EU AI Act: high-risk obligations
The obligations applicable to high-risk artificial intelligence systems under Regulation (EU) 2024/1689 enter into force. This reaches Chilean exporters and subsidiaries of European parents.
Home / Practice Areas /AI & Companies
Artificial Intelligence and the Company: Legal Implications for Chilean Businesses
The use of artificial intelligence in the company triggers obligations under Law 21,719 on personal data protection, Law 21,663 cybersecurity framework and Law 21,595 on economic crimes. At the international level, Regulation (EU) 2024/1689 (EU AI Act) reaches Chilean exporters and subsidiaries of European parents, and the US CLOUD Act applies to vendors domiciled in the United States. Chile's AI Bill is advancing in the Senate with a risk-based approach.
Applied case: how to implement AI in your company under Law 21,719 →
Educational resource, not legal advice
This page presents general analysis on the legal implications of artificial intelligence inside a Chilean company. The content is educational and illustrative, grounded in Law 21,719, Law 21,663, Law 21,595 and applicable international regulation, and does not constitute legal advice on a specific matter. Each implementation requires a tailored review of contracts, data flows, impact assessment and risk matrix. For an evaluation applied to your organization, contact the firm.
What this page covers
Chilean regulatory framework
Law 21,719 on personal data protection, Law 21,663 cybersecurity framework, Law 21,595 on economic crimes and the AI Bill currently before the Senate.
Applicable international framework
Regulation (EU) 2024/1689 (EU AI Act) for Chilean exporters and subsidiaries of European parents, plus the US CLOUD Act in connection with AI vendors domiciled in the United States.
Board-level decisions
Duty of care and oversight over the use of artificial intelligence, compliance program, audit, impact assessment and reporting to the audit committee.
Operational support
Vendor review, data protection impact assessment, AI vendor contracts, incident management and traceability.
AI governance principles
Four governance standards that structure the board's duty of care regarding the use of artificial intelligence inside the company.
Human oversight
Any decision with legal effect or significant impact on individuals must be reviewable by a competent officer within a reasonable timeframe and with access to the records that supported the system's output.
Accountability
The data controller is accountable to the data subject, to the authority and to the board. Appointing the responsible party is a formal act, not an implied attribution.
Transparency and explainability
The data subject is entitled to understand the system's logic, the categories of data involved and the consequences of the processing. Internal documentation must allow the decision to be reproduced and audited.
Bias and discrimination mitigation
The compliance program must identify bias by gender, age, origin and other protected categories, define monitoring metrics and establish a documented remediation procedure.
Six legal fronts that coexist in an AI decision
A single artificial intelligence deployment activates obligations under several statutes. This section groups the six fronts that coexist on the Chilean board's agenda.
AI governance and board duties
The board is accountable for the use of artificial intelligence inside the company. Duty of care, oversight, internal policy, appointment of responsible parties and reporting to committees and external auditors.
View CorporateAutomated decisions and Law 21,719
Right of the data subject not to be subject to solely automated decisions with legal or significant effect, right to explanation, profiling, impact assessment, appointment of the data protection officer and record of processing activities.
View Law 21,719AI and cybersecurity (Law 21,663)
Vital importance operators and essential services under the cybersecurity framework. The threat model hardens when the organization uses artificial intelligence: deepfakes, prompt injection, model-channel exfiltration and dependence on foreign vendors.
View Law 21,663AI and computer crimes (Law 21,595)
Law 21,595 incorporates the computer crimes of Law 21,459 as second-tier economic crimes. The use of AI as the instrument of an offense, or as the object of the criminal conduct, requires updating the crime-prevention model.
View Law 21,595Ethics, transparency and reporting
Using artificial intelligence in marketing, human resources, customer service and corporate communications triggers consumer-information duties, the prohibition of AI washing and reporting to the CMF and SERNAC where the sectoral framework so requires.
View ComplianceInternational framework and sovereignty: EU AI Act, CLOUD Act, Chile AI Bill
Chilean companies that use AI vendors domiciled in the United States or that export to the European Union are exposed to Regulation (EU) 2024/1689 and to the CLOUD Act. Chile's AI Bill advances with a risk-based approach.
View International TransfersData subject rights in the face of AI
Law 21,719 recognizes specific rights when a decision originates wholly or partly from an automated system. The company must design the workflow so that these rights can be exercised without friction.
Right not to be subject to automated decisions
The data subject can object to being subject to a decision based solely on automated processing that produces legal effects or affects them significantly.
Right to explanation
The data subject is entitled to meaningful information about the logic applied, the categories of data involved and the foreseen consequences of the processing.
Right to human review
Where an automated decision is upheld, the data subject can request the intervention of a competent person, express their point of view and contest the decision.
Right to object to profiling
The data subject can object, at any time, to the processing of their data for profiling purposes, subject to legal grounds that justify continuation.
Regulatory calendar
Three clocks Chilean companies need to synchronize.
Aug 2, 2026
Dec 1, 2026
Law 21,719: full force
Law 21,719 on personal data protection enters into full force. Controller obligations, data subject rights regarding automated decisions, the appointment of the data protection officer and the powers of the Personal Data Protection Agency become enforceable.
In progress
Chile's AI Bill
The Senate is debating a risk-based bill, close to the European model. Companies should begin mapping their AI systems and classifying them by risk level before its approval.
The regulatory cost of using AI
Maximum penalties currently declared by the rules that already apply to the use of artificial intelligence inside a Chilean company.
20,000
UTM per very serious infringement
Maximum fine under Law 21,719 on personal data protection for legal entities (approximately USD 1.55 million at the current UTM).
4%
Of annual turnover
Aggravated sanction for recidivism under Law 21,719 on personal data protection, applicable to larger companies.
7%
Of global turnover
Maximum sanction under Regulation (EU) 2024/1689 (EU AI Act) for prohibited AI practices. Applies to those operating in the European Union.
5 years
Of imprisonment
Maximum penalty associated with the computer crimes set out in Law 21,459, incorporated as second-tier economic crimes by Law 21,595.
Obligations, deadlines and risks
The regulatory framework applicable to the use of artificial intelligence in the company is structured around the controller's material obligations, statutory deadlines and sanction risks under Law 21,719, Law 21,595, Law 21,663 and Regulation (EU) 2024/1689.
Obligations
- Build an inventory of the artificial intelligence systems in use, including vendors, data involved and purposes.
- Classify each system by risk level under the standard of Regulation (EU) 2024/1689 and under the approach of the Chilean bill.
- Appoint the data controller and, where applicable, the data protection officer.
- Run a data protection impact assessment for processing activities involving automated decisions.
- Document the human review process and the data subject's channels to contest the decision.
Deadlines
- August 2, 2026: high-risk obligations of the EU AI Act enter into force.
- December 1, 2026: Law 21,719 enters into full force.
- Before the Chilean bill is approved: complete the inventory, the classification and the contractual review.
Risks
- Administrative fines up to 20,000 UTM under Law 21,719, with aggravated recidivism sanctions by the Agency.
- Corporate criminal liability of the legal entity under Law 21,595 if a computer crime is committed for its benefit.
- Product blocking for non-compliance with the EU AI Act in European markets and exposure to the CLOUD Act through vendors domiciled in the United States.
Frequently asked questions
What duties does the board have regarding artificial intelligence?
The board is accountable for the duty of care and the effective oversight of AI use inside the company. This translates into internal policy, appointment of responsible parties, impact assessment, reporting to the audit committee and periodic vendor review. Omission can trigger civil, corporate criminal and administrative liability.
How does Law 21,719 affect automated decisions and profiling?
Law 21,719 recognizes the data subject's right not to be subject to decisions based solely on automated processing with legal or significant effect, as well as the right to explanation, to human review and to object to profiling. The controller must design the decision workflow to allow the exercise of these rights without friction and must document it.
What does Law 21,663 require when a company uses artificial intelligence?
Vital importance operators and essential services are subject to reinforced risk management, reporting and continuity obligations. AI use hardens the threat model: deepfakes, prompt injection, model-channel exfiltration and dependence on foreign vendors. The program must identify these vectors and define compensating controls.
When does an AI use become a computer crime under Law 21,595?
Law 21,595, in article 2 numeral 20, incorporates the computer crimes of Law 21,459 as second-tier economic crimes when committed in the exercise of a position or for the company's benefit. Using AI as the instrument of a computer crime triggers the crime-prevention model under article 4 of Law 20,393. The board must update the risk matrix.
What ethics and transparency standards should a company apply when using AI?
Chilean companies must inform consumers when a decision originates from an automated system, avoid unsupported advertising claims about the system's capabilities (AI washing) and report to the Financial Market Commission and to the National Consumer Service where sectoral rules so require. The minimum standard combines Law 21,719, the Consumer Law and corporate-communication rules.
What international rules should a Chilean company that uses AI know?
Regulation (EU) 2024/1689 (EU AI Act) reaches Chilean exporters and subsidiaries of European parents, with reinforced obligations for high-risk systems from August 2, 2026. The US CLOUD Act allows authorities to compel information from AI vendors domiciled in the United States, which generates tension with Law 21,719. Chile's AI Bill is advancing in the Senate with a risk-based approach.
Related reading
Practice areas and regulatory analyses that intersect with artificial intelligence inside the company.
Implementing AI in the company: a case study
Contractual framework, impact assessment and technical architecture applied to deploying Claude and ChatGPT inside a Chilean organization.
Law 21,719 on personal data protection
Data subject rights, automated decisions and controller obligations.
Law 21,595 on economic crimes
Crime-prevention model and computer crimes as a second-tier economic-crime category.
Law 21,663 cybersecurity framework
Vital importance operators, incident management and reporting to ANCI.
Corporate and corporate governance
Board duty of care, governance and reporting to the audit committee.
Venture Capital and startups
AI clauses in startups, technical due diligence and model intellectual property.
Mergers and Acquisitions
AI-assisted due diligence, vendor risk and technology-transition clauses.
Data protection impact assessment
Article 15 quinquies methodology for high-risk processing, including systematic use of artificial intelligence.
Data protection officer (DPO)
Appointment, duties and independence regime under Law 21,719, with a focus on systems that process personal data through AI.
Data subject rights
Access, rectification, erasure, objection, portability and the right not to be subject to solely automated decisions.
Transform Your Legal Challenges into Competitive Advantages
Discover how our innovative approach can drive your business
ContactMeet the Team→
