Colombia May Designate U.S. as Data-Transfer-Safe Destination


By David Haskel

Colombian business interests are reacting favorably to a government proposal to make data transfers to the U.S. easier by finding its privacy laws adequate to protect personal data, privacy attorneys tell Bloomberg BNA.

The draft amendments to Colombia’s privacy rules aim for a more market-friendly approach that could ease the flow of low-level personal data to other nations and help attract investment, particularly by U.S. companies. Allowing U.S.-based multinationals to more easily move information in the global digital economy would make Colombia a stronger prospect for business investment, attorneys said.

The Industry and Trade Superintendence (ITS), the country’s privacy regulator, offered the draft proposal for public review July 18. In it, the ITS added the U.S. to the list of acceptable jurisdictions for receiving transfers of personal data from Colombia. The U.S. wasn’t included in the previous draft proposal issued in February.

Having the U.S. on a privacy adequacy list is significant because the European Union and countries that rely on privacy protection adequacy findings to allow broad data transfer approvals haven’t added the U.S. to their lists. The EU only recognizes U.S. privacy adequacy in the context of specific pacts to share airline passenger name records with law enforcement and national security officials, and to allow companies in the EU-U.S. Privacy Shield data transfer program to accept data transfers out of the bloc if they self-certify to the U.S. Department of Commerce their compliance with EU privacy principles.

The ITS added the U.S. after being pressured by industry groups, Heidy Balanta, head of the Escuela de Privacidad information technology law firm in Bogota, told Bloomberg BNA. “Corporate circles see it in a positive light and are happy with the proposed rules,” she said.

Dionisio de la Cruz, a business law senior partner with the Archila Abogados law firm in Bogota, told Bloomberg BNA that the country’s 2012 framework data protection law hews to EU standards. Putting the U.S. on the safe data destination list isn’t a full departure from European standards because it would only cover “data transmissions” of nonsensitive information among units of a company located in separate jurisdictions, or merely for storage purposes, such as in cloud computing, he said.

The more comprehensive term “data transfer” involves giving the recipient data-use rights, de la Cruz said. Data transfers would involve stricter privacy requirements, such as individual consent, he said. The distinction should facilitate business by simplifying procedures for the cross-border flow of low-sensitivity data, Balanta and de la Cruz agreed.


The amended rules would allow a large measure of self-regulation. They would establish a presumption that data transfer contracts are in compliance with Colombian privacy law, with ITS notification being the only requirement before undertaking the transfer. The regulator would retain the right to verify the details of such contracts and take enforcement measures as necessary.

“Self-regulation is a healthy approach,” Balanta said. “Markets know that they cannot operate efficiently without flexible rules that allow for the free flow of information.”

Corporations, in particular large multinationals, should have no problem adapting to the planned new requirements, de la Cruz said.

The Colombian government has said it plans to approve and publish the final amendments as early as September.

To contact the reporter on this story: David Haskel in Buenos Aires at

To contact the editor responsible for this story: Donald Aplin at

For More Information

The proposed rules amendments are available, in Spanish, at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
