Colombia: TMT

N/A

Yes, telecommunications networks and services are regulated in Colombia, mainly, by Law 1341 of 2009, Decree 1078 of 2015, Resolution 5050 of 2016 of the Communications Regulation Commission (“CRC”) and different Resolutions of the Information and Communications Technologies Ministry (“ICT Ministry“).

Telecommunications regulation applies in general to the provision of telecommunications networks and/or services.

Article 2.2.6.2.1.2 of Decree 1078 of 2015 defines the provision of telecommunications networks as “the obligation of supplying to third parties a set of nodes and physical, optical, radio or other electromagnetic systems that allows the emission, transmission, and reception of information of any nature”. Similarly, it defines the provision of telecommunications services as “the obligation of supplying third parties with the emission, transmission and reception of information of any nature through its own or third parties’ telecommunication networks”.

In accordance with the above, the following three criteria must be met  to consider that there is a telecommunication network or service being provided: (a) an obligation; (b) for the provision to third parties; (c) of a telecommunication network and/or service -as the case may be.

Article 10 of Law 1341 of 2009 provides a general authorization for the provision of telecommunication services in Colombia, which is considered granted once the registration of the company in the Information and Communications Technologies Registry (the “ICT Registry“) has been made. This means that, except for certain services such as the satellite services and the authorizations for the use of the spectrum, a company is authorized to provide a telecommunication service in Colombia once it is registered in the ICT Registry, providing a general description of the services to be provided. The registration process is free of charge.

Yes, the ICT Ministry and the CRC are the Colombian Telecommunications regulators. The ICT Ministry, on one hand, is in charge of the design, adoption and implementation of policies, plans, programs and projects for the sector, as well as manage the ICT Registry and the radio spectrum. Furthermore, the CRC is the authority that provides the technical rules and requirements for the provision of telecommunication services, and ensures the competition in said market and the users’ social wellbeing.

The ICT Ministry is subject of government control and act as spoke person of the Government as all the Ministries. The head of the ICT Ministry is directly appointed by the President of Colombia, directly. Meanwhile, the CRC, despite being an administrative authority, has technical, administrative and financial independence, and its head o is a commission composed by the head of the ICT Ministry and 4 commissioners elected for a period of four (4) years.

Not from a telecommunications perspective. In fact both the CRC and the Colombian National Planning Department have determined that OTT services are not considered telecommunications services and are not covered by telecommunications regulation.

However, they are regulated from other areas such as data privacy.

As mentioned before, platforms providers are no subject of the telecommunications regulation. Nonetheless, from a data privacy point of view,  the Colombian Data Protection Authority (the Superintendence of Industry and Commerce) has assumed the position that it has extraterritorial scope.

In principle, Colombian Data Protection Law only applies:

• To the processing (i.e., the collection, storage, use, circulation, suppression, etc.) of personal data made within the Colombian territory; or
• When the data controller or data processor, even if not located in Colombia, is subject to Colombian laws due to international law or treaties.

No, Colombian Telecommunications Regulation does not expressly provide that only Colombian companies may register in the ICT Registry, and therefore be authorized for the provision of telecommunication networks or services. Nonetheless, in practice the documents required for such registration include the Tax Sole Registry (Registro Único Tributario);, therefore, any foreign or local entity can be registered in the ICT Registry and therefore can be authorized for the provision of telecommunication networks or services.

Moreover, in accordance with commercial law, if a foreign entity intends to have permanent activities in Colombian, it needs to incorporate at least a branch in Colombia.

In principle, no. Nonetheless, please consider that, according to Law 671 of 2001, in companies that provide certain telecommunications services (such as local and extended telephone services, mobile phone services, and satellite services, among others) foreign investment is allowed up to a maximum of 70% of the capital of the company.

Yes, interconnection services between operators are regulated in Colombia by Title IV of Resolution 5050 of 2016 of the Communications Regulation Commission. All providers of telecommunications services have the right to request and receive interconnection services from other providers of telecommunications services.

The regulation per se is not different. The abovementioned Title IV of Resolution 5050 of 2016 includes a chapter that refers exclusively to interconnection related to power infrastructure. Moreover, the fees regulated in said Resolution might vary in accordance with the regulation and criteria issued by the regulatory commission for the power sector.

The principal consumer protection regulation that applies specifically to telecoms services is included in Resolution 3066 of 2011 of the CRC. However, the general consumer protection regulation, namely Law 1480 of 2011, applies in the matters not specifically regulated by Resolution 3066 of 2011.

As per Colombian IP Law, computer software is protected through the regime of copyrights. Therefore, the protections granted to creators of computer software are those of copyrights law, including the prerogatives and powers creators have. It is important to highlight that in Colombia, protection over creative works as software is granted since the moment of the creation, and registration is not required for its protection. Moreover, Colombian IP Law distinguishes between moral rights, which are the ones that recognize the author as such (or the developer in the case of software) and the economic rights, which are the ones that allow the exploitation of the software. Only the last ones can be subject of licenses and assignments.

Only if the database has been created in an original way. A database that lacks an original organization and content is not protected by copyrights (unlike other jurisdictions). The latter means databases aren’t protected per se by IP Law, but only the originality in their contents and organization.

The processing of personal data in Colombia is supported on the recognition of habeas data as a fundamental right of all individuals in Colombia. Such right is mainly regulated by Law 1581 of 2012, Decree 1377 of 2013, Decree 90 of 2018, Decree 1074 of 2015 and Law 1266 of 2008.

The main requirements set under Colombian law for the processing of personal data are the following:

• Data controllers must obtain  prior, explicit, and informed consent from the data subject before collecting and processing their personal data. Data controllers must store proof of such consent and must be able to demonstrate to the authority that the consent was granted by each and every one of the data subjects.
• Before, or at the latest at the moment of obtaining such consent, the data subject must be informed of the following:
  • The Processing to which the personal data will be submitted and its purposes;
  • The optional nature of the answer to the questions related to sensitive personal data or data of children and adolescents;
  • The rights to which the Data Subject is entitled to;
  • The mechanisms enabled by the Data Controller to consult its privacy policy; and
  • The identification, physical or electronic address and telephone number of the Data Controller.
• All Data Controllers must implement a privacy policy in Spanish that includes, at a minimum with the following requirements:
  • Name or company name, domicile, address, email and phone number of the data controller;
  • The type of processing to which the data is going to be subject to and its purpose;
  • The rights to which the Data Subject is entitled to;
  • The information regarding the person or area in charge of processing requests, inquiries and complaints, by means of which the data subject may exercise its rights to know, update, rectify and delete the data and revoke the authorization;
  • A description of the procedure available to the data subjects to exercise their rights to know, update, rectify and delete information and revoke the authorization; and
  • The date in which the Privacy Policy will enter in force and the term of the databases.
• Additionally, any substantial change of the privacy policies shall be reported efficiently to Data Subjects, before implementing new policies.
• Data Controllers must implement an Internal Manual of Procedures detailing the internal principles and procedures for the collection and processing of personal data of the controller, including security measures to protect the data from unauthorized or fraudulent access, modification or deletion.
• Data Controllers must also designate either a person or an area within the company to act as a Data Protection Officer, in charge of processing the requests of the Data Subjects for the exercise of the rights granted to them by Colombian law.
• Data Controllers must implement transfer and/or transmission agreements for transferring/transmitting personal information to either another data controller or a data processor.

Yes, Colombian regulation contemplates two different types of data sharing categories in Colombia, the Transfer of personal data (controller to controller) and the Transmission of personal data (controller to processor). The transfer requires both controllers to obtain data subjects´ prior, express and informed consent, while the transmission only requires the data controller to obtain prior, express and informed consent for (i) processing the personal data and (ii) transmitting the data to third parties for a specific purpose (processors do not need to obtain additional consent). However, transmission agreements must have certain minimum requirements established by Colombian law (i.e. processor has to apply the controller’s privacy policy). In both cases, a transfer/transmission agreement for documenting the sharing of the information is needed and specific requirements must be considered.

Moreover, transfer of personal data can only be made either with the prior, informed and explicit consent of the data subject, or to countries that have adequate levels of data protection. In this regard, the CDPA has set a list of countries that comply with such levels. In order to transfer data to countries not included in said list, it is needed to request an authorization from the CDPA to recognize that such country does have adequate levels or that adequate measures will be implemented as part of the transfer.

The maximum fine that can be applied for breach of data protection laws is currently 2,000 monthly legal minimum wages (corresponding for 2021 to COP 1,817,052,000 / USD 473,286 at current exchange rates).

Other penalties include:

• Remedial measures ordered by the CDPA.
• Forced suspension of activities related to the data processing for a period of six months.
• Forced closure of operations if the foregoing remedial measures are not adopted.
• In the case of sensitive personal information, permanent closure of operations.

It is important to bear in mind that  strictly speaking, the CDPA does not consider remedial measures to be a sanction. However, remedial measures may have bigger implication than fines, as the company may be forced to comply with the measures as established by the CDPA.

The main differences between Colombian data protection regulation and the GDPR are related to the valid legal basis, requirements for international data transfer and the exercise of data subjects rights.

Unlike the GDPR, Colombian data protection regulation is based on consent. This means that as a general rule, data controllers must obtain a prior, explicit, and informed consent from the data subjects before collecting and processing their personal data. Data controllers must keep proof of such consent and must be able to demonstrate to the authority that the consent was granted by each and every one of the data subjects.

Regarding international data transfers, unlike the GDPR, there are no standard contractual clauses established under Colombian law. Depending on the nature of the transfer certain specific requirements must be met. In the case of transfers both controllers must obtain data subjects´ prior, express and informed consent, while the transmission only requires the data controller to obtain prior, express and informed consent for (i) processing the personal data and (ii) transmitting the data to third parties for a specific purpose (processors do not need to obtain additional consent). However, transmission agreements must have certain minimum requirements established by Colombian law (i.e. processor has to apply the controller’s privacy policy). In both cases, a transfer/transmission agreement for documenting the sharing of the information is needed and specific requirements must be considered.

Regarding data subjects rights, unlike the GDPR, there are no exceptions established under Colombian law  for complying with requests for the exercise of data subjects rights.

Finally there are formal requirements regarding the privacy policy and the privacy notice that shall be complied with, such as including the name, ID, address, email, and contact number within said documents.

Yes, the Colombian CDPA recently issued some Guidelines for the processing of personal data through cloud computing services. Such Guidelines are available, in Spanish, in: https://www.sic.gov.co/sites/default/files/files/2021/Guia%20cloud%20computing%202021.pdf

Yes, Colombian laws establishes two different kinds of electronic signatures: (i) basic electronic signatures, which fits under the definition of simple electronic signature; and (ii) digital signatures that may be considered under the definition of qualified electronic signature. For such signatures to be valid under Colombian law, the following requirements must be met:

a) Basic electronic signatures:

Colombian law provides that whenever a person’s signature is required, this requirement will be understood to be fulfilled by the use of an electronic signature when such signature allows the identification of the originator of the message, and the signature is both reliable and appropriate for the purposes for which it is used.

The electronic signature is considered to be reliable when it fulfils two requirements:

1. the signature creation data is attributable solely to the signatory; and
2. any unauthorized change or modification of the message made after the signature of such message is detectable.

b) Digital signatures:

The digital signature is defined as a numerical value that is attached to a message, which, after a mathematical procedure, makes it possible to verify the identity of the originator of the message and that the message has not been modified since it was signed.

The digital signature will be valid if the following four requirements are met. If these requirements are met, the digital signature will also have, from a legal point of view, the same validity as a handwritten signature in Colombia:

1. it is unique to the person using it;
2. it can be verified;
3. it is under the exclusive control of the person using it; and
4. it is linked to the message in such a way that if the message is changed, the signature is invalid.

It is necessary to mention, however, that in order to evaluate compliance with these characteristics the digital signature must be certified by a Certification Entity authorized by the Superintendence of Industry and Commerce.

Colombian IP Law establishes a presumption of transfer of copyrights in favour of the employer, which in this case, corresponds to the outsourcing supplier. Therefore, the copyrights of the employees would be automatically transferred to the outsourcing supplier. If it is desired that the copyrights are assigned to the company that is beneficiary of the outsourcing services, it is possible to (i) include a clause in the employment contract establishing in writing a transfer of the copyrights in favour of the beneficiary company, or to (ii) simply sign an assignment of the copyrights between the outsourcing supplier and the company that is beneficiary of the outsourcing services, assigning the acquired copyrights.

Colombian law does not provide a specific liability regime related to the use or license of a software program, therefore, it depends of the terms agreed by the parties. Commonly, software license agreements, and particularly the ones that have any A.I. component, provide service levels or criteria to determine in which cases the licensor is breaching the agreement.

Moreover, as any other agreement, it is possible to include indemnities and assign liabilities and risks as long as they are not contrary to the public order regulation, for example, if the assignment previously condones gross negligence or wilful misconduct.

a) obligations as to the maintenance of cybersecurity;

From a data privacy perspective, data controllers must implement the necessary technical, human, and administrative measures necessary to provide security to the personal data avoiding their unauthorized or fraudulent adulteration, loss, consultation, use or access, there are no mandatory specific measures that must be applied. Additionally, the CDPA has recently issued some guidelines regarding security incidents: https://www.sic.gov.co/sites/default/files/files/Publicaciones/Guia_gestion_incidentes_dic21_2020.pdf and has also published a study of the implementation of security measures in Colombia:  https://www.sic.gov.co//sites/default/files/files/Proteccion_Datos/Estudio%20de%20seguridad%202020%20SIC%20RNBD.pdf

b) the criminality of hacking/DDOS attacks?

Related to hacking, the Colombian Criminal Code (CCC) provides as crimes the following offenses:

• Illegal access to a computer system, when committed intentionally, to the whole or any part of a computer system without right (CCC, art. 269A). Criminal liability for this offense leads to a punishment of up to 96 months of imprisonment, and fines of up to 1,000 statutory monthly wages (USD $ 240,000, approx. as of 2021)
• Illegal interception, when committed intentionally, without prior court order, of non-public transmissions of computer data to, from or within a computer system, including electromagnetic emissions from a computer system carrying such computer data (CCC, art. 269C). Criminal liability for this offense leads to a punishment of up to 72 months of imprisonment.
• Data interference, when committed intentionally, the damaging, due to the deletion, deterioration, alteration or suppression of computer data without right (CCC, art. 269D). Criminal liability for this offense leads to a punishment of up to 96 months of imprisonment, and fines of up to 1,000 statutory monthly wages (USD $ 240,000, approx. as of 2021).
• Use of malicious software (CCC, art. 269E). when committed intentionally and without right: through the production, sale, procurement for use, import, distribution or otherwise making available of a computer program, designed or adapted primarily to cause harmful effects. Criminal liability for this offense leads to a punishment of up to 96 months of imprisonment, and fines of up to 1,000 statutory monthly wages (USD $ 240,000, approx. as of 2021).
• Forgery of websites (phishing) (CCC, art. 269G), when committed intentionally, with illicit purpose, without right, through the design, development, traffic, sale, use, programming or submission of websites, links, pop-up windows. Criminal liability for this offense leads to a punishment of up to 96 months of imprisonment, and fines of up to 1,000 statutory monthly wages (USD $ 240,000, approx. as of 2021).

Related to DDOS attacks, the Colombian Criminal Code (CCC, art. 269B) provides as crime the system interference, when committed intentionally, without right, of the functioning of, or normal access to, a computer system, the data therein, or a telecommunication network. Criminal liability for this offense leads to a punishment of up to 96 months of imprisonment, and fines of up to 1,000 statutory monthly wages (USD $ 240,000, approx. as of 2021)

Although this matter was greatly accelerated by the COVID-19 pandemic, digital attention channels will create a significant legal change in Colombia. Most public authorities have been providing digital attention to carry out autocratic procedure, and even judicial and administrative procedures have been carried out digitally.

We have even seen that authorities have carried out digital daw raids in Colombia, and some have even issued formal regulations specifically aimed at virtual dawn raids, which, in our opinion, will remain in place for the foreseeable future.

Cyber security and AI  regulations may come within the next year.

Recently, Colombian regulation has been moving towards requiring foreign companies to establish a corporate presence, or at least a registration, in Colombia in order to provide their services. For example, the recently issued General Tourism regulation requires that digital platforms that provide lodging services register themselves in the National Tourism Registry, and in a recently published draft modification to the Colombian satellite regime, the ICT Ministry aims to establish that only companies duly incorporated in Colombia may register themselves as Satellite Operators in the country.

We believe Colombian legal system is broad enough to cover different technologies and creates an environment that allows authorities to work in hand with technological developments. However, in certain situations, Colombian authorities tend to be very formalistic and impose restrictions that are not consistent with an approach of the so called Orange economy policy.

By being so formalistic, Colombian authorities sometimes try to apply the same requirements to different type of companies or technologies, without analysing if the particularities of the services offered by such companies require a different approach from a regulatory perspective.

Colombia regulation, specifically regulation related to technological matters in Colombia is in our opinion broad enough to encompass issues associated with artificial intelligence. The Colombian CDPA has already issued certain guidelines for the processing of personal data in artificial intelligence^[1], and other governmental bodies such as the Presidential Council for Economic and Digital Transformation matters issued the ethical framework for artificial intelligence in Colombia.

Reference

^[1]Available in Spanish at: https://www.sic.gov.co/sites/default/files/files/pdf/1%20RIPD%20(2019)%20RECOMENDACIONES%20GENERALES%20PARA%20EL%20TRATAMIENTO%20DE%20DATOS%20EN%20LA%20IA.pdf and in English at: https://www.sic.gov.co/sites/default/files/files/pdf/2%20RIPD%20(2019)%20GENERAL%20RECOMMENDATIONS%20FOR%20THE%20PROCESSING%20OF%20PERSONAL%20DATA%20IN%20ARTIFICIAL%20INTELLIGENCE(1).pdf