Many countries aspire to an adequacy decision from the European Commission. However, only a handful of countries have achieved that goal.
In order to obtain an adequacy decision, a country needs to evaluate whether its data protection framework meets the new EU standards rather than focus on the novelties of the EU General Data Protection Regulation such as privacy by design, data protection impact assessments, the right to be forgotten or the right to data portability. The appropriate focus, then, is on the list of criteria as established in Article 45 of the EU GDPR.
Article 45 establishes the factors the European Commission will use to determine whether a third country ensures an adequate level of protection (or essential equivalent to that of the EU on the basis of the Schrems case), including: the specific processing activities, access to justice, international human rights norms, data protection regulation (compressive or sectoral), legislation concerning national security and criminal offenses, monetary fines for onward transfers in violation of data protection regulation, among others.
Although local rules exist for data protection, Colombia does not yet have adequate standing. Here are some key elements of the Colombian data protection framework:
- Colombia respects the rule of law, privacy and data protection rights and fundamental freedoms.
- The Colombian Constitution provides a special judicial remedy for the protection of personal data, known as “habeas data.” This is a fundamental and directly applicable right before any judge.
- Colombia has two data protection statutes. One relates to credit reporting information (Law 1266 of 2008). The other ensures the protection of information about an identifiable individual recorded in data files, registers, databanks or other technical means (Law 1581 of 2012). Together they constitute a common legal regime providing for the protection of personal data.
- Laws 1266 and 1581 cover personal data protection in relation to public authorities or bodies and the private sector.
- The exemptions to the scope of laws are those necessary in a democratic society (these are similar to those listed in the EU GDPR).
- Law 1581 lists a number of principles, which constitute the core of the protection of personal data in Colombia. These principles are directly enforceable before both judges and the data protection authority.
- Law 1581 ensures high standards of protection for personal data, with more stringent protections for sensitive data and children’s data.
- Law 1581 contains provisions relating to the rights of data subjects, such as access, rectification, update and deletion, the obligations of data controllers and data processors.
- Although the data protection authority (Superintendence of Industry and Commerce, or SIC) is integrated within the structure of the Ministry of Industry, Trade, and Tourism of Colombia, Law 1581 provides the SIC with the power to impose sanctions, and powers and tasks necessary for the compliance with the objectives and other provisions of the law, e.g. inspections.
- Law 1273 of 2009 establishes a number of criminal offenses around how personal data is used. These include: computer system access, obtaining or disclosing personal data and selling, or offering to sell, personal data.
- The access of personal data by the Attorney General of Colombia is subject to a prior review carried out by a criminal judge. The decision of that judge should be made following a reasoned request by the Attorney General of Colombia submitted, inter alia, within the framework of procedures for the prevention, detection or prosecution of crime.
- The access of personal data by Colombian public authorities for national security, law enforcement, and other public interest purposes is only allowed when it is relevant to matters falling with their scope of authority and have to respect the data protection principles listed in Law 1581.
- The Colombian Constitution contains specific rules to avoid unlawful processing operations by public authorities. This point has been confirmed by court rulings.
However, one thing that may threaten Colombia's ability to obtain EU adequacy is the Data Protection Authority’s decision to declare to certain third countries — such as Australia, Costa Rica, the United States of America, Mexico, Peru, Serbia and South Korea — adequacy standing under Law 1581.
Article 44 of the EU GDPR prohibits the onward transfer of personal data to third countries that do not have the necessary EC declaration (e.g., the U.S. Australia, Costa Rica, Mexico, Peru, Serbia and South Korea). Accordingly, Colombia could be seen as a loophole, a way to circumvent the measures for the protection of personal data received from the EU.
The European Commission, in assessing adequacy, is not simply interested in the existence of local satisfactory rules for data protection, it also seeks to ensure that when the personal data of Europeans are transferred abroad, the protections provided under the GDPR travels with the data, including for onward transfers of personal data from a third country or an international organization to another third country or to another international organization (Articles 44 and 45).
Colombia has two potential solutions:
The first solution is that the Colombian authority prohibits the onward transfer of personal data received from the EU. This was New Zealand’s solution to obtaining adequacy standing under EU data protection regulation.
Specifically, The Privacy (Cross-Border Information) Amendment Act 2010 of New Zealand establishes that the commissioner may prohibit a transfer of personal information from New Zealand to another state when satisfied, on reasonable grounds, that the information has been, or will be, received in New Zealand from another state and is likely to be transferred to a third state where it will not be subject to a law providing comparable safeguards to the act, taking into account the Directive 95/46 CE, replaced by the EU GDPR.
The second solution is for Colombia to require that organizations evaluate, under the accountability principle, that the onward transfer of those personal data received from the EU is not prohibited or restricted by the EU GDPR.
If breached, such an operation may result in an intervention of the supervisory authority in accordance with its tasks and powers laid down in the Law 1581. The fine could be equivalent to 2,000 legal monthly minimum wages in force when imposing a sanction. In Colombia, this is a significant penalty.
The adoption of either solution would provide an optimum outcome in Colombia’s bid for adequacy standing.
In the meantime, the Colombian DPA must implement some measures under Law 1581, including, but not limited to:
- Handling and resolving complaints from EU citizens related to the personal data transferred from the EU to Colombia, especially regarding access to their data by Colombian public authorities.
- Taking all the necessary measures to ensure the effective enforcement of the accountability principle.
- As mentioned, issuing strict rules for the onward transfer of personal data of European citizens to third countries that have not been declared adequate by the EC.
- Monitoring legal developments concerning access to personal data by public authorities.
- Addressing laws and practices related to national security and law enforcement.
- Improving sanctions or other supervisory measures applicable to data controllers and data processors for failing the compliance of Laws 1266 and 1581.
Implementing these measures and changes will help Colombia in its bid to achieve adequacy status.
If you want to comment on this post, you need to login.