Autor : María del Pilar Duplat Molano y Gabriela Mancero
The Superintendence of Industry and Commerce (hereinafter “SIC”) fined three of the major telecommunication companies in Colombia, Directv, Claro (Comcel) and Avantel. The SIC considered that the habeas data right of the customers was breached by these companies given that personal information of individuals was consulted without their prior authorization and, because there were leakages that led third parties to have unauthorized access to the personal information of the affected parties.
The regulation for the use and management of personal information in Colombia
Data protection law in Colombia provides people with an habeas data right whereby individuals may exercise, know, update, rectify and suppress their personal information collected in public or private databases.The Constitutional Court of Colombia considers the habeas data right as an expression and guarantee of the right of privacy of people.
Colombian laws and regulation are very strict regarding the powers of those parties who manage or own databases. One of the paramount aspects in Colombian rule of law regarding habeas data is the principle of consent, whereby, people decide which personal information they wish to reveal and under which terms (for instance, purposes for which they authorize a third party to use their personal information).
Parties responsible for the management of personal information must inform the owner of such information about the purposes for which their personal information will be used and must obtain a prior authorization from the owner of said information so the third party cannot use that information for purposes different from the ones authorized to them.
Nowadays, information is one of the most important assets, especially in the telecommunication sector; thus, it is paramount to have robust mechanisms not only from a technical standpoint but also from the legal perspective to prevent the unauthorized use of the personal information of customers or the leakage of information to unauthorized third parties.
Directv, Claro an Avantel’s breaches
Due to complaints filed by customers of Directv, Claro and Avantel, the SIC decided that these three companies breached habeas data regulation by: (1) having consulted the credit score of the denouncing parties without their prior authorization; and (2) allowing unauthorized third parties to have access to personal information of their customers.
Consequently, the SIC fined these companies with sums that together amounted to a total of COP 864.000.000, i.e. USD 240.000, and it also ordered them to adopt measures to strengthen the security in the use of personal information of their customers.
Breaches in Financial Habeas Data
The SIC found that, both, Avantel and Claro, had consulted the credit score records of people without their prior consent or without having a legitimate reason to access said information pursuant to Law 1266 of 2008.
Article 15 of Law 1266 of 2008 provides that the legitimate reasons for accessing financial data information by the users are the following:
- As an analysis element to create or sustain a contractual relationship.
- To evaluate the risks derived from a current contractual relationship.
- As an element to carry out market research studies, commercial investigations or statistics.
- To carry out a procedure before a public authority or any other person under which it is necessary to collect said information.
Nonetheless, none of said reasons existed to justify the companies’ access to the credit score records of the customers without their prior authorization.
The case of Avantel
The SIC determined that Avantel had consulted the credit score records of an individual without his prior authorization; consequently, the SIC ordered the company to pay a fine of 133 minimum monthly legal wages (MMLW), plus 80 MMLW because it is a reiterated breach of the Company, amounting to a total of COP 176,388,708 (approx. US 55,220). Additionally, the SIC ordered Avantel to:
- Abstain from consulting the credit score records of its customers without their prior consent or without existing a legitimate reason pursuant to financial habeas data law; and
- Adopt suitable security measures to control the verification of the credit score records of its customers through policies of allocation of usernames and passwords.
The case of Comcel (Claro)
The SIC fined the company with a sum of COP 215,310,160 for having breached the financial habeas data regulation, considering that, even though there was an authorization from the customer to the Company for it to consult its credit score records, said authorization did not cover the purposes for which said information was consulted by the Company.
Consequently, the SIC determined that, due to the dimension of the damage caused to the financial habeas data right, the fine must be of 220 MLMW (COP 182,185,520, approx. USD 57,000). In addition, since this is a reiterated breach of Claro (Comcel), the SIC increased the sanction with an additional 100 MLMW (COP 82,811,600, approx. USD 26.,00). Nonetheless, since Claro (Comcel) pleaded guilty for the breach in the closing arguments, the SIC mitigated the sanction to 260 MLMW (COP 215,310,160, approx. USD67,200).
Leakage of Personal Data to unauthorized third parties
The SIC also fined Claro (Comcel) and Directv because it found that both companies breached the principle of security of the personal data managed by them, since they allowed non-authorized third parties to have access to said information.
The Case of Directv
The SIC fined Directv with a sum of COP 223,913,320 (approx. USD70,000) because it found that the company had breached the principle of security of the information when it sent one of its customer’s information to a third party’s e-mail.
The case of Claro (Comcel)
The SIC fined Claro (Comcel) because it found that the Company provided disproportionate information of a customer to answer a request of information of an administrative authority in a contractual dispute.
Consequently, the SIC determined that Claro (Comcel) had breached the financial habeas data regulation, and thus, sanctioned the company with a fine of 300 MMLW (COP 248,434,800, approx. USD 77,600), and ordered it to undertake adequate, useful, effective and verifiable measures to:
- Prevent situations such as the one that triggered the investigation from happening again.
- Respect and guarantee the protection of the rights of the owners of the data.
- Strictly comply with the data protection regulation.
- Apply the accountability principle with a special emphasis in control and supervision mechanisms to guarantee the exercise of rights of the owners of the data and the principles of access and restricted circulation, confidentiality and necessity of access to personal information.
Data protection regulation in Colombia is perhaps one of the most thorough and developed in Latin America. Even though there are therefore mechanisms in place to protect personal information, the truth is that companies are still not familiar with them and do not place any importance on establishing actual measures for its protection or safety.
The decisions presented in this article show that there is a deficiency regarding the safety of personal data (including financial information), particularly in: (1) which information may be revealed, (2) who may access this information, (3) when can they access to the information, (4) the terms of the authorization; and (5) double-checking of the authorization with the user in case of doubt.
Efforts by the SIC to enforce data protection regulation by fining abusive companies are welcome but fines seem to be small if compared to the breach and at the end of the day affected parties are left with their personal information leaked and no compensation available at this administrative level.