Did the government of Colombia make a mistake to include the United States in the list of countries with an adequate level of protection for the transfer of personal data?
In the recent Internal Order 5 of 2017, the Superintendency of Industry and Commerce (the Data Protection National Authority) designated the United States among the list of countries with the adequate level of protection for the transfer of Personal Data of Colombian citizens to third countries.
This decision has sparked controversy in the country since in an earlier project that was even available for public comments, the United States had not been included in such list.
The question arises whether the essential change of position was the result of a thoughtful analysis or if we are rather in a serious error of judgment of the Superintendency.
I do not know the reasons or motivations of the change of position. It is therefore impossible to determine from our point of view whether we are in the presence of an ungrounded decision or a correct public policy.
The discussion of the adequate level of protection is such a heated discussion that it has given rise to two international wars between the United States and the European Union. Both conflicts have ended in temporary truces characterized as Safe Harbor and Privacy Shield.
The Superintendency could have considered, like the European Union, to establish draconian conditions (some would say human rights guaranteed) for the transfer of personal data but did not do so. Nor was this public entity obliged to accept the same value judgment as the European Data Protection Authorities.
We presume that, as in other actions within its competence, the Superintendency has acted with juridical and scientific rigor. In any case it will be interesting to know the specific reasons and grounds for the change in its initial position.
Which are the main consequences of this government decision?
It seems to me that the Colombia, which undoubtedly has an obligation to guarantee the protection of personal data of Colombian citizens, has sent an unequivocal signal of recognition about the adequacy of the United States as a jurisdiction suitable for the transfer of personal data.
This is a fundamental basis of legitimate expectation for Colombian citizens, title holders of personal data and a basis of a potential State liability in case there are damages and losses caused to those title holders of data protection rights beyond the Colombian borders. It seems evident that not only those who transfer the personal data could damage their title holders and could be responsible, but most likely the Colombian State in making the decision of general scope about the adequacy level of data protection that facilitated the transfer of personal data. In any case the Colombian judges in a future case of data protection breach will be those that define the liability of Colombian State.
The future will tell us if the most important public policy decision that has been taken by the Colombian Government regarding the transfer of personal data was right or wrong