The Superintendence of Industry and Commerce, through its Office for the Protection of Personal Data, issued Resolution Nº 12129 of April 1st 2020 by which it resolved the appeal filed by Facebook Inc (company based in the United States).
The decision not only ratifies the administrative order that had been issued in January 2019 towards Facebook Inc. to increase its security measures, but it also concludes that the Colombian law applies to foreign companies that, without being based in the territory of the Republic of Colombia, use technologies in said territory to collect and process data from Colombians.
The following are the primary conclusions of the resolution of the Colombian DPA Nelson Remolina Angarita:
FIRST: The Statutory Law 1581 of 2012 of the Republic of Colombia does apply to Facebook Inc. (company based in the United States) because said company collects personal data in the territory of the Republic of Colombia through web cookies that it installs in the computers and devices of people residing or domiciled in Colombia.
SECOND: The Statutory Law 1581 of 2012 is applicable, among others, when:
- The Processing of personal data is carried out by the Controller or Processor, based or not in Colombian territory, who directly or indirectly, through any means or procedure, physical or electronic, collects, uses, stores or processes personal data in the territory of the Republic of Colombia; and
- The Controller or Processor is not based in the Republic of Colombia nor process personal data within Colombian territory. But there are international standards or treaties that oblige them to comply with Colombian regulations.
THIRD: Although Facebook Inc. is not physically based in Colombia, it uses electronic tools within the territory of that country to collect personal data. Therefore, Facebook Inc. performs personal data Processing in Colombian territory to which Statutory Law 1581 of 2012 is applicable;
FOURTH: Facebook Inc. is the Controller of the processing of the personal data that is collected in the Colombian territory through web cookies. Therefore, Facebook Inc. must comply with Statutory Law 1581 of 2012 and its regulatory provisions;
FIFTH: The principle of Accountability regarding the Processing of personal data, imposes on Facebook Inc. the duty to prove that it has adopted appropriate and effective measures to guarantee the security of the information of its users;
SIXTH: An administrative order is not a sanction, but a preventive measure so that, among others, the security in the Processing of personal data that carries out Facebook Inc. is guaranteed. The sanctions for violating Statutory Law 1581 of 2012 - fines, suspension of activities, temporary or permanent closure- are provided for in article 23 of said regulation. There it can be seen that the orders are not sanctions;
SEVENTH: A company as decisive in the cybersecurity of the world as Facebook Inc is, due to the number of users (more than 2.4 billion people) and the quality of the information it collects and processes, it has the duty to be more than diligent in the Processing of personal data, in order to guarantee the protection of people and their privacy.
Facebook Inc has the enormous responsibility to guarantee the security of the information of all its users, which forces it to be extremely diligent in this work and not to spare efforts to respond for the security of the personal data of billions of users.
Without security there is no such thing as a correct Processing of personal data. Consequently, Facebook Inc must be responsible, diligent and very professional with a secure Processing of the personal data of the users it carries out.
EIGHTH: In the cyberspace, people's rights do not disappear or diminish. Cyberspace has been characterized by being a global scenario not delimited by geographic borders where activities take place within the technological architecture of the Internet. Although it is a "virtual world", its citizens are billions of real people located almost anywhere in the "physical world" whose activities have an impact and consequences in the "real world".
Despite the fact that the Internet's field of action goes beyond national borders, for the Constitutional Court of the Republic of Colombia the new technological scenario and Internet activities are not detached from their obligations regarding the constitutional mandates. For this reason, said Court concluded that "in the Internet (...) there may be virtual reality, but this does not mean that rights, in that context, are also virtual. On the contrary, they are not virtual: they are express guarantees for whose effective enjoyment in the so-called "cyberspace" the constitutional judge must also ensure". Said Corporation emphasizes that "no one could sustain that, because it is the Internet, users can suffer a decrease in their constitutional rights". (Republic of Colombia. Constitutional Court. Judgment C-1147 of October 31, 2001).
The official and complete text of the resolution can be found here.