Chile Ley 21.719: A New Data Regime by December | TLY

AI Regulation Tracker  /  National law

Chile's Ley 21.719 takes full effect December 1, 2026, creating a national data-protection agency

Chile's comprehensive data-protection law reaches full force on December 1, 2026, creating an enforcement agency, granting ARCO rights plus portability, and setting fines reported up to 20,000 UTM. Any firm processing Chilean personal data, including AI teams, is in scope.

Chile's Ley 21.719 takes full effect December 1, 2026, creating a national data-protection agency regulation briefing
The Leveraged Years AI Regulation Tracker

Chile has replaced a data-protection statute that dated to 1999 with a comprehensive law that reaches full force on December 1, 2026. Ley 21.719, published in the Diario Oficial on December 13, 2024, creates the Agencia de Proteccion de Datos Personales (Personal Data Protection Agency), a dedicated regulator with power to investigate, order corrective measures, and impose fines. For any organization that handles the personal data of people in Chile, the compliance question is no longer whether a regulator exists. It is whether the organization can show its work when the Agency asks.

What the law establishes

The law modernizes the ground rules for processing personal data. It requires a lawful basis for each use, gives individuals the ARCO rights of access, rectification, cancellation, and opposition, and adds a right to data portability. It defines sensitive data, profiling, and anonymization, and it holds controllers accountable through measures such as record-keeping and, in defined cases, data-protection roles and prevention programs. These duties are continuous. They assume an organization maintains dated evidence of how it processes data, not a one-time policy document filed away. In practice, that evidence takes the form of processing inventories, registries, and logs that record what data is held, why, on what legal basis, and for how long. The standard rewards organizations that can reconstruct a decision after the fact and penalizes those that cannot show how a given dataset was collected, used, or shared.

The enforcement agency and the penalties

The new Agency anchors the regime. Under the tiered penalty structure, minor infractions can draw fines up to 5,000 UTM, serious infractions up to 10,000 UTM, and very serious infractions up to 20,000 UTM. The UTM, or Unidad Tributaria Mensual, is a monthly inflation-indexed unit used across Chilean law, so the peso value moves over time. For repeat offenders, penalties can scale to a share of annual revenue from sales and services in Chile, reported at up to 2 percent or 4 percent depending on the conduct. The Agency can also suspend or prohibit processing for defined periods and publish sanctions in a public registry, a reputational cost that can outlast the fine itself. Reporting indicates that smaller firms face a softer first year, with warnings rather than fines during an initial adaptation window, though organizations should confirm the exact terms against the statute and any implementing rules. The Agency has been standing up ahead of the full-force date, so the run-up to December 2026 is a period to prepare against, not a grace period to wait out.

Breach reporting and the evidence burden

The law requires controllers to notify the Agency of security breaches that create a reasonable risk to individuals. The operative standard in the statute is notification by the most expeditious means and without undue delay, and to affected individuals when sensitive, children's, or economic data is involved. Practitioner guidance commonly frames this as a target near 72 hours, but the law's own phrase is "without undue delay," so firms should treat a fixed 72-hour clock as a planning benchmark rather than a verified statutory deadline. Either way, the practical requirement is the same: detection systems and a documented, dated response procedure that can be produced as evidence.

The AI and neural-data angle

This is a data-protection law with strong implications for AI, not an AI-specific statute. Its reach into AI runs through personal data. Systems that profile individuals or make automated decisions process personal data and fall inside the regime, which means AI teams using Chilean data must account for lawful basis, transparency, and individual rights. The law also treats neural data as sensitive, connecting to Chile's earlier neurorights measure, the 2021 constitutional reform Ley 21.383, which directs special protection for brain activity and information derived from it. Organizations working with neurotechnology or biometric signals should treat that category with the heightened controls sensitive data requires.

What it does not do

The law does not regulate AI systems as such, set model-testing requirements, or create an AI licensing regime. It governs personal data. For a US reader, the cross-border point is direct. A US firm that processes the personal data of people in Chile can fall within scope even without a local entity, and the law's shape, an independent agency, ARCO-style rights, portability, and revenue-linked fines, tracks the global template set by the European Union's GDPR. Compliance built for that template travels reasonably well here, but the specific Chilean definitions, the UTM-based penalties, and the neural-data treatment need local checking.

Frequently Asked Questions

What changed with Ley 21.719?

Chile replaced its 1999 data-protection law with a comprehensive regime that creates the Agencia de Proteccion de Datos Personales, grants ARCO rights plus data portability, sets duties to keep records and report breaches, and establishes fines up to 20,000 UTM. It was published December 13, 2024, and reaches full force December 1, 2026.

Who is affected?

Any organization that processes the personal data of people in Chile. That includes companies, hospitals, banks, insurers, and public bodies, and it can include firms based outside Chile that handle Chilean personal data. Privacy officers, legal teams, and AI or data teams are the internal owners.

Does the law regulate artificial intelligence?

Not directly. It is a data-protection law. Its AI relevance comes from personal data: profiling and automated decision-making process personal data and fall within scope, and neural data is treated as sensitive, linked to Chile's neurorights reform, Ley 21.383. There is no separate AI licensing or model-testing regime in this statute.

How fast must a data breach be reported?

The statute requires notification to the Agency by the most expeditious means and without undue delay, and notice to affected individuals when sensitive, children's, or economic data is involved. Some guidance benchmarks this near 72 hours, but the law's operative phrase is "without undue delay," so treat 72 hours as a planning target rather than a confirmed deadline.

What are the penalties?

Fines are tiered by severity, reported at up to 5,000 UTM for minor, 10,000 UTM for serious, and 20,000 UTM for very serious infractions. Repeat violations can scale to a share of annual Chilean revenue, reported at up to 2 percent or 4 percent. The Agency can also suspend or prohibit processing and publish sanctions.

Browse the full AI Regulation News tracker

Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.