The State of Communication and Privacy Law in Colombia (2020)

  1. Is there a data protection law?
    yes iconyes

    Colombia has adopted Law 1581 of 2012, also known as the General Data Protection Law (GDPL). It covers the protection of personal data by the public and private sector. Data protection is a fundamental right in Colombia. This law is regulated by Decree 1377 of 2013.

    SEE MORE
  2. Is there a data protection authority?
    yes iconyes

    The GDPL assigns the Superintendence of Industry and Commerce (SIC) as the Colombian Data Protection Authority. The SIC is not an independent agency since it’s under the Executive branch, and the Ministry of Industry, Trade, and Tourism of Colombia. The SIC can issue sanctions.

  3. Does the data protection law apply to law enforcement activities?
    yes iconyes

    Colombian data protection law applies to the personal data held by the public sector. However, the law also exempts databases whose purpose is national security, defense prevention, detection, and monitoring and control of money laundering and terrorist financing, as well as intelligence and counterintelligence activities. The Colombian Constitutional Court has stated that these exceptions are not excluded from the application of the data protection law but exempted from some of its provisions by virtue of their interests.

    SEE MORE
  4. What are the criteria, if any, for the transfer of personal data to third countries under their data protection law?

    Colombia has adopted its own “adequacy” standards different from the EU standards. Article 26 of the RNBD prohibits the transfer of personal data to any country that fails to provide an adequate level of data protection comparable to Colombian standards. The Colombian Superintendence of Industry and Commerce (SIC) set the Colombian standards of “adequacy,” and they are considered a lower standard than the GDPR.

    SEE MORE
  5. The Constitutional Court has stated that, as a general rule in the Colombian legal system, a judge’s authorization is necessary if there is interference with a fundamental right of the investigated or accused. However, as an exception to the general rule, when the Office of the Attorney General is given the power to interfere with an individual’s rights for the purpose of collecting information relevant to a criminal investigation, these actions are subject to subsequent judicial review, and not prior authorization. This exception applies only in the cases of searches, house visits, seizures, and interceptions of communications. It must be strictly interpreted so that the safeguard of a prior judicial authorization is not superfluously bypassed.

    Interception of communication - It can be carried out upon prosecutor’s request with subsequent judicial review.

    Access to the content of communications - Upon prosecutor’s request with subsequent judicial review.

    Access to metadata - Treated like interception.

    Access to subscriber data - Upon prosecutor’s request.

    Location data - Treated like interception; real-time tracking can be granted upon prosecutor’s request.

    SEE MORE
  6. What’s the factual basis to access communications data?

    The factual basis for accessing communications data in Colombia includes:

    Article 250 of the Political Constitution of Colombia

    Article 235 of the Criminal Procedure Code

    Sentence C-540, Constitutional Court

    For details on the above articles and cases,

    SEE MORE
  7. For content and metadata in criminal investigations: the Office of the Attorney General of the Nation and other authorities that have Judicial Police powers.

    SEE MORE
  8. Does the country have provisions about access to data in cases of emergency?
    yes iconyes

    Article 38 (e) of Act 137 of 1994 allows the national government to intercept or record communications during situations of internal disturbance “with the sole purpose of finding judicial evidence or preventing the commission of crimes,” as long as there is judicial authorization. The authorization can be given verbally when there are “insurmountable circumstances of urgency and it is necessary to protect a fundamental right in grave and imminent danger.”

    SEE MORE
  9. Is there any data retention mandate?
    yes iconyes

    Decree 1704 of 2012 stipulates that “network providers and telecommunications service providers must keep their users’ information up-to-date and store subscriber data (identity, billing address, type of connection) and geolocation for at least five years.”

    SEE MORE
  10. Are there any rules that authorize the use of malware?

    There is no precise legal framework in Colombia that authorizes law enforcement use of malware to intrude or hack a computer or device. However, “hacking” (abusive access to an information system) is a criminal offense according to article 269 A of the Colombian criminal code.

  11. Is there any law that compels companies to provide direct access to their internal servers for law enforcement purposes?

    Resolution 912 of 2008 sets out that telecommunications services providers must allow the Directorate of Criminal Investigation and Interpol (Dijín, in Spanish) to make a remote connection to obtain subscribers’ data, such as names, home address, mobile number, and service activation date. The Resolution does not oblige telecom companies to grant any form of direct access to the companies’ internal infrastructure and servers, but it does grant Dijín the ability to carry individualized “queries” for each subscriber and compels telecom companies to provide a username and password for such individualized queries.

    SEE MORE
  12. Does the law compel companies to assist law enforcement agencies in their investigations?

    Article 2 of Decree 1704 of 2012 forces telecom and network providers operating in Colombia to provide the technical capability to intercept communications in “national defense, prevention of states of emergency, and public safety” cases. Companies must implement and guarantee the “technological infrastructure to provide interconnection points and access to communications data by the judicial police, following a Prosecutor’s Office’s request.” In case of intelligence and counterintelligence, Article 44 (1) of Law 1621 of 2013 forces telecom and service providers to provide the Attorney-General’s office and the Ministry of Information and Communication Technologies with the necessary equipment to allow them to intercept communications if the technology changes.

    SEE MORE
  13. Does the State report on the number of requests to access communications data?
    no

    To the best of our knowledge, the government of Colombia has not published reports on the number of requests to access personal data.

  14. Is there any legal limitation that prohibits companies from publishing transparency reports?
    no

    To the best of our knowledge, there is no normative framework that prohibits a company from publishing statistical data on the number of data requests made by the State in criminal or national security matters.

  15. Do telecommunication companies publish transparency reports?

    Telefónica-Movistar- YES

    Claro- NO

    ETB- YES

    AT&T-DirecTV- YES

    Millicom-Tigo- YES

    EMCALI- NO

    Telefónica-Movistar publishes yearly transparency reports. Millicom-Tigo also publishes periodic transparency reports, but only in 2018 provided specific statistical information for Colombia. AT&T-DirecTV publishes annual transparency reports, but with no country-level information for Colombia. Claro publishes a sustainability report with no statistical information on communications data requests. EMCALI does not publish transparency reports.

    SEE MORE
  16. Can companies notify users about States’ data requests?

    In Colombia, there is no legal provision that establishes a mandatory obligation to notify the user that their data was requested by the State.