Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Colombia: The reshaping of the SIC
Decree No. 092 of 2022 ('the Decree') was published, on 24 January 2022, in the Colombian Government Gazette, substantially modifying the structure of the Colombian data protection authority ('SIC') by determining new and more articulated functions of its departments. More specifically, the Decree amended the structure and the tasks of several SIC offices and, among other things, created an additional office called the Directorate of Habeas Data, which will carry out data protection functions inside the SIC. In this insight, OneTrust DataGuidance addresses some of the main provisions of the Decree in this respect.
Main provisions of the Decree
The SIC is a complex and multifaceted entity: it is the national authority for the protection of competition, personal data, and consumer rights, but is also responsible for monitoring various regulated activities and supervising the national intellectual property system through the exercise of its administrative and jurisdictional functions. The versatility and wide spectrum of competences of the SIC makes it a crucial and fundamental entity for the country, which is why it is worth analysing and fully understanding the changes produced by the Decree.
In this respect, Andrés Felipe Ángel Posada, CEO and Founder of SL Seguridad Legal Colombia S.A.S., explained that "this Decree responds to the challenges demanded by the new legal scenarios in areas in which the SIC is considered a national authority; particularly significant is the creation of the Compliance Directorate, which is part of the Delegation for the Protection of Competition, and the Directorate of Habeas Data, which is part of the Delegation for the Protection of Personal Data."
In particular, regarding the area of protection of personal data, Posada detailed that "the main provisions of the Decree are those related to the modification of [certain Articles under Statutory Law 1581 of 2012 (October 17) Which Issues General Provisions for the Protection of Personal Data ('the Data Protection Law'), namely] Article 16 on functions of the Deputy of Personal Data Protection, Article 17 on functions of the Directorate of Investigation of Personal Data Protection of Decree No. 4886 of 2011, and the addition of Article 17A on functions of the Habeas Data Directorate; this means that the Deputy now has two Directorates". Such Directorates include the Directorate of Investigation on Personal Data Protection and the Directorate of Habaes Data.
Introducing the new Directorate of Habeas Data
Undoubtedly, due to what it entails for the data protection regime, the creation of a new office is one of the main provision of the Decree. In fact, the new Directorate of Habeas Data will serve multiple functions. In relation to these functions, Posada outlined that "the most important functions are:
- processing any complaints or claims filed to protect the fundamental right of Habeas Data;
- advancing the administrative actions related to protecting the fundamental right of Habeas Data;
- verifying compliance with the orders and instructions issued to protect the right of Habeas Data; and
- transferring to the Directorate of Personal Data Investigations warnings of non-compliance with orders and instructions or possible violations of data protection laws."
Organisation of the data protection section of the SIC
Posada noted that "Previously, the Director of Investigations of the SIC had two internal working groups, where one of them, created through Resolution No. 54004 of 2012, was called the Internal Working Group of Habeas Data, whose functions were: to process complaints or claims related to the power to order the correction, updating or removing personal data from a database, and projecting the administrative acts necessary for the protection of the right of habeas data, among others."
The creation of a new Directorate within the data protection section of the SIC, endowed with some functions that were partially the responsibility of other offices or working groups, will mean a rethinking of the division of work. However, Posada noted, "It is still too early to know how the SIC will reorganise the internal working groups to create the new management of Habeas Data. Article 115 of Law No. 489 of 1998 empowers the SIC to reassign and distribute the competencies in the different dependencies, so it will be necessary to wait in order to know if the internal working group is eliminated from the Directorate of Investigations, or which groups will create the new office of habeas data."
Will the SIC be strengthened by the provisions of the Decree?
The Decree is notable as a regulatory update, seeing as the previous law on the same subject, Decree No. 4866 of 2011, was issued prior to the Habaes Law No. 1581 of 2012 ('the Habaes Data Law'). Thus, the Decree updates the relevant terminology in line with the Habaes Data Law.
Moreover, in relation to the Decree and its impact, Posada stated, "Hopefully, these changes will strengthen and enable the SIC to deal with the growing number of complaints and violations on data protection. During 2021, the SIC received 28,610 citizen complaints about the protection of personal data (a monthly average of 2,384), 74.49% more than the number of complaints received during 2020; 90% of the complaints were filed for alleged violations of Statutory Law No. 1266 of 2008 on financial habeas data, where the main complaint was the 'breach of the principle of truthfulness or quality of information' (namely where the data are not true or are outdated); the remaining 10% of the complaints are for violations of the Data Protection Law, where the main complaint was the 'lack of authorisation to collect and use the data'."
Conclusion
The Decree, as we have seen above, significantly modifies the structure of the SIC and, with regard to data protection, broadens its scope of action and better defines its tasks.
On this note, Posada remarked that "It is still too early to see in practice the changes brought about by the Decree or to know what plans, strategies, and administrative capacity the SIC will have to meet its obligations of guaranteeing that public and private entities comply with the principles, rights, and guarantees in the processing of regulated personal data according to Law No. 1266 of 2008 and the Data Protection Law." Nonetheless, the enactment of the Decree itself represents a clear sign of the Colombian legislature's commitment to promoting the ever-expanding data protection sector and, in general, to building a strong culture of privacy and a shared understanding of how personal data can and should be processed.
Marcello Ferraresi Privacy Analyst
[email protected]
Comments by:
Andrés Felipe Ángel Posada CEO and Founder
[email protected]
SL Seguridad Legal Colombia S.A.S., Bogotá