Legal and regulatory framework
How can the government’s attitude and approach to internet issues best be described?
The Chilean government’s attitude and approach to internet issues is very proactive, positive and concerned with fostering the use and growth of new technologies. The government developed a special public policy (its digital strategy) to develop and increase the use of technology as the key to the progress of Chile. The purpose of the digital strategy is to increase the use of technologies by companies, the government and universities, and to establish the adequate legal framework to assist in reaching these goals.
What legislation governs business on the internet?
There is no single piece of legislation regarding business on the internet. Legislation has been enacted on e-signatures, data protection, computer crime, intellectual property, internet neutrality and other internet-related issues such as consumer protection. In addition, general provisions in Chilean law govern business on the internet, such as the Constitution, the Civil Code and the Commerce Code.
Which regulatory bodies are responsible for the regulation of e-commerce, data protection and internet access tariffs and charges?
There are no specific regulatory bodies directly responsible for the regulation of e-commerce, but there are agencies in charge of supervising specific fields related to e-commerce. The consumer protection agency (SERNAC) checks the compliance of protective provisions on B2C electronic agreements.
The Government Agency of Telecommunications (SUBTEL) considers internet services as complementary telecommunications services where there is no need to have a licence or permit to render internet access services. Notwithstanding that, SUBTEL supervises internet service providers’ compliance with the Telecommunications Act, but ISPs may freely set the tariffs and charges for their services.
Data protection in Chile is governed by Law No. 19,628 (the Privacy Protection Act). This law regulates the automatic and non-automatic processing of personal data by government or private entities in data registries. Currently, there is no data protection agency or authority.
On 26 August 2011, a net neutrality law was approved in Chile establishing the net neutrality principle, by which content cannot be discriminated by ISPs, and minimum conditions to be fulfilled by ISPs in the provision of internet access services (website mandatory disclosure to the level of service provided, including speed of the service, service-level agreements, use of actions for network managing and traffic control, local and international connection quality standards). This is supervised by SUBTEL.
What tests or rules are applied by the courts to determine the jurisdiction for internet-related transactions or disputes in cases where the defendant is resident or provides goods or services from outside the jurisdiction?
Normally, a company with only an online presence in Chile would not be subject to Chilean law nor to the jurisdiction of Chilean courts, unless the parties agree to submit the dispute to Chilean law or to Chilean courts, which is valid in Chile. However, it is important to mention that certain acts and contracts, as a matter of Chilean public policy, will be subject to Chilean law regardless of the agreement of the parties (eg, when goods are located in Chile, local law applies).
Establishing a business
What regulatory and procedural requirements govern the establishment of digital businesses in your jurisdiction? To what extent do these requirements and procedures differ from those governing the establishment of brick-and-mortar businesses?
If a digital business company wants to physically establish in Chile, it will have to comply with all regulatory and procedural requirements governing the establishment of brick-and-mortar businesses. Chilean law does not differentiate between the two types of companies because it could be interpreted as favouring one over the other.
Contracting on the internet
Is it possible to form and conclude contracts electronically? If so, how are contracts formed on the internet? Explain whether ‘click wrap’ contracts are enforceable, and if so, what requirements need to be met?
Yes, it is possible to form and conclude contracts electronically. Contracts can be formed using electronic documents and signatures. ‘Click wrap’ contracts are enforceable as long as their formation is in compliance with consumer protection provisions, which require, inter alia, that the consumer receives an integral, clear and readable copy of the executed agreement. In this case, it is important that the consumer has an expedited access to all the relevant information to conclude the agreement.
Are there any particular laws that govern contracting on the internet? Do these distinguish between business-to-consumer and business-to-business contracts?
Yes, together with general provisions there are particular laws governing contracting on the internet, such as the Law on Electronic Documents, Electronic Signature and Electronic Signature Certification Services (the E-Signature Act) and the Consumer Protection Act, which contains special provisions for contracting on the internet. The E-Signature Act provides that contracts entered into with electronic signatures shall be equally valid and effective as those executed on paper.
The E-Signature Act applies to business-to-consumer (B2C) and business-to-business (B2B) contracts. The Consumer Protection Act generally applies to B2C contracts, not B2B contracts. The Consumer Protection Act will be applicable to businesses if they acquire, use or enjoy, as final recipients, goods or services.
How does the law recognise or define digital or e-signatures?
The E-Signature Act recognises two electronic signatures: the electronic signature and the advanced electronic signature. The electronic signature is defined as any ‘sound, symbol or electronic process that allows the recipient of an electronic document to at least formally identify its author’. On the other hand, advanced electronic signature is defined as one ‘created using means controlled exclusively by the holder so that it is linked to it and to the data to which it refers, allowing the detection of any alterations, the verification of the identity of the holder and the prevention of the repudiation of its integrity and authorship’. This signature must be certified by a registered third party.
Are there any data retention or software legacy requirements in relation to the formation of electronic contracts?
No, there are no data retention or software legacy requirements in relation to the formation of electronic contracts in Chile.
Are any special remedies available for the breach of electronic contracts?
The remedies available for the breach of electronic contracts are the same as for non-electronic contracts. This equality is expressly manifested in the law on electronic signatures by recognising the principle of equivalence of media. This principle imposes the recognition of the same effects of the act or contract consisting of electronic means as it would have if it were made by other traditional means. Its application is no more than the materialisation of the principle of equality before the law and its objective is non-discrimination in relation to the media, in terms of legal effects, validity or binding force.
What measures must be taken by companies or ISPs to guarantee the security of internet transactions? Is encryption mandatory?
There are no specific regulations regarding the security of internet transactions applicable to companies or ISPs. Banks are subject to specific requirements to guarantee the security of internet transactions that require encryption of the data (eg, for wire transfer or data processing of their clients). Aside from the specific rules for banks, encryption is not mandatory for companies or ISPs.
Government intervention and certification authorities
As regards encrypted communications, can any authorities require private keys to be made available? Are certification authorities permitted? Are they regulated and are there any laws as to their liability?
Courts can require private keys to be made available. Certification services may be freely provided by domestic or foreign legal entities, upon compliance with certain conditions and obligations, without prior authorisation. However, only those certification service providers domiciled in Chile and registered before the Undersecretary of Economy, Promotion and Reconstruction may issue advanced electronic signature certificates.
Certification service providers not established in Chile may issue advanced electronic signature certificates (as if issued by an entity domiciled in Chile), provided such certificates are homologised by a certification service provider established in Chile, under its responsibility after compliance with certain requirements contained in the E-Signature Law, its regulations or international treaties to which Chile is a party. The E-Signature Law regulates the liability of certification authorities.
Are there any rules, restrictions or other relevant considerations regarding the use of electronic payment systems in your jurisdiction?
The financial sectors, especially the banking sector, in Chile are vigorously regulated. However, in the area of electronic payment, Chile has not made much progress. The law on means of payment (Law No. 20,950) introduces for the first time the figure of non-banking service providers. The law authorises the issuance and operation of means of payment with provision of funds or any other similar system (prepaid cards) by non-banking companies, which imply that the issuer or operator habitually contracts obligations of money with the general public or with specific sectors or groups of it.
Are there any rules or restrictions on the use of digital currencies?
Digital currencies are not regulated in Chile. However, the Chilean Internal Revenue Service (SII) has pointed out that ‘according to Chilean legislation, they cannot be considered a currency’, as the Central Bank of Chile proposed at the time, since for that they require legal recognition as such. The SII defined cryptocoins as ‘monetary assets agreed between private individuals’. The Court for the Defence of Free Competition decided to reject the application of banks operating in the country, which had required the annulment of the precautionary measure that forced them to keep open the accounts of the firms operating digital currencies in the country.
What procedures are in place to regulate the licensing of domain names? Is it possible to register a country-specific domain name without being a resident in the country?
Network Information Centre Chile (NIC) is the entity in charge of the registration of .cl top-level domain names that identify Chile on the internet. In this role, it is responsible before the local and global internet community for its secure and efficient operation, to allow persons, enterprises and institutions to build their identity on the internet under the .cl domain. NIC authorisation originates from the Internet Assigned Numbers Authority. The process for registering a domain name must be made exclusively by electronic means, either by email or via the NIC web page. NIC will automatically send a statement confirming that the applicant complies with the terms and conditions of NIC. NIC will charge a registration fee of US$40. Following payment, NIC publishes the application on its website for 30 days to allow third parties to acknowledge it and challenge the applicant’s right to the domain name. If the domain name goes unchallenged during those 30 days, the applicant will receive notification that the domain name has been registered. If the domain name is challenged or two or more applications for the registration of the same domain name are being processed, the dispute will be resolved by an arbitration panel.
NIC rules provide that all individuals currently domiciled in Chile, as well as legal entities, whether public or private, that were incorporated in Chile or that are properly authorised to operate in Chile, can request the registration of a domain name. As regards foreign applicants, they can apply for a .cl domain name through a third party domiciled in Chile and the application must state that the third party is acting as an agent.
Do domain names confer any additional rights beyond the rights that naturally vest in the domain name?
Under the NIC regulations, domain names do not confer any additional rights in relation to trademarks or passing off beyond the rights that are naturally vested in the domain name. Additionally, Chilean trademark regulations are based on civil law, so common law rights do not arise from use of a domain name.
Will ownership of a trademark assist in challenging a ‘pirate’ registration of a similar domain name?
Chilean law protects trademarks by recognising a property right over the expressions and distinctive signs. However, this is limited to products and services protected by the corresponding registry, thus the owner of a trademark cannot pretend to have a per se right over a denomination on the internet just by virtue of having the registration of a trademark. A challenge to an existing domain name will only be effective if it infringes the scope of the trademark’s protection. There are two ways in which a trademark may interfere with a domain name:
- as foundation of a preferential interest to an early revocation request of a domain name within the 30-day period when the application is published; and
- as one of the elements to file a late revocation request of a domain name after the 30-day period since the application is published.
In those cases, NIC rules establish that the registration will be suspended until the arbitration panel resolves the dispute.
Once the process is initiated, no new applications for the domain name in dispute will be received. NIC does not have any participation in the arbitration stage other than the designation of the arbitration panel. The registration may be revoked if the arbitration panel determines that the relevant applicant was in fact violating the trademark rights of the challenger by the use of the domain name, when its registration is abusive or was performed fraudulently (similar to the Uniform Dispute Resolution Policy of the Internet Corporation for Assigned Names and Numbers).
The existence of this procedure within the NIC rules does not prohibit parties from suing through ordinary procedures that Chilean law provides, such as those for trademark infringements, or making a complaint to the antitrust authorities.
How are domain name disputes resolved in your jurisdiction?
Any conflict arising in connection with the revocation of a .cl domain name shall be resolved according to the .cl Domain Name Dispute Resolution Policy. All disputes shall be submitted, resolved and processed in accordance with the arbitration procedure established in said policy.
The parties may appoint an arbitrator by mutual agreement. Failing such agreement, the parties expressly and irrevocably authorise NIC to appoint, on their behalf, an arbitrator selected from a list to be published on its website, and this arbitrator shall be deemed to have been appointed directly by each party.
The arbitrator’s decisions shall be final and cannot be disputed or appealed. All applicants and registration holders expressly waive their right to dispute or appeal said decisions. The arbitrator is especially authorised to resolve all matters relating to his or her competence and jurisdiction.
Except for appointing the arbitrator according to procedure and enforcing the arbitration award, NIC shall not be involved in the arbitration in any manner.
What rules govern advertising on the internet?
There are no special rules governing advertising on the internet in Chile. Therefore, in the absence of specific legislation, general provisions of Chilean law will apply. Provisions governing advertising activities may be found in Law No. 19,733 on freedom to report, the Consumer Protection Act and the non-binding rules imposed by the Council of Self-Regulation and Advertising Ethics (Conar), an advertising industry ethics commission. However, the Regulation of Law No. 20,606 on nutritional composition of food and its advertising establishes some special rules regarding online advertising addressed to children under 14 years old of products that fail to satisfy the requirements of such law.
How is online advertising defined? Could online editorial content be caught by the rules governing advertising?
There is no definition of online advertising in Chilean legislation. However, there is a broad definition of advertising in the Consumer Protection Act: ‘The communication that the provider directs to the public by any appropriate means for the purpose, to inform and motivate them to purchase or hire a good or service, meaning incorporated into the contract the objective conditions contained in advertising until the time of concluding the contract.’ Therefore, there are two elements:
- a subjective element (motivation or inducing the consumer to hire); and
- an objective element (information about the good or services promoted).
Conar defines advertising as: ‘any activity or form of communication to the public or a segment thereof, in order to influence their opinions or behaviours, through any means, including promotions, placement and other activities or events held promotional, commercial and/or to compete with other alternatives’. Online editorial content is not the kind of content that could be encompassed in the definitions because there is no interest in promoting a certain good or service.
Are there rules against misleading online advertising?
Yes, the Consumer Protection Act establishes a series of cases of misleading advertising, such as:
- when the advertised product shows amounts, percentages or components that it does not contain therein;
- when the good or service is not suitable for the purposes offered;
- when important features of a good or service are advertised or highlighted but it does not have them;
- when the price, form of payment or the cost of credit differs from the product or service advertised;
- when the warranty conditions offered are different from those actually delivered;
- when a product in contrast to what is advertised is capable of producing damage to the environment, quality of life, or does not have the status recyclable or reusable; and
- when through advertisements the provider produces confusion over the identity of the company offering the product, brand names or logos of competitors.
By such misleading advertising cases, the provider could face fines ranging from US$4,000 to US$60,000, or US$80,000 if the misleading advertising results in environmental damage.
According to the Consumer Protection Act, the advertising claims must be substantiated and testable. Therefore, if an advertiser claims a certain feature of a product or a service, he or she must keep on record all the evidence that supports such a feature. These rules apply centrally.
Are there any products or services that may not be advertised on the internet?
There are no specific regulations that refer to advertising or content on the internet. However, under the general principles of Chilean law, courts can rule that certain indecent content (whether shown on the internet or elsewhere) is prohibited. The same is the case for food product advertising addressed to children under 14 years old. There are also certain restrictions regarding some electronic products (such as kettles), drugs, weapons, etc.
What is the liability of content providers and parties that merely host the content, such as ISPs? Can any other parties be liable?
In Chile, there are no rules regarding the liability of content providers and parties that merely host advertising content. The rules of liability of the ISP are established in regards of copyright infringement. By the same token, any infringement related to advertising rules and consumers will be governed by the liability rules established in the Consumer Protection Act.
Is the advertising or selling of financial services products to consumers or to businesses via the internet regulated, and, if so, by whom and how?
General rules apply to the advertising or selling of financial services products to consumers or to businesses via the internet, since there is no special regulation. Therefore, in general terms, management of third-party assets, lending activities, money brokerage, insurance services and public offering of securities are restricted to legally authorised entities and advertisement must be done according to specific rules. In that sense, the Consumer Protection Act contains several provisions on the requirements to be met by financial services contracts.
Are ISPs liable for content displayed on their sites? How can ISPs limit or exclude liability?
There are no special rules regarding limitation of ISP liability for defamatory content. General rules apply to this matter and therefore an ISP may or may not be liable depending on whether the unlawful content was displayed with wilful misconduct or negligence.
Shutdown and takedown
Can an ISP shut down a web page containing defamatory material without court authorisation?
There are no safe harbours established in the law for defamatory material. An ISP may shut down a web page containing defamatory material based on the termination provisions of the user agreement, but at the same time the user may claim that the shutting down of his or her web page infringed consumer protection provisions.
Third-party links, content and licences
Can a website owner link to third-party websites without permission?
The website owner may link to a third-party website without permission, provided that it does not infringe copyright, trademark or unfair competition laws.
Provisions on ISPs’ limitation of liability contained in the Chilean Copyright Law (No. 17,336) provide as follows:
- ISPs will not be obliged to compensate for damage derived from third parties’ copyright infringements (safe harbours) committed through systems or networks controlled or operated by a service provider, provided that the service provider complies with the specific conditions requested (ISPs may only be subject to the remedies established in law, which in all cases will require a previous resolution issued by a court); and
- ISPs must forward the infringement notices sent by copyright holders to their users (forward of infringement notice system).
Service providers fulfil their obligation just by forwarding infringement notices; they are not compelled to take content down or authorised to provide personal data from their users to copyright holders without a court resolution. This system establishes requirements that infringement notices of copyright holders must comply with to ensure that they are sent by responsible entities with representation in Chile. In this way, the new provision deprives infringement notices sent automatically from different parts of the world of legal validity.
It is important to note that a website owner may link to a third-party website without permission, if such activity is covered by the copyright exceptions contained in the Copyright Law; for example, linking for purposes of information or comment, indicating the name of the website.
Can a website owner use third-party content on its website without permission from the third-party content provider? Could the potential consequences be civil in nature as well as criminal or regulatory?
Website owners cannot use third-party content on their websites without permission from the third party, unless the content is in the public domain or the use is covered by one of the copyright exceptions contained in the Chilean Copyright Law. Otherwise, the website owner could face civil or criminal liability according to the Copyright Law.
Can a website owner exploit the software used for a website by licensing the software to third parties?
If the website owner is the copyright holder of the software or is entitled to sub-license the software, the website owner may license the software to third parties. If the website owner is not the copyright holder of the software or has no right to license the software used for the website, the website owner is not entitled to license the software to third parties.
Are any liabilities incurred by links to third-party websites?
There are no special regulations on this matter, but general provisions may apply if a copyright, trademark or unfair competition infringement is committed by the link to third-party websites.
Is video content online regulated in the same way as TV content or is there a separate regime?
No, video content online is not regulated in the same way as TV content. Regarding intellectual property rights, general rules apply. Hence, if the content is unlawful, the ISP could be liable.
IP rights enforcement and remedies
Do authorities have the power to carry out dawn raids and issue freezing injunctions in connection with IP infringement?
According to Law No. 19,912, one way to protect intellectual property is the issuance of border measures by a court. The copyright holder may apply before Chilean civil courts for the suspension of release of goods at customs, when on simple examination it is clear they are counterfeit goods or goods infringing trademark or copyright.
In addition, according to the Chilean Copyright Law, the copyright holder may request the court to enact injunctions, such as:
- immediate suspension of the sale, circulation, exhibition, performance, representation or any other form of allegedly infringing exploitation;
- the prohibition of agreements and contracts on certain goods, including the prohibition to advertise or promote products or services involved in the alleged infringement;
- retention of allegedly unlawful copies;
- retention or seizure of the materials, machinery and implements that have been intended for the production of allegedly illegal, or allegedly infringing activity copies when necessary to prevent future violations;
- removal or withdrawal of devices that have been used in unauthorised public communication, unless the alleged offender ensures it will not resume the infringing activity;
- the appointment of one or more auditors; and
- the impounding of the proceeds of recitation, representation, reproduction or execution, to the amount corresponding to copyright prudentially set by the courts.
All injunctions proceed with a previous resolution by a court.
What civil remedies are available to IP owners? Do they include search orders and freezing injunctions?
In addition to the remedies available under the Copyright Law, the copyright owner is entitled to recover the actual damages suffered by him or her as a result of the infringement and any profits of the infringer that are attributable to the infringement.
Data protection and privacy
Definition of ‘personal data’
How does the law in your jurisdiction define ‘personal data’?
Personal data is defined by the Privacy Protection Act as ‘any data related to any information concerning identified or identifiable natural persons’. It is not clear whether expression of opinions and intentions are within the scope of the law and, consequently, whether they may be processed by data users. It seems that the definition of ‘any information’ includes both objective facts as well as subjective opinions.
There is a category of ‘sensitive personal data’, which is defined as data that refers to the physical or moral characteristics of persons or to facts or circumstances of their private life or intimacy, such as personal habits, racial origin, ideologies and political opinions, beliefs or religious convictions, conditions of physical or mental health and sex life. Sensitive data may not be processed, unless, the law so authorises, there is consent from the subject or the data is necessary for the determination or granting of health benefits to the data subject.
In this jurisdiction, ‘to anonymise personal data’ can be considered as a ‘data dissociation process’, which is defined by the law as ‘any data processing by which the information obtained cannot be related to an identified or identifiable individual’. The data dissociation process requires written authorisation from the data subject. This authorisation as any other authorisation can be obtained by electronic means.
Do parties involved in the processing of personal data, such as website owners, have to register with any regulator to process personal data?
No, a website provider does not have to register with any regulator in order to process personal data. However, databases managed by public bodies must be recorded in a public registry maintained by the Civil Registration and Identification Service. The records kept by the Service must be made public. Additionally, each record must include statements that explain the legal grounds for its existence, the purpose and type of data stored within and a description of the scope of persons that the data covers. This information must be provided by the responsible government agency to the Service. Furthermore, any changes to the information contained in the data must be reported to the Service within 15 days of their occurrence.
Personal data may only be used for the purposes for which it was compiled, unless it originates or has been compiled from sources accessible to the public. Therefore, a website provider may not sell personal data about website users to third parties when the personal data was provided directly from the user to the website provider. Notwithstanding the above, the website provider may sell personal data about website users to third parties when the personal data originates or has been compiled from sources accessible to the public when such data is:
- economic, financial, banking or commercial in nature;
- contained in lists relating to a class of persons and limited to indicating information such as that of belonging to a particular group, the person’s professional or business activities, educational degrees, address or date of birth; or
- necessary for a direct response to commercial communications or the direct sale of goods and services.
The Chilean Privacy Protection Act does not prescribe the appointment of an in-house data protection officer.
Could data protection laws and regulatory powers apply to organisations or individuals resident outside of the jurisdiction?
The Privacy Protection Act does not contain a specific provision in this respect. However, considering that transfer of data is deemed as data processing according to the Privacy Protection Act, it will be required to inform the individual about the purpose of the data processing, the potentially public communication of the data and obtain the authorisation of the individual, unless exceptions covered by the same Act apply, in which case no authorisation is needed. Such exceptions are:
- when the personal data has been originated or has been gathered from sources available to the public when such data is:
- of an economic, financial, banking or commercial nature;
- contained in listings relating to a class of persons and is limited to indicating information such as the fact of belonging to a particular group, the person’s profession or business activity, educational degrees and address or date of birth; or
- necessary for direct response commercial communications or direct sale of goods and services; and
- when the personal data has been processed by private legal entities for their exclusive use or the exclusive use of their associates and entities that are affiliated with them, for statistical or rate-setting purposes or other purposes of general benefits for the associates and entities mentioned in the Privacy Protection Act.
The protection granted to a foreign national is the same as the protection granted to a Chilean citizen; the Act does not distinguish between national and foreign individuals.
Is personal data processed on the basis of customer consent or other grounds? What is the commonly adopted mechanism for obtaining customer consent or establishing the other grounds for processing?
The grounds for data processing, contained in the Privacy Protection Act, are those regarding the authorisation or consent of the individual, the finality principle (personal data must be used only for the purposes it has been collected for, and those purposes should be permitted by the Chilean legal system) and the requirement to inform about the potential communication of the data to the public. There are no opt-in or opt-out requirements for data protection in the Privacy Protection Act. Therefore, the most common mechanism to obtain consent from the individual is by subscription to data protection agreements (by traditional or electronic means).
Sale of data to third parties
May a party involved in the processing of personal data, such as a website provider, sell personal data to third parties, such as personal data about website users?
Yes, a party involved in the processing of data may sell personal data to third parties. However, such transfer is considered as data processing and, therefore, the data subject must be informed of the purpose of the data processing, the potential communication of the data to the public and must provide authorisation. Such authorisation must be stated in writing (traditional signature or by electronic means).
If a website owner is intending to profile its customer base to carry out targeted advertising on its website or other websites visited by its customers, is this regulated in your jurisdiction?
There is a bill aiming to modify the Consumer Protection Act and the Privacy Protection Act, introducing an opt-in mechanism for targeted advertising in which all the targeted advertising communication must be expressly authorised by the consumer. We are not aware of any laws or judgments that have been passed on profiling.
Data breach and cybersecurity
Does your jurisdiction have data breach notification or other cybersecurity laws specific to e-commerce?
No, Chile does not have data breach notification laws. We are not aware of other cybersecurity laws specific to e-commerce.
What precautionary measures should be taken to avoid data breaches and ensure cybersecurity?
In 2018, the Superintendency of Banks and Financial Institutions (now the Financial Market Commission) made a series of regulatory changes on cybersecurity that aim to have more and better information on cybersecurity incidents in financial institutions. The changes improve the incident reporting system, establishing the required mechanism and information. From now on it will be an obligation to inform users and customers in a timely manner about incidents that affect the quality or continuity of services, the security of their personal data or are a fact of public knowledge. The changes also establish the obligation to maintain a cybersecurity incident alert system among industry members, so that they share part of the incident information, so that other entities can take the necessary measures.
From the government, the President signed a presidential instruction on cybersecurity that establishes a series of measures for state agencies to improve the level of preparedness for the possibility of incidents that affect the security of their systems and platforms, namely:
- the duty of each head of service to designate a high-level cybersecurity officer;
- the development by the General Secretariat of the Presidency of up-to-date technical standards in the areas of cybersecurity, electronic documents, network security and information security;
- the duty to assess the vulnerabilities of each service within 60 working days, and the proposal of internal measures and a short-term plan to address them;
- in the case of bodies that manage critical infrastructure, they must produce a report within 30 consecutive days, in which they must analyse in detail their internal cybersecurity policy;
- verification of compliance with existing cybersecurity measures by the Government Entity Coordination Centre (CCEG), and the establishment of monitoring mechanisms, in conjunction with service chiefs;
- the duty to report security incidents as soon as they are known to the CCEG;
- in addition to the measures available to each service chief in the event of an incident, the CCEG shall have the duty to adopt measures to ensure the continuity of the operation of public service networks and platforms in the event of an incident; and
- a transitional governance on cybersecurity issues is established by a National Cybersecurity System Coordinator under the Ministry of the Interior and Public Security.
Is cybersecurity insurance available and commonly purchased?
No, cybersecurity insurance is not currently available in Chile.
Right to be forgotten
Does your jurisdiction recognise or regulate the ‘right to be forgotten’?
No, the right to be forgotten is not regulated, despite the fact that the Privacy Protection Act establishes that personal data must be deleted or cancelled when its storage lacks legal basis or the term for which it is allowed to be stored has expired. There are at least two bills in Chile regarding the right to be forgotten, although both bills are in Congress with no movement.
What regulations and guidance are there for email and other distance marketing?
The Consumer Protection Act contains a provision regarding email and distance marketing. The provision states that all promotional or advertising communication sent by email must indicate the subject or matter to which it relates and the identity of the sender, and contain a valid address to which the recipient may request the suspension of advertising communication, which must be stopped from that point onwards. Providers that direct promotional or marketing communications to consumers via post, fax, telephone calls or messaging services shall indicate an expedited way the addressees may ask the suspension thereof.
In 2020, the consumer protection agency (SERNAC) implemented the regulation for the Do Not Disturb system. The Do Not Disturb system provides that consumers registered in the Consumer Portal, provided by SERNAC, can indicate the company and the specific communication channel (eg, phone calls, WhatsApp messages, emails) they wish to block for promotional communications. This information will be made available to the companies registered in the Supplier’s Portal in their account, and at the same time, they will receive a daily report from SERNAC with the information of the suspension requests.
What rights and remedies do individuals have in relation to the processing of their personal data? Are these rights limited to citizens or do they extend to foreign individuals?
According to the Privacy Protection Act, the individual has:
- the right of information (to demand information about his or her personal data, its origin and addressee, the purpose of the storage and the identification of the persons or agencies his or her data is regularly transmitted to);
- the right of modification (if the personal data is erroneous, inexact, equivocal or incomplete, and such situation has been evidenced, the individual shall have the right to have it amended);
- the right of blocking (to request the blocking of personal data when the individual has voluntarily provided his or her personal data or the data is used for commercial communications and the individual does not want to continue to appear in the respective registry, either definitively or temporarily);
- the right of cancellation or elimination (notwithstanding legal exceptions, the individual may also demand the elimination of personal data if the storage of such lacks legal grounds or if the data has expired and when the individual has voluntarily provided his or her personal data, or the data is used for commercial communications and the individual does not want to continue appearing in the respective registry, either definitively or temporarily);
- the right to a free copy (the information, modification or elimination of personal data shall be absolutely free of charge and a copy of the pertinent part of the registry that has been changed shall also be provided at the individual’s request. If new modifications or eliminations of data are made, the individual may obtain a copy of the updated registry entry without cost, as long as at least six months have passed since the last time he or she made use of this right); and
- the right of opposition (the individual may oppose the use of his or her personal data for purposes of advertising, market research or opinion polls).
Breaches of data protection caused by improper processing of data may eventually lead to fines determined by the law. Fines are reviewed and determined in a summary procedure before courts.
In addition, the Privacy Protection Act establishes a general rule under which both non-monetary and monetary damages that result from wilful misconduct or negligence in the processing of personal data shall be compensated. In those cases, the amount of compensation shall be established reasonably by the civil judge, considering the circumstances of the case and the relevance of the facts.
Finally, the aforementioned rights are not limited to citizens; they are extended to foreign individuals.
Is the sale of online products subject to taxation?
Yes, it is subject to tax, although the rate may vary depending on the transaction. The general rule is that payments by a local company to a foreign provider for software licences are subject to a 15 per cent income withholding tax. The withholding must be carried out by the licensee.
What tax liabilities ensue from placing servers outside operators’ home jurisdictions? Does the placing of servers within a jurisdiction by a company incorporated outside the jurisdiction expose that company to local taxes?
We are not aware of any public ruling of the Chilean Internal Revenue Service on this subject. However, placing the server in Chile may expose the company to local taxation if the Chilean tax authorities determine that such placement configures a permanent establishment of the foreign company in Chile.
When and where should companies register for VAT or other sales taxes? How are domestic internet sales taxed?
Only individuals or entities with a domicile in Chile are obliged to register as local value added tax (VAT) taxpayers. Individuals or entities with their domicile abroad are not allowed to do so. Registration and invoice stamping must be done before commencing taxable activities. Local sales through the internet do not have a special regulation, so they follow regular rules.
As of 1 June 2020, digital service providers without domicile or residence in Chile must comply with their obligation to declare and pay the VAT incorporated in Law No. 21,210. Therefore, the Internal Revenue Service indicated that a platform is already available on its website that allows them to register, obtaining a Tax ID Number and a key to comply with the new obligation. In the application, taxpayers can select the currency (euro, dollar or pesos) and periodicity with which they will make the payment, which can be monthly or quarterly.
If an offshore company is used to supply goods over the internet, how will returns be treated for tax purposes? What transfer-pricing problems might arise from customers returning goods to an onshore retail outlet of an offshore company set up to supply the goods?
Chilean law regulates re-exportation, or the procedure whereby goods imported into the country are returned to the foreign provider. This procedure is destined to obtain a refund of customs duties and VAT levied on the importation. However, it is too complicated for it to be used by consumers on sporadic purchases of goods, especially if they are not expensive enough to justify the formalities and requirements of such a procedure. If the goods are returned to a local branch of the foreign provider, then no taxes should be triggered on the transfer, but this would not allow a refund of taxes paid on the importation. The activity of the branch as a deputy of the foreign provider may also be considered by the Chilean tax authority as a form of permanent establishment in Chile, triggering Chilean taxation on the foreign income of the foreign provider.
Is it permissible to operate an online betting or gaming business from the jurisdiction?
Gambling is illegal in Chile on two fronts:
- in civil matters, debts contracted in games of chance have an illicit object; and
- in criminal matters, the holders of gambling casinos and bettors are punished with deprivation of liberty.
Games of chance are only legal in the cases authorised by the government, according to Law No. 19,995 (the Gambling Casinos Act). The Act has two peculiarities:
- scope: Law No. 19,995 only applies to casinos; and
- online games of chance or gambling: the Act expressly states that in no case will the operation of online gambling be permitted.
Are residents permitted to use online casinos and betting websites? Is any regulatory consent or age, credit or other verification required?
According to the Gambling Casinos Act, online gambling is forbidden in Chile.
Key legal and tax issues
What are the key legal and tax issues relevant in considering the provision of services on an outsourced basis?
Labour laws establish that the principal remains liable for paying full compensation and benefits to outsourced employees, including the obligation to withhold taxes should the contractor default on payments.
What are the rights of employees who previously carried out services that have been outsourced? Is there any right to consultation or compensation, and do the rules apply to all employees within the jurisdiction?
According to Chilean labour law, employees keep the same rights as they had before their jobs were outsourced. For the same reason, if they lose their jobs because of the outsourcing of their work, they should be compensated according to the general labour laws of Chile. In that sense, the principal remains liable for paying full compensation and benefits to outsourced employees should the contractor default on payment. The principal may withhold payment to the contractor if the contractor does not provide evidence of compliance with labour laws.
When would a website provider be liable for mistakes in information that it provides online? Can it avoid liability? Is it required or advised to post any notices in this regard?
There is no strict liability in Chile in this case. Strict liability is exceptional in Chile and some specific cases. A website would be liable for mistakes only if the information is or was provided with wilful misconduct or negligently. It can avoid liability by proving the absence of wilful misconduct or negligence in the provision of the mistaken information.
If a website provider includes databases on its site, can it stop other people from using or reproducing data from those databases?
Yes, if the databases are protected by copyright. If they are not, computer crime legislation or website terms and conditions shall apply to stop others from using or reproducing data from those databases. The trespass of chattel theory has not been tested by local courts.
Are there any specialist courts or other venues in your jurisdiction that deal with online/digital issues and disputes?
For domain names dispute, Chile has the Network Information Centre. For trademarks and patents disputes, Chile has the National Institute of Industrial Property and the Industrial Property Court. For other disputes, there are no specialist courts, only general courts.
What alternative dispute resolution (ADR) methods are available for online/digital disputes? How common is ADR for online/digital disputes in your jurisdiction?
Arbitration is always available in Chile. The Santiago Arbitration and Mediation Centre (CAM Santiago) is a non-profit institution founded in 1992 by the Santiago Chamber of Commerce with the backing of the Chilean Bar Association and different areas of the Chilean Confederation of Production and Commerce. CAM Santiago has made available arbitration and mediation assistance aimed at the resolution of domestic and international disputes, the purpose being to provide legal certainty and efficient solutions to the business and legal communities in Chile and abroad. With more than 1,500 arbitrations already conducted by the arbitrators of CAM Santiago involving more than 2,000 companies and law firms, CAM Santiago has become a benchmark for dispute resolutions within the country.
Update and trends
Key developments of the past year
Are there any emerging trends or hot topics in e-Commerce regulation in the jurisdiction? Is there any pending legislation that is likely to have consequences for e-Commerce and internet-related business?
Do Not Disturb system
The consumer protection agency (SERNAC) has a tool called the Do Not Disturb system, an electronic, expeditious and safe system that allows consumers to register and request the suspension of all unwanted promotional or advertising communications sent by suppliers via email, postal mail, phone calls or text messages, exercising their right not to be contacted by suppliers for advertising or promotional purposes, according to the Consumer Protection Act. This system also allows suppliers that have voluntarily registered in the system to access the suspension requests made by consumers.
The use of the Do Not Disturb system by suppliers does not relieve them of their obligation to include in their communication an email address or an expeditious form, as appropriate, by which the consumer can request the suspension of promotional or advertising communications.
If a consumer has requested the suspension of unwanted promotional or advertising communications directly to a supplier not registered in the Do Not Disturb system and continues to receive said communications after the request, the consumer can inform SERNAC of the infringement through the means available in the Consumer Portal.
VAT on digital services
In January 2020, a tax reform was passed in Chile requiring companies with no domicile or address in Chile providing services to be used in the national territory by natural persons to:
- register in Chile (simplified registration);
- collect and withhold VAT; and
- pay the VAT collected to the Chile Treasury.
For those foreign companies that do not register in Chile, the local Internal Revenue Service will request the withholding to local financial institutions including issuers of payment cards with provision of funds, debit, credit or other analogous payment systems. The following remunerated services performed by providers domiciled or residing abroad will be subject to VAT when provided to individuals:
- the intermediation of services rendered in Chile, whatever their nature, or of sales made in Chile or abroad, provided that the latter give rise to an import;
- the supply or delivery of digital entertainment content, such as videos, music, games or other analogous content, via download, streaming or other technology, including for texts, magazines, newspapers and books;
- the provision of software, storage, platforms or computer infrastructure; and
- advertising, regardless of the medium or the medium through which it is delivered, materialised or executed.
It will be presumed that the service is used in the national territory if, at the time of contracting said services or making the corresponding payments, at least two of the following situations occur:
- that the IP address of the device used by the user or another geolocation mechanism indicates that it is in Chile;
- that the card, bank account or other payment method used for payment is issued or registered in Chile;
- that the address indicated by the user for billing or the issuance of payment vouchers is located in the national territory; or
- that the subscriber identity module (SIM) card of the mobile phone through which the service is received has Chile as a country code.
Law stated date
Give the date on which the information above is accurate.
1 June 2020.