Monthly Archives: July 2013

New regulation in Colombia

Prof. Nelson Remolina data protection blog informed us that the Presidency of Colombia has enacted the Regulation of the Data Protection Act (see Decree 1377 of 2013). The Regulation supplements the Colombian Data Protection Act, that was enacted on the year 2012 (Law n. 1581 of 2012). The Law followed closely the European regulatory model on data protection matters. With this Regulation, Colombia is ready to apply its data protection law. The main characteristics of this new Regulation are:

–       Databases only for internal or domestic use are exempted from the data protection act when they are created by natural persons (thus, this exception does not apply to corporations).

–       Privacy notice is defined. This is important because this is the document to inform the data subject of his/her rights and for companies to demonstrate compliance with the data protection law.

–       Public data is defined as data that is not data that is not sensitive, nor private, nor semiprivate. This may include data obtained from public registries, official bulletins or judicial decisions. The definition is important because the Authorization (consent) from the data subject is not required for public data under the Data Protection law.

–       A new definition of sensitive data, that includes biometric data.

–       Companies must preserve the evidence to prove that they have obtained Authorization from the data subject.

–       Data should be preserved according to the purpose of the collection and later erased unless there is a legal or contractual duty to preserve it.

–       A special provision when data of children is collected provides that the superior interest of the child should be taken into account. Under the Data Protection Act, personal data from children is considered together with sensitive data as a special kind of personal data.

–       The Regulation requires to have a Privacy Policy and to make it available to individuals. The document should contain the purpose of the collection, name and other information of the data controller, rights of the data subject, and explain how to request access and correction.

–       The Regulations clearly provides that no consent is necessary from the data subject if there is an international transfer agreement. The registration of international transfer agreements is not regulated yet, although they are a requirement to transfer personal data.

–       The Regulation clearly established that companies must be able to show the DPA that all requirements of the Data protection Act are in place.

In sum, one more country in Latin America completes its regulation on data protection issues and is ready to be part of the data protection club. With this regulation, Colombia is on board with Argentina, Mexico, Uruguay, Peru, Costa Rica and Nicaragua as countries that have been following closely the EU model.


Surveillance debate

From Privacy International web page…

In the wake of revelations that the UK Government is accessing wide-ranging intelligence information from the US and is conducting mass surveillance on citizens across the UK, PI commenced legal action against the UK Government, charging that the expansive spying regime is seemingly operated outside of the rule of law, lacks any accountability, and is neither necessary nor proportionate.

The claim, filed in the Investigatory Powers Tribunal (IPT), challenges the UK Government on two fronts. Firstly, for the failure to have a publicly accessible legal framework in which communications data of those located in the UK is accessed after obtained and passed on by the US National Security Agency through the Prism programme.  Secondly, for the indiscriminate interception and storing of huge amounts of data via tapping undersea fibre optic cables through the Tempora programme. Continue reading