Through Resolution 38281 of July 14th, 2020 the Superintendence of Industry and Commerce, Colombian Data Protection Authority, concluded the following:
Statutory Law 1581 of 2012 on the protection of Personal Data is technologically and thematically neutral. This means that it applies to any Processing regardless of the techniques, processes or technologies (current or future) that are used for said effect. Therefore, it must be taken into account in the collection, use and Processing of Personal Data for various purposes (marketing, political, portfolio collection, etc.) through the use of techniques or tools such as, among others, "predictive dialing", "robocalls", "nuisance calls" and artificial intelligence (AI).
According to the DPA, Nelson Remolina, the regulation regarding the Processing of Personal Data must be applied regardless of the procedures, methodologies or technologies ("predictive dialing", "robocalls", artificial intelligence, among others) being employed to collect, use or Process this type of information. Colombian law allows the use of technologies to Process data but, at the same time, requires for it to be done in a manner that is respectful of the legal system. Those who create, design or use "technological innovations" must comply with all the rules on the Processing of Personal Data.
The Processing of Personal Data (telephone numbers) regardless of the methodology or technology being used is lawful, such as, for example, "predictive dialing", "robocalls", "nuisance calls", artificial intelligence, as long as the data subject Consent has been obtained prior to the Processing, explicitly and informed.
Predictive dialers, "robocalls" and "nuisance calls" effectiveness have been improved with artificial intelligence and, in some cases, it has helped hiding the fact that the subject is talking to a machine. Predictive algorithms are also used in call center campaigns to identify and contact the subjects with whom there is a greater probability of selling a product or service.
In addition, it was specified that artificial intelligence involves the collection, storage, analysis and Processing of enormous amounts of information (including Personal Data) that are used to generate various results, actions and behaviors by machines. In other words, Personal Data is the food or fuel of AI and through the Processing of said information that is carried out, it must be respectful of Law 1581 of 2012 and its regulatory standards.
Remolina recalled that on this topic, in June 2019 the RED IBEROAMERICANA DE PROTECCIÓN DE DATOS -RIPD- issued the "General Recommendations for the Processing of personal data in artificial intelligence", where the following suggestions were made to those who develop AI products, in order to help them comply with the following requirements, since the design of them: I. Comply with local regulations on the Processing Personal Data; II. Conduct a Privacy Impact Assessment; III. Incorporate privacy, ethics and security by design and by default; IV. Materialize the Principle of Accountability; V. Design Appropriate Governance Structures in Organizations Developing AI Products; VI. Adopt Measures to Guarantee the Observance of Data Protection Principles; VII. Respect the Subject Rights and Implement Effective Mechanisms for the Exercise of Said Rights; VIII. Ensure Data Quality; IX. Use anonymization tools; and X. Increase subjects trust and transparency towards the project.
Finally, it was also highlighted that marketing, advertising and e-commerce activities are lawful as long as they comply with the regulations on the Processing of Personal Data. During 2019, the Superintendence of Industry and Commerce issued the following (2) guidelines in order for them to be taken into account by those who carry out such tasks:
- Guidelines regarding the Processing of Personal Data in e-commerce.
- Guidelines regarding the Processing of Personal Data for marketing and advertising purposes.
The full text of Resolution 38281 of July 14th, 2020 may be consulted in the following link.