Development of Data Protection Regulation in Colombia
Jan 06, 2014 QuickCounsel
By Lloreda Camacho
With globalization and new forms of commerce, data protection has become an issue for most lawmakers and a matter of interest for companies. Personal data is therefore now taken into account by companies, and even by states, when making decisions. Personal data and information are even considered "the new petroleum from Internet and the new currency from the digital world" [1]. The European Union has long had regulation on data protection; Spain, for example, has a strong data protection system.
Latin American countries have started to pay attention to data protection because of the importance of protecting the rights of data subjects. Companies also see an interesting market to be developed, namely data storage, but for a country to be a suitable market for that business it needs strong regulation on data protection. This QuickCounsel comments on the new data protection regulation in Colombia and its implications for companies that handle data. Almost all companies and public offices manage data and therefore have databases, which makes them subject to the regulation. Colombian regulation is strict: it requires companies and the public sector to comply with it and to adapt their internal procedures to it. This has implied a change in corporate culture and in the behavior of employees and of everyone involved in data handling.
The habeas data right in Colombia was recognized as a fundamental right by article 15 of the Colombian Constitution, and its protection has been guaranteed by judgments of the constitutional courts, since there was no other binding regulation that protected it. The habeas data right includes people's right to know, rectify and update their personal information.
In 2008 the National Government considered it necessary to issue a law protecting the rights related to the use of personal data in financial services; this materialized as Law 1266 of 2008. Law 1266 included general provisions on habeas data, focused on financial and credit services. It did not apply to the handling of data in order to offer services, personal data used in commercial relations, personal data handled by the public sector, etc.
Relevant Aspects Of Law 1581 Of 2012
On October 18, 2012 the Government issued Law 1581 of 2012 (hereinafter referred to as the "Data Protection Regulation"), which established the general provisions for personal data protection, principally in order to protect data subjects and guarantee their rights. It is worth mentioning that the issuance of the law was preceded by a judgment of the Constitutional Court on its constitutionality, and that many of the matters it regulates were interpreted by the constitutional judges (Sentence C-748 of 2011). Those matters include the handling of children's data and the applicability of the law to legal persons, among others. The Constitutional Court established that the personal data of children and adolescents can be processed by those in charge of or responsible for databases, as long as doing so does not jeopardize the prevalence of rights and unequivocally pursues a superior interest.
The Data Protection Regulation establishes that its provisions do not apply to personal data contained in the following databases: (i) personal or domestic, (ii) security and national defense, and the prevention, detection, monitoring, and control of money laundering and terrorism financing, (iii) intelligence and counter-intelligence, (iv) journalistic information, (v) financial and credit information (Law 1266 of 2008), and (vi) population censuses (Law 79 of 1993).
As mentioned above, there is also a data protection regulation for the financial sector (Law 1266 of 2008). The Data Protection Regulation, being the general provision on data protection, established that its general principles will in any case apply to financial and credit information databases.
Law 1581 sets out the rights of data subjects and the duties of data controllers and data processors. Data subjects may exercise their rights at any time, including the right to require the elimination of their data from the database, regardless of the authorization they gave for handling the personal data. Sensitive data (such as data related to gender, sexual orientation, political and religious views, clinical history, among others) can only be handled in the cases contemplated by the law, which include, among others, that the data subject authorizes its use. The authorization given in this regard must be express and prior, and it is important that it specifies the data to which it applies. A great variety of aspects of data protection were left to be regulated by specific rules, which we comment on below.
Specific Regulation Of Law 1581 Of 2012
Therefore, if any substantial change to the purpose occurs, the data subject must be informed of it in order to obtain a new authorization that suits the new purpose. When dealing with sensitive data, however, as mentioned before, the authorization must identify the sensitive data that the subject is authorizing to be handled, and the purpose must be express.
The Regulatory Decree drew attention to databases that were in operation before June 27, 2013, and to the way data controllers should obtain authorization for the use of such data. According to the Regulatory Decree, database controllers could choose either of the following options to obtain authorization from the data subjects included in those databases:
(i) To ask for an individual authorization from each of the data subjects, using the mechanisms normally used in this type of relationship (e.g. emails); or
(ii) If the previous option implies high costs, or it is impossible to contact the data subject, alternative communication mechanisms may be used (such as newspapers, the company's web page, and magazines). This option could be used only until July 27, 2013.
One of the most important aspects regulated by the decree was the international transfer and transmission of data, since most companies have their head office or subsidiaries outside Colombia, and some have hired data processors outside the country because they do not have all the technical capacity in Colombia. The Regulatory Decree therefore requires that, in order to transfer or internationally transmit personal data, the data controller have express authorization from the data subject to do so. The decree allows this authorization to be dispensed with if the data controller and the processor sign a data transmission agreement in which the purposes of the processing are clearly established.
A data transfer takes place when data is sent from a controller or a processor to another controller outside the country, for example when a subsidiary sends personal data to its controller outside the country. A transmission of data happens when the processor uses or sends data in order to process it; in this case the data is not sent to a controller, and the processor performs activities related to processing the data. The data transmission agreement will allow companies belonging to a corporate group to perform data transfers without a specific authorization from the data subject, when the companies of the group sign the agreement, and until the regulation on Binding Corporate Rules is issued.
The Regulatory Decree also dealt with accountability and established obligations for controllers in order to guarantee compliance with the Habeas Data Regulation. Controllers must therefore be able to give the SIC information about their data collection procedures, a description of the purpose, and an explanation of the relevance of the collected data.
Data Protection Authority
According to Law 1581 of 2012, the SIC is the authority in charge of enforcing the Habeas Data Regulation. These functions will be carried out specifically by the Delegate for Data Protection. Law 1581 of 2012 establishes that the SIC will be in charge of the National Registry of Databases once the registry is created. A draft regulatory decree on the creation of the National Registry of Databases is currently under study.
Since the SIC is the authority that enforces the Habeas Data Regulation, it is responsible for ensuring compliance with it and can impose sanctions for breaches of the regulation. The applicable sanctions are the following:
* Personal and institutional fines up to 2000 monthly legal minimum Colombian wages at the time of the sanction (for year 2013, COP$1.179.000.000 - approximately US$594,000).
* Suspension of activities related to the processing of data for up to six (6) months.
* Temporary closure of the operations related to data processing, once the term of suspension has been completed and no corrective measures were taken.
* Immediate and definitive closing of the operation involving sensitive data.
What Is Missing?
As mentioned above, the implementation of the National Database Registry has not yet been regulated. The authority is also still developing the regulation on Binding Corporate Rules, an important step toward certifying Colombia as a country with an appropriate level of protection and toward allowing corporate groups to perform international data transfers within the group to other countries where group companies are located, even if those countries do not meet appropriate levels of protection. Implementing the Data Protection Regulation also requires a big effort from companies. Because the Data Protection Regulation is very strict, companies are starting to implement measures to avoid sanctions.
The Data Protection Regulation implies big changes in companies, starting with changes to their internal policies and to the behavior of their employees when dealing with personal data. The biggest challenge for companies will therefore be to instruct their employees in complying with all the duties that companies have regarding data protection, and especially those related to the security and confidentiality of data, since breaches of those duties are the ones that could cause the most risk to companies. The new regulation also implies that data subjects are more aware of their rights and therefore require more protection from data controllers and processors and demand more privacy; in turn it will demand from data subjects more knowledge of their data and of the way it has been given away. Since Colombia did not have a data protection culture, and one needs to be created, this will be a huge obstacle, because the understanding and application of the regulation will differ for each company, employee, authority and data subject.
Additional ACC Resources
Aspects on Data Protection That Your Company Should Take Into Account When Establishing a Business in Colombia
ACC Resource Library - Top Ten - Sponsored by Lloreda Camacho & Co.
Data Protection Matters: The Applicability of the Principle of Accountability to Companies in Colombia
ACC Resource Library - QuickCounsel - Sponsored by Lloreda Camacho & Co.
Overview of Data Privacy Laws in India and Aspects of Data Protection That Your Company Should Take into Account When Establishing a Business in India
ACC Resource Library - QuickCounsel - Sponsored by Khaitan & Co