Colombia’s Congress and one of the country’s top courts are reconsidering decrees that complicate consumer efforts to keep personal information private and mandate companies to share client data with the justice authorities.
Reports released Wednesday by Caracol Radio indicate that Colombia’s State Council is days from officially suspending a year-old decree mandating telecommunications firms to share private consumer data with military and police authorities.
Controversy regarding Decree 1704 has died down since it was placed under review by the Council last August, but the debate over the rights of citizens to protect their personal information from the government is gaining new relevance in light of efforts in the Colombian Senate to challenge another government decree relating to consumer privacy.
On Tuesday, Senator Luis Fernando Vasco summoned the Superintendent of Industry and Commerce to appear on the Senate floor and explain for the record the logic behind regulations giving companies potentially limitless discretion to use and share Colombians’ personal data.
At issue is government Decree 1377 regulating the implementation of Vasco’s Habeas Data Law, the statute passed in 2012 to protect the private information of Colombian citizens.
Every Colombian has a “fundamental right to know, update and rectify all types of information that have been collected about him in the archives of public and private entities or have been subject to ‘processing’ in banks or databases in general,” explains intellectual property and information technology legal expert Wilson Rafael Rios in a paper published after the passage of the law.
The ability to tightly control the flow of one’s personal information, he writes, “has strong backing” in Article 15 of the Colombian Constitution and various Constitutional Court rulings.
Every individual has the right to personal and family privacy and to his/her good reputation, and the state will respect them and have these rights and ensure they are respected. Similarly, individuals have the right to know, update, and rectify information gathered about them in data banks and in the records of public and private entities.
Article 15, Colombia’s constitution
With the intent of strengthening existing statutes, lawmakers in 2012 expanded the 2008 law that previously regulated consumer data sharing. While Law 1266 only protected consumers’ commercial and financial data, Law 1581 expands protections across the board, including protections for “private” information (e.g., salary and sexual preference), “public” information (name and title), and “semi-private” information (address and phone number) that is, in principle, private but can be made open to the public (via, for example, the act of registering in a phone book).
The new law is essentially all-encompassing. It gives Colombians complete control over the use of information ranging from health records to religious beliefs, to organizational affiliations, to spending patterns.
In that sense, a decree passed in June by the Trade Ministry dilutes Colombians’ constitutional rights, at least in the eyes of privacy advocates like Senator Vasco, who called the interpretation of his Habeas Data Law “unconstitutional, illegal and impractical.”
According to Vasco, the new government policy “generates a tacit authorization for [entities] that have access to Colombians’ personal information to use that information however they want to (…) that is contrary to the fundamental rights of Colombians and against the spirit of laws [1266 and 1581].”
The decree in question requires citizens to explicitly deny any database the right to share or use their information in ways not specifically authorized. Most Colombians have been getting emails recently, for example, asking permission to continue using personal data in one way or another. What many don’t realize, though, is that a lack of response is considered an affirmative.
The problems, according to Vasco, are twofold.
The first has to do with the nature of information sharing. “When we as citizens present information to a database,” he said, “we are not ceding them the data. We are simply allowing that database, under express terms of authorization, to use that information toward a specific end.” The government’s interpretation, in other words, reverses the default legal assumption the law was intended to make.
The other objection is more oriented to practical considerations. “How many people,” asks Vasco, “know how many databases [their information] is in?”
“Every time [a Colombian] registers in a hotel, they are placed in a database with absolutely all their personal information. Are we supposed to know how many hotels we’ve stayed in, to keep track of how many hotels we’ve registered in? Everytime we make a purchase, we are put into a database. Every time we initiate a credit activity, we are put into a database. Every time we buy a telephone landline, a cellphone line, we are put into a database. An average citizens can easily find themselves in 30 databases without even knowing it.”
“In a world and a medium in which commerce is increasingly becoming virtual, those databases obviously have value, and those companies are going to profit off of them while affecting the peace of the citizenry.”
Vasco’s arguments pertain specifically to the marketplace and basic economic activity, but the question of “the peace of the citizenry” has more direct meaning in light of the degree passed last June by the Justice, Defense and Communications Ministries.
Decree 1704 ordered telecommunications and internet providers to disclose the personal data of their clients — including names, billing addresses and connection types — to the Public Prosecutor’s Office and other “relevant bodies,” and renewed fears related to past revelations of extensive, and targeted, illegal wiretappings of union leaders, judges, journalists and opposition leaders by now-defunct security agency DAS.
Caracol Radio reported Wednesday that the State Council will soon enact an official suspension of the decree, to remain in effect until the high court has had time to consider the measure’s legality.
It is unclear why the Council delayed almost a year in enforcing a suspension originally announced last August, and whether the government has been able to collect private consumer data in the meantime. Neither government officials nor Senator Vasco were available for comment because of Wednesday’s bank holiday.
- Suspende provisionalmente decreto que permitia aceso a bases de datos (Caracol Radio)
- Comisión Primera del Senado abre debate político por las bases de datos (CM&)
- Comentarios y precisiones sobre la normatividad vigente en colombia sobre proteccion de datos personales — Habeas Data (Universidad Externado de Colombia)
- Chuzudas legales: mas preguntas que respuestas (Dejusticia)