COLOMBIA Trends and Developments Contributed by: Maria Carolina Pardo and Carlos Ignacio Arboleda, Baker McKenzie
Considering that the regulatory definitions above are very broad, and that the location of the ser - vice supplier or infrastructure is not considered, it is not easy to determine in certain cases if a specific service or feature is regulated and, thus, if the supplier is considered a PRST under local regulations. Traditional services such as internet service provider (ISP), voice over Internet Proto - col (VoIP), Internet Protocol television (IPTV) and mobile voice and data are not only straightfor - ward in nature as regulated services, but are also explicitly included in the ITC registry. However, services offered online or through the cloud, where the supplier has no physical or corporate presence in Colombia and the tel - ecommunications component is less clear, have proven to be especially challenging. It is very common for cloud services to be offered by sup - pliers not located in Colombia, with infrastruc - ture also being located abroad and not invoiced locally. If these services fall under the regulatory defini - tions, suppliers are deemed as PRSTs and thus are required to register in the ITC registry prior to offering services. Failure to do so would imply that unauthorised regulated services are being offered in Colombia, with potential sanctions from MinTIC. However, it is also arguable that such services are not being rendered in Colom - bia and that no local entity is supplying them locally; thus, no local entity would be invoicing the services, and the effective royalties payable to regulators would be zero. There is still little guidance on these matters. Publicly available information from the ITC reg - istry does not appear to show that global cloud service suppliers have a local entity incorporated in the ITC registry, and there is no precedent on enforcement on foreign services suppliers by
MinTIC. This would suggest that these servic - es are not treated as locally regulated services but, considering the broad definition, it is not clear-cut that this is necessarily the appropriate approach. Enforcement of local data protection law on foreign entities The Colombian Data Protection Law, Law 1581 of 2012, defines “processing” as any action involving personal data, including its collection. The scope of application of the law is restricted to any processing that takes place in Colom - bia, which implies that the collection of personal data in the country triggers all legal obligations, regardless of whether any processing beyond collection occurs abroad. This has led the data protection authority, the Superintendence of Industry and Commerce (SIC), to consider Colombian law applicable to foreign entities that either have no local corpo - rate presence or do not collect personal informa - tion from Colombian data subjects through their local entity in Colombia. The SIC, in at least three decisions, has taken the view that the collection of personal data through cookies or similar mechanisms that are installed or accessed locally through personal devices (eg, mobile phones) amounts to the collection of personal data in Colombia. Therefore, according to the SIC, these entities, despite being entirely based abroad, are considered to be processing personal data in Colombia and subject to com - pliance with all obligations of local law. In this sense, the SIC issued administrative orders requiring companies to: • modify their privacy policies and consent forms to ensure compliance with the require -
51
CHAMBERS.COM
Powered by FlippingBook