Privacy & Information Security Law Blog

On October 7, 2011, the Constitutional Court of Colombia approved a landmark omnibus data protection law.  According to its press release, the Court approved almost all provisions in the legislation, known as Ley estatutaria No. 184/ 10 Senado, 046/10 Cámara, but it took issue with Article 27 (which addresses the government’s processing of certain data), Article 29 (which addresses the expunging of certain criminal records) and Articles 30 and 31 (which both address intelligence and counterintelligence databases).  Many of the remaining provisions reflect a strong European influence.  Some highlights include:

• With certain exceptions, the law prohibits the processing of personal data without the data subject’s prior consent.  When the personal data are sensitive data (e.g., health data), the consent must take the form of an explicit authorization.
• The law permits cross-border transfers of personal data to countries that lack adequate data protection laws only in specified circumstances, such as (1) when the data subject has given express and unequivocal consent for the transfer (2) the transfer is necessary for the performance of a contract between the data subject and the data controller, or (3) with the approval of the Superintendence of Industry and Commerce.
• The processing of children’s personal data is generally prohibited.
• Data subjects have access rights.

Unlike other EU-style data protection laws that place obligations primarily on data controllers, this law would also directly regulate data processors.  Under the legislation, a data processor would need to comply with a long list of requirements, including:

• Informing the Superintendence of Industry and Commerce when there are violations of security rules or there are risks in the administration of personal data.
• Developing an internal manual containing policies and procedures to ensure compliance with the law, with special emphasis on addressing data subjects’ inquiries and claims.
• Facilitating data subjects’ access requests and guaranteeing the right of hábeas data.
• Indicating in its database when information is subject to certain disputes or judicial processes.
• Refraining from circulating information that is subject to certain disputes.
• Protecting personal data against fraud and security threats.
• Updating its databases within five days to reflect new information received from the relevant data controllers.

We will update this post with a link to the Court’s decision when it becomes available.