revealed that police were engaged in intercepting communications data using a car equipped with an antenna and a laptop computer running software whose logo was "a sparrow on a stick." According to the investigation's source, this permitted police to listen to and record phone calls. One possible provider of this equipment, if the source's observation is correct, could be surveillance technology company Almenta.
An earlier article on the legal procedures governing interception described an interception process involving capturing IMEI numbers provided by telecommunication companies from within police offices. The officers were equipped with recording gear.
The surveillance and security technology tradeshow Sicur Latino America is usually held in Chile around October each year. The Chilean government officially sponsors the event.
A number of national and international surveillance technology companies operate in Chile. Deep-packet inspection manufacturer Blue Coat has offices in Chile. The German government has also sold surveillance technologies to Chile, according to a German parliamentary inquiry. A local company known as Mipoltec has served as an intermediary for the acquisition of surveillance technologies from companies such as Hacking Team. Global Systems Chile SpA, an affiliate of Rebrisa from Israel, has sold surveillance balloons to the commune of Las Condes in Santiago province, and recently won the contract with the prisons authority to provide ankle bracelets to monitor prisoners.
Surveillance oversight, checks and balances
Following the description of what is expected from telecommunication companies in terms of carrying out interception in Article 222 of the Criminal Procedure Code, Article 223 describes the measures in place to limit the privacy violations. The files are sent out directly to the prosecutor who is in charge of sealing them and guaranteeing their confidentiality. If the files are no longer relevant, a copy is sent to the people involved in the communications and the prosecutor's copy is then destroyed.
According to both the Criminal Procedure Code and the Law regulating intelligence services, data collected from surveillance can be used in court but not presented by the ANI. Other internal and external checks on intelligence agencies' powers are contained in Law No. 19.974. This law states that:
"The internal controls include, among others, the following:
a) The proper administration of the human and technical resources in relation to the tasks and institutional missions.
b) The proper use of funds allocated to the service so that they are rationally used to achieve their own tasks.
c) The adequacy of the procedures used to respect constitutional guarantees and legal and regulatory standards."
A parliamentary committee is responsible for carrying out external checks on the intelligence agencies' powers. This model of review by parliamentary committee, however, has been called relatively weak as the committee lacks investigative powers. The committee's sessions, as well as their records, are not made public.
Surveillance case law
The Supreme Court decision on video surveillance balloons in Santiago has had implications for surveillance in Chile. In September 2015, Derechos Digitales, along with local residents and fellow civil society organisations Fundación Datos Protegidos, ONG Fundamental and Libertades Públicas A.G., filed a suit against the two municipalities for their use of surveillance balloons alleging that these violated the constitutional rights to privacy and the sanctity of home. The Court of Appeals of Santiago banned their use in a first ruling in March 2016. The Supreme Court overturned the ban on appeal in June 2016. The Court recognised that such a sweeping surveillance mechanism did indeed pose a threat to fundamental rights but allowed their continued use with some conditions.
According to the Supreme Court, "given the characteristics of the surveillance system, that has been installed in mostly residential areas, we cannot but admit that those who live within its reach may feel observed and controlled, encouraged to change certain habits or avoid certain behaviours within a sphere of privacy such as domestic life". However, this meant the need not for a ban, but for safeguards that the Court itself provided, as no previous rules exist for massive surveillance schemes. The authorisation regime set by the Supreme Court includes: recording only over public spaces, supervision by a municipal inspector against recordings of private spaces, deletion of content after 30 days, and recorded access to the images by authorised persons.
Examples of surveillance
Though it is difficult to identify clear instances of surveillance, the most widely surveilled groups are reportedly drug dealers, anarchist groups and indigenous communities in the southern region of the country. The indigenous communities have also reportedly been targeted by surveillance drones.
Digital rights NGO Electronic Frontier Foundation reported that trade union community website Huelga.cl was approached by the Cyber Crime Police. The police required the website to hand over confidential data on its users. As the police came without a warrant, Huelga.cl refused to hand over the data. The article from the investigative outlet CIPER mentioned above revealed that the police were illegally intercepting conversations for which they had not obtained warrants.
In May 2015, police arrested Bryan Seguel, a student, accusing him of having assaulted a police officer. It was eventually demonstrated that the video that had captured the image of the assault had wrongly linked it to his Facebook profile picture, and the Carabineros police held a list of likely culprits of disorderly conduct during student protests.
In June 2017, the commune of Las Condes announced it was installing surveillance cameras with facial recognition capacities.
In September 2017, eight members of Mapuche indigenous communities were arrested and placed in prison awaiting trial for terrorist activity based on a report by the Dirección Nacional de Inteligencia, Drogas e Investigación Criminal de Carabineros that allegedly included their WhatsApp and Telegram conversations. The operation was called Operation Hurricane (Operación Huracán). A habeas corpus petition was filed by their public defenders, and the Supreme Court liberated the eight men on appeal as the ruling that imprisoned them was found to lack sufficient justification. It is currently unknown if the police intercepted the communications, and if so, how.
Data protection laws
In 1999, Chile became the first South American country to pass a comprehensive data law. The law is, however, weak as it does not grant data the same protected status as "private life" or "private communication", the fundamental rights to which are protected by the Constitution. Therefore, constitutional actions cannot be carried out against state or private companies in case of breaches in data protection. According to the civil society group Derechos Digitales, the law exists to provide a legal framework to the current processing and treatment of data.
Despite the data protection law, Chile has no data protection authority. A new data protection law, which would mandate a new data protection authority, was announced in 2014, and the draft bill was placed in public consultation. Two years later, a new announcement was made that the bill would be reviewed by Congress during the second half of 2016.
In March 2017, President Michelle Bachelet eventually signed the new Data Protection bill to establish a data protection authority. Following discussion with members of the Senate, the presidential bill was fused with a Senate bill in August 2017.
Freedom of information
Law 20.285 allows for access to government-held information. The exceptions to this law are:
"1. If the publication or the knowledge of that information could affect the proper performance of the executing authority, particularly:
a) If it is at the expense of prevention, investigation and prosecution of a crime or offence or in the case of information necessary for legal and judicial defences.
b) Prior to the adoption of a decision, action or policy deliberations, notwithstanding that those fundamentals are public once they are adopted.
c) If those are generic requirements, or referring to a large number of administrative acts or their background, as treating those requests would require an inadequate amount of work for the civil servants in charge.
2. If the publication or the knowledge of that information could affect the rights of people, particularly in the case of their safety, health, sphere of privacy or commercial and economical rights.
3. If the publication or the knowledge of that information could affect the security of the nation, particularly if it relates to national defence or the maintenance of public order or public safety.
4. If the publication or the knowledge of that information could affect the national interest, especially if they relate to public health or the international relations and economic or commercial interests.
5. In the case of documents, data or information that a law of qualified quorum declared confidential or secret, according to the grounds mentioned in Article 8 of the Constitution."
Data breaches: case law
In October 2015, documents containing many persons' sensitive personal information were found thrown away near a highway not far from the Santander bank that had gathered the information. In November 2015, the civil society organisation Datos Protegidos filed a lawsuit in civil court accusing the bank of failing to exercise due diligence in the handling of the personal data. There are neither specific provisions on data breaches nor on notification of individuals that their personal information has been breached.
The Lower Court's ruling on the case was rendered in December 2016. The court ruled that as a data bank, the Santander bank fell within the scope of application of Law 19.628, which obliges it to observe due diligence with respect to the data it collects. The court also found that Santander had been negligent in the handling of the personal data.
Examples of data breaches
We are not aware of any examples of data breaches in Chile other than the above. Please send any tips or information to: firstname.lastname@example.org
ID cards and databases
In 1969, the Internal Tax Service introduced a new way to identify taxpayers by providing identification cards with a number correlated with the inscription number at the Civil Registry Service. This number, the Rol Único Tributario (tax number), was extended in 1973 as the "Rol Único Nacional" (unique national number) to all persons to facilitate participation in all areas of commerce and relations with the State. The Civil Registry Service assigns a number to all Chilean citizens upon registration of their birth. Identity cards with a duration of up to 10 years are issued by the same entity.
Identity cards are also issued for foreign nationals, who are required to register and obtain a RUN number if they wish to be residents, even if only temporarily. Until 2014, RUN numbers were also the same as passport numbers.
Chile was one of the first countries to have a fully functional border control kiosk based on facial recognition biometric technology. Passports are scanned in one of 60 kiosks in Santiago airport and the passport picture is compared to a picture captured by a digital camera. Once the identity is confirmed, the facial image is checked against an Interpol facial database and a local Chilean database. The Investigations Police (Policía de Investigaciones) has access to this system.
The electoral roll for each election must be published 90 days before the election takes place, according to article 33 of Law No. 18.556. It includes the address from the electoral registry. The roll cannot be used for commercial purposes; however, it is legally a publicly available source of personal data from which new databases can be constructed. Because of the lack of security measures for access to that information, such databases are easy to produce, for example.
SIM card registration
Policies and Sectoral Initiatives
The Ministry of the Interior announced the creation of the Interministerial Committee on Cybersecurity in July 2015. Soon afterwards, the Committee held a series of consultations with key stakeholders from government, the armed forces, police and prosecutors, academia and civil society. After the series of meetings, a draft Proposal for a National Policy on Cybersecurity was announced and circulated for public consultation from February to April 2016.
The new cybersecurity policy was launched in April 2017. It includes several statements in favour of encryption and considers surveillance by state actors a threat to cybersecurity.
There is a cybercrime law in Chile (Law 19.223) but it does not contain provisions allowing for access to and collection of data by law enforcement.
Chile acceded to the Budapest Convention on Cybercrime in April. The government also announced a new cybercrime bill to replace the current one, which would facilitate its compliance with the Budapest Convention.
There is no explicit mention of encryption in Chilean law. However, mentions of encryption in the 2017 cybersecurity policy could lead to future bills or policies being enacted that regulate encryption.
Licensing of industry
Chile's telecommunications regulatory body is the Undersecretariat of Telecommunications (Subsecretaria de Telecomunicaciones, SUBTEL).
Communications Service Providers
According to statistics from SUBTEL, in the first trimester of 2017, the main mobile operators in Chile were Entel PCS (owned by Entel), with 32.9% of the market share, followed by Movistar (owned by Telefónica) with 32.2%, Claro (owned by América Móvil) with 25.5%, and others like WOM (6.7%), Virgin (1.5%), and VTR (0.7%). The most significant broadband providers in Chile are VTR (37.5% market share) and Movistar (35.5%). Others include Claro (13.2%), GTD (8.7%), and Entel (1.2%).
All companies are now privately owned, the majority by foreign companies; Entel was formerly a state-owned company before being entirely privatised in 1992. Telefónica is headquartered in Spain, and América Móvil is Mexican.
The most recent digital agenda, Agenda Digital 2020, was unveiled during the first trimester of 2016 following a series of consultations and meetings held during 2014.
The plan consists of 60 measures and policies, from connectivity to e-commerce and personal data protection. It has been strongly criticised for its lack of detail and because it did not appear to incorporate an evaluation of previous processes also called "digital agendas", particularly regarding digital rights including privacy.
Health sector and e-health
Currently, a national ID number is required to access many healthcare services in Chile. Certain medical data enjoys a slightly higher level of protection.
In 2016, CORFO (the Chilean Economic Development Agency) launched "Salud más Desarrollo" ("Health + Development"), a strategic national programme aiming to reinforce the development of an industry of services, technology and health management. The objective of the program is to collaborate to improve Chile's public health system and the quality of the service. It has been suggested that in order for the programme to succeed, it must have centralised systems to hold patients' information that are subject to more stringent legal protections.
We are not aware of any privacy issues related to smart policing in Chile.
Transportation cards were introduced in Santiago in 2003 as a payment option for the subway train system. Their use was expanded with the launch in 2007 of Transantiago, a completely renewed set of city bus routes that has been modified several times in recent years, when the new Bip! card was introduced.
The system keeps information on the last 90 days of each prepaid transportation card's data, including the current amount of money, the time the card was used to validate a trip, the bus route or the subway station used, and each time the card has been topped up. This information can be checked with the card's unique number on a website.
Primary, high school, and university students can benefit from a reduced-fee transportation card. The card (Tarjeta Nacional Estudiantil) also serves to identify its holder as a student for other purposes, and holds information about its owner.
The government has installed closed-circuit television cameras (CCTV) in many public places. At least one company based in Chile offers governments solutions for "smart city" initiatives. NEC offers a range of sensing, monitoring and control smart city technologies with privacy implications.
We are not aware of any privacy issues related to migration in Chile.
We are not aware of any privacy issues related to emergency response in Chile.
Humanitarian and development programmes
We are not aware of any privacy issues related to humanitarian and development programmes in Chile.
In 2011, the government was harshly criticised for announcing that it would contract the company BandMetric to monitor public perception of the government as expressed over social networks. Evidence suggests that BandMetric is still being used by the current government of President Bachelet.