Colombia enacted Law No. 1581 to regulate personal data law after years of delay. The law is effective immediately, but the Colombia Industry and Commerce has until April 2013 to create a data protection authority (DPA), which will be responsible for enforcing the law. The law requires covered entities (i.e., companies subject to the Colombian law) that maintain databases of information to register with the Colombian DPA by April 2013. The specific information that must be provided to the Colombian DPA at the time of registration will not be finalized until October 2013, however. While the focus of the law appears to be on making a list of companies that collect and use information publicly available to Colombian citizens, it also contains provisions for processing children's data, special requirements for entities possessing individual's personal information, and obligations for service providers. The law also contains restrictions on sharing personal information with companies outside of Colombia unless the DPA determines that they are located in a country that has personal data protections equal to those in Colombia, or if there has been consent, or in the case of certain financial transactions. Violation of the law could result in fines up to $590,000 and up to a six month database suspension.
TIP: Colombia joins many other countries that have passed data protection laws that include registration requirements, as well as restrictions on transferring personally identifiable information outside of the country unless certain thresholds are met.