State of Privacy Colombia
Table of contents
- Right to Privacy
- Communication Surveillance
- Data Protection
- Identification Schemes
- Policies and Sectoral Initiatives
Key Privacy Facts
1. Constitutional privacy protection: The constitution contains an explicit protection of the right to privacy (Article 15 of the 1991 constitution).
2. Data protection law: Colombia has a data protection law, Law 1518 of 2012.
3. Data protection authority: Colombia's data protection authority is the Superintendencia de Industria y Comercio (SIC).
4. Recent scandals: In 2016, the police in Colombia were accused of spying on a journalist investigating a prostitution ring scandal involving the police.
5. Identity systems: Since 2011, the Colombian government has been developing a cellphone registry system.
Right to Privacy
The Colombian legal framework provides a number of essential protections for the right to privacy, both in the text of the 1991 Constitution, and in the constitutional instrument (bloque de constitucionalidad) in accordance with Article 92 of the Colombian Constitution. This article incorporates Colombia's international human rights obligations into Colombian law and confers upon them the status of constitutional law, meaning they take precedence over statutory provisions. Article 15 of the 1991 Constitution provides that everyone has the right to personal and family privacy. It states:
"Correspondence and other forms of private communication are inviolable. They may only be intercepted or recorded pursuant to a court order, following the formalities established by law."
Regional and international conventions
Colombia is party to a number of international human rights conventions related to the right to privacy, including:
- The Universal Declaration of Human Rights;
- The International Covenant on Civil and Political Rights;
- The International Convention on the Protection of the Rights of All Migrant Workers and Members of Their Families;
- The American Convention on Human Rights; and
- The International Convention for the Protection of all Persons from Enforced Disappearance.
Colombia, with an estimated population of 49.5 million in 2017, had 60.7 million mobile subscribers according to the Ministry of Information Technology and Communications (MINTIC). There were 14.6 fixed-telephone subscriptions per 100 inhabitants in 2016. MINTIC also reported 16.6 million internet subscriptions in 2017, representing a penetration rate of 33.7%.
YouTube, Facebook, Twitter, and Instagram were among the most popular social media sites.
The interception of communications in Colombia is regulated primarily by the Constitution, the Criminal Procedure Code and a number of intelligence laws. The Constitution empowers the Office of the Attorney General (Fiscalía General) to "[c]onduct searches, house visits, seizures and interceptions of communications" subject to judicial control (Article 250).
Criminal Procedure Code
The Criminal Procedure Code provides further details. It begins with a reiteration of the right to privacy, stating in Article 14:
"Everyone has the right to respect for his/her privacy. No one shall be disturbed in his/her private life.
No records, searches and seizures at home, residence or workplace can be made but by written warrant of the Attorney General or his/her delegate, in accordance with the forms and for the reasons previously defined in this code, excluding in flagrant situations as well as other situations authorized by law.
The same process is applicable when it is necessary to conduct a selective search in computerized, mechanized or any other form of database, which are not freely available, or when necessary to intercept communications.
In these cases, within thirty-six (36) hours there shall be a respective hearing before the supervisory judge, in order to determine the formal and material legality of the action."
Article 235 of the Code stipulates the conditions under which the Fiscalía can order the interception of communications. The Article states:
"The prosecutor [Fiscalía] may authorize, with the sole purpose of seeking probatory material and physical evidence, the interception, by tape-recording or similar, of telephone or radiotelephone communications or similar that use the electromagnetic spectrum, whose information have relevance for the purposes of the action. In this sense, the entities responsible for the technical operation of the respective interception are required to undertake it immediately after the notification of the warrant.
In any case, the order shall be in writing. Persons involved in these proceedings are obliged to keep the proper confidentiality. Under no circumstances the communications of the defending counsel shall be intercepted.
The warrant will be in effect for a maximum of three (3) months, but may be extended for the same period, if in the opinion of the prosecutor the reasons that originated it persist."
The provision stipulates that the prosecutor may only lawfully order the interception of communications being transmitted via the electromagnetic spectrum ('EMS') (telephone, radio or fibre optic cable) for the sole purpose of seeking evidence. The order must be made in writing and is valid for three months.
In April 2013, a new Intelligence Law was adopted, stipulating that intelligence and counter-intelligence activities "include monitoring the electro-magnetic spectrum". Article 4 of the Law provides that information may only be obtained for a lawful purpose. Those purposes are: ensuring national security; sovereignty; territorial integrity; the security and defence of the nation; the protection of democratic institutions and the rights of Colombian residents and citizens; and the protection of natural resources and economic interests of the nation. Such broad and vaguely defined purposes allow for an expansive interpretation of the instances in which communication surveillance can be undertaken, failing to meet the tests of legality, necessity and proportionality.
Article 17 of the Law is entitled "Monitoring the Electromagnetic Spectrum and Intercepting Private Communications" and states:
"Intelligence and counter-intelligence activities include monitoring the electromagnetic spectrum when this is duly established in operational orders or work assignments. Information gathered during such monitoring in the context of intelligence and counter-intelligence activities that does not serve to achieve the aims established in this Law shall be destroyed and may not be stored in intelligence or counter-intelligence databases. Monitoring does not constitute interception of communications.
Intercepting private mobile or land-line telephone conversations, as well as private data communications shall be subject to the requirements established in Article 15 of the Constitution and the Criminal Procedure Code and may only be conducted in the context of legal proceedings."
The term 'monitoring' the electromagnetic spectrum is not defined anywhere in the Colombian law. Without any definition provided, 'monitoring' the electromagnetic spectrum could include analyzing and monitoring e-mails, text messages and phone calls that are carried upon the electromagnetic spectrum. Those acts constitute 'interception' of the communication and thus interfere with the privacy of the person sending and receiving the information.
The second paragraph states clearly that the interception of communications is not authorised by the Intelligence Law, but rather must only occur under the lawful authority of the Criminal Procedure Code, on a targeted basis, in accordance with the procedures stipulated in the Code. Nevertheless, this assertion leads to a significant legal loophole that raises serious concerns related to the protection of the right to privacy. This loophole in the law is particularly problematic given the kind of surveillance technologies employed by the Colombian security and law enforcement forces. As noted in the Concluding Observations on the Seventh Periodic Report of Colombia released under the auspices of the UN Human Rights Committee, there are concerns that "instances in which private communications conveyed via the electromagnetic spectrum are intercepted without the benefit of a rigorous assessment of the legality, necessity and proportionality of such interceptions".
Indeed, a report published by Privacy International in August 2014 set out the logical inconsistencies in the government's interpretation of the Intelligence Law as relates to electromagnetic spectrum monitoring and lawful interception.
Code of Police and Coexistence
In January 2017, a National Code of Police and Coexistence (Código Nacional de Policía y Convivencia para Vivir en Paz) entered into force. The new code expands police powers through a number of provisions designed to "solve the conflicts that affect the coexistence" of Colombians. It includes several provisions that have particularly negative implications for the right to privacy and whose collective interpretation can lead to a state of surveillance. These include Article 163 of the Code, which states that the police can enter a private or public establishment without a court order under conditions including certain emergencies. The provision has since been challenged in court.
Moreover, Article 327 contains an unduly narrow definition of privacy. By defining the right to privacy as the right of people "to meet their needs and develop their activities in an area that is exclusive and therefore considered private", the provision seems to confuse the right to privacy with the right to unhindered development of personality as well as with the right to the inviolability of the home. Therefore, by linking the right to privacy with the existence of private physical spaces, it excludes from privacy protection any person or assets (such as cars, or electronic devices like portable computers or cellphones) placed in public places, including bars, restaurants, etc., while also leaving in a legal grey area private acts that may take place in a public space.
Conversely, Article 139 defines public space in a very broad way, including notably "the electromagnetic spectrum". The combined result of these definitions is of significant concern to the protection of privacy, particularly when considering that Article 237 could be interpreted to mean that communications travelling through the electromagnetic spectrum would be excluded from privacy protection.
Lastly, the new Police Code does not seem to take into consideration the complex technological changes which affect modern communication. Hence, it is unclear how the privacy of digital communications and of online spaces is protected given the very restrictive definitions of privacy and public space included in the Code.
This shortcoming of the law was raised by the Human Rights Committee, which highlighted concerns that the new Police Code defines "the concept of 'public areas' in a very broad sense that includes the electromagnetic spectrum, and by the fact that all the information and data gathered in public areas are considered to be in the public domain and to be freely accessible (art. 17)".
In Colombia, the Police and Army are two branches of the 'public force' that come under the control of the Ministry of Defence. The armed forces of Colombia also carry out significant interception and monitoring activities in the course of operations against armed groups. Below are the main law enforcement and security agencies, outside of the military, who conduct communications surveillance.
Police Intelligence Directorate (Dirección de Inteligencia Policial, DIPOL)
DIPOL is the police directorate responsible for producing strategic and operational intelligence related to disturbances in public order, security and defense. It is mandated to conduct national counterintelligence activities. It is one of eight Police directorates accountable to the General Directorate under the Ministry of Defense. DIPOL is also responsible for leading technological development plans with regard to intelligence activities within the Police. DIPOL officers have been accused of illegal surveillance against journalists.
The Directorate of Criminal Investigation and Interpol (Dirección de Investigación Criminal e Interpol, DIJIN)
DIJIN is the police directorate in charge of judicial investigation. It is one of eight police Directorates accountable to the General Directorate under the Ministry of Defense. Its role is to support criminal investigation in technical, scientific and operational areas, of its own initiative or according to orders from the Fiscalía. DIJIN officers have lent forensic expertise to the investigations of illegal interceptions.
The Office of the Attorney General (Fiscalía General de la Nación)
The Fiscalía is not a security and law enforcement agency but rather an entity of the judicial branch of government, with full administrative and budgetary autonomy and responsibility for the effective administration of justice; it does, however, carry out communications surveillance. Established in 1991, it is mandated to carry out criminal investigations for the purpose of judicial prosecution, to ensure the protection of victims and witnesses, and to direct and coordinate the functions of the judicial police. The Fiscalía is responsible for administering the Esperanza platform, reviewing and approving interception orders from other agencies including the DAS and the Police. The Fiscalía leads the ongoing investigation into the DAS' illegal surveillance in the mid-2000s, which was reportedly carried out by abusing access privileges to the Esperanza platform.
The National Intelligence Directorate (Dirección Nacional de Inteligencia, 'DNI')
In 2011 a new agency, the National Intelligence Directorate (Dirección Nacional de Inteligencia, 'DNI'), was established to head the intelligence and counterintelligence sector within the overall structure of the state. According to Decree 4179 of 2011, this intelligence agency is in charge of: i) Developing strategic intelligence and counterintelligence activities under the principles of necessity, suitability and proportionality, in compliance with the legal framework and missionary objective; ii) advancing international cooperation agreements on issues related to intelligence and counterintelligence; iii) developing its intelligence and counterintelligence activities in cooperation with other national and international intelligence agencies, as well as with other entities of the State; and, iv) other functions related to intelligence and counterintelligence activities that may be assigned by the President in accordance with the Constitution and the law.
Colombia both hosts and attends a number of surveillance and security technology trade shows. Intelligence Support Systems World (ISS World) is one of the largest trade shows. The Colombian police attended ISS World in 2012, where three Colombian companies exhibited their products: Biotekne SAS, Colombia ASOTO Technology Group, and STAR Colombia Inteligencia & Tecnología (STAR), the supplier to the Fiscalía of its Esperanza surveillance system. The annual Cibercolombia trade show and conference, where primarily Israeli surveillance products are displayed, is sponsored by the Israeli embassy in Bogotá.
Much of the security equipment in Colombia is provided by international, especially American, companies. Over the past decade, the American funds, equipment and training supplied to elite units of the Colombian intelligence services were reportedly used to spy on Supreme Court justices, then-President Alvaro Uribe's political opponents and civil society groups. Intercepted communications were vital in covert Colombian and US Central Intelligence Agency (CIA) operations against the FARC. While Colombian contracting law (Ley 80 de 1993) accords priority to security and national defence products made in Colombia by local manufacturers, the National Treatment caveat of the 2006 United States-Colombia Bilateral Trade Agreement allows American companies to be treated as locals when they participate in public bids. Israel is also a significant military supplier. Israeli-American company Verint Systems provided critical interception infrastructure used by the DAS, DIPOL and DIJIN from at least 2005. Verint Systems Ltd is the Israeli sister company to US-headquartered Verint Systems Inc.
In July 2007, the DAS published technical specifications for a tender for equipment that would allow them to copy and inspect targets' devices. Although the bid was ultimately cancelled in December 2006, the DAS acquired the technology before 2010. La Curacao won a maintenance contract, beating out competitors Internet Solutions Ltda and SF International. The software the DAS used was Forensic Toolkit (FTK), a computer forensics software made by US-based AccessData. The 3.0 FTK software specified in the 2010 contract allows the analyst to not only 'preview a target's machine from across the network to determine relevancy prior to acquisition, but ... also acquire and fully analyse the data on the system, including the system's RAM [random access memory]'. A remote drive feature enables analysts to forensically analyse live data — such as system memory, logical volumes, physical devices — on a remote device from the analyst system. The software could also be used to decrypt PGP-encrypted disks.
Many companies offer IMSI catcher mobile surveillance devices in Colombia, according to a Privacy International investigation. New Zealand-based Spectra Group via Colombian company Maicrotel Ltda provided its Laguna IMSI catcher to DIPOL in September 2005. The Laguna system is designed to monitor and record telephone conversations and data in mobile communication systems and could be mobile or assembled in fixed stations. Bulldog and Nesie, manufactured by UK surveillance company Smith Myers, are two other popular IMSI catchers sold in Colombia. In 2010, the DAS was preparing to purchase a Bulldog interception system for over US$ 250,000 and a Nesie system for over US$ 320,000. The Fiscalía was also planning to buy a Bulldog system for just over US$ 280,000 as was the sectional division of DIJIN in Bogotá. In 2014, the Finnish branch of Canadian telecommunications company Exfo exported its NetHawk F10 IMSI catcher to Colombia.
Intrusion malware and hacking
Hacking Team, an Italian company, produces an intrusion system that was acquired by the Colombian police. The company's Remote Control System (RCS) can be used to hijack computer and mobile devices while remaining undetectable to users, as it is designed to bypass common antivirus programmes and encryption. By infecting a target's device, the RCS suite can capture data on a target's device, remotely switch on and off webcams and microphones, copy files and typed passwords. In 2014, Hacking Team had a Colombia-based field engineer and an active contract with the Colombian police. The Colombian government's use of offensive Hacking Team malware products had been suspected since researchers at the Citizen Lab identified a command and control server for the RCS suite in Colombia. Hacking Team supplied its technology to the DEA, which according to internal emails was reportedly using the spyware to conduct surveillance from the U.S. embassy in Bogotá.
A 2014 investigation by the Citizen Lab at the University of Toronto concluded that since 2012 those technologies have been identified and associated with attacks on journalists, activists and human rights defenders, and showed evidence confirming suspected deployment of those technologies in at least 21 countries, including Colombia.
Hacking Team also had two projects with the Colombian police, one of which appears to relate to the PUMA surveillance system.
The Colombian army has also employed hackers, as revealed in the Andromeda spying scandal. The army also trains cadets to hack in the Army Intelligence and Counterintelligence School (Escuela de Inteligencia y Contrainteligencia), as seen by Privacy International.
The nation's most visible communications interception system is Esperanza (Sistema Esperanza); it is heavily supported by the US Drugs Enforcement Agency (DEA). The Office of the Attorney General (Fiscalía General de la Nación, 'Fiscalía') manages and administers the platform, which can obtain mobile and fixed-line call data and content. Esperanza, to which various law enforcement agencies have access, is connected to the nation's telecommunications operators. It is used to obtain evidence for judicial prosecution on a case-by-case basis. It requires that a Fiscalía agent physically request that an individual phone line or record be intercepted. Other safeguards built into the Esperanza system include an electronic warrant submission system and supervisory judges (jueces de control de garantías). However, a Privacy International investigation showed that Esperanza suffered from various security vulnerabilities, and that its restriction to accessing data only for pre-defined individual targets on the basis of a warrant was a point of friction for other law enforcement agencies.
The Police Directorate of Criminal Investigation and Interpol (Dirección de Investigación Criminal e INTERPOL, 'DIJIN') has built the Single Monitoring and Analysis Platform (Plataforma Única de Monitoreo y Análisis, 'PUMA'), a phone and internet monitoring system linked directly to the service providers' network infrastructure by a probe that copies vast amounts of data and sends it directly to DIJIN's monitoring facility. PUMA is capable of intercepting and storing potentially all communications that pass through its probes. Communications service providers know of its existence and cooperated in its installation but are excluded from its day-to-day operation. The PUMA system is outlined in a Privacy International report.
PUMA was acquired in 2007 using technology from Israeli surveillance company Verint Systems Ltd and maintained by Compania Comercial Curacao de Colombia, a Colombian firm. In 2013, the Police put forward proposals to extend the system, claiming that an expanded PUMA would be capable of capturing three times more phone calls and data. The expanded PUMA was to include a monitoring module for internet service providers (ISP) and up to 700 workstations throughout the country. The contract for the expansion was concluded with NICE Systems, another Israeli surveillance company, in partnership with Colombian company Eagle Comercial. Yet disagreement between the Fiscalía and the Police over its management stalled the expansion, and the project was put on hold. Nonetheless, new contracts are still being settled and the revamped system was supposed to be operational by the end of 2015. The current situation is unclear.
Additionally, the Police Intelligence Directorate (Dirección de Inteligencia Policial, 'DIPOL') acquired and deployed its own mass, automated communications surveillance system, the Integrated Recording System ('IRS'). Established in 2005, the IRS monitors massive communications traffic across E1 lines and 3G mobile phone traffic. Like PUMA, it is set up with service providers' knowledge and monitoring is done without their knowledge. Privacy International's analysis of the technologies is that the system is capable of collecting 100 million call data records per day and intercepting 20 million SMS per day. This vast data store is then processed and combined with other types of data including images, video, and biometric details.
The technologies underpinning both the DIPOL and DIJIN systems automatically collect and store communications data passively via a set of probes linked to a monitoring centre. Nevertheless, whilst Decree 1704 (2012) requires telecommunications providers to set up their infrastructure to enable "access and traffic capture" for crime investigation purposes, there is no explicit provision in the current legal framework regulating the surveillance of communications in Colombia that either permits or prohibits bulk surveillance measures such as PUMA.
Open Source Intelligence
In 2012, DIPOL also negotiated over a potential purchase of powerful open source intelligence technology from Palantir, an American data analytics company, according to Privacy International. This would have allowed DIPOL to build on their existing databases to analyse and process vast amounts of data and communications. Palantir denied engaging in this contract, though it is likely that DIPOL procured the technology from another vendor.
Surveillance oversight, checks and balances
On the one hand, the regulator for the telecommunications industry in Colombia is the Communications Regulation Commission (Comisión de Regulación de Comunicaciones, 'CRC'). Its role, among others, is to promote competition in the telecommunications industry, promote the use and deployment of infrastructure in the ICT sector, promote quality in the provision of ICT services, and regulate access and use of all the networks and access to markets for telecommunications services.
On the other, data protection statutory law (Law 1581 of 2012) establishes the Office of the Attorney General (Procuraduría General de la Nación) and the Superintendent of Industry and Commerce (Superintendencia de Industria y Comercio, 'SIC') as the national authorities in charge of controlling the correct management of databases. However, Law 1581 of 2012 does not apply to databases containing personal data that "have as a purpose and are related to intelligence or counterintelligence activities". Thus, even though the data protection law principles apply, there is no independent regulator to control and protect personal data held by or for intelligence purposes. As a result, the existing seven agencies with intelligence functions are not accountable to the data protection regulator of public agencies.
Finally, according to the Intelligence Law, an independent commission was created within Congress in order to oversee intelligence activities. Nevertheless, although the Intelligence Law came into effect on 17 April 2013, the Legal Monitoring Commission of Intelligence has been unable to carry out all the activities under its mandate due to alleged security and contracting procedures that mask a lack of political will.
Surveillance case law
We are not aware of any surveillance case law in Colombia.
Examples of surveillance
Communications interception scandals (sometimes called by the Colombian Spanish term chuzadas) have been a feature of Colombian security politics since the 1990s. Authorities have been tapping phone lines since at least 1971 and surveillance has played an important role in military operations against the FARC in recent years. In 2011, intercepted phone calls were reportedly crucial to locating FARC's supreme leader, Alfonso Cano, subsequently killed in a military attack. The military reportedly used the Esperanza interception system to locate the FARC's military leader, Mono Jojoy, also subsequently killed.
However, stories of the illegal interception of private communications pervade accounts of extrajudicial disappearances and killings. Different agencies have been involved in these illegal interceptions. In one famous case, more than 2,000 phone lines were illegally tapped by the joint military-police Unified Action Groups for Personal Liberty (Grupos de Acción Unificada por la Libertad Personal, 'GAULA'), according to the Fiscalía in 2002. Among those targeted was ASFADDES, a group representing families of the disappeared, which had seen at least two of its own members disappeared that year. In 2007, eleven police generals from DIPOL were dismissed following revelations that the agency had tapped influential opposition politicians', journalists', lawyers' and activists' phones. In 2014, the Colombian weekly magazine Semana alleged that a Colombian army unit codenamed Andromeda was spying for more than a year on the government's negotiating team in ongoing peace talks with the country's FARC guerrillas.
Yet the most notorious of the interception scandals involves the DAS and was revealed by Semana in February 2009. Special strategic intelligence groups of the DAS conducted targeted surveillance of an estimated 600 public figures including parliamentarians, journalists, human rights activists and lawyers, and judges among others. According to files retrieved during an investigation by the Fiscalía, the DAS intercepted phone calls, email traffic and international and national contacts lists, using this information to compile psychological profiles of targets and conduct physical surveillance of subjects and their families, including children.
Communications surveillance was central to the DAS abuses. The phone lines of journalist Hollman Morris were under near-constant surveillance. Morris was later forced into exile on several occasions. Claudia Duque, a lawyer and journalist formerly working with the CCAJAR lawyers collective, survived kidnapping attempts and received graphically violent phone threats; DAS files about her contained extensive evidence of communications and physical surveillance. Such was the scale of the illegal interception that seven Supreme Court justices were recused from the 2011 trial of the former DAS head because evidence suggested that even they had been illegally spied on.
Although the DAS had weathered previous abuse scandals by publicly purging its ranks, the Semana revelations were the last straw. In his first speech after the scandal broke, then-President Álvaro Uribe announced that intelligence agency DAS was no longer allowed to intercept any phone conversation without Police authorization.
The scandal-ridden DAS was disbanded in October 2011. Several former DAS heads were convicted for illegal interception and associated crimes. Fernando Tabares, former DAS director, was convicted for illegal wiretapping of government opponents in 2010. Maria del Pilar Hurtado, who headed DAS in 2008, is the highest-ranking official to have been convicted for illegal surveillance. In 2011 a new agency, the National Intelligence Directorate (Dirección Nacional de Inteligencia, 'DNI'), was established to head the intelligence and counterintelligence sector within the overall structure of the state.
In December 2015, La FM accused officials of the Police Directorate of Intelligence (DIPOL) of running a major gay prostitution ring. Previously, La FM editor-in-chief Vicky Davila had filed a complaint with the Attorney General's office with evidence that the Police had been spying on her, her team, and other journalists investigating irregularities within the National Police.
In the Concluding Observations on the Seventh Periodic Report of Colombia, the UN Human Rights Committee said that the government should "expedite the investigations being carried out into suspected illegal surveillance activities allegedly conducted by officials of the former Administrative Department of Security and ensure that all responsible parties are held accountable for their acts".
Data protection laws
Financial data in Colombia is protected by Law 1266 of 2008. This law was originally intended to be the general legal framework applicable to the management of personal information, according to analysis by Brigard & Urrutia Abogados. After a revision by the Constitutional Court (Decision C-1011 of 2008), its scope was reduced to be applicable only to financial, credit, commercial, and services information (and to such information coming from abroad) for use in financial risk and credit risk assessment ("Financial Personal Data").
In 2013 the Intelligence and Counterintelligence Law (Statutory Law No 1621 of 2013) created a commission of private and public authorities to formulate criteria for purging the intelligence archives. It was noted that the Commission should consider various elements including the fundamental rights of citizens. Whilst the process was concluded and a set of criteria were finalised, the Colombian government and the chairman of the Purging Commission did not make these public, arguing confidentiality. If these criteria are not available to the public, it will hinder the ability to assess whether processing of personal data by intelligence agencies was lawful or not and, in case of unlawful processing, whether their actions have been corrected and citizens compensated.
In 2012 the Colombian Congress enacted Law 1581 of 2012 as the general legal framework applicable to the management of personal information. This law was reviewed by the Constitutional Court in Decision C-748 of 2011, and regulated by Decree 1377 of 2013. Bill 106 of 2015 aimed to amplify the scope of Law 1581 of 2012 in order to cover international collection and processing of personal data. Despite the bill being withdrawn by its sponsor on 16 June 2016, it was later presented again as Bill 87 of 2017. As of January 2018, its second debate is currently pending.
Law 1581 of 2012 is the general legal framework applicable to the management of personal data. Basically, it is intended to protect individuals' right to know, update and rectify information gathered about them in databases or files. In Colombia this right is known as habeas data. Besides, financial data is protected by Law 1266 of 2008. This law is applicable to financial, credit, commercial, and services information (and to information of the same characteristics coming from abroad) destined to financial risk and credit risk assessment ("Financial Personal Data").
Colombia has two statutory laws regulating access to public information. The first is Law 1712 of 2014, which seeks to regulate the constitutional right of access to public information, as well as the procedure by which ordinary citizens can obtain information from the government, and the exceptions that the government can cite to refuse to publish information. This law includes a mechanism called "request for access to public information", a request that any person can file in oral or written form, including by electronic means, in order to have access to public information.
The second is Law 1755 of 2015, which seeks to regulate the constitutional right of petition. This law includes a procedural guarantee called "right of petition", by which, for reasons of general or particular interest, any person can file a respectful request with the authorities in order to obtain a prompt, full and substantive reply.
Public entities, as well as the other subjects bound by Law 1712 of 2014, are required to disclose any information requested under these two mechanisms, unless it falls under one of the exceptions which protect interests such as personal privacy and national security. Specifically, Law 1712 of 2014 authorizes the denial of information when access to it may cause damage to (i) a third party's rights to life, health, security or privacy, or (ii) commercial, industrial and professional secrecy. Additionally, authorities can also deny access in order to protect (i) defense and national security; (ii) public safety; (iii) international relations; (iv) the prevention, investigation and prosecution of offenses and disciplinary offenses; (v) due process and equality of parties in court proceedings; (vi) the effective administration of justice; (vii) the rights of children and adolescents; (viii) macroeconomic and financial stability; or (ix) public health.
Moreover, according to Law 1755 of 2015, the government can deny access to public information related to (i) defense or national security; (ii) instructions regarding diplomatic matters or reserved negotiations; (iii) matters involving privacy of individuals (data included in resumes, curriculum vitae, pension records and medical records); (iv) matters concerning the financial conditions of public credit operations; (v) data on financial and business information; (vi) information protected by commercial or industrial secrecy and strategic plans of public utilities; (vii) information covered by professional secrecy; or (viii) genetic data.
Data breaches: case law
Since 1991, the Colombian Constitutional Court has issued numerous decisions regarding data protection. Initially, judicial decisions addressed cases related to personal financial data gathered by credit bureaux. Within these cases, ruling T-414 of 1992 first addressed financial data protection as a new social dimension of individual freedom, distinct from other classic manifestations of freedom, called "information processing liberty". Afterwards, ruling T-022 of 1993 considered the collection and circulation of personal financial information as a problem of privacy. Finally, since 1995 habeas data has been addressed as an autonomous right, clearly differentiated from the right to privacy, and its core was initially composed of the right to information processing self-determination as well as freedom, in general, and economic freedom, in particular.
In recent years, court rulings have tackled other topics, such as the processing of personal data in social networks. For example, ruling T-260 of 2012 decided the case of a father who created a Facebook account for his 4-year-old daughter. In this case the Court declared that the principle of freedom in the handling of personal information had been breached. Therefore, given that the child was not aware of the creation of the account on Facebook, the Court considered that her right to data protection had been violated, and ordered her father to delete the account. Thereafter, the Court reviewed the case of a creditor who decided to publicly denounce her defaulting debtor on Facebook. In ruling T-050 of 2016 the Court decided that the message published on Facebook violated the right to privacy of the defaulting debtor, not only because it exposed part of her personal data, but also because the debtor did not give authorization for such information to be revealed. Although the right that was finally protected in this ruling was the right to privacy, the reasoning of the Court took particular account of the right to data protection of the debtor involved.
The Court's position has not been as clear with regard to personal data disseminated by mass media. In recent rulings about personal data published in the media, the Court has addressed the problem as a conflict between the right to freedom of expression and access to information, on the one hand, and the right to honor and a good name of the person involved, on the other hand. Therefore, it has not mentioned the right to habeas data, nor has it declared that the right to habeas data is not applicable to the case, since the discussion focuses on journalistic information disseminated by media in the exercise of freedom of expression, and not on information gathered in databases (T-040 of 2013).
In relation to the work of the data protection authority, in Colombia, the Office of the Attorney General is the national authority in charge of controlling the correct management of public databases. When it comes to private databases, the Superintendence of Industry and Commerce (Superintendencia de Industria y Comercio, 'SIC') is the Colombian data protection authority.
Regarding the latter, there are three pronouncements that are worth mentioning. On 24 November 2014, the SIC published a legal opinion stating that the processing of personal data on social networks does not fall within the purview of Law 1581 of 2012 (the general legal framework applicable to the management of personal data), as in these cases the collection, use, circulation, storage or suppression of personal data is not made within the Colombian territory (since social networks are domiciled abroad). Nevertheless, on 3 March 2016, the SIC revised its position, arguing that the processing of personal data is carried out in Colombian territory not only when the data collector is domiciled in Colombia, but also when, in order to undertake the collection, use, circulation or storage of the personal data, it uses "means" that are located in the Colombian territory.
Finally, and in exercise of its legal obligation to guarantee the adequate protection of our data in international transfer of information (articles 21 and 26 of Law 1581 of 2012), the SIC issued the External Circular 005 of August 10, 2017, by which it defined the standards for international transfer of data. The Circular establishes a list of countries that Colombia considers to have an adequate level of data protection, including the countries of the European Union (which have been approved as adequate by the European Commission), Mexico, the Republic of Korea, Costa Rica, Serbia, Peru, Norway, Iceland and the United States. Nevertheless, the SIC does not explain why these countries are considered adequate and, above all, how it justifies the inclusion of the United States, which has been criticised by Human Rights Watch for not offering foreigners the same guarantees that its nationals have. Moreover, it does not define how the adequacy of these countries will be maintained (as the laws change over time), nor how the level of protection of other countries will be evaluated in the future. Lastly, and contrary to the European model, the Circular does not provide a procedure to dispute the decisions of "adequate data protection".
Examples of data breaches
In 2014 it was revealed that a network of individuals managed to unlawfully access the database managed by the Unit for Comprehensive Care and Reparation for Victims. It was reported that these individuals managed to access the database using authorisation codes which had been leaked to them. This data was sold in order to enable unscrupulous people to impersonate real victims, to accelerate the payment of compensation to certain applicants, or to know the personal data of the complainants, among other offences.
On 26 January 2016, the journalist Daniel Coronell wrote an op-ed in the digital magazine Semana.com in which he released some intimate photos of the Colombian Ombudsman, which would prove an alleged sexual harassment committed by him against his assistant. This scandal, which turned on issues of the right to privacy of public servants, resulted in the resignation of the Ombudsman.
On 16 February 2016, the journalist Vicky Dávila, director of "La FM" radio station, disclosed a recording in which a Colombian vice-minister appears holding a conversation of a sexual nature with a Police officer. According to the journalist, who alleged being tapped by the Police, this recording is part of the records that would evidence the vice-minister's relationship with a prostitution network that is operating within the Police. This scandal ended both in the resignation of the vice-minister and in the dismissal of the journalist.
On 3 April 2016, 11.5 million documents of the Panamanian law firm Mossack Fonseca & Co., which detail financial information of more than 214,488 off-shore entities, were leaked, exposing hundreds of people who have used Panama as a tax haven to evade taxes in their own countries. This scandal, commonly known as "Panama Papers", involved more than 850 Colombians. Therefore, based on this information the Colombian tax authority (DIAN) expects to open at least 500 formal processes to rule out or confirm tax evasion practices.
ID cards and databases
Established in 1938, Colombia's population registry is administered by the National Civil Registry (Registraduría del Estado Civil). The registry is composed of three main sections: birth, marriage and death. The birth registry records general identification information such as name, date of birth, parents' names and identification, their professions and the physician in charge of the medical procedures at birth, as well as the footprints of the newborn. Those footprints, together with the full ten-print collected later for the identity card, are the only biometric information stored. The registry is the most important proof of the information it contains and will be demanded by any state agency accordingly. The registry information feeds the National Identification Archive (Archivo Nacional de Identificación) and the Civil Registry Database (Base de datos del Registro Civil). Even though the registry is public, the legislation imposes restrictions on issuing copies or certificates of it to protect privacy rights. However, the National Identification Archive can be consulted by public and private parties upon agreement with the National Civil Registry.
Since 1970, every newborn in Colombia has been assigned a unique identifier number. Until 2000, that number was composed of two parts: the first was the date of birth (for example, 840701 for a person born on 1 July 1984) and the second was a 5-digit number that differentiated between all the people born on the same day and allowed gender identification. Since 2000, the identifier has been a 10-digit number. Many of these numbers are assigned to each registry office, which then assigns them to anyone registered there at birth or when the person asks for an identity card.
The age of majority in Colombia is 18 years, which means that the person has full legal capacity and can vote in public elections. The means of validating this circumstance is the identity card ("cédula de ciudadanía").
In order to secure the quantity and number of identity cards needed for a vote, the National Civil Registry takes the last electoral census and adds the identity cards of the people over the legal age that do not appear in the census and the people who have acquired the Colombian nationality. The Registry also removes the identity cards of the deceased, of people who are part of the Military Forces abroad, and of other people who are unable to exercise public rights due to a confirmed criminal sentence and other irregular identity cards.
The census contains only the identity card number.
SIM card registration
SIM card registration is not currently mandatory in Colombia but there is an IMEI registration system.
Since 2011 the Colombian government has been developing a cellphone registry system that aims to avoid and deter cellphone theft. The system has two main parts: IMEI databases and a verification scheme.
There are two kinds of databases: positive and negative.
The positive database contains the IMEIs allowed to work on Colombian mobile networks. Besides registering imported devices, this database connects each IMEI with a user identity. Thus, users are required to hand over to the telecom operator personal information such as:
- Full name;
- ID type and number;
- Address; and
- Contact phone number.
Telecommunications operators are required to verify this information on any of the following sources or databases:
- National ID Archive;
- Civil State Registry;
- Credit History and Risk databases; and
- Data gathered by the operator.
Only one ID may be associated with a specific IMEI, even in the cases of corporate accounts.
The negative database contains IMEIs that are not allowed to operate on Colombian networks because:
- the device was reported as stolen or lost;
- the device's IMEI was recognized as irregular: it is without a format, or without a certificate of conformity ('homologation process', as it is known in Colombian regulatory language), or is duplicated; or
- the device was not registered in the positive database.
Police and judicial authorities as well as administrative authorities such as the Ministry of ICT and the telecommunications regulator may access the databases containing this data. There is no oversight of any kind upon this access.
Each operator should have its own positive and negative databases. This is called an "operative database". All operators should select a third party to manage the "administrative database", which contains the information of all the operative databases and syncs them in order to prevent an IMEI reported in one operator from working on the networks of other operators. Currently the operator of the administrative database is Informática El Corte Inglés, which is part of the Spanish corporation El Corte Inglés.
These databases are populated also with reported IMEIs from the GSMA IMEI database and other national databases with which operators have agreements.
Because IMEIs can be reprogrammed, the positive and negative databases are not a sufficient measure for the regulator and the government to prevent cellphone theft. In order to clean up the databases and ultimately guarantee that each legitimate IMEI is registered in the positive database (which implies user identification), a verification system was put in place.
The verification system demands all operators take note of each IMEI activity on their networks. This is achieved through Call Data Record (CDR, voice and data) analysis. The process takes place in three steps:
- intra network analysis: each operator analyzes its CDR;
- inter network analysis: each operator sends its CDR to a third party chosen by the operators, which analyzes them to find duplicates across all networks; and
- control measures: for each type of irregular IMEI (without format, not homologated, duplicated) the operators take measures as defined by the regulator.
The regulator requires an analysis of both voice CDR and data CDR, with the latter being required from July 2017.
Specifically, the following information — metadata — should be analyzed by the operator:
- IMSI, which comprises the MCC (mobile country code), the MSIN (mobile subscription identification number) and the MNC (mobile network code);
- Date and time of beginning of the event;
- Type of event: voice call or data session; and
- MSC - Mobile Station Classmark: in case the operator needs to check the coherence of the information provided by the device.
To counter concerns that collection of this data was a potentially massive privacy violation, the regulator stated that since the MSISDN number is not required, the line number is not part of this analysis. However, it must be noted that the positive database contains an association of IMEI, user real identity and telephone number.
For the "inter network" phase of the analysis, the operators would provide the third party with the geographic coordinates of all their stations.
Besides the CDR information listed above, the operators must provide Cell Identity and Location Area Code fields which according to the regulator may contain "location", "location extension", "location estimate", LAC, "user location information", "cell identifier", or "user location info".
For the control phase, all irregular IMEI would be blocked. It is noteworthy that for the case of duplicates, the user must prove the legitimacy of the device, which is to be determined using the information of the CDR (metadata recorded by the operator should match the device features and capabilities). When the legitimate owner of a device with a duplicated IMEI is found, the operator should record the pair IMEI-IMSI in order to allow only that specific pair to work on their networks.
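The three-step verification described above, as an added Python example (not the regulator's or any operator's code): it checks IMEI format with the Luhn check digit, looks up homologation by TAC, finds a duplicate that only appears once the operators' CDRs are merged, and applies the IMEI-IMSI pair rule. The 10-minute duplicate window, the TAC-based homologation lookup, and every IMEI, IMSI and identity below are constructed assumptions; the page does not give the regulator's actual criteria.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: an IMEI active with two different IMSIs inside this window is "duplicated".
WINDOW = timedelta(minutes=10)

def luhn_check_digit(body14: str) -> str:
    """Luhn check digit for the first 14 digits of an IMEI."""
    total = 0
    for i, ch in enumerate(body14):
        d = int(ch)
        if i % 2 == 1:              # every second digit from the left is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)

def format_ok(imei: str) -> bool:
    """'Without format' check: 15 ASCII digits with a valid check digit."""
    return (len(imei) == 15 and imei.isascii() and imei.isdigit()
            and luhn_check_digit(imei[:14]) == imei[14])

def find_duplicates(cdrs):
    """IMEIs seen with two different IMSIs less than WINDOW apart."""
    by_imei = defaultdict(list)
    for row in cdrs:
        by_imei[row["imei"]].append(row)
    dups = set()
    for imei, rows in by_imei.items():
        rows.sort(key=lambda r: r["start"])
        for a, b in zip(rows, rows[1:]):
            if a["imsi"] != b["imsi"] and b["start"] - a["start"] < WINDOW:
                dups.add(imei)
    return dups

def classify(cdrs, homologated_tacs):
    """Map each irregular IMEI to one of the three irregularity types."""
    dups = find_duplicates(cdrs)
    verdicts = {}
    for imei in {r["imei"] for r in cdrs}:
        if not format_ok(imei):
            verdicts[imei] = "without_format"
        elif imei[:8] not in homologated_tacs:   # TAC = first 8 digits
            verdicts[imei] = "not_homologated"
        elif imei in dups:
            verdicts[imei] = "duplicated"
    return verdicts

def control(row, verdicts, legitimate_pairs):
    """Control phase: block irregular IMEIs, except a recorded IMEI-IMSI pair."""
    verdict = verdicts.get(row["imei"])
    if verdict is None:
        return "allow"
    if verdict == "duplicated" and (row["imei"], row["imsi"]) in legitimate_pairs:
        return "allow"
    return "block"

def identity_for(row, positive_db):
    """The CDR row has no MSISDN, but its IMEI keys into the positive database."""
    return positive_db.get(row["imei"])

def make_imei(tac, serial):
    body = tac + serial
    return body + luhn_check_digit(body)

# ---- constructed sample data (test-network IMSIs, made-up TACs and identity) ----
HOMOLOGATED_TACS = {"35693803", "49015420"}
GOOD = make_imei("35693803", "000001")
CLONED = make_imei("35693803", "000002")
UNKNOWN_TAC = make_imei("86000000", "000003")
BAD_FORMAT = "490154203237517"      # the valid check digit would be 8
T0 = datetime(2017, 7, 1, 9, 0)
CDRS = [
    {"operator": "op_a", "imei": GOOD, "imsi": "001010000000001",
     "start": T0, "event": "voice"},
    {"operator": "op_a", "imei": CLONED, "imsi": "001010000000002",
     "start": T0 + timedelta(minutes=1), "event": "data"},
    {"operator": "op_b", "imei": CLONED, "imsi": "001020000000009",
     "start": T0 + timedelta(minutes=3), "event": "voice"},
    {"operator": "op_b", "imei": UNKNOWN_TAC, "imsi": "001020000000010",
     "start": T0 + timedelta(minutes=4), "event": "data"},
    {"operator": "op_a", "imei": BAD_FORMAT, "imsi": "001010000000003",
     "start": T0 + timedelta(minutes=5), "event": "voice"},
]
POSITIVE_DB = {CLONED: {"name": "Constructed Name", "id": "CC 0000000000",
                        "msisdn": "3000000000"}}

if __name__ == "__main__":
    for op in ("op_a", "op_b"):     # intra-network: neither operator sees the clone
        print(op, find_duplicates([r for r in CDRS if r["operator"] == op]))
    verdicts = classify(CDRS, HOMOLOGATED_TACS)   # inter-network: merged CDRs
    pairs = {(CLONED, "001010000000002")}         # owner proved legitimacy
    for row in CDRS:
        print(row["operator"], row["imei"], control(row, verdicts, pairs))
    print(identity_for(CDRS[1], POSITIVE_DB))
```

Neither operator's own CDRs reveal the cloned IMEI; it only surfaces in the merged set, which is why the scheme needs a third party holding every network's records.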
An in-depth policy and technical analysis of this registry conducted by Fundación Karisma found several problems from a human rights perspective.
The system was not set by Law but was instead put in place by the telecommunications regulator (Comisión de Regulación de Comunicaciones). The positive and negative databases were sketched by Article 106 of Law 1453 (2011). Decree 1630 (2011) developed that article and specified that every IMEI should be tied to an identification. Resolution 3128 (2011) of the telecom regulator set out the system in greater detail. Also, the verification system was not present in any of those legal documents and was instead set by the regulator through Resolution 4813 (2015).
Intelligence services can access the information produced by the operators, especially the CDRs, thus giving meaning to the obscure provision of the Intelligence Law (Law 1621/2013) that required operators to hand over the "history of communications" of their customers (Article 44). Intelligence agencies lack proper control and the only mechanism of oversight, which is under Congressional authority, is currently inoperative.
Even though the association of personal data with IMEI is problematic in itself, article 9 of Resolution 3128 (2011) grants total freedom to authorities of almost any kind to access this information. Specifically, it provides that administrative authorities "such as" the Ministry of ICT (and others) "as well as" police and judicial authorities may query the updated information of the negative and positive databases "entry by entry". There is no oversight mechanism, no justification that these authorities must state in order to access the database, and no registry of such queries.
As for the verification system, the main concern is that the regulator and the government, by setting up this system, overlooked the protection of communications ordered by Articles 15 and 235 of the Constitution, namely judicial orders in the context of a criminal investigation. When these concerns were raised during the regulatory process, the regulator asserted that the system is considered to be in compliance with Data Protection Law and thus, they argue, no constitutional privacy protections of any kind were bypassed.
The whole system, databases and verification, is in the hands of third parties not selected by the regulator or the government. The selection of the administrator of all this information and these processes is systematically left to the operators, which they complete through private agreements. That hinders accountability and dilutes responsibility for any abuse of the system.
There are various scenarios in which this system may come into play, deepening the risks to privacy. The customary (and sometimes arbitrary) police street search includes checking cellphones' IMEI. This search allegedly aims to catch blacklisted devices, but the system has the capability to identify the user, their cellphone number and their address in the database. Also, the constitutional grounds on which the search of the cellphone is based are dubious at best. Other scenarios may include the use of IMSI catchers to extract information and the request of cellphone tower information that may be correlated with the cellphone registry.
In short, every one of the 52 million estimated devices in Colombia would be associated with an individual, whose identity must be verified. At first glance, any authority can access this database and is not required to provide reasons for doing so, nor is the authority subject to any control in this access. Also, the system forces operators to produce information on Colombians' mobile communications which can later be required by authorities to analyze patterns, including geolocation information. A system to prevent cellphone theft such as the one described above and implemented by the Colombian government is unlawful in the sense that it was not set by formal law as required for such a massive potential compromise of privacy.
Policies and Sectoral Initiatives
Since 2011, the Colombian government has been developing a cybersecurity policy with the help of the OAS' Inter-American Committee against Terrorism. Up until 2014 Colombia has approved, enacted or promoted:
- the ISO-27001 Standard on information security management system
- Law 1273 of 2009 to include cybercrime on the Criminal Code
- Law 1581 of 2012 and Decree 1377 of 2013 on data protection
- The data protection authority inside the Superintendency of Industry and Commerce (Superintendencia de Industria y Comercio)
- The Online Government Strategy led by the Ministry of ICT which sets out some security requirements.
Most importantly, in 2011 CONPES 3701 recommended and secured financial resources to create four institutions which form the basic structure of cybersecurity in Colombia. These are:
- Intersectoral Commission, embodied in the State Information Digital and National Commission created in January 2013;
- the Colombian Cyber Emergency Response Team (colCERT), created in June 2013;
- the Armed Forces Joint Cyber Command (Comando Conjunto Cibernetico in Spanish), created in October 2012; and
- the Cyber Police Centre (CPC).
In spite of major illegal wiretapping scandals (See Examples of Surveillance), the cybersecurity policy was renewed in 2016 without addressing the flaws that allowed the abuse of security and surveillance capabilities.
Although the new strategy (CONPES 3854), heavily influenced by the OECD, changed part of its name from "cyber security" to "digital security" and included the protection of human rights as one of its pillars, it still contains a call to increase the capacities of intelligence and law enforcement agencies without a corresponding call to increase controls and transparency duties. The effects of the new strategy are yet to be assessed as it will be implemented over the next four years.
Law 1273 of 2009 created new categories of offenses relating to cybercrime and data protection. These include abusive access to a computer system (modifying the Penal Code); unlawful obstruction of the computer system or telecommunications network; interception of computer data; computer damage; use of malicious software; theft using computers; violation of personal data; phishing to capture personal data and unauthorized transfer of assets.
The law also extended protection to systems that use information technologies and communications. Law 1273 of 2009 concretely created new criminal offenses related to computer crimes and the protection of information and data, with imprisonment penalties up to 120 months and fines up to USD 1,500 minimum statutory monthly wages.
In 2011, Colombian agencies — including the Ministry of the Interior and Justice, Ministry of Foreign Affairs, Ministry of Defense, Ministry of Information and Communication Technologies, Department of Security Administration, National Planning Department, and Office of the Attorney General — issued a policy guideline on cybersecurity and cyberdefense. The overall objective of the policy was "to strengthen the capabilities of the state to confront threats that undermine its security and defense in cyberspace (cybersecurity and cyberdefense), creating the necessary environment and conditions to provide protection therein." It proposed a new collaborative coordination model overseen by an Intersectoral Committee with the Cyber Emergency Response Team (ColCERT) coordinating cybersecurity and cyberdefense nationwide.
In late 2014, the Colombian police released a report claiming that cybercrime levels had increased significantly.
In August 2017, the Ministries of Foreign Affairs, Defense, Justice and ICTs presented before Congress a draft Law to ratify the Budapest Convention on Cybercrime. For the time being, the proposal is being discussed in the Senate and it must pass another two debates, Presidential approval and the revision of the Constitutional Court.
In Colombia, the discussion about the legitimacy of using encrypted communications must start from the fact that there is already legislation on the matter. Initially, Law 104 of 1993 prohibited sending "encrypted messages or in unintelligible language" in "all communication devices using the electromagnetic spectrum". In ruling C-586 of 1995 the Colombian Constitutional Court reviewed this law and found it compatible with the Constitution. Four years later the text of this statute was revived in article 103 of Law 418 of 1997, which regulates the use of the electromagnetic spectrum. Thereafter, this provision has been continuously renewed, with Law 1738 of 2014 extending its validity until 2018.
Therefore, according to these multiple laws, sending encrypted messages or in unintelligible language is banned in all communication devices using the electromagnetic spectrum. However, it is unclear whether these laws would also cover encrypted communications on the internet. Besides, this total ban has an exception. Law 1621 of 2013, by means of which intelligence activities are regulated, provides that telecommunications services providers must offer encrypted voice call service to high government and intelligence officials.
Licensing of industry
In 2014, nine operators provided mobile services in Colombia: Comcel, Movistar, Tigo, Uff Móvil, Une EPM, Avantel, ETB, Virgin Mobile, and Éxito. Of these, Comcel commanded 56.61 % of total subscriptions, followed by Movistar with 23.97 % and Tigo with 15.42 %.
The main internet providers in Colombia are Telecom/Telefónica, ETB, EPM, Coldecon, and Telmex Colombia S.A.
According to the Colombian government, Colombia is the e-government leader in Latin America and the sixth country in the world in terms of e-participation. In 2010 no local authority had a high level in e-government standards.
The Online Government Program is the Colombian e-government strategy intended to build a more efficient, transparent and participatory State through ICT. The strategy focuses on the following 4 specific topics: (i) ICT for Open Government: looking to build a more transparent and collaborative State, where citizens are actively involved in decision-making through ICT; (ii) ICT in services: aims to create the best online procedures and services to meet the most pressing needs of citizens; (iii) ICT for public administration: intends to make public administration more efficient through ICT; and (iv) Security and privacy of information: seeks to ensure information security for citizens' data.
Another project developed as part of the Online Government Program is the Urna de Cristal, an initiative intended to foster citizen participation and government transparency. This initiative was launched in 2010 and is composed of a multichannel platform that integrates traditional communication channels (such as television or radio) with digital ones (such as social networks, SMS and a website). According to the government, through these channels Colombians can learn about the developments and results of government initiatives, pose questions and queries to the authorities and directly engage with public affairs. The user does not have to log in to access the information available on the website. However, if the person wants to ask a question to a public entity, she must log in with her Facebook/Twitter account, or directly register at the website by providing an email address and a username.
In addition, there is another project called "No + Filas" (previously Sí Virtual), a website intended to host procedures and integrated online services, with a unified interface to improve the user experience when performing transactions. The website includes a search engine that helps the user to find the procedures for everyday situations. The website also offers a map service, which assists the user with the location of public entities, as well as with the best routes to get there.
The Colombian data protection standards compiled by Law 1266 of 2008 and Law 1581 of 2012 are applicable to private and public databases. Therefore, any databases created by or hosted in any of the aforementioned platforms should comply with those standards.
Proposed in 2015, article 45 of Law 1753 states, in very complicated and unclear language, that public institutions must use ICTs for offering public services. One of those services is the Citizen Folder, which was finally created by Decree 1413 of 2017. Along with the authentication and interoperability services, this makes up the Digital Citizen Services platform. In short, the model allows private parties to provide different services such as Citizen Folder or electronic authentication, under the conditions set by an entity called "articulator".
Even though the Decree was issued in 2017, no information on implementation of this decree has come to light as of January 2018.
Health sector and e-health
In November 2017, the Ministry of ICTs presented for public discussion a draft regulation on medical and labor records on the Digital Citizen Services platform. Answers to comments by interested parties and a final Decree are pending as of January 2018.
Decades of insecurity and armed conflict have given rise to a burgeoning surveillance technology industry in Colombia, particularly for CCTV, video surveillance and biometric technologies.
In October 2016, it was announced that Medellin city had purchased biometric facial recognition technology from the Japanese company NEC. The arena operator has reportedly created a blacklist of disruptive football fans, which the NEC system will use to compare against the faces captured by surveillance cameras at the entrances.
More generally, during 2017 the private entity that is responsible for organizing, managing and regulating the Colombian Professional Soccer Championships (DIMAYOR) pushed forward its strategy for security in the stadiums of the country. This strategy includes introducing photo ID cards for fans, as well as the installation of facial recognition cameras and gates with biometric control and fingerprint recognition devices.
We are not aware of any privacy issues related to transportation in Colombia. Please send any tips or information to: firstname.lastname@example.org
We are not aware of any smart city initiatives in Colombia. Please send any tips or information to: email@example.com
We are not aware of any privacy issues related to migration in Colombia. Please send any tips or information to: firstname.lastname@example.org
We are not aware of any privacy issues related to emergency response in Colombia. Please send any tips or information to: email@example.com
Humanitarian and development programmes
We are not aware of any privacy issues related to humanitarian and development programmes in Colombia. Please send any tips or information to: firstname.lastname@example.org
On July 20, 2017, a Congresswoman filed a bill that seeks to prohibit the creation of false or anonymous accounts on social networks used to insult, slander or violate the privacy of another person, or to spread false news that may generate confusion or panic in the population. The bill is still pending debate. Later, on July 28, another Congressman filed a bill intended to formulate public policy guidelines for the prevention of crimes carried out against children and adolescents through computer or electronic means. That bill has already been published ahead of its first debate.