Colombia’s Superintendence of Industry and Commerce (SIC) Instructs Google to Comply with National Data Protection Regulation

Colombia’s Superintendence of Industry and Commerce (SIC), in its capacity as the country’s Data Protection Authority, has published an order instructing GOOGLE LLC to implement new measures to comply with the national standard on Habeas Data.

The decision was taken in Resolution 53593, with the SIC having previously determined that the Data Processing Policy used by GOOGLE LLC, a company domiciled in the USA, failed to comply with 52.63% of the criteria required under Colombian regulation.

The SIC was able to ascertain that the company uses “cookies” to collect or process personal data in Colombian territory, which means that Law 1581 of 2012 is applicable to GOOGLE LLC, which has been found to collect or capture personal data via a tool that is installed on mobile devices and computers located in Colombia.

The SIC took the decision to:

  • INSTRUCT GOOGLE LLC that any personal data that they collect or process in territory pertaining to the Republic of Colombia, about persons resident or domiciled in the country, must be subject to a new appropriate, effective and demonstrable mechanism or procedure whereby at the moment that authorization is requested from each person, they will be informed of the following in a clear and simple manner:
    • The way in which personal data will be handled and used.
    • That responses to particular questions are optional when the data is sensitive or relates to young people.
    • The Owner’s rights with regard to their data.
    • The ID, physical or electronic address and telephone number of the party responsible for the handling of the data.

GOOGLE LLC as the Responsible party for the handling of data must retain proof of compliance with the above and provide a copy of this proof upon request.

  • INSTRUCT GOOGLE LLC to draw up an Information Handling Policy which complies with all of the requirements defined in Article 13 of Decree 1377 of 2013 (incorporated within Decree 1074 of 2015), and make it known to the data holders domiciled or resident in Colombian territory.
  • INSTRUCT GOOGLE LLC to implement an appropriate, effective and demonstrable mechanism or procedure in order to comply with the specific requirements demanded within Article 12 of Decree 1377 (incorporated within Decree 1074 of 2015) on the collection and handling of personal data pertaining to young people (under 18 years of age).
  • INSTRUCT GOOGLE LLC to register its databases in the National Database Registry, which is administered by the Superintendence of Industry and Commerce.
  • INSTRUCT GOOGLE LLC to present before the Superintendence of Industry and Commerce proof of prior, express and informed authorization issued by the legal representatives of young people (under 18 years of age) whose data has been collected or handled after the enactment of the Statutory Law 1581 of 2012.

GOOGLE LLC must certify its compliance with these orders by means of a certification issued by an independent, impartial, professional third-party company that specializes in the handling of personal data.

This investigation was launched ex officio by the Superintendence of Industry and Commerce to verify whether GOOGLE LLC complied with Colombian regulation with regard to the collection and use of the data of 38.962.184 Colombian adults and 1.847.592 minors, whose personal data is currently owned and handled by GOOGLE LLC.

Failure to comply with these orders will result in administrative sanctions and fines to the value of up to 2000 current legal minimum wages.

Appeals for reinstatement can be made to the Director of Data Protection Investigations and the Superintendent Delegate for Data Protection.