Prepared by Mariana Rojas
At the end of August 2024, the Superintendence of Industry and Commerce (SIC), the main authority for the protection of personal data in Colombia, issued two key circulars that reinforce the regulation of personal data processing. These regulations focus especially on artificial intelligence (AI) systems and the responsibilities of social administrators.
External Circular No. 003, issued on August 22, establishes that social administrators, including legal representatives, members of the shareholders’ assembly, and board members, can be jointly responsible for complying with obligations related to personal data protection. This requires administrators to identify and manage risks that may threaten the rights and freedoms of data subjects.
Among the obligations included in this circular, administrators must implement adequate security measures, classify risks, and incorporate technologies that ensure the protection of personal information. It is also essential that they include a risk management component in their internal policies that allows for a continuous assessment of vulnerabilities, allocating the necessary resources to mitigate potential incidents. Furthermore, it is established that privacy impact assessments must be detailed and reflect both risk evaluations and data processing operations, ensuring their proper management and security.
On the other hand, External Circular No. 002, issued on August 21, 2024, focuses on the regulation of personal data processing in artificial intelligence systems. Recognizing the influence of AI in multiple social spheres and this technology's dependence on large volumes of data, many of which may be personal, the SIC has established a series of guidelines aimed at ensuring appropriate and secure handling of this information.
Following recent jurisprudence from the Constitutional Court, the SIC emphasizes that both Law 1266 of 2008 and Law 1581 of 2012 are technologically neutral. This means that the use of new technologies such as AI requires additional guidance to prevent risks in personal data processing that may compromise the consent of data subjects and their right to privacy.
In this regard, the SIC establishes a series of determinations for data processing in AI:
- Treatment Principles: Data processing must be suitable, necessary, reasonable, and proportional, always ensuring that the benefits do not outweigh the drawbacks regarding the restriction of the right to privacy.
- Preventive Measures: In situations of uncertainty about potential harms, either preventive measures must be adopted to protect the rights of data subjects or the data must not be processed.
- Risk Management: Administrators must implement risk management systems that allow for the identification, control, and monitoring of any threats to data protection.
- Privacy Impact Assessment: Before developing high-risk AI projects, a detailed study must be conducted, including an assessment of risks and the necessary measures to avoid them.
- Veracity and Accuracy: The data used in AI must be complete, accurate, and verifiable, prohibiting the processing of inaccurate or incomplete information.
- Security Measures: These must cover technological, human, administrative, and physical aspects, and be auditable to ensure continuous improvement.
Finally, the SIC clarifies that information available on the internet is not freely accessible, so administrators must obtain the corresponding authorization to process private, semi-private, or sensitive personal data available online, ensuring prior consent from data subjects.
With these two circulars, the SIC strengthens the regulatory framework to guarantee the protection of personal data, both in the context of artificial intelligence and in the responsibilities assigned to social administrators. However, the extent of the responsibility assigned to these administrators regarding personal data processing is still not entirely clear, especially concerning the legal implications of non-compliance. Future statements from the SIC are expected to provide greater clarity and legal certainty about the obligations and risks faced by administrators in this crucial area for privacy protection in Colombia.
Do not hesitate to contact Brick Abogados if you have any concerns or if you would like more information on the topic discussed above.
This document is for informational purposes only and does not constitute legal advice, nor does it engage the responsibility or professional opinion of Brick Abogados.
