Opinion — AI: APDP, ANCI and the Senate's institutional question
Spain's bill replicates the AEPD model; Bulletin 16821-19 assigns AI enforcement to the APDP. The APDP does not operate; ANCI does. Three paths for the Senate, read from Chilean reality.
Spain's Council of Ministers sent the Organic Law Bill on AI governance to Parliament on 26 May 2026. Chile's Bulletin 16821-19 continues before the Senate Commission on Future Challenges. The institutional question for the Senate is not one of speed, but of which authority should anchor AI enforcement: the APDP being installed, a new agency, or an expanded ANCI, in line with the consolidation tradition embodied by the CMF.

The opinions expressed in this column belong to its authors and do not constitute legal advice on a specific matter. The opinions are those of the firm, not of any individual author. Contributors to this analysis: Eduardo Anguita Osorio, María Victoria Smith and Ángel Anguita Osorio.
Two bills on the table and an institutional question
Spain's Council of Ministers approved on 26 May 2026 the submission to Parliament of the Organic Law Bill for the Proper Use and Governance of Artificial Intelligence. The text was published in the Official Gazette of the Spanish Parliament on 12 June (BOCG-15-A-97-1) and opened an amendment window until 30 June in the Commission on Economy, Commerce and Digital Transformation of the Congress. In the same period, Chile's Bulletin 16821-19, introduced by the Executive in May 2024 and approved by the Chamber of Deputies, continues its second procedure before the Senate Commission on Future Challenges, Science, Technology and Innovation, with technical hearings ongoing during 2026.
Both texts share a skeleton: four risk tiers inspired by Regulation (EU) 2024/1689, known as the AI Act; a designated national authority; a separate sanctions regime. That said, the institutional choices in the Spanish bill presuppose an architecture Chile does not yet have. Spain assigns market surveillance to the Spanish Agency for the Supervision of Artificial Intelligence (AESIA); enforcement over systems involving personal data to the Spanish Data Protection Agency (AEPD); enforcement in the administration of justice to the General Council of the Judiciary (CGPJ). Bulletin 16821-19 replicates the centre of that scheme: it assigns enforcement to the Personal Data Protection Agency (APDP) created by Law N° 21,719. The editorial question is whether that replication solves a Chilean problem or whether it imports a solution designed for a different context.
Three paths for the Senate, and why the choice is not trivial
The Senate has three plausible paths to anchor AI enforcement in Chile: keep the APDP as Bulletin 16821-19 proposes, create a new agency designed with comparative input, or expand ANCI. Each path is best read against the actual state of national institutionality, not against the European manual.
The APDP, created by Law N° 21,719, does not operate. On 20 May 2026 the Senate rejected the Executive's nominees by 19 votes in favour and 12 against, falling short of the required two-thirds threshold. The Advisory Commission chaired by Romina Garrido called the assigned budget "clearly insufficient" and proposed a minimum staffing of fifty officials and an initial budget close to CLP 4,178 million, against the CLP 1,721 million actually assigned. Law N° 21,719 enters into force on 1 December 2026, and the APDP would reach that date with no governing council, no operative budget and no regulations issued. Adding AI enforcement to that structure means asking an agency yet to be installed to assume a new technical function without the operational base to do so.
The second path is to create a new agency, drawing on what international comparison teaches. That option has merit if the legislator concludes that neither the APDP nor ANCI is prepared to assume AI enforcement. Its cost is real: installing an agency from scratch requires budget, staffing and regulations, and adds one more entity to a Chilean regulatory map that has historically tended to consolidate rather than proliferate.
The third path is to expand ANCI, the National Cybersecurity Agency created by Law N° 21,663 Cybersecurity Framework, enacted in 2024. ANCI operates, has designated operators of vital importance (OIV) under Resolutions 50/2025, 85/2026 and 076/2025, maintains working relations with the CSIRTs, sectoral regulators and ministries, and has demonstrated capacity to issue technical rules. This path presents three concrete advantages for Chile.
First, institutional reality. ANCI exists, enforces and has an operative technical team, while the APDP is still being set up. Anchoring AI enforcement in a functional authority reduces the risk of a normative entry-into-force with no real enforcement, the scenario in which the rule is in place but no body can apply it.
Second, the Chilean regulatory tradition of consolidation. The Financial Market Commission (CMF) consolidated in a single authority what was previously done by the Banking Superintendency, the Securities and Insurance Superintendency, and, from Law N° 21,521 (Fintech), the supervision of new financial service providers. That logic produced an authority with technical critical mass and real enforcement power, in place of several small superintendencies in administrative competition. The same logic applies to cybersecurity and AI, two technically convergent domains that are not well understood in isolation.
Third, technical convergence. AI systems are information systems, and the risks they activate intersect with cybersecurity risks: model integrity, inference security, robustness against adversarial attack, traceability and audit of the system in production. An authority that already supervises the security of critical systems is better prepared to understand the AI system, not just the data the system processes.
That does not mean handing everything over to ANCI. Enforcement over personal data will remain with the APDP once installed, and sectoral enforcement will continue with the CMF, the Superintendency of Health, the National Energy Commission and other regulators. It means that AI enforcement coordination, today, is better anchored in an operative technical authority than in one yet to be installed.
Five design questions in Chilean terms
With the central institutional question identified, the remaining four design choices in the Spanish bill deserve the same treatment: not what Spain decided, but what fits the Chilean architecture.
First, the sanctions regime. Spain aligned its fines with the AI Act ceiling: up to 35 million euros or 7% of worldwide turnover for prohibited practices; 15 million or 3% for serious infringements; 7.5 million or 1% for less serious ones; and 500 thousand euros or 0.5% for minor ones. Bulletin 16821-19 proposes fines that can scale up to 20,000 UTM for the most serious infringements. For AI providers headquartered outside Chile, a percentage of worldwide turnover tends to have greater deterrent effect than a fixed UTM amount, which is diluted in the group's global income. It is worth recalling, moreover, that Law N° 21,719 itself already provides, for recidivism, fines equivalent to a percentage of annual revenues from sales in Chile. The Senate could consider whether to introduce that percentage alternative, already familiar in the national legal order.
Second, the regulatory sandbox. Spain set up a mandatory national sandbox operated by AESIA, with the option of additional sectoral sandboxes. The Chilean bill mentions regulatory experimentation but without a comparable institutional architecture. The concrete question is who operates it in Chile: if enforcement is anchored in an expanded ANCI, the natural choice is for the same authority to operate the sandbox; if it remains with the APDP, the country must wait for that agency's installation. The other operational questions follow from that first definition: which projects may apply, what duration the admission has, and what temporary regulatory immunity is granted.
Third, the public inventory of AI systems used by the public sector. Spain requires the public sector to inventory and disclose its use of AI systems in administrative procedures, with specific fields deferred to royal decree, and also creates the figure of an AI delegate within the administration. Chile already has Law N° 20,285 on Access to Public Information and an active practice of proactive disclosure. It would be advisable for the Senate to assess whether a specific field in proactive disclosure suffices, which would keep enforcement with the Council for Transparency, or whether an independent registry anchored in the AI authority is preferable.
Fourth, the single complaints window and whistleblower protection. Spain creates a single window for infringements of the Regulation, with whistleblower protection. Chile has Law N° 21,643 (Karin Law) for workplace complaints, the general anonymous complaint system of the Public Prosecutor for economic crimes, and the complaint procedure before the Council for Transparency. The question for the Senate is whether complaints to the AI enforcement authority require a specialised channel or whether existing routes suffice.
Lastly, the articulation with sectoral authorities. Spain includes in its design sectoral authorities for regulated products such as machinery, toys, medical devices and automotive. Chile has an active regulatory map: the CMF in banking, securities, insurance and fintech; the Superintendency of Health in providers and devices; the National Energy Commission in the power sector; the Public Health Institute (ISP) in medical devices and medicines. The coordination between the transversal AI authority and those regulators deserves to be articulated within the text itself, rather than deferred to subsequent administrative coordination.
What comparison suggests and why the sectoral model is set aside
The international spectrum is broader than Spain. Brazil follows the same data-agency-as-AI-authority path: PL 2338/23, postponed to 2026 amid political impasses, leaves enforcement with the Autoridade Nacional de Proteção de Dados (ANPD). China consolidated cybersecurity, data and generative AI regulation under the Cyberspace Administration of China (CAC). Singapore, through the Infocomm Media Development Authority (IMDA), consolidated telecommunications, content, data and, more recently, AI systems under its Model AI Governance Framework. The United Kingdom and the United States opted for sectoral dispersion: CMA, ICO, FCA and MHRA in the former; NIST, FTC, sectoral regulators and state-level initiatives in the latter.
Each model reflects the institutionality of its country. Chile, given its tradition of consolidation and the actual state of its APDP, sits closer to the technological-consolidation model than to sectoral dispersion. The UK/US model in particular rests on sectoral agencies with budgets, staffing and technical autonomy that the Chilean regulatory apparatus does not replicate to the same depth. Setting aside sectoral dispersion as a Chilean route is not a risky opinion; it is the recognition that regulatory critical mass in Chile has been built historically through consolidation.
It is also worth bearing in mind that having a supranational regulation does not guarantee timely or uniform implementation. Directive (EU) 2022/2555, known as NIS2, set a transposition deadline of 17 October 2024. As of June 2026, 20 months past the deadline, 20 of the 27 Member States have adopted national transposing legislation. France, Ireland, Luxembourg, the Netherlands and Spain itself remain in procedure. The European Commission opened infringement proceedings against 23 Member States in November 2024 through letters of formal notice, and issued reasoned opinions against 19 of them in May 2025. The Executive Vice-President responsible for Technological Sovereignty, Henna Virkkunen, acknowledged in September 2025 the operational complexity of harmonising reporting under NIS2, the General Data Protection Regulation (GDPR) and the DORA framework. That reinforces the central point: importing the European scheme wholesale does not ensure its sound operation; it is worth observing, but it is also worth observing Chilean reality.
What is enforceable for the board, regardless of the Senate
Regardless of the progress of Bulletin 16821-19 and of the institutional choice the Senate makes, the material duties triggered by an AI system in Chile continue to be governed by existing laws and by the extraterritorial reach of the AI Act.
Law N° 21,719 enters into force on 1 December 2026 with duties that are not extinguished by merely signing a contract with a technology provider: records of processing activities, data protection impact assessment for automated and high-risk processing, designation of a data protection officer (DPO) in the cases required, the data subject's right not to be subject to solely automated decisions with legal or similarly significant effect, and a sanctions regime that can scale up to 20,000 UTM with aggravated recidivism.
Law N° 21,663, for its part, imposes duties on OIV: criticality classification, incident management plan, reporting of cyber incidents to ANCI within short deadlines, and cybersecurity governance with responsibilities documented at the board.
Law N° 21,595, in turn, brings computer crimes into the second category of economic crimes. If a computer crime is committed for the benefit of the legal entity and the prevention model fails in its design or operation, the legal entity bears criminal liability.
The AI Act, in addition, reaches Chilean companies that export AI systems to the European Union, Chilean subsidiaries of European parent companies, and companies that place in the Union products whose output is used in EU territory. Furthermore, for DNS services, cloud infrastructure, data centre, online marketplace, search engine or social network, NIS2 requires the appointment of a representative in the Member State of main establishment even where national transposition remains pending, by direct application of its Article 26.
Some closing considerations
The institutional decision the Senate must take does not admit an imported answer. Spain decided in favour of its data agency, in a country where that agency has three decades of consolidated experience. Brazil follows the same path. China and Singapore consolidated into technology and communications authorities already in operation. Each choice reflects a national architecture. The Chilean choice has to honestly recognise that the APDP created by Law N° 21,719 is not yet in place, and that ANCI does have operational capacity, technical critical mass and enforcement power. The Chilean tradition of regulatory consolidation embodied by the CMF suggests that expanding ANCI deserves serious consideration, without ruling out the option of a new agency designed for the task, drawing on what comparative analysis offers.
While the Senate decides, the board can scarcely afford to wait. Law N° 21,663 already enforces, Law N° 21,719 enters into force on 1 December and the AI Act already reaches Chilean exporters. There is therefore reason to install specific governance over the use of AI inside the company, without postponing the decision. That governance means the board approves an AI use policy, defines vendor-selection criteria by data sensitivity, designates an internal owner with a cross-functional mandate over legal, technology and security, and demands periodic reporting on systems in production. Once embedded at board level, that governance tends to draw the line between an exposed company and a company that is defensible before the Agency, before ANCI, before the board itself and before the data subject.
Extended analysis of the regulatory framework at AI & Company and applied case study on the use of Claude and ChatGPT at Implementing AI in the Company. Analysis of Law N° 21,663 Cybersecurity Framework at Cybersecurity Law and of the status of Operators of Vital Importance at OIV. For a review applied to your organization, contact the firm.
Stay Updated with Legal Insights
Get the latest legal analysis and regulatory updates delivered to your inbox.