The race to comply with Chile’s Data Protection Law

Chile’s legal and corporate community has had a busy start to 2026. With less than 11 months until the new Data Protection Law (Law 21.719) comes into force, preparing for the landmark reform is now a race against time to avoid incurring sanctions. 

Although something of a regulatory leader in the region, Chile had not fully enforced its previous framework under Law 19.628. The now much-stricter data privacy regime has organisations – and their legal counsel – working overtime to bring standards into line with the new requirements. 

The government clearly sees this as a major strategic step. Through the new framework, Chile will be harmonising its data protection laws with global standards, strengthening individuals’ rights over their personal data and placing greater responsibilities on organisations. 

At its core, the law recognises and enforces key individual rights, such as access, rectification, erasure, objection and portability of personal data, echoing much of the European Union’s (EU) General Data Protection Regulation (GDPR). It extends to any activity involving the handling of personal data in Chile, whether for delivering goods and services or monitoring user behaviour, irrespective of where the controller or processor is based. 

Requirements for businesses include robust data governance, maintenance of an up-to-date inventory of processing activities and implementation of strong security measures. These include the updating of privacy policies and the establishment of clear procedures to handle data requests from individuals. 

The new law also establishes the Personal Data Protection Agency (PDPA). This will have broad powers to oversee compliance, investigate potential violations and enforce sanctions, including substantial fines for non-compliance.  

There is an added peril for company directors.  

Mishandling of data will become a potential breach of the Economic Crimes Law (Law 21.595), covered in this article. Shareholders, regulators, or affected parties may pursue directors under Chilean corporate and civil liability rules or regimes. A systematic failure to implement controls may either aggravate sanctions or be considered evidence of negligent governance in parallel proceedings.

Chief Legal Officer, Major Real Estate Company 

Compare Chile’s data protection approach with other jurisdictions in our global practice guide on Data Protection & Privacy.

Law 21.719 marks a legal and economic milestone for Chile, aligning the country with international data protection standards and boosting trust in its digital economy.  

Closely modelled on Europe’s GDPR, the regulation is designed to ease and encourage economic links between the two jurisdictions. As the government states, “This reform, in turn, will allow Chile to be declared by the European Commission as a country with an adequate level of personal data protection, which will facilitate the international transfer of data between our country and the European Union, a very important trading partner of Chile.” 

The new data privacy law is driving greater demand for data protection expertise and prompting law firms to expand their capabilities in privacy and compliance services. Legal professionals will be more and more instrumental in helping clients understand and exercise their rights, ensure compliance with the law, and navigate interactions with the new Data Protection Agency (PDPA). 

Conversations with our contacts in Chile reveal a flurry of activity. Many companies are hiring data privacy lawyers to help navigate the transition and guard against the risk of fines. Large companies are hiring internal data controllers, while some smaller ones are turning to external counsel to fulfil the role of data protection officer (DPO), required under the new law. 

Company policies and processes are being examined, revised and rewritten. New frameworks are being created, with different sectors, services and goods calling for specific considerations and approaches. Organisations are relying on legal expertise to map which specific parts of the law apply to them and how best to ensure compliance.  

Law firms are increasingly cross-skilling and upskilling, branching out from corporate law and IP to data privacy work. The immense volume of activity is likely to continue throughout the year until the law takes effect on 1 December 2026. At that point, the focus will shift from preparation to application as the new law begins to be tested.

Partner, Global Law Firm

Data privacy compliance now looks set to be a growing area of high legal activity for Chile. Once 2027 dawns, we expect to see cases emerge as the legislation beds in and the new regulator flexes its muscles. The expected expansion of regulatory and enforcement work would certainly mean more defence work for lawyers, more investigations and more appeals to sanction organisations for breaches. Over time, greater specialisation and differentiation may then emerge in the legal market. For example, we could see certified privacy experts, data protection officers with legal backgrounds and multidisciplinary teams combining legal, technical and risk expertise. 

Chile’s new alignment with the global gold standard in data protection will allow greater access to international data transfer. Chilean lawyers will increasingly work on cross-border data transfer issues, adequacy assessments and multinational compliance programmes. This can only strengthen the role of Chilean firms in regional and international matters and raise expectations for comparative and international legal knowledge.

Chambers has launched a new rankings table to highlight practitioners leading clients through this complex regulatory landscape. The list reflects the leading role of women lawyers in this growing legal field.  

View Rankings