On August 21, 2024, the Superintendence of Industry and Commerce (SIC) issued Directive No. 002 of 2024, which gives instructions on the processing of personal data in the use of AI in accordance with the Colombian personal data protection regime contained in Laws 1266 of 2008 and 1581 of 2012 and their regulatory decrees (“CDPR”).
The Directive applies to data controllers, data processors and users that develop or use AI based on information containing personal data. Failure to comply with the Directive may lead to fines.
The SIC provides instructions on ten points:
- The processing must meet criteria of suitability, necessity, reasonableness and proportionality, in order to safeguard the principles established in the CDPR.
- Scenarios where there is no certainty about potential damage should be avoided, and preventive measures are warranted.
- In line with the accountability principle, risks associated with personal data must be identified, measured, controlled and monitored.
- If, prior to the design and development of the AI system, a high risk of harm to data subjects is identified, a privacy impact study must be implemented.
- Personal data must be truthful, complete, accurate, updated, verifiable and understandable.
- Differential privacy, a set of mathematical techniques that allow data analytics without revealing information about the individuals providing the data, is proposed as a way of complying with privacy by design and by default.
- Data subjects should be able to obtain information about the processing of their data.
- Security measures should be implemented to protect the confidentiality, integrity, and availability of personal data.
- Personal information that is “publicly accessible” is not, per se, information “of a public nature”, so such information should not be taken and processed without the prior, express and informed consent of the data subject.
- The rights of data subjects must be ensured.
Colombia has developed various regulatory instruments related to AI, including CONPES 3975 of 2019, the current draft National Policy on AI, Decree 1263 of 2022 and Presidential Directive 03 of 2021. There have also been judicial precedents such as Decision T-323 of 2024, in which the Constitutional Court specified that any AI system must ensure compliance with the CDPR.