Contributed By Lloreda Camacho & Co
According to the International Telecommunications Union (ITU), cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (eg, networks, servers, storage, applications and services) that can be rapidly provisioned and released. It is composed of five essential characteristics: on-demand self-service, ubiquitous network access, location-independent resource pooling, rapid elasticity and measured service, all of which are geared towards seamless and transparent cloud use.
Likewise, it has three delivery models, which are: application/software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS).
In Colombia, the National Association of Businessmen (Andi), based on its 2017 Digital Transformation survey, revealed that eight out of ten Colombian companies indicate that the digital tool they most implement to streamline their processes is cloud computing. This technology is therefore widely used in the country and, as is happening worldwide, its regulation involves different areas of law, as follows.
From the point of view of data protection, the Colombian Constitution establishes habeas data as a fundamental right, which guarantees individuals the right to privacy and intimacy.
There is also regulation on the transfer of data to third countries; that is, the simple passage of data through one or several territories using the infrastructure composed of all the networks, equipment and services required to reach their final destination.
The Superintendence of Industry and Commerce, the entity in charge of monitoring compliance with the data protection regime, established that the transfer of data to the following countries is authorised: Germany, Australia, Austria, Belgium, Bulgaria, Cyprus, Costa Rica, Croatia, Denmark, Slovakia, Slovenia, Estonia, Spain, the United States of America, Finland, France, Greece, Hungary, Ireland, Iceland, Italy, Japan, Latvia, Lithuania, Luxembourg, Malta, Mexico, Norway, the Netherlands, Peru, Poland, Portugal, the United Kingdom, the Czech Republic, the Republic of Korea, Romania, Serbia, Sweden and the countries that have been declared with the appropriate level of protection by the European Commission.
For other countries, the person responsible for data processing must verify whether that country complies with standards such as: the existence of regulations applicable to the processing of personal data; principles applicable to data processing such as legality, purpose, freedom, truth or quality, transparency, access and restricted circulation, security and confidentiality; normative provision of data holders’ rights; normative provision of the duties of those responsible and in charge; the existence of judicial and administrative means to guarantee the effective protection of the rights of data holders and to demand compliance with the law; and the existence of a public authority in charge of supervising the processing of personal data, compliance with the applicable legislation and protection of the rights of data holders, which effectively exercises its functions. If the above is not fulfilled, authorisation must be requested from the aforementioned Superintendence.
In addition, with respect to responsibility for the handling of data via cloud services, the onus is on the organisation that uses them. This entity is classified as being 'responsible' for or 'in charge' of the data processing under the terms of Law 1581 of 2012.
If the data centres are outside the country, these 'responsible' entities must observe the rules on the international transfer or transmission of data, depending on whether the recipient of the data acts as the entity 'responsible' for or 'in charge' of the data processing.
Law 1273 of 2009 set a new legal framework for the protection of information and data. Through this law, information systems are protected against attacks on the confidentiality, integrity and availability of data and computer systems. The Law criminalises, among these attacks, the abusive access to computer systems, the interception of data, the execution of computer damage, the use of malicious software, the violation of personal data, the impersonation of websites to capture personal data, theft by computer and similar means and the non-consensual transfer of assets.
At a regulatory level, the Communications Regulation Commission through Resolution CRC 2258 of 2009 obliges the providers of telecommunications networks and/or services that offer Internet access to use technical and logistical resources that guarantee the security of the network and the integrity of the service, to avoid the interception, interruption and interference of the same. This is in accordance with the security frameworks defined by the ITU, with regard to:
Likewise, it states that the providers of telecommunications networks and/or services must ensure the principles (confidentiality, integrity and availability) and security services (authentication, authorisation and non-repudiation) of the information required to guarantee the inviolability of communications, the information that is transmitted through them and the personal data of the subscribers and/or users, in relation to the networks and/or services provided by the operators.
It also compels them to adopt mechanisms that guarantee the confidential management, integrity and availability of the data of the subscribers and/or users, which can only be exchanged with other providers for purposes of the prevention and control of fraud in telecommunications and compliance with regulatory obligations that so require.
On the other hand, Circular 052 of 2007 of the Financial Superintendence requests organisations monitored by this entity to take effective measures to ensure that the delivery of information to third parties is subject to verification and compliance with certain minimum requirements, such as keeping encrypted information classified as confidential in transit or in situ; using internationally recognised standards and algorithms; having communication channels with the cloud service provider; ensuring that delivery is independent and encrypted from end to end, and where possible using different routes.
The same entity established, in External Circular 008 numeral 18.104.22.168.3 of 2018, that the entities subject to its application must ensure that the sending of confidential information and of the instruments for carrying out operations to their clients is secure. When such information is sent as part of, or attached to, an email, instant message or any other form of electronic communication, it must be encrypted.
The World Economic Forum has defined blockchain as a tool that allows consumers and suppliers to connect directly, removing the need for a third party. Using cryptography to keep exchanges secure, blockchain provides a decentralised database, or 'digital ledger', of transactions that everyone on the network can see. This network is a chain of computers that must all approve an exchange before it can be verified and recorded. It also offers the ability to put agreements, rather than transfers of ownership, onto a blockchain. These are known as smart contracts.
According to the Superintendence of Industry and Commerce, it is possible to see the adoption of blockchain in Colombia in the incorporation of cryptocurrencies based on public protocols for the transfer of funds mainly as a substitute for traditional methods of sending remittances. In the financial sector there are initiatives focused on developing cases of application of blockchain protocols to facilitate international interbank payment and transfer systems. In the governmental sphere, tests have been carried out in relation to voting systems based on open blockchain platforms from Ethereum.
Blockchain in Colombia is considered as an emerging technology. The Antitrust Agency did not find any patents developed in Colombia and, at the scientific level, there is only one scientific article in one of the high-impact databases.
Thus, due to the disruptive nature of this technological development, in Colombia there are still no concrete rules that regulate its operation or application. Based on its definition and operation, it is possible to identify the current regulations that would apply to it.
Risk and Liability
One of the main issues affecting blockchain is the liability of the company managing the platform. The allocation and attribution of risk and liability in relation to a malfunctioning blockchain service must be thought of not just at the vendor or customer level, but also at the level of all relevant participants.
Within the Colombian contractual framework, the contracting parties can foresee an intensification or reduction of the debtor’s liability standards, since the law protects private interests.
In this regard, a breach of contract makes the debtor liable for any direct damages that had been foreseen in the contract; in the case of fraud, the debtor is also liable for unforeseen damages.
On the other hand, non-contractual civil liability usually arises from damage caused without any prior contractual relationship or where, despite the existence of a previous contract, the damage caused is entirely unrelated to the contract’s object. This regime works under the assumption that those who have caused damage as a result of their conduct, without any justification, must compensate for the loss caused. Only legally protected damage will be subject to this type of liability.
Likewise, with regard to third parties that are not party to a contract but have caused damage, they will also be accountable. According to the Constitutional Court, it suffices to show that the perpetrator of the damage or loss has behaved in a selfish, inconsiderate or negligent way in order to be held accountable for his or her actions.
Moreover, there are specific issues where the law assigns responsibilities, on the one hand to the handling of personal data, a subject that is developed later in the section on personal data, and on the other hand in the face of cybersecurity.
Regarding cybersecurity, the current digital regulatory framework contains rules with which those who trade or perform some type of transaction via the Internet must comply.
At the financial services level, blockchain technology is not prohibited for financial entities. Financial entities are permitted to use technology to develop the activities that have been authorised to such entities (including the use of blockchain technology). However, the Colombian Financial Superintendence has issued the circular letter 052 of 2017 setting forth that supervised financial entities are not authorised to hold, invest, intermediate or operate with cryptocurrencies, nor allow the use of their platforms to carry out operations with cryptocurrencies. For this reason, financial entities cannot develop blockchain technologies aimed to facilitate operations with cryptocurrencies. However, the Colombian Financial Superintendence has implemented a supervisory sandbox, allowing financial entities along with fintech companies to structure new products and to lift some guidelines set forth by the supervisor. This may allow crypto-assets and blockchain technologies to be integrated into the financial system if a project proposes to lift this specific supervisor’s restriction pursuant to circular letter 052 of 2017.
On the other hand, circular letters 029, 042 and 052 of the Financial Superintendence and an annex to the Basic Legal Circular of the same entity, known as the Cybersecurity Circular 007 of June 2018, require financial institutions and other companies which trade online to meet the following requirements:
In addition, regarding telecommunications service providers and network providers, they must comply with the provisions of Resolution CRC 3067 of 2011 which establishes for providers that offer access to the Internet the duty to use technical resources to guarantee the security of the network and the integrity of the service, to avoid the interception, interruption and interference of the same.
Regarding blockchain technology and data protection, it should be noted that blockchain technology can contain the personal data of its participants and miners when they identify themselves with a public key and when additional data is added to a specific transaction, such as identification documents or financial information from a determined person. Colombian laws do not account for this technology specifically, but whenever blockchain contains or manages personal data it may be considered a database under Law 1581 of 2012 and legal data protection parameters will be applicable. Additionally, for Colombian corporations that are applying GDPR parameters because of their EU clients or because they have voluntarily decided to apply them they must comply with the GDPR analysis regarding identification of the data controller, enforcement of rights and the implementation of an appropriate security regime, following the security obligations set forth in the aforementioned guideline.
Service levels are freely negotiable between the parties to a contract. Certified merchant custom does not establish anything specific about service levels either. In this sense, they will depend on the willingness of vendors to commit to performance assurances based on both their risk/reward profile and service delivery model.
Taking into account that big data, machine learning and artificial intelligence are still emerging technologies in Colombia, there is still no legislation or regulation that applies to them exclusively. In this context, the liability regime has already been explained in relation to blockchain. Responsibility for any contractual failures will correspond to the contractual agreement. In addition, there is a legal guarantee (Law 1480 of 2011, Article 7) that vendors must provide with respect to the quality, suitability, safety, condition and functioning of their products. With regard to any services that the provider has an obligation to provide, the guarantee is given not in relation to the end result but to the level of quality in the provision of the service, according to the conditions established by mandatory regulations, as is the case for the rules governing cybersecurity and the protection of personal data, or the conditions offered by the service provider.
Both producers and suppliers are jointly liable for this legal guarantee made to consumers. They may be exempted from this responsibility only by force majeure or fortuitous event; a third-party act; or the consumer's improper use of the goods or failure to comply with the instructions for installation, use or maintenance indicated in the product manual (Law 1480 of 2011, Article 16).
Thus, producers and suppliers would be responsible for only what has been agreed contractually on design defects, defects of manufacture, defects of information and failures concerning appropriate usage. In the case of services such as big data or software, in accordance with the current regulations, producers and suppliers would be accountable for the quality of services offered and agreed contractually.
In this sense, regarding errors or failures attributable to artificial intelligence in which there has been no human intervention, the onus of responsibility is on the producer or service provider. A machine or software failure is not yet regarded as constituting an exemption from liability.
In this regard, insurance in Colombia continues to deal with traditional forms of cover and does not yet account for claims related to AI, although some insurers are already looking into how to implement it.
Concerning intellectual property, the applicable IP regime – that is, Andean Decision 486/2000 – excludes from patentability discoveries, scientific theories, and mathematical methods, computer software as such and forms/manners of presenting information (Article 15). These exclusions pose a challenge to inventions that relate to big data or blockchain technologies as they may be considered as not patentable subject matter. It should be mentioned that trade secrets are the preferred IP tool for ICT developments.
Second, there is still legal uncertainty as to the ownership of patentable inventions developed by AI. Being such a new topic, there is no case law concerning inventorship rights with regard to AI.
Third, although the Colombian Patent Office accepts computer-implemented inventions, whether they meet the patentability criteria still depends on the ability of the software to interact with hardware and to solve a technical problem. In many cases this can be subjective and difficult to separate from a mere form of presenting information or from a mathematical formula such as an algorithm.
On the other hand, in Colombia software is considered a copyrightable work; hence, it is governed by copyright law (Law 23 of 1982), and as such all developments in this field have as their author the people who developed the software. This can be troublesome when software is built on third-party data that may be considered sensitive, or when such developments are made by AI. Generally, AI can be seen as an authoring tool, and for this reason its owner will be deemed the author of any new developments; however, in practice these issues have not been settled by the courts.
Also, compilations of data can be considered a protected work without having to be 'artistic' or 'creative'. The mere compilation and organisation of the information gives the author rights over such work. These provisions raise certain issues, mainly regarding the ownership of the data, since in Colombia personal and sensitive data is considered to be the sole property of the person to whom it is linked. As a result, the owner of the data can request the exclusion of their information from the compilation, and the work would no longer be the same. It will change constantly through the addition and removal of data, giving no certainty whatsoever as to what information makes up the work.
Those who wish to implement Internet of Things (IoT) projects in Colombia must necessarily refer to the regulations on data protection. As discussed, there is a legal obligation to obtain express consent to handle the data of data subjects, to guarantee the rights of the data subject and to implement security and confidentiality measures, among others. However, the rule most likely to affect IoT concerns the transfer of data to third countries, which, as mentioned in the discussion on cloud computing, allows the transfer of data to certain countries; for those not listed, the authorisation of the Superintendence of Industry and Commerce is required.
There is no particular restriction in Colombia regarding the provision of technology services beyond the aforementioned regulations on data protection and cybersecurity. In general, everything will correspond to the agreements that the contracting parties make. With respect to this type of service, the mercantile custom certified by the Chamber of Commerce of Bogotá is as follows (Chamber of Commerce):
Colombian authorities have issued specific regulations on personal data protection since 2012. The general regulation on personal data protection is established by Law 1581 of 2012 and its regulatory decrees (Decree 1377 of 2013, Decree 886 of 2014) (collectively, the 'General Data Protection Regulation'). Such regulation is only applicable to the processing and handling of personal data of individuals; however, it shall apply to legal entities in the case in which the handling of data from such entities affects rights or information of individuals that are related to the entity.
It is important to note that before the issuing of the General Data Protection Regulation mentioned above, the Colombian Constitution established as a fundamental right the habeas data, which warrants individuals the right of privacy and intimacy. Also, there is a specific regulation on financial data protection, which applies to individuals and entities, and it only relates to the protection of financial information and to the way in which such information may be reported on debt management entities. This regulation is specifically established by Law 1266 of 2008 and its Regulatory Decrees 1727 of 2009 and 2952 of 2010. Importantly, Decree 1074 of 2015 unified commercial regulations, including the regulations mentioned on data protection.
In general terms, when discussing personal data protection in Colombia one should refer to the General Data Protection Regulation, which does not establish distinctions between individuals and companies since it only applies to individuals; therefore, this regulation does not refer by any means to the data of entities. In fact, there is no protection (different from the confidentiality regulation) that should apply to data from companies, unless it is specifically related to the data of individuals and their rights are being affected.
The Superintendence of Industry and Commerce (SIC) is the entity in charge of enforcing the regulation on personal data protection and also will be in charge of the National Registry of Databases, which is a general registry in which specific information on each database shall be registered. The SIC will be responsible for ensuring the compliance with the Data Protection Regulation and of applying sanctions when there is a violation to the regulation. The following are the applicable sanctions in the case of breach of the regulation:
In addition, the above applies to the aforementioned regulations on the transfer of data to third countries.
Colombian regulations do not prohibit an employer from monitoring and limiting employees’ use of computer resources or any other working tool.
As computer resources are provided for employees to carry out their work activities, the employer is entitled to review and monitor the information related to computer resources and to establish the conditions for its use. Likewise, it is feasible to limit employees’ access to the Internet, private use of corporate email or any other condition the employer considers appropriate to safeguard its information and the appropriate use of computer resources.
Law 1341 of 2009 determines the general framework for the formulation of public policies that govern the ICT sector. According to Article 10, only providers of telecommunications networks and services are subject to this regime.
The Ministry of Telecommunications defined in Resolution 202 of 2010 telecommunications services as the services provided by network providers to meet the specific needs of its users. They differentiate these from the definition of content and applications.
In this context, currently those services that apply to the telecommunications regime are fixed and mobile telephony services, Internet service provision and sound broadcasting services.
For both telephony and Internet service provision, there are no prerequisites in terms of provision because these services can be offered by means of general authorisation, enrolling in the ICT registry. In this regard it is necessary to be registered in Colombia as a company or, in the case of individuals, to be tax registered. This does not include permission for use of the spectrum. The Ministry grants these permits through auctions and for those who wish to gain access, they must comply with the requirements established by the Ministry in each auction.
With respect to the provision of sound broadcasting services, those interested in offering these services must be registered in Colombia as a company and must sign a concession contract. To do so, they must comply with the requirements established by the entity for the hiring process. These contracts include permission for the use of the spectrum.
The television service is defined in Colombia as a telecommunications service that offers TV programming to the general public or a part of it, which includes the emission, transmission, diffusion, distribution, radiation and reception of audio and video signals simultaneously. It is a telecommunications service and not a content provider. OTT video services, by contrast, do not meet the emission, transmission, diffusion, distribution, radiation and reception requirements established by law.
Those interested in providing television services must be registered in Colombia as a company and must sign a concession contract. In order to do so, they must comply with the requirements established by the regulatory entity for the contracting process within the public bidding process, or for the permission in the case of satellite television.
Once they sign the concession contract, as it is a regulated public service, they must comply with a series of special obligations regarding the quality of service provision, the protection of users, customer service and programming content, among others.
These requirements are not applicable to OTT video or online video channels.
There are no specific, cross-industry rules regulating encryption. At the financial level, there are rules regarding the use of cloud computing services. In them, the Financial Superintendency establishes the obligation to keep information classified as confidential encrypted in transit and in situ, using internationally recognised standards and algorithms that provide at least the security offered by AES or 3DES.
It also requires having communication channels with the provider of services in the cloud, independent and encrypted from end to end, and where possible using different routes.
The Financial Superintendency sets out in External Circular Letter number 008 numeral 22.214.171.124.3 of 2018 (Congress of the Republic, Civil Law) that the entities subject to its application must ensure that the sending of confidential information and of the instruments for carrying out operations to their clients is secure. When such information is sent as part of, or attached to, an email, instant message or any other form of electronic communication, it must be encrypted.
On the other hand, in the case of negotiating a contract with the state, some entities may demand specific terms and conditions relating to information encryption in the contracting process.