Under Colombia’s data protection framework, any country outside of Colombia is classified as a “third country.” Personal data can only be transferred to another country when an adequate level of protection is guaranteed under Law 1581 of 2012.
The first option to show adequate data protection is for the Colombian Superintendencia of Industry and Commerce (the authority) to make an “adequacy decision” so that personal data can flow from Colombia to third countries. The second option includes that the case is considered an exception as laid down in paragraph 2 of Article 26 of Law 1581 of 2012. The third option is for the authority to issue a statement regarding a data transfer operation or set of data transfer operations. The fourth is to make use of binding corporate rules.
The draft regulation on cross-border flow of personal data submitted by the Authority establishes a new option for controllers to be able to recognize, in accordance with the accountability principle, that a data transfer operation ensures an adequate level of data protection equivalent to that ensured within Colombia. This could be, for example, to conclude agreements or memorandums of understanding, which involve the transfer of personal data, including the provisions relating in particular to compliance with the general principles and procedural/enforcement requirements. In any event, the controller must consult the Colombian Supervisory Authority before the international transfer. This above requirement would be a condition required before the transfer of data would be permitted to take place.
The new rule will, therefore, increase the transfer of personal data to international organizations. However, data transfer based on such accountability principles requires that controllers assume a risk in order to determine the level of protection provided by the recipient of the information (i.e., the exporter must demonstrate that the importer has adopted a breach policy, security policies, data protection policies, which are implemented by controllers to facilitate the exercise of data subject rights). Otherwise, such an operation may result in an intervention of the supervisory authority in accordance with its tasks and powers laid down in the Law 1581 of 2012. The fine could be equivalent to 2,000 legal monthly minimum wages in force when imposing a sanction.
There is another important factor to note. When a controller decides to adopt the principle of accountability, which is implicit in the existing rules (see Guidelines for the Implementation of the Accountability Principle), to transfer personal data outside of Colombia, it should have previously evaluated whether the intended third country controller offers consistency and convergence of data protection principles and practices. This assessment includes taking into account all the circumstances of the case, such as the nature and purposes of the processing, the type of personal data and categories of data subjects, the time limits for retention, the risk to the rights and freedoms of natural personal, technical and organizational measures, the advisory function of the supervisory authority, and the legislation in force in the country of final destination. In fact, the Article 29 Working Party also stressed the importance of this in Opinion WP12/1998, saying, “When a contract is used in relation to data flows to third countries it must do much more: It must provide additional safeguards for the data subject made necessary by the fact that the recipient in the third country is not subject to an enforceable set of data protection rules providing an adequate level of protection.”
In order to demonstrate compliance with Law 1581 of 2012, controllers located in Colombia should consult their data protection officers or external lawyers from the outset and obtain their advice. This should be sufficient to ensure a reasonable level of compliance with the substantive data protection principles. Similarly, special precautions need to be taken when personal data is transferred to controllers outside Colombia that do not provide Colombian-standard data protection.
Finally, it is important to clarify that the Colombian draft regulation will only apply to the transfer of personal data between a controller and another controller. In other cases of cross-border data transfer (i.e., the flow of personal data between a controller and a processor), the legal mechanism is a transmission of personal data contract laid down in Article 25 of Decree 1377 of 2013.
The text of the draft regulation may be approved by the authority, with or without amendment, by September.
If you want to comment on this post, you need to login.