Dentons US LLP

10/09/2024 | News release | Distributed by Public on 10/09/2024 18:29

New External Circular No. 002 issued by the SIC which provides Guidelines on the Processing of Personal Data in Artificial Intelligence Systems

September 10, 2024

This Circular is intended to (i) provide Personal Data Controllers with general requirements on the Processing of Personal Data to develop, deploy or use artificial intelligence systems ("AI Systems"), and (ii) provide Data Subjects with certainty about the use of their Personal Data in AI Systems, since such systems are typically used to make automated decisions or to assist a human decision maker through recommendations and predictions.

It is important to note that although Circulars do not have the status of Law per se, the Superintendence of Industry and Commerce ("SIC") considers them interpretative guidelines.

Specifically, the following guidelines were provided by the SIC:

  • The processing of personal data through AI requires a weighing exercise against the following four criteria, aimed at safeguarding the principles established in Statutory Laws 1266 of 2008 and 1581 of 2012: (i) adequacy; (ii) necessity; (iii) reasonableness; and (iv) proportionality in the strict sense.
  • In case of lack of certainty as to the potential damage that may be caused by the processing of personal data, and to avoid causing serious and irreversible damage, Personal Data Administrators shall refrain from such processing or adopt precautionary or preventive measures to protect the rights of Data Subjects, their dignity, and other human rights.
  • A new definition of Personal Data Administrator is introduced. Administrators of personal data are understood to be: Data Controllers (literal e) of article 3 of Statutory Law 1581 of 2012), Data Processors (literal d) of article 3 of Statutory Law 1581 of 2012), Information Sources (literal b) of article 3 of Statutory Law 1266 of 2008), Information Operators (literal c) of article 3 of Statutory Law 1266 of 2008) and Users (literal d) of article 3 of Statutory Law 1266 of 2008).
  • The identification and classification of risks, as well as the adoption of measures to mitigate them, are essential elements of the Principle of Accountability. The risks associated with the processing of personal data in AI should be subject to planning and mitigation efforts proportional to the severity of the eventual damages that may be generated.
  • Prior to the design and development of AI, and to the extent that it is likely that the products made through such techniques entail a high risk of affecting data subjects, it will be necessary to conduct and document a privacy impact study.
  • The personal data subject to processing through AI must be truthful, complete, accurate, updated, verifiable and understandable. The processing of partial, incomplete, fractionated, or misleading personal data is prohibited.
  • One way to comply with privacy by design and by default by means of mathematical techniques is differential privacy. Differential privacy is a set of mathematical techniques that allow us to perform analytics on data without revealing information about the people who provided the data.
  • In the Processing of personal data through AI, the right of Data Subjects to obtain from Personal Data Administrators, at any time and without restrictions, information about the Processing of their personal data, must be guaranteed.
  • Personal information that is "accessible to the public" is not, per se, information "of a public nature". The fact that such information is available on the Internet does not mean that anyone can process it without the prior, express, and informed consent of the Data Subject. Thus, Data Controllers who collect private, semi-private or sensitive personal data on the Internet are not entitled to appropriate such information and process it for any purpose they deem appropriate without the prior, express, and informed consent of the Data Subject.
  • The processing of personal data in AI systems must provide for relevant, efficient, and demonstrable strategies to ensure compliance with the rights of data subjects established in the Statutory Laws 1266 of 2008 and 1581 of 2012 and their regulatory decrees.

For additional information and how this may affect your data processing practices, please contact us.