Reseña

In this document we analyze the privacy policies of 30 companies with data-driven business models that collect data in Colombia and identify practices that have not been sufficiently contemplated by the personal data protection regime currently applicable in our country.

Now more than ever, there is a latent concern that the availability of large volumes of digital data and the current capabilities to find correlations in this data can lead to other accurate or inaccurate personal data. Besides, from this personal data, decisions?sometimes unfair or discriminatory?can be taken regarding citizens, without them having security, knowledge, or control of what is happening with their data.

An example of these risks can be illustrated from the latest scandal of Facebook and Cambridge Analytica, in which Facebook allowed the use of an application that ended up collecting information from 87 million user profiles from around the world. This information would later be used by Cambridge Analytica to influence voters in the United States presidential campaign period in 2016 and in the referendum on whether the United Kingdom should remain in the European Union.

In order to combat the vulnerability in which citizens from all over the world find themselves, in 2018 the European Union?s General Data Protection Regulation (GDPR) came into force. Likewise, during the same year, the California Consumer Privacy Act (CCPA) was issued. Seeking to balance the development of the digital economy with the guarantees of privacy rights and the protection of personal data, both regulations address the new sources of data, types of processing operations, and processing purposes that are specific to the digital age, which include the use of cookies, web crawling, algorithms, profiling, automated decision-making, data commercialization, and behavioral advertising.

But what has been done in Colombia to guarantee these rights in the digital economy framework? In this document, we explore the degree of preparedness of our legal personal data protection regime and data protection authorities for tackling the risks that the digital era poses to different values and rights, thereby holding accountable the companies with data-driven business models (DDBM).

From the review of their privacy policies, we analyze the modus operandi of an illustrative sample of 30 DDBM, among which are included?for their economic, technological, and social power?the so-called GAFAM (Google, Apple, Facebook, Amazon, and Microsoft). After this analysis, we identify several practices that have not been sufficiently contemplated by the personal data protection regime currently applicable in Colombia, and whose regulation, in comparison with the European GDPR and the CCPA of California, has significant room for improvement. Likewise, we identify several shortcomings in the capacities of the Colombian data protection authorities in holding the DDBM accountable and therefore, propose some corrective measures.