Article 15 of the Colombian Constitution of 1991 sets forth the fundamental rights of every individual to intimacy and privacy. Furthermore, Article 15 acknowledges the right to know about, update and rectify personal information that has been collected in public or private databases. This right is considered to be a development of the right to intimacy and a dimension of individual freedom, and is widely known as the habeas data right.
Until 2008, the scope of the habeas data right was developed mostly by constitutional case law and some activity-specific regulation, but there were no general or industry-specific laws regarding the matter. In 2008, Congress enacted Law 1266, with the main purpose of regulating use of financial and commercial personal data and, particularly, the use of financial, credit and commercial data used with the purpose of credit scoring. The right developed by Law 1266 is known as financial habeas data.
More recently, in 2012, Congress enacted Law 1581 with the purpose of establishing a more comprehensive legal framework, applicable to almost all commercial, non-commercial and governmental activities. Law 1581 determines the definitions and principles that govern data processing, establishes the rights of data subjects and duties of data controllers and processors, sets forth requirements for international data transfers, creates the National Registry of Databases and designates the Superintendence of Industry and Commerce (SIC) as the data protection authority, among others.
Colombian data protection regulation is inspired by, and follows the principles of, European data protection regulation. However, Colombian data protection law is highly focused on consent and provides few exceptions to the general rule that all processing must be authorised by the data subject.
Before Law 1266 of 2008 and Law 1581 of 2012, few Colombian organisations were aware of the need to adopt measures to protect personal information or had implemented an organisational culture around privacy. Since the enactment of these laws, both public and private entities have begun the process of aligning formally and substantially with the requirements of the law. However, it is important to take into account that many aspects of the law and regulation remain unclear and are still being developed by the data protection authority, controllers and processors.
II THE YEAR IN REVIEW
During the past year there have been many developments in the data protection field in Colombia. In October 2018, Mr Nelson Remolina was appointed as the new Data Protection Delegate. Mr Remolina comes from the academic community and is known to have strong and conservative views on the protection of personal information.
Under his direction, SIC concluded many investigations into infringements of data protection rules, imposing fines that exceeded the equivalent of US$550,000. Since the start of the new Data Protection Delegate's term, SIC has imposed fines on many large and renowned companies such as Claro (the largest mobile phone operator in the country), Directv, Avantel, Falabella Bank and Bancolombia Bank. These decisions were issued by the Directorate of Investigations on Personal Data Protection and were appealed by the interested parties before the new Delegate.
SIC has also made other important decisions with international repercussions. In January 2019, SIC ordered Facebook Inc and its subsidiaries, Facebook Colombia SAS and Facebook Ireland Limited, to adopt new security measures and improve existing ones to guarantee the protection of the personal data of more than 31 million Colombian users of that network. Similarly, in July 2019, SIC ordered a multinational collaborative platform to develop and implement a comprehensive information security programme, which guarantees the security, confidentiality and integrity of the platform users. No fines were imposed in these cases.
On matters related to the National Registry of Databases, it is important to mention that on 31 January 2019 the last deadline for controllers to register their databases in the Registry expired. This deadline had already been extended twice, and in 2018 the government established a new threshold that limits mandatory registration to companies with assets over approximately US$7 million. The next mandatory deadline to update the information included in the databases was 23 August 2019.
Finally, regarding data protection compliance within the government sector, the Attorney General's Office issued Resolution 462 of 2019, which assigned one of its departments the task of monitoring compliance by public authorities with data protection law.
III REGULATORY FRAMEWORK
i Privacy and data protection legislation and standards
The Colombian privacy and data protection legislation and standards are contained mainly in:
- Article 15 of the Colombian Constitution;
- Law 1266 of 2008 (financial privacy rules) and Law 1581 of 2012 (general privacy rules), together with the corresponding regulatory decrees;2
- instructions and guidelines issued by SIC, the data protection authority; and
- Resolution 462 of 2019, regarding compliance with data protection regulation by public authorities.
Law 1581 sets forth the main principles applicable to the processing of data,3 as follows:
- Legality: data processing is a regulated activity that must comply with the law and applicable regulation.
- Purpose: all processing must have a legitimate and constitutional purpose that has been notified to the data subject.
- Freedom (consent): personal data may only be processed after acquiring prior, express and informed consent from the data subject. Personal data may not be obtained or divulged without prior authorisation, or without a legal or judicial mandate that exempts processing from consent.
- Veracity or quality: information subject to processing must be truthful, complete, exact, updated, demonstrable and comprehensible. The processing of partial, incomplete or fractioned data that may be misleading is prohibited.
- Transparency: controllers and processors must guarantee data subjects the right to obtain information regarding all data that concerns him or her, at any time and without restriction.
- Restricted access and circulation: processing is subject to limitations imposed by the nature of the data and by constitutional and legal provisions. Processing may only be carried out by persons authorised by the data subject or by persons permitted by law. Except for public information, personal data should not be made available on the internet or any other mass communication or dissemination medium, unless access is technically controlled so that only data subjects or authorised third parties can reach it.
- Security: data processing requires the adoption of all technical, human and administrative measures necessary to provide security and to prevent unauthorised or fraudulent adulteration, loss, consultation, use or access of the data.
- Confidentiality: everyone who intervenes in the processing of personal data not classified as public is required to guarantee the confidentiality of the information.
Law 1581 sets forth the following definitions:
- Controller: a natural person or legal entity, private or public, that decides on the database and on the processing of the data, whether by itself or together with third parties.
- Processor: a natural person or legal entity, private or public, that carries out processing on behalf of the controller, whether by itself or in association with others.
- Personal data: any information linked to, or that may be associated with, one or more determinate or determinable natural persons.
- Database: an organised set of data that is the object of processing.
- Data subject: a natural person whose data is the object of processing.
- Processing: any operation or set of operations regarding personal data, such as collection, storage, use, circulation or suppression.
iv Classification of data
Data privacy laws provide the following classification of data:
- Public data: personal data that is not semi-private, private or sensitive. Among others, the following data is considered to be public: data related to marital status, profession, qualification as a merchant or public servant, etc. Because of its nature, public data may be contained, among others, in public records, official bulletins or judicial decisions (not sealed).
- Private data: data that is only relevant to the data subject owing to its intimate and confidential nature.
- Sensitive data: data that affects the intimacy of the data subject or that has the potential to generate discrimination against the data subject when unduly used. Examples of sensitive data are data revealing the racial or ethnic origin of the data subject, his or her political orientation, religious or philosophical convictions, membership of unions, human rights organisations or political parties, as well as data related to health, sexual health or biometric data.
- Semi-private data: data that does not have an intimate, confidential or public nature, and the knowledge or publication of which interests not only the data subject but also a group of people or society in general.
ii General obligations for data handlers
According to the data protection regulation, data controllers must comply with the following general obligations:
- guarantee the data subject the full and effective exercise of the habeas data right at all times;
- request and keep a copy of each authorisation granted by the data subject;
- inform the data subject of the purpose of the data collection;
- store all information under the security conditions necessary to prevent it from being tampered with, lost or disclosed or accessed without authorisation;
- guarantee that the information supplied to the processor is true, complete, accurate, up to date, verifiable and understandable;
- rectify the information when found to be inaccurate and inform the processor as necessary;
- demand processors adopt security and privacy conditions to safeguard the data subject's personal information;
- process data subjects' requests and complaints within the mandatory legal terms;
- adopt an internal manual of policies and procedures in order to guarantee adequate compliance with the law; and
- inform the data protection authority when data breaches occur.
Although Law 1581 was passed almost eight years ago and many organisations and entities began complying with the law, it was not until a couple of years ago that most organisations started implementing a real culture around data protection. This change was fostered by the obligation to register databases in the National Registry of Databases, which requires companies to assess and declare the level of compliance with the law.
Furthermore, the legislation establishes that data subjects will be entitled to:
- know, update and rectify their personal data with data controllers and processors. This right may be exercised, inter alia, in relation to partial, inexact, incomplete, fragmented and misleading data, or whose processing is explicitly forbidden or has not been authorised by law;
- request proof of the authorisation granted to the data controller;
- be informed by the data controller about the use made of their personal data;
- file complaints with the Superintendence of Industry and Commerce for violations of the data protection regulation;
- withdraw the authorisation, or request data suppression when the data processing fails to comply with the principles, rights and legal and constitutional guarantees. The withdrawal or suppression will proceed when the Superintendence of Industry and Commerce determines that the data controller or data processor has acted against this law or the Constitution;
- access, free of charge, their personal data being processed; and
- if they believe a processor or controller is not respecting their rights or complying with the law, file a complaint with the Superintendence of Industry and Commerce, which may admonish the controller or processor, or decide to open an administrative investigation.
iii Specific regulatory areas
Although Law 1581 establishes the general regime applicable to most activities and industries, it expressly excludes financial privacy matters, which are regulated by Law 1266 of 2008.
Law 1266 regulates data processing for the purposes of calculating credit risk, and establishes rights and duties for sources, operators and users of financial data related to monetary obligations.
Furthermore, Colombian law includes specific privacy provisions and rules applicable to certain sectors or activities, and which apply concurrently with the general regime. Regarding children's privacy, for example, Law 1581 sets forth special treatment for such data,4 and the privacy protection authority has issued a guideline specific to public and private education institutions. Also, there are sector-specific rules and case law related to the health sector5 (specifically, the social security system and medical history), and related to employment relationships.6
iv Technological innovation
In our opinion, the strict consent-driven approach of Law 1581 may unfortunately disincentivise technological innovation, owing to the constant change of purposes and uses that technological advances entail, which are sometimes difficult to foresee at the moment when consent is collected from the data subject.
It is important to note that Law 1581 specifically classifies biometric data (which includes facial recognition data) as 'sensitive' data, and provides specific requirements to acquire consent to use such data.
In 2015, SIC issued a guideline for using cloud computing according to the data protection regulation. This guideline establishes special recommendations for clients and providers when hiring or offering cloud computing services.
The National Council for Economic and Social Policies (CONPES) has recently issued a paper7 recommending that the government adopt a plan of action in order to: (1) increase the availability of data held by public entities so that the data is accessible, usable and of good quality; (2) provide legal certainty for the mining of personal data; (3) increase the number of qualified professionals available to process data; and (4) generate a data culture in the country.
Regarding the legal framework, the CONPES recommends that the country create a better classification of personal data and define more clearly the conditions of data processing in light of new technological advances and the principle of accountability.
IV INTERNATIONAL DATA TRANSFER AND DATA LOCALISATION
Regarding international transfers, Decree 1377 of 2013 differentiates between 'transfers' and 'transmissions' of personal data. Pursuant to Decree 1377, 'data transfers' take place when the data is shared with a controller, while 'transmissions' occur when the data is shared with a processor.
i International data transfers
According to Law 1581,8 international transfers of personal data to countries that 'do not provide an adequate level of protection for personal data' are prohibited, unless:
- there is express consent from the data subject;
- the processing is done with the purpose of preserving the data subject's health and life (medical data);
- they are banking or stock exchange transfers;
- they are transfers agreed in international treaties;
- they are transfers for pre-contractual or contractual performance, as long as the data subject has consented; or
- the transfer is legally required in order to safeguard public interest or for the acknowledgment or defence in a judicial process.
Recently, the Colombian data protection authority issued a guideline that sets forth the standards that a country must comply with in order to 'provide an adequate level of protection of personal data', and has included a list of countries that already comply with such standards.9
In light of the above, transfers of data to countries included in the list published by SIC, or that provide an adequate level of protection of personal data, are permitted. Transfers sent to a country that does not provide an adequate level of protection of personal data require a declaration of conformity from SIC.
ii International data transmissions
V COMPANY POLICIES AND PRACTICES
The internal manual of policies and procedures, on the other hand, is expected to include the internal proceedings and policies that the company has put into place in order to comply with the data protection regulation.
Furthermore, organisations are expected to comply with the principle of accountability, set forth in Decree 1377 of 2013, which establishes that controllers must be able to demonstrate that they have implemented internal policies to comply with Law 1581 that are proportional to: (1) the organisation's nature, structure and size; (2) the nature of the data being processed; (3) the kind of processing being carried out; and (4) the potential risks that the processing may cause.
The internal policies must guarantee the existence of an administrative structure proportional to the structure and size of the company; the adoption of mechanisms to implement the internal policies, including implementation tools and training and education programmes; and the adoption of procedures to answer any queries, petitions and claims made by data subjects.
Furthermore, the Superintendence of Industry and Commerce has issued the Guideline to Implement the Principle of Accountability, which serves as reference to organisations in order to implement the principle of accountability within their organisations.
Law 1581 requires companies to register the existence of their databases in a National Registry of Databases administered by SIC. Although the obligation has existed since Law 1581 was enacted in 2012, the deadline for organisations to comply with this requirement has not yet ended. Owing to the novelty and cumbersomeness of the registration procedure, the government has extended the term for registration several times.
VI DISCOVERY AND DISCLOSURE
Article 10 of Law 1581 establishes certain kinds of processing of personal data that do not require the consent of the data subject. Among them, Article 10 sets forth that controllers or processors are allowed to disclose or provide personal data to public or administrative entities that require it, as long as these entities are acting within their powers, or when the disclosure is requested by judicial order.
Discovery and disclosure of personal data to foreign administrative and judicial authorities should comply with the international treaties signed by Colombia, and be channelled either through a rogatory letter or through other procedures included in The Hague Convention, of which Colombia is a signatory.
VII PUBLIC AND PRIVATE ENFORCEMENT
i Enforcement agencies
Colombia's data protection authority is SIC and, within it, the Deputy Superintendence of Personal Data Protection.
As the data protection authority, SIC is in charge of enforcing data protection regulation and has the power to carry out unannounced audits and raids, as well as investigate and penalise non-compliance with the law.
SIC has the power to open investigations against any organisation considered to be infringing the data protection laws. Depending on the results of the investigation, SIC has the power to:
- impose fines of up to 2,000 times the minimum wage;
- order the suspension of activities related to data processing for up to six months while corrections are implemented;
- order temporary closure of all operations related to processing when correctives are not implemented during the suspension; and
- order the immediate or definitive closure of operations related to sensitive data.
Since 2010, SIC has imposed more than 620 sanctions for a total of 21 million pesos.
iii Recent enforcement cases
Order aimed at strengthening security measures
Based on the investigations and actions of the data protection authorities of eight countries (Ireland, the United States, the United Kingdom, France, the Netherlands, Canada, Australia and New Zealand) and on legal proceedings initiated by the Attorney General for the District of Columbia (United States), SIC ordered Facebook Inc and its subsidiaries, Facebook Colombia SAS and Facebook Ireland Limited, to adopt new, necessary, appropriate, useful, demonstrable and effective measures to comply with the principle and duty of security. Compliance must be certified by means of an independent audit, which must be carried out within the four months following the execution of Resolution 1321 of 2019 and every year thereafter for the next five years. The orders were issued on a preventive basis to prevent further security incidents, so no monetary penalty was imposed.
Fine for failing to delete contact data from databases
Imposition of orders to demonstrate compliance with the principle of accountability
A multinational sharing economy company suffered a security incident in 2016 affecting the personal data of 57 million users (267,000 Colombian residents). According to the principle of accountability set forth in Colombian data protection regulation, data handlers must be able to demonstrate, at the request of SIC, that they have implemented appropriate and effective measures to comply with the obligations set forth in Law 1581 of 2012. In light of the above, SIC ordered the parent company and its subsidiaries to develop, implement and maintain a comprehensive information security programme, which guarantees the security, confidentiality and integrity of personal data, preventing adulteration, loss, consultation, use or unauthorised or fraudulent access.
Furthermore, SIC considered that the company had taken too long to report the incident, and therefore ordered the company to develop, implement and maintain a programme for the management of personal data security incidents that contemplates procedures for informing the authority and the data subjects. The orders were issued on a preventive basis to prevent further security incidents, so no monetary penalty was imposed.
Law 1581 does not provide for specific remedies or financial recovery for private plaintiffs. Other actions, such as class actions and contractual or tort actions, are also available to data subjects, though they are still not common.
VIII CONSIDERATIONS FOR FOREIGN ORGANISATIONS
According to Law 1581,10 Colombian data protection law applies to data processing carried out within Colombia, or where, according to the law or international treaties, Colombian law is applicable to a controller or processor located outside Colombia.
Jurisdictional issues for multinational organisations may arise owing to the interaction between local corporate vehicles and their mother companies, which may entail a transfer or transmission of personal data.
Colombian data protection regulation requires consent for almost any kind of processing and provides few exceptions to the consent rule. Therefore, it is advisable for multinational organisations to verify that their internal corporate policies (particularly those related to transfers and transmissions in and out of the country) comply with local standards.
IX CYBERSECURITY AND DATA BREACHES
i Criminal prosecution of cybersecurity and data protection infractions
The Colombian Criminal Code punishes several crimes related to cybersecurity and data protection infractions. Among them, the Criminal Code punishes abusive access to computer systems, illegitimate blocking or hindering of computer systems or telecommunication networks, interception of computer data, damage to computer data or systems, use of malicious software, illegitimate use of personal data and phishing, among others.
ii Data breaches in the data protection regulation
Pursuant to Law 1581, controllers must report to the SIC any security incident that enables or threatens unauthorised access to or use of personal data. Controllers must report the incident within 15 business days of learning of it, and the report must include the kind of incident; the date of occurrence and the date on which the organisation learned of the incident; the kind of data and the number of data subjects affected; the causes and potential consequences of the incident; and the correctives that the organisation has applied or will apply. Organisations may present the report directly to the SIC or through the National Registry of Databases platform.
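The reporting duty above has two parts an incident response team can mechanise: a completeness check on the report's contents and a deadline computed in business days from the day the organisation learned of the incident. The following is an added example (not code from the original chapter, SIC or any project) that implements both. It assumes that "business days" means Monday to Friday excluding any public holidays the caller supplies; Colombian public holidays are not built in and must be passed in by the operator, and the hypothetical `IncidentReport` field names are this example's own, not a SIC form.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, List, Optional, Tuple

# Reporting window stated in the text: 15 business days from the day the
# organisation learned of the incident (day of learning itself is day 0).
REPORTING_WINDOW_BUSINESS_DAYS = 15


@dataclass
class IncidentReport:
    """Fields the text says a report to SIC must contain (names are hypothetical)."""
    incident_kind: str                 # e.g. "unauthorised access"
    occurred_on: Optional[date]        # date of occurrence
    learned_on: Optional[date]         # date the organisation learned of it
    data_kinds: Tuple[str, ...]        # kinds of personal data affected
    subjects_affected: Optional[int]   # number of data subjects affected
    causes: str                        # causes of the incident
    potential_consequences: str        # potential consequences
    correctives: Tuple[str, ...]       # correctives applied or planned


def reporting_deadline(learned_on: date, holidays: FrozenSet[date] = frozenset()) -> date:
    """Last calendar day on which the report is still within 15 business days.

    Assumption: business days are Mon-Fri minus the holidays supplied by the
    caller. Public holidays are NOT modelled here and must be passed in.
    """
    remaining = REPORTING_WINDOW_BUSINESS_DAYS
    current = learned_on
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in holidays:
            remaining -= 1
    return current


def missing_fields(report: IncidentReport) -> List[str]:
    """Return the names of required fields that are absent or inconsistent."""
    missing: List[str] = []
    if not report.incident_kind.strip():
        missing.append("incident_kind")
    if report.occurred_on is None:
        missing.append("occurred_on")
    if report.learned_on is None:
        missing.append("learned_on")
    if not report.data_kinds:
        missing.append("data_kinds")
    if report.subjects_affected is None or report.subjects_affected < 0:
        missing.append("subjects_affected")
    if not report.causes.strip():
        missing.append("causes")
    if not report.potential_consequences.strip():
        missing.append("potential_consequences")
    if not report.correctives:
        missing.append("correctives")
    # An organisation cannot learn of an incident before it occurred; flag the
    # date pair so the analyst re-checks it rather than filing bad data.
    if (report.occurred_on is not None and report.learned_on is not None
            and report.learned_on < report.occurred_on):
        missing.append("learned_on/occurred_on (inconsistent order)")
    return missing


def filing_status(report: IncidentReport, filed_on: date,
                  holidays: FrozenSet[date] = frozenset()) -> str:
    """Classify a filing as 'incomplete', 'timely' or 'late'."""
    if missing_fields(report):
        return "incomplete"
    assert report.learned_on is not None  # guaranteed by missing_fields()
    return "timely" if filed_on <= reporting_deadline(report.learned_on, holidays) else "late"


# Constructed sample report (fictional incident) for demonstration only.
SAMPLE_REPORT = IncidentReport(
    incident_kind="unauthorised access to a customer database",
    occurred_on=date(2019, 8, 30),
    learned_on=date(2019, 9, 2),          # a Monday
    data_kinds=("names", "e-mail addresses", "identification numbers"),
    subjects_affected=1200,
    causes="credentials of a service account exposed in a public repository",
    potential_consequences="phishing and identity fraud against the affected subjects",
    correctives=("credentials rotated", "repository access audited", "subjects notified"),
)

if __name__ == "__main__":
    print("missing:", missing_fields(SAMPLE_REPORT))
    print("deadline:", reporting_deadline(SAMPLE_REPORT.learned_on))
    print("status if filed 2019-09-23:", filing_status(SAMPLE_REPORT, date(2019, 9, 23)))
```

The deadline function counts forward one calendar day at a time so that a holiday set can be plugged in without changing the logic; for the constructed sample learned on Monday 2 September 2019, the fifteenth business day is Monday 23 September 2019, and declaring that day a holiday pushes the deadline to the 24th.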
Article 27 of Law 1581 established that the government must adopt a regulation regarding binding corporate rules. Although SIC has conducted a study on the matter, the government has not yet issued the regulation, but is expected to do so.
On the other hand, it is important to note that although the EU's General Data Protection Regulation is not applicable in Colombia, many domestic organisations are interested in complying with that regime in order to be able to offer their products or services in the EU.
1 Natalia Barrera Silva is a partner at Márquez, Barrera, Castañeda & Ramírez.
2 Regulatory Decrees No. 1727 of 2009, 2952 of 2010, 1377 of 2013 and 886 of 2014.
3 Law 1581, Title II, Article 4.
4 Article 7, Law 1581 of 2012.
5 See, for example, Resolution No. 1995 of 1999 of the Ministry of Health, Decisions C-264 of 1996 and T-1105/05.
6 See, for example, Decisions T-768/08 and T-405/2007 of the Constitutional Court.
7 CONPES Document No. 3920, 'National Policy of Data Exploitation', National Department of Planning.
8 Article 26, Law 1581 of 2012.
9 According to Circular No. 005 of 2017, the following countries are considered to have an adequate level of protection of personal data: Germany; Australia; Austria; Belgium; Cyprus; Costa Rica; Croatia; Denmark; Slovakia; Slovenia; Estonia; Spain; the United States; Finland; France; Greece; Hungary; Ireland; Iceland; Italy; Japan; Latvia; Lithuania; Luxembourg; Malta; Mexico; Norway; the Netherlands; Peru; Poland; Portugal; the United Kingdom; the Czech Republic; the Republic of Korea; Romania; Serbia; Sweden; and countries that are considered to have an adequate level of protection by the European Commission.
10 Article 2, Law 1581 of 2012.