13 Mar Personal data protection and e-commerce: An analysis of the last decisions and guidelines issued by the Colombian Data Protection Agency
By Juan David Gutiérrez and Fery Daniel Cure
The Superintendence of Industry and Commerce (SIC), Colombia’s data protection agency, has increased its enforcement activities related to privacy rules in the context of e-commerce. Two recent cases decided by the SIC (Res. 74828 and 76538 of 2019) and the issuance of the “Guideline for personal data processing for e-commerce purposes” are examples worth analysing in this post.
Colombian legislation incorporates two definitions of e-commerce (Law 527 of 1999 and Law 1480 of 2011). In both it is clear that the central element is the development of consumption or commercial operations through data messaging. Every digital platform, whether a mobile application (app) or a website, will be an e-commerce platform as long as it: 1. Develops commercial operations through the exchange of data messages; and 2. Is not a mere “contact portal” (Law 1480).
The purpose of this text is to synthesize the most important points that a company should take into account in its e-commerce operation to comply with Colombia’s data protection legislation. Hereafter, we discuss four issues: 1. Obtaining and preserving the authorization for personal data processing; 2. Authentication of the data subject’s identity; 3. Prohibition of the use of negative lists; and 4. Conducting privacy impact assessment studies and incorporating privacy by design. The text finishes with some final reflections about future challenges in the matter of data protection for companies interested in e-commerce.
1. Authorization from the data subject
E-commerce is not exempt from complying with the general rule established by the personal data protection legislation: the collector or processor of personal data must obtain the data subject’s prior, explicit and informed consent. The SIC has established that a clear and positive action, as a signal of acceptance, reflecting the free, specific and informed will of the data subject is required. In consequence, “the silence, the inaction by the data subject does not constitute consent. Neither do checkboxes which are already marked by default, because they don’t entail an active consent by the data subject” (Res. 76538 of 2019). On the same topic, the SIC stressed that using checkboxes to accept terms and conditions, accepting the “privacy notice”, or accepting the “data treatment policies” does not imply that the data subject accepted the processing of his or her personal data. The data subject must know the nature, the purpose and the consequences of the use that will be given to his or her personal information (Res. 74828 and 76538 of 2019).
Furthermore, the collector or processor of a database must keep proof of the data subject’s authorization. For the SIC, proving the date on which the user was created on the platform does not show that the user authorized the processing of personal data (Res. 74828 of 2019). What must be accredited, according to the authority, is proof that each data subject authorized the processing of his or her personal data in a prior, explicit and informed manner.
2. Authentication of the data subject’s identity
Based on Article 50 of Law 1480 of 2011, the SIC considered that the collector or processor must ensure that the person who is authorizing the processing of the data is the real data subject and not an identity thief. For this purpose, the authority suggested that the processes implemented should address the following questions: How to increase the certainty that a person really is who he or she claims to be? How to identify a person through electronic means? How to prevent identity theft? (Res. 74828 and 76538 of 2019).
3. Do not use negative lists
Negative lists are those in which exclusively unfavorable information about the data subject is compiled. The SIC established, on the grounds of constitutional jurisprudence, that using this type of list is an abusive practice; it is an abuse of the faculty of collecting and processing personal data and breaches the principles of liberty, finality and legality (Res. 74828 of 2019). In consequence, if a data subject requests the deletion of his or her personal data, it is not valid to include the data subject in a negative list.
4. Privacy impact assessment studies and privacy by design
In pursuit of the principle of accountability, the SIC recommends conducting privacy impact assessment studies before the design and development of the e-commerce project. The assessment should evaluate the specific risks to the rights and liberties of the data subjects, along with the measures to mitigate them (SIC Guideline 2019). The latter is directly related to another suggestion made by the SIC: the incorporation of ethics and privacy in the design by default (privacy by design). This means that e-commerce projects must always be structured and oriented towards protecting the privacy of the data subjects, through the implementation of various technological, human, organizational and procedural measures (Res. 74828 of 2019).
Furthermore, the SIC recommends using tools, when possible, to prevent third parties from being able to identify the data subject. The SIC also suggests using contact data only on days and at hours that do not disturb the persons concerned. Lastly, it proposes the development of activities that create trust in consumers, such as: maintaining open channels of communication, having an effective claims and complaints system, and complying in practice with the information processing policies.
5. Reflections about future challenges
We identify three big challenges for companies interested in e-commerce in terms of personal data protection and privacy. Firstly, ensuring compliance starts by having teams who are aware of the legal risks stemming from personal data processing through electronic means. There is still a lot of pedagogical work to be done so that employees and collaborators of companies developing these technologies are properly sensitized to those risks.
Secondly, a full commitment is needed from the management of the companies to ensure the resources required to comply with the parameters demanded by the personal data protection legislation. While early legal advice can help prevent legal risks, the implementation of technical, human and administrative solutions implies additional costs for companies.
Finally, even though the SIC has shed light, through its doctrine and guidelines, on the enforcement of the personal data protection legislation, there are still some grey areas and open questions on how to ensure compliance in practice. Given the SIC’s proactivity in issuing guidelines, we trust that these gaps will gradually close, to the benefit of legal certainty for both data subjects and companies.