Colombians enjoy broad personal privacy rights such as: (i) personal and familial privacy; (ii) protection of good name; (iii) protection of personal correspondence and other personal communications; and (iv) access to documents in public and private databases—and the right to correct them—under the Colombian Constitution. However, in practice, constitutional protection has not been able to guarantee an adequate level of protection for personal electronic data in Colombia. The inefficiency in preventing infringement and the lack of experience on various technical issues, among others, made evident the need to enact additional legislation in order to build this Constitutional precept. As a result, Colombia recently enacted a comprehensive regulation on personal data protection through law No.1581. This new law compiles the rulings of the Colombian Constitutional Court on the subject during the past twenty years.

Highlights of Colombia law No.1581

Private data defined. Article 3 of Law No. 1581 defines personal data as “any information relating to one or more individuals, identified or identifiable.”

Scope. Except for the matters previously regulated under Law 1266 of 2008 (which is limited to credit entities), Law No. 1581 applies to all data collection and the processing of individuals’ personal data within the Colombian territory and to the processing of personal data of Colombian residents who may live abroad.

Excluded databases. The new regulation will not apply to: (i) strictly personal databases, (ii) databases containing information regarding (a) national security; (b) money laundering, or financing of terrorism; (c) government intelligence and counter-intelligence; (d) databases containing journalistic and editorial information; and (e) information regulated by law 1266 of 2008 (which is limited to credit entities).

Consent required in Data Processing. Colombia has adopted a protectionist model. Any data processing requires prior, express and informed consent. It is critical to note that tacit or implicit consent is not an option.

International transfer of personal data. As a general rule, Article 26 expressly prohibits international data transfers except when it is done with countries that have adequate levels of protection. The adequacy of that protection should be determined by the Superintendence of Industry and Commerce (SIC), which also issues the appropriate certificates. However, this prohibition will not apply if (i) the data owner grants express and unequivocal authorization; (ii) the data transfer is related to medical information exchange that is required for public sanitary measures or health matters related to the data owner; (iii) the data transfer involves stocks and banking transfers; (iv) the data transfer is authorized under international treaties; (v) the data transfer is necessary for the performance of a contract between the data owner and the data controller; and (vi) the data transfer is of public interest.

Sensitive data expressly protected. The new law has a reinforced protection for so-called sensitive data, which is information that deserves special protection because of the high risk posed by its processing to citizen’s rights and freedoms. The incorrect use of this sensitive data might cause discrimination. Sensitive data includes people’s racial and ethnic origins; color and sexuality; their political, religious, philosophical, or other beliefs; their participation in a given association; or their membership in a trade union, among others.

Accessing personal information through the Internet. Article 4(f) expressly says, “…personal information, except for public information, shall not be available on Internet.”

The Data Protection Authority (DPA). Article 19 establishes that the SIC will have six months since the passing of the law – that is until April 2013 – to create a special unit within the institution that will be responsible for enforcing this law.

National Database. The law requires covered entities that maintain databases of information to register with the Colombian DPA by April 2013. 

Sanctions. Violation of the law could result in fines representing the value of up to 2,000 monthly minimum wages (US$650,000) and up to a six months database suspension.

Even though this new law demonstrates that Colombia is raising awareness of the importance of protecting private information, in some aspects, the adopted model is too protectionist. A clear example is the prohibition of making personal information available through the Internet. This rule is already obsolete and it overlooks the Internet’s multiple advantages and services.

Companies should have a plan in place to comply with these new regulations.