Colombia ranks 58th within a group of 63 countries in the IMD World Digital Competitiveness Ranking 2019, which measures the capacity of an economy to adopt and exploit digital technologies that transform government practices, business models, and increase opportunities for value creation in the future.
The Colombian government has promoted digital transformation since 2000 when the National Council for Economic and Social Policy (CONPES) published its Connectivity Agenda. However, only since 2015 has digitalization in Colombia had a real push. The National Development Plan 2018-2022 prioritizes digital transformation as a prerequisite of the economic and social development of the country.
In this article, we analyze:
- how the Colombian government promotes digital transformation;
- how private and public companies are adopting digital transformation;
- how well the current legal framework is ready for these new scenarios; and
- how the authorities have approached the gap between the new realities and existing regulation.
Public policy to promote digital transformation in Colombia
For 20 years, the Colombian national government has been trying to develop an efficient, transparent, and participatory state using technology. We set out some of the most relevant public policies and laws adopted by the Colombian government and public entities in a table at the end of this article.
We view 2018 as the turning point in Colombia's 20-year journey towards digital transformation. Since then, national governmental entities and other public entities have developed policies on three fronts: (i) transformation in public entities, (ii) transformation in the provision of public services and (iii) promotion of digital transformation in the private sector.
In 2018, the Online Government Strategy existing since 2015 evolved into the Digital Government Policy, which established guiding principles for the operation of public entities and the interaction between the state and society. In addition, in the same year, the National Data Exploitation Policy (Big Data) was approved. The main purpose of this policy is to encourage the use of data as an asset that can generate social and economic value in Colombia.
The National Development Plan 2018-2022 (PND) is the first national plan to grant a leading role to the digital transformation of society within the economic and social development of the country. In the PND, Colombia's digital transformation follows two complementary paths:
- the extension of broadband internet and digital inclusion for the entire Colombian population; and
- digital transformation focused on the implementation of disruptive technologies such as blockchain, the internet of things (IoT), artificial intelligence (AI) and others.
Its main purpose is to promote the digital transformation of public administration and promote the development and management of talent for digital transformation. Additionally, the PND advocates the development of public innovation in the design, formulation and implementation of digital initiatives that seek to respond to public challenges of high complexity and uncertainty.
In 2019, the national government issued Presidential Directive 02, simplifying the digital interaction between citizens and the state, with the purpose of improving the quality and the trustworthiness of digital services. In this same year, Law 1955 of the National Development Plan 2018-2022 set a goal in article 205 to use applications and platforms to improve the conditions and modalities of social security provision.
Also in 2019, the national government developed Document CONPES 3975, which sets out the national policy for digital transformation and AI. This policy aims to enhance the generation of social and economic value in the country through the strategic use of digital technologies in the public sector and the private sector, to boost productivity and promote the wellbeing of citizens, as well as generating cross-enablers for digital transformation by different sectors.
Digital transformation in public entities
Here is an example to illustrate how the efforts made by the government translate into the changes in operation of public entities.
The National Planning Department identified low digitization and low interoperability between entities as among the key challenges for digital transformation in Colombia. In response to these challenges, the Superintendence of Industry and Commerce (“SIC”) published External Circular No. 04 of 2019, which outlines guidelines to protect personal data, while promoting the digitization and interoperability of public entities and individuals exercising public functions, in order to prioritize the use of information technologies for the benefit of the general interest.
The guidelines of this Circular contain the following legal framework, which we consider relevant due to its emphasis on prioritizing the use of new technologies:
“Thus, interoperability, among other things, contributes to compliance with Article 209 of the Political Constitution, allowing the administrative function to satisfy general interests, be effective, prompt and impartial, benefiting all citizens. (…) Law 1955 of 2019 incorporated as an obligation for state entities of the national order, the duty to include in their respective action plans the component of digital transformation ‘taking as one of its principles the full interoperability of public information systems’.”
Digital transformation in public services
The digital transformation in public services is illustrated by Law 2015 of 2020, which aims to regulate the interoperability of electronic medical history, allowing the exchange of relevant clinical elements seeking effective access and proper exercise of the rights to health and information.
This statute covers the providers of health services such as health service providers (IPS), independent health professionals, entities with different social purposes (which, among other activities, provide health services) and special patient transport services.
One of the relevant provisions included in this Law is the prohibition on modifying the information when recorded in the medical history, even when such a modification is an amendment to correct an error. In this sense, and in order to comply with the applicable regulations, the use of certain types of technological tools to ensure a higher level of protection for the integrity of the information may be required.
In addition, according to this Law, companies are obliged to establish information security and privacy, digital security and continuity of services plans, for which companies must create a strategy of periodic review and risk assessment.
This law also requests entities such as the General Archive of the Nation, the Ministry of Health and Social Protection, and the Ministry of Information and Telecommunications Technologies, to regulate the specific provisions and administer the correct implementation by obligated companies.
Digital transformation in the private sector
The Colombian Financial Superintendence (“SFC” in Spanish) published the Circular Externa 005 of 2019, entitled Rules relating to the use of cloud-based computing services. The scope of this document extends to accounting, financial and corporate fulfilment processes for entities monitored by the SFC that want to support their services with cloud computing technologies.
The Circular establishes clear requirements on these types of contracts (cloud services). Some of the most important are listed below:
- Minimum requirements on provider certifications, such as holding ISO 27001, 27017 and 27018 certifications.
- Verification of the places where information will be processed, with it being necessary to comply with local law requirements regarding data transfer and transmission.
This Circular is a positive sign, in the sense that it creates a general permission to use cloud-based computing solutions for the provision of financial services, while also establishing clear guidelines for the requirements to do so.
In general terms, it is evident that in recent years the government has invested significant efforts in promoting and creating a regulatory framework for the digital transformation of its entities, industry and citizens, which is adapted for current technological tools.
How companies in Colombia are adopting digital transformation
The Digital Transformation Survey carried out by the National Association of Entrepreneurs of Colombia (ANDI) in 2017 identified a number of barriers to successful digital transformation in the private sector, including:
- lack of digital culture (74.1%),
- low level of digital skills (61.6%),
- lack of budget (56.3%); and
- lack of mindset (50.9%).
On the other hand, a survey carried out in 2017 by the Ministry of Information Technology and Communications among 3,011 companies in the industrial, commerce and services sectors nationwide found that 66% of companies do not have a specific area, unit or person in charge of IT issues because:
- there is no need for this (69.7%),
- businesses do not see the utility (16.8%); and
- the cost of having it (15.6%).
Therefore, one of the barriers for the adoption of digital technologies in the private sector in Colombia is the lack of culture and the lack of knowledge regarding the use of digital technologies. Another barrier is the low capacity of the sector to use and take advantage of technologies and tools that facilitate digital transformation, including a low focus on the use of advanced and disruptive technologies.
The adoption of new and disruptive technologies is designed to solve a problem, improve a process, or implement efficient alternatives to the current state of the art. This is mainly achieved through the correct formulation of a question, which is intrinsically linked to self-knowledge and recognition of the potential of how a company’s resources can be used efficiently. In our daily role as legal advisors of information technology and other kinds of companies, we have seen that companies in Colombia are overcoming these barriers and that an increase in the adoption of technology is imminent. In our experience, this has been reflected in commercial strategies that include:
- A transformation of a company’s business model from a traditional goods model to one of services – which is seen most widely in the case of collaborative economies.
- When a company stops investing its resources in an area that is not the center of its business and strengthens those core areas that are. An example of this effect is the adoption of cloud computing services, which allows, as an illustration, that a company dedicated to the transportation business invests in better vehicles and stops investing resources in administration and maintenance of a fixed asset (such as technological infrastructure), leaving a suitable and specialized third party to provide the service.
We are confident that the combination of the regulatory framework developed by the government and the change of mindset that we have seen in our clients will launch Colombia’s digital transformation. This relationship is fundamental, since the development of the government's technological strategy depends on the products and skills available in the market, and at the same time, the market growth depends, among other things, on the promotion of these kinds of services by the government.
The current legal privacy framework
In addition to the legal framework explained above, the “gas” of most of the technologies that support digital transformation is data. One of the main challenges under local law is that, in parallel to having our national government promote the adoption of new technologies, the legal framework applicable to data protection can be to a certain extent inflexible in non-traditional scenarios.
To make efficient use of the data, it is essential (1) to formulate a particular question to be answered, and (2) to organize the data in such a manner that the question can be correctly answered. A series of considerations should be addressed in order to properly perform the use of the data. The most relevant are the following: (1) the quality of the processed data, (2) the social and ethical responsibility derived from the treatment of the data and, (3) the compliance with the applicable regulatory environment.
We believe that the first challenge above is being addressed by the Colombian government as reviewed above, i.e. by promoting programs for digitalization, interoperability and the use of platforms. Meanwhile, the second consideration is being addressed by self-regulation from the companies that are more and more aware of the importance of adopting internal measures to ensure the company's functioning under ethical foundations. The last consideration may be very challenging in an environment of local digital transformation, where the re-invention of how things are being performed is part of the DNA. Before providing an example of this, we consider it necessary to give a brief introduction to our local law on personal data processing.
Colombian regulation understands data privacy as a fundamental right (article 15 of the Political Constitution). Law 1581 of 2012 establishes the eight principles for data privacy as follows:
- Legality: The processing of personal data is a regulated activity that must be subject to what is established in this law and any other provisions that further develop, regulate or modify it.
- Purpose: The processing must arise from a legitimate purpose in accordance with the Constitution and the Law, and the data subject must be informed.
- Freedom: The data processing may only be exercised with the prior, express and informed consent of the data subject. Personal data may not be obtained or disclosed without prior authorization or in the absence of a legal or judicial mandate releasing consent.
- Veracity: The information subject to processing must be truthful, complete, accurate, up-to-date, verifiable and understandable. Processing of partial, incomplete, fragmented or error-inducing data is prohibited.
- Transparency: In the data processing, the data controller and data processor must guarantee the data subjects’ right to obtain information regarding the existence of data related to them, at any time and without any restrictions.
- Restricted circulation: The processing is subject to the limits derived from the nature of the personal data, the provisions of this law and the Constitution. In this regard, the data processing may be carried out by persons authorized by the data subject and/or by third parties entitled by this law.
- Security: The information subject to processing by a data controller or a data processor must be handled with the necessary technical, human and administrative measures in order to provide security and prevent adulteration, loss, or unauthorized or fraudulent review, use of or access to it.
- Confidentiality: All persons involved in the processing of personal data that is not public by nature are required to ensure confidentiality over the information, even after the end of any of the tasks included in the processing; they will be able to provide or communicate personal data only if related to the development of the activities authorized by this law and under the terms thereof.
The main subjects involved in data protection according to Statutory Law 1581 are:
- data subject: the individual whose personal data is subject to processing;
- data controller: the natural or legal person, of a public or private nature, that by itself or in association with others, decides on the database and/or the data processing; and
- data processor: the natural or legal person, public or private, that by itself or in association with others, performs the data processing on behalf of the data controller.
Under local law, data can be shared with third parties in two main ways, through a data transfer or through a data transmission, each of which can be either local or international. A transfer is performed by a data controller to another data controller. A transmission is performed by a data controller to a data processor, which processes the data on behalf of and under the instructions of the data controller. As a general rule, international data transfer is prohibited to third countries that do not provide an adequate level of data protection guarantees, except when it is expressly authorized by the data subject or it is performed under the scope of a data processing agreement between a data controller and a data processor.
Challenges to adopting disruptive technologies
Considering the above, we have identified some particular challenges in the adoption of disruptive technologies.
- Incremental reproduction of the data:
The constant generation of information on a person on a daily basis is often even undetectable by the same person and this makes it even more difficult to recapture it or apply the principles previously studied, such as freedom, veracity and restricted circulation.
- Incremental reproduction of the data:
The Constitutional Court has reiterated on different occasions that individuals have the right to determine the data they want to be known and have the right to determine what is called the “digital image”. This brings a challenge for (i) the principle of purpose, because it is not clear to the data holders how far the analysis carried out through these technologies will reach into their data. On the other hand, (ii) the principle of freedom may be violated, since the quality of the authorization that a holder is granting in these scenarios hardly reveals a prior, express and informed consent for treatment. Since Colombian law is a consent-based regulation, where legitimate interest is not a legal basis for processing, any activity performed on the data must be carried out under the scope of the authorized purposes.
Finally, the principle of veracity may also be affected, since the lack of awareness of the profiles that companies develop on the data holder makes it almost impossible for the holders to demand their rectification and exercise other legal rights.
- Appropriate security measures:
According to local law, data must be handled with the necessary technical, human and administrative measures in order to provide security. This may generate a challenge when defining the necessary measures applicable to disruptive technologies, because it requires a high understanding of how the systems work and of the appropriate procedure for guaranteeing security, including the application of a data privacy assessment for all the processes. Also, we have seen that there is a constant need for educating the IT teams and individuals in general on what may constitute a data breach and, accordingly, what measures would be necessary to contain its effects.
- Applicable jurisdiction for processing performed abroad:
Local regulation defines personal data as any information linked to or that may be associated with one or more specific or determinable natural persons. Although Colombian data protection laws generally state that the scope of protection is limited to treatment of personal data performed in Colombian territory, or whenever Colombian law is applicable to the controller or processor not established in Colombian territory, the Superintendence of Industry and Commerce has stated in recent decisions that any operation performed on fragments of information that are linked or that may be linked to an individual resident or domiciled in Colombia is protected under Colombian data protection laws. Therefore, given the scope of such decisions, it is not entirely clear what the applicable jurisdiction for data processing is, particularly with respect to overseas companies operating outside Colombia.
How data protection authorities have already approached these challenges
Below and for easy reference is a summary of relevant considerations included in the decisions of the Superintendence of Industry and Commerce, our Data Protection Authority (DPA), regarding the application of local data protection law in IT scenarios.
Case 1: Social media platform
The main purpose of the analysis performed by the authority was to identify if the company failed to comply with Colombian data protection regulation, regarding the Security Principle and Accountability Principle, in the events related to a security incident. The DPA concluded that the company did in fact fail to comply with its obligations to provide the necessary measures to avoid security infringements and unauthorized access to personal data and, therefore, violated Colombian regulation. In addition, the DPA considered that both the local company and the foreign company processing personal data came under the scope of Colombian regulation and therefore such processing must comply with local legal requirements. This decision ordered the company to develop, implement and maintain the necessary measures to avoid unauthorized access, even when it is performed by commercial allies, related companies, and application developers. The DPA also ordered the company to adjust the agreements with third parties, including commercial allies, related companies, and application developers, to ensure that those documents comply with Colombian regulation regarding data protection requirements.
The DPA did not impose penalties but ordered the company to adopt the necessary measures to comply with Colombian data protection regulation.
Case 2: Social media platform
The main purpose of the analysis performed by the Data Protection Authority was to decide the appeal filed by the company against a prior decision issued by the DPA. In the appealed decision, the DPA concluded that the company failed to comply with Colombian data protection regulation, ordering it to develop and implement measures that complied with the existing regulation. The arguments of the appellant can be summarized in the following three main points: (i) the investigation performed by the DPA was not notified to the company, restricting its right of defense and due process, (ii) the appellant, as the local subsidiary, is not responsible for the services provided by the foreign company and thus does not have the ability to comply with the measures regarding data protection, and (iii) the appellant is a simplified stock company which is independent from the other companies that form the company’s business group, so it cannot be responsible for the actions of other companies that make up the same group. The DPA dismissed the arguments raised by the appellant, arguing that the investigation performed by the DPA was conducted in compliance with the administrative process established by law, allowing the appellant to exercise its right of defense and notifying it that an investigation was taking place. The appellant chose not to take part in the investigation until its later stages. Regarding the second point, the DPA understood that even though the appellant does not have the same ability to manage user data as the foreign company, it is responsible for collecting the data of Colombian users and offering it to third-party companies that use it in their marketing campaigns; thus the appellant does take part in the management of users' data in Colombia.
Finally, the DPA established that even though the appellant is an independent company, its actions depend on the decisions taken by its sole shareholder, which is subordinated to the foreign company, meaning that a relationship exists between them and that the appellant is an extension of the activities performed by the foreign company on Colombian soil, managing user data and offering it to third parties.
The DPA confirmed the decision ordering the appellant to adopt the necessary measures to comply with Colombian data protection regulation.
Case 3: Collaborative platform – transport
The main purpose of the analysis performed by the authority was to identify if the company failed to comply with Colombian data protection regulation related to the Security, Restricted Circulation and Accountability Principles, as a result of the security breaches that occurred in 2016 and 2017 and were reported by the company. The DPA concluded that the company failed to comply with its obligations to provide the necessary measures to avoid security infringements and unauthorized access by third parties to personal data protected under local regulations and, therefore, violated Colombian law. In addition, the DPA considered that, as both the local subsidiary and the foreign company processed personal data under the scope of Colombian regulation, such processing must comply with local law requirements and therefore falls under the DPA's enforcement actions.
The DPA did not impose penalties but ordered the company to adopt the necessary measures to comply with Colombian data protection regulation, especially related to security measures to prevent security breaches.
Case 4: Collaborative platform – e-commerce
The main purpose of the analysis performed by the authority was to identify if the company had violated data protection regulations by unsatisfactorily responding to a claim filed by one of the users of its digital platform. The DPA concluded that the company had violated data protection regulations for two main reasons: (1) it did not secure the effective exercise of the user's right to delete his personal data from the databases involved, considering that the user filed a claim directly before the company and it took more than four months for the company to stop sending advertising to the user; and (2) the company did not comply with its obligation to keep evidence of the user’s consent in order to demonstrate compliance before the authorities and data holders. The DPA says this evidence is not only regarding the collection of consent, but that it must also prove that the user was duly informed when such authorization was provided. In this particular case, the DPA considered that (i) the company failed to prove that the user checked the box to accept his data processing, (ii) notwithstanding the fact that the user kept using the application, this could not be considered as unambiguous authorization because there was no evidence that the user was duly informed per the legal requirements and (iii) no measures were taken by the company in order to determine the identity of the user as the holder of the personal data being provided.
The authority imposed a penalty on the Company of around US$90,000 and ordered it to comply with data protection regulation.
The Colombian regulatory framework has evolved during recent years to provide an appropriate environment and incentives for both public and private entities to adopt digital transformation.
Although this regulatory framework supports the adoption of new and disruptive technologies, the strict application of prior regulation may be one of the most important challenges and disincentives for innovation. This is especially important with regard to the data protection regime, as data may be considered as the “gas” of most of the technologies that support digital transformation. In this sense, local privacy law may be in certain ways inflexible in non-traditional scenarios.
At this point it has become highly important that the central government develops a regulatory framework that promotes digital transformation, focused on the review and update of prior regulations that may not be state of the art. It is necessary to structure this regulation to be flexible enough to evolve and be applicable to non-traditional scenarios. Yet, it is also important to recognize the importance of data privacy and protection as a fundamental right under the Colombian Constitution.
Some relevant regulation adopted by the Colombian government to promote digital transformation in public entities:
| Policy or regulation | Purpose |
|---|---|
| CONPES Document 3072 “Connectivity Agenda” approved in 2000. | Spread the use of information technology and thereby increase the competitiveness of the productive sector, modernize public and government institutions, and democratize access to |
| Decree 1151 of 2008. | Established the Online Government Strategy. |
| CONPES 3650 “Strategic Importance of the Online Government Strategy”. | Set the basis to improve the services offered to citizens, increase the efficiency and effectiveness of public management, and raise transparency and citizen participation. |
| In 2015, Decree 10789 further updated the Online Government Strategy. | This regulation proposes a more unified vision of digitization, by enabling the spread of government services online. |
| Digital Government Policy of 2018. | Principles of innovation, competitiveness, proactivity and information security. This policy shows a more unified vision of digital transformation. |
| Document CONPES 3920 “National Data Exploitation Policy (Big Data)” of 2018. | The main purpose of this policy was to encourage the use of data as an asset that can generate social and economic value in Colombia. |
| The current National Development Plan 2018-2022 (PND). | Grants a leading role to the digital transformation of society within the economic and social development of the country. |
| Presidential Directive 02 of 2019. | Simplifies digital interaction between citizens and the state, with the purpose of improving the provision of digital services of trust and quality. |
| Document CONPES 3975 of 2019 “National policy for digital transformation and artificial intelligence”. | This policy aims to enhance the generation of social and economic value in the country through the strategic use of digital technologies in the public sector and the private sector, to boost productivity and promote the wellbeing of citizens, as well as generating cross-enablers for digital transformation by sectors. |