By means of External Circular Letter No. 005 of August 10, 2017, the Superintendence of Industry and Commerce (SIC) issued a pronouncement with regard to the countries that in opinion of this entity offer an adequate level of protection for transfers of personal data, as well as the criteria for determining that a given country meets the protection standards set by this entity.

In this regard, the SIC established a list of 36 countries that in consideration of this entity have an adequate level of protection of personal data, among which the United States was included as a novelty. Other countries included are; Germany, Spain, France, Mexico, Peru and the United Kingdom.

In accordance with Article 26 of Law 1581 of 2012, it is prohibited to transfer personal data to countries that do not provide adequate levels of data protection. In this sense, when transferring personal data to a country that is not included in the list established by the SIC in External Circular Letter No. 005; the Responsible of the processing of the personal information to be transferred shall request from this entity a declaration of compliance, in case the international transfer does not fall within the exceptions established in the mentioned article.

Since its enactment, External Circular Letter No. 005 of August 10, 2017, has been subject to extensive discussions between the private sector and part of the academic sector, as the latter considers that the inclusion of some countries has been precipitate and little studied. On the other hand, this inclusion grants celerity to private companies and public entities that have data management projects in a global level, using services denominated cloud.