Computers, Privacy & the Constitution
-- TomasHolguin - 27 Apr 2015

How Colombia adopted a Data Protection Regulation so detailed that it ended up protecting Facebook

Introduction: The Colombian Congress recently enacted Law 1581 ("New Data Protection Act" or "NDPA"), establishing the regulatory framework for obtaining and processing personal data from the public and providing the legal framework for safeguarding the constitutional right to privacy, taking into consideration the “new technologies that enable the electronic transfer of personal data.”

NDPA is part of the current trend in Latin America to establish broad regulations and ample definitions of personal data. With the promulgation of this new privacy law, it has been held that Colombia has finally joined the rest of the Latin American countries with modern laws for the adequate protection of personal data.

In general terms, with this new legal framework owners of data enjoy greater protection of their personal information, and processors and final users are now required to comply with an extensive set of obligations with regard to the collection, use, and processing of personal data. NDPA provides for a set of sanctions (including criminal actions) that are worth taking into consideration.

Unfortunately, the law suffers from the same formalistic difficulties and is written in such a way that it attempts to regulate every single detail of every single transaction, focusing on procedural and formalistic discussions that, as has already happened, will make the enforcement of the law very difficult and will close off the possibility of having any discussion as to the obligations of foreign companies to comply with Colombian standards when dealing with data collected in Colombia from abroad.

Overview of NDPA: Congress enacted NDPA after a long history of claims (more than 200) resolved by the Constitutional Court, protecting the constitutional rights of individuals who demanded that entities administering credit-reporting databases remove their personal data from those databases.

Accordingly, NDPA was drafted in such a way that it imposes extensive requirements to ensure that entities collecting, processing or transferring personal data do so without compromising citizens’ privacy rights. To begin with, NDPA has a very broad definition of Personal Information, including “information that by itself or in connection with other information may identify a particular individual”, and a specific definition of Sensitive Data as data that, “due to its sensitive or confidential nature, is relevant only to the data owner”, such as data that pertains to the right to intimacy.

With this new legal framework, data owners in principle now have much broader and greater protection of their personal information, and individuals and entities are now required to comply with new and extensive obligations with regard to the collection, use and processing of personal data.

In addition to the above, NDPA includes a list of the rights and duties of data subjects and data processors. Among the more relevant is the right of data owners to be eliminated from the database, regardless of the prior authorization given to the receiver of the data, if it contains false or outdated information.

Enforcement and sanctions: Following the trend of other Latin American countries, NDPA empowers the Superintendence of Industry and Commerce (“_SIC_”), as the administrative authority with jurisdiction, to enforce NDPA and impose substantial fines. The SIC may impose fines of up to US$600,000 and order the suspension or closure of the commercial activities of the person who breaches NDPA. In addition to the administrative fines, NDPA establishes a new criminal offense (prison from 4 to 8 years) punishing those who “_obtain, gather, subtract, offer, sell, exchange, send, buy, intercept, divulge, modify or use personal data (...) for personal purposes or of third parties, without being authorized to do so_”.

Finally, data owners have the right to file a special Constitutional Writ of Protection to have their fundamental right to privacy, data protection or habeas data protected when they believe it has been violated.

To whom is the law addressed? In addition to the broad definition of Personal Information and Private Data, NDPA imposes various obligations on any “_responsible party_” that directly or indirectly processes personal data of third parties. To start with, NDPA defines the “_responsible party_” as the “_public or private individual or entity that processes the personal data or decides how the data should be processed or the database safeguarded_”.

In principle, NDPA was intended to apply at a national level, covering all persons that supply or process personal data within the territory of Colombia. It was thought, as has been held in other Latin American jurisdictions and in Spain, that NDPA covered any act that had effects on the Colombian market, based on the so-called effect theory. Therefore, it was thought that foreign entities with commercial activities in Colombia, without having a direct presence, were bound by the NDPA and had to comply with all the obligations when collecting or processing personal data.

However, in a recent opinion issued by the SIC (Opinion 14-218349 of November 24, 2014), the entity charged with the enforcement of NDPA held that “_the collection and processing of personal data published in social networks (such as Facebook) is not within the competence of the NDPA, since the recollection, use, processing, transfer and storage of personal data is not undertaken within the Colombian territory, taking into account that the social networks are not domiciled in Colombia” (…) “Accordingly, this Superintendence does not have competence regarding the use of personal information available in, since such entity is not domiciled in Colombia._”

The conclusion reached by the SIC is based on a very formalistic approach to the definitions contained in the NDPA. In short, it forecloses the possibility of having the necessary discussions regarding the accountability of foreign entities such as Facebook or any other entity without a local subsidiary that obtains and processes personal data from Colombians.



r2 - 30 Jun 2015 - 14:26:25 - MarkDrake
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.