UPDATED: December 2022 | SOURCE: GW Law and Fundacíon Karisma Revision to Hogan Lovells Commissioned Version

Provision of Real-time Lawful Interception Assistance

COLOMBIAN CONSTITUTION

Article 15 of the Colombian Constitution sets out the general principle that no correspondence or private communication in any form may be intercepted by government agencies unless a judicial order has been granted to permit it. The particular circumstances in which such an order may be granted must also be set out in other laws.

However, where a crime of any kind is being investigated, article 250 of the Colombian Constitution (as amended by Legislative Act 03 of 2002) states that the Attorney-General’s office may order the interception of private communications and in this instance a judicial order will not be required to commence the interception of communications. The process by which the Attorney-General’s office may order interceptions is set out in the Criminal Procedure Code.

CRIMINAL PROCEDURE CODE

Article 14 of the Colombian Criminal Procedure Code (Law 906 of 2004 as amended by article 52 of Law 1453 of 2011) reiterates an individual’s right to respect of their privacy.

Article 235 of the Colombian Criminal Procedure Code provides that public prosecutors (i.e. public officials of the Attorney General’s office) may order the interception of any form of private communication over any telecommunications network to search for evidence or locate a person in relation to any crime that is under investigation. However, Article 235 prohibits interception of the communications of defense counsel.

Interception orders from a public prosecutor must be sent to the Telecommunications, Network and Service Providers (the bodies responsible for the operation of telecommunications networks and services, as defined in resolution 3501 of 2011 of the Colombian Communications Regulation Commission, hereinafter “TNSPs“) in writing. The confidentiality of all intercepted communications must be ensured throughout the process. After the interception has taken place, the investigating body that requested it has certain duties to ensure the legality of the interception, as described in “oversight of access-related powers” section below.

The maximum term of an order from a public prosecutor to intercept communications is six months. After this period has elapsed, the prosecutor may obtain a judicial order allowing an extension. In granting the extension, the judge must deem it reasonable to extend the interception period beyond six months. It should not be extended, for example, simply because of inefficiencies in the investigation.

LAW 1708 OF 2014

Public prosecutors may also, under article 167 of Law 1708 of 2014, order the interception of any communications that use the radio spectrum in the course of an investigation into assets acquired with the proceeds of crime. This law is most commonly used in relation to assets that have been acquired with money from the drugs trade. Intercepting communications is permitted in these cases solely for the purpose of gathering evidence, and is subject to the other conditions from article 235 of the Criminal Procedure Code set out above.

DECISION C-594 OF 2014 OF THE COLOMBIAN CONSTITUTIONAL COURT

According to decision C-594 of 2014, provided they are acting under an order from a public prosecutor in the Attorney-General’s office or a judicial order as set out above, certain officials referred to as the ‘judicial police’ may access the TNSPs’ networks via designated points of connection for the purpose of intercepting communications.

The judicial police were defined in decision C-594 of the Colombian Constitutional Court as:
● members of the national police force trained to perform activities in support of investigations where communications are to be intercepted;
● members of the Technical Investigation Unit of the Attorney-General’s office trained to perform activities in support of investigations where communications are to be intercepted; and
● public servants who have been granted judicial powers, for example mayors, police inspectors and members of the public prosecutor’s office.

Once the intercepted data has been collected, the TNSPs must provide measures to allow the data to be conveyed to the storage facility used by the judicial police to process the data. The cost of this is borne by the branch of the judicial police that is performing the interception.

DECREE 1704 OF 2012

Under Decree 1704 of 2012, TNSPs must ensure that the infrastructure for their networks provides connections and access points for the equipment necessary to implement interceptions authorized under the above laws, and for any other activities necessary to carry out such an interception. Civil society have expressed concerns that this could include facilitating access without having to notify the providers that collect or transmit the data as part of their services. The Ministry of Information and Communication Technologies (“MICT”) prescribes the technical requirements for this. If a TNSP does not comply with its obligations under this Decree, the MICT can initiate an administrative investigation and impose sanctions. Under article 2 of the Decree, TNSPs have no right to appeal against changes to technical requirements.

LAW 1928 OF 2018

Law 1928 of 2018 implemented the Budapest Convention on Cybercrime in its entirety. Article 21 of Law 1928 of 2018 implementing the Budapest Convention on Cybercrime provides that parties should adopt appropriate measures, in relation to a range of serious offenses as determined by domestic law, in order to empower its relevant government authorities to collect or record content data transmitted by means of a computer system in real-time, which includes metadata. Further, Article 21 of the convention requires parties to adopt measures that would provide the relevant government authorities with power to compel service providers to collect or record content data in real-time, or to cooperate with the relevant government authorities engaged in such collecting or recording, which should also be limited to a range of serious offenses as determined by domestic law.

All laws or regulations enacted pursuant to Article 20 (which has identical language regarding traffic data (see more below) and 21 are subject to the requirements of Articles 14 and 15.

Article 14 states that the powers and procedures established across the Convention should be applied to:

  • criminal offenses established in Articles 2 to 11 of the Convention;
  • other criminal offenses committed via a computer system; and
  • the collection of evidence in electronic form of a criminal offense.

Colombia submitted a reservation to Article 14, pursuant to Article 14, paragraph 3, which states that it reserves the right to apply the measures referred to in articles 20 and 21 in accordance with its internal regulations in matters of personal data and protection of the right to privacy.

Article 15 requires parties to ensure the powers and procedures established in the Convention are subject to adequate conditions and safeguards so as to provide for the protection of human rights, including those rights established in applicable human rights instruments such as the International Covenant on Civil and Political Rights, to which Colombia is a party. Article 15 states such safeguards should include, but are not limited to, judicial or other independent supervision, grounds justifying application, and limitation of the scope and the duration of such power or procedure.

LAW 1941 OF 2018

Article 1 of Law 1941 of 2018 extended for four years Article 102 of Law 418 of 1997, which prohibits providers from the sending of messages in encrypted or unintelligible language to users of communication devices using the electromagnetic spectrum. It is not clear this law has led to any ban on the use of encrypted communications in Colombia in practice. The current extension in Law 1941 of 2018 is set to expire on December 18, 2022.

LAW 1621 OF 2013

The military, the police, and the Information and Financial Research Unit (together the “Intelligence and Counterintelligence Services“) may, under Article 17 of Law 1621 of 2013, monitor the electromagnetic spectrum for a “lawful purpose;” under Article 4, those purposes are ensuring national security; sovereignty; territorial integrity; the security and defense of the nation; the protection of democratic institutions and the rights of Colombian residents and citizens; and the protection of natural resources and economic interests of the nation. Accordingly, monitoring is distinguished from interception not by the action — as they both access otherwise private information — but by the scope, purpose, methodology, and authorizing party.

However, Article 17 clarifies that interception of private mobile and landline telephone communications shall be subject to the requirements detailed above in Article 15 of the Constitution as well as Article 235 of the Criminal Procedure Code.

Article 5 further clarifies that those who authorize and carry out intelligence activities must observe the principles of necessity, adequacy (“idoneidad”), and proportionality. Under Article 14, intelligence and counterintelligence activities, which includes monitoring the electromagnetic spectrum, must be authorized by the directors, heads or deputy heads of the unit seeking to carry out such monitoring, noting that the level of required authorization “increases depending on the nature and possible impact, the type of objective, the level of risk for sources and agents, and the possible limitation of fundamental rights.”

The law does not stipulate any particular definition of the term monitoring for these purposes of monitoring the electromagnetic spectrum. In evaluating Law 1621 of 2013, however, the Constitutional Court wrote that “monitoring the electromagnetic spectrum, as an activity of the Intelligence and Counterintelligence [organs], consists of carrying out a random and indiscriminate search. It involves the incidental capture of communications in which circumstances are revealed that allow attacks to be avoided and risks to the national defense and security to be controlled… It does not include a selective search focused on specific subjects.” The results of monitoring which do not meet the purposes of the Intelligence and Counterintelligence Services, however, cannot be maintained. Under Article 17, such information must be destroyed.”

Under Article 44, when TNSPs change the technology of their infrastructure, they must provide MICT with 60 days’ notice before implementation and provide both the Attorney-General’s office and the MICT with the equipment required to allow these bodies to intercept communications carried by this new technology. TNSPs may, however, charge a reasonable fee for providing this equipment.

Disclosure of Communications Data

DECREE 1704 OF 2012

There is no separate power for government agencies to request metadata from TNSPs that is distinct from the interception-related powers above. Under Decree 1704 of 2012, as part of the request to a TNSP for the interception of communications, the TNSP can be required to provide communications and subscriber data relating to interception targets such as their identity, billing address, type of connection and information relating to their exact location, provided that it is necessary for the purposes of the interception.

LAW 1621 OF 2013

Article 44 of Law 1621 of 2013 provides that TNSPs must, in the context of an intelligence operation, provide the military, the police and the Information and Financial Research Unit (together the “Intelligence and Counterintelligence Services,” as defined in Decree 857 of 2014) with certain stored data upon request. This can include information related to the history of the interception target’s communications, the equipment that they are using, technical data relevant to the identity and location of the target, and “any other information which contributes to [the target’s] location.” Article 44 provides that the Intelligence and Counterintelligence Services must limit the information requested to a period no longer than five years.

Under Article 44 of Law 1621 of 2013, TNSPs are not required to allow monitoring of communications (or provide metadata) in the course of an intelligence or counterintelligence operation if doing so is “not technically possible,” although what is “not technically possible” is not specifically defined in Colombian law.

LAW 1928 OF 2018

Article 20 instructs parties to adopt appropriate measures in order to empower its relevant government authorities to real-time collect or record traffic data transported by means of a computer system and, further, to compel service providers to real-time collect or record such traffic data, or to cooperate with the relevant government authorities engaging in such collecting or recording.

Article 20 is subject to the requirements of Articles 14 and 15, and Colombia’s corresponding reservation, as discussed above in the real-time lawful interception section.

LAW 679 OF 2001

According to Law 679 of 2001, no Telecommunications, Network and Service Provider (“TNSP“), administrator or user of a network is permitted to store text, images, documents or audio files that are directly or indirectly related to sexual abuse of children, or such files where there are sufficient indications that they relate to child sex abuse. Under article 10 of Law 679 of 2001, as amended by Law 1336 of 2009, TNSPs providing internet access must allow public prosecutors and the police access to their network to track IP addresses which store files relating to sexual abuse of children.

National Security and Emergency Powers

LAW 1341 OF 2009

Under article 8 of Law 1341 of 2009, in the event of an emergency, internal or external turmoil, disaster or public calamity, any government agency that requires priority access to a telecommunications network to transmit a specific message must be given that priority access by any TNSPs. Article 8 further allows the competent authorities access to the identities and locations of users should the requesting entity deem such information useful and relevant in guaranteeing attention to an emergency.

Oversight of the Use of Powers

COLOMBIAN CONSTITUTION

Article 20 of the Colombian Constitution provides for a general right to freedom of expression, and Article 86 provides a specific mechanism for protecting this right, the “Acción de Tutela”. This involves filing a writ with a judge arguing for protection of the specific act of freedom of expression, who then determines whether that action should be specifically protected.

The Constitutional Court of Colombia, in decision T-391 of 2007, expanded on the general right to freedom of expression. The Court found that freedom of expression could only be limited where the limitations:

  • are specifically provided for by law;
  • are intended for a legitimate purpose;
  • are appropriate for the required purpose;
  • were implemented prior to the specific exercise of freedom expression to be limited;
  • do not represent censorship; and
  • where the limitations in question do not hamper the exercise of the right to freedom of expression.

LAW 1755 OF 2015

Law 1755 of 2015 regulates the fundamental right to petition codified in Article 23 of the Colombian Constitution, which provides that a person has the right to submit petitions to the authorities for reasons of general or private interest, and to obtain full and substantive prompt resolution of the same.

LAW 1581 OF 2012 AND LAW 1266 OF 2008

Law 1581 of 2012 sets out the general statutory framework regarding the management of personal data. Its purpose is to develop and regulate the constitutional right of persons to protect individuals’ right to know, update and rectify information gathered about them in databases or files, as laid out in Article 15 of the Colombian Constitution. Law 1266 of 2008 serves the same purpose, specifically related to personal financial data, which includes financial, credit, commercial, and services information, and information of the same characteristics coming from abroad, destined to financial risk and credit risk assessment. Articles 8 and 6, respectively, list the rights of the owner of personal data. Both statutes apply to any processing of personal data carried out within Colombia.

COLOMBIAN CRIMINAL PROCEDURE CODE

After public prosecutors in the Attorney-General’s office have ordered an interception and it has been carried out, the investigating body that requested the interception must file a report with a judge setting out the facts of the interception within 24 hours.

Under Article 237 of the Colombian Criminal Procedure Code (Law 906 of 2004 as amended by Article 52 of Law 1453 of 2011), the investigating body is required to hold a hearing before a judge within 24 hours of obtaining information from any intercepted communications. At this hearing, the judge will determine if the interception was performed legally. If the interception occurred after the accused was charged, Article 237 also mandates the inclusion of the defendant and their attorney, who have a right to challenge the legality of the interception. If it is determined that the interception was not legal, then the information gained from intercepted communications may not be used as evidence of the crime under investigation.

LAW 1437 OF 2011

As a general rule, administrative decisions made by public bodies in Colombia are subject to a right of appeal under article 74 of Law 1437 of 2011. Therefore, Telecommunications, Network and Service Providers may appeal any sanctions imposed upon them in the aftermath of an administrative investigation by the Ministry of Information and Communications Technology, for example a sanction for non-compliance with Law 1341 of 2009 or a sanction imposed for alleged non-compliance with technical requirements under Law 1704 of 2012.

LAW 1621 OF 2013

Under Article 18, Military and Police Inspectors must provide annual classified reports related to intelligence gathering activities such as monitoring to the Ministry of Defense and the Commission for Legal Oversight for Intelligence and Counterintelligence Activities. Moreover, Article 18 makes clear that all members of the Intelligence and Counterintelligence Services have an obligation to denounce “any irregularity in the function and activities” of the respective Service and bring it to the attention of their respective Director. Under Article 39, some members, by virtue of their position overseeing all records, are excluded from the obligation to denounce and declare irregularities; however, even they are obligated to denounce cases where they have information related to genocide, extrajudicial killings, torture, forced displacement, forced disappearance, “massive sexual violence”, crimes against humanity or war crimes conducted by a public servant. That Director is also obligated to inform the President annually of such irregularities.

Censorship-related Powers

COLOMBIAN CONSTITUTION

Article 20 of the Colombian Constitution guarantees the right to freedom of expression and forbids censorship.

LAW 679 OF 2001 AND DECREE 1524 OF 2002

According to Law 679 of 2001, no Telecommunications, Network and Service Provider (“TNSP“), administrator or user of a network is permitted to store text, images, documents or audio files that are directly or indirectly related to sexual abuse of children, or such files where here are sufficient indications that they relate to child sex abuse. The law also allows the Ministry of Information and Communications Technology (“MICT“) to request that IP addresses and web pages containing such types of data be blocked.

Article 6 of Decree 1524 of 2002 obliges TNSPs to implement internal security systems to prevent access to websites that contain child sex abuse images.

LAW 1341 OF 2009
Under Articles 64 and 65 of Law 1341 of 2009, the MICT may investigate the operation of a TNSP. If the TNSP has breached any legal rules related to telecommunications, the MICT can suspend the TNSP’s network for a maximum of two months, for example a breach of the provisions of Law 679 of 2001 described above. Failure to comply with these obligations after a suspension could lead to a cancellation of the permit, license or authorization of the TNSP.

LAW 1581 OF 2012

Under Article 21 of Law 1581 of 2012, the Superintendent of Industry and Commerce (a government agency that regulates intellectual property rights, consumer protection, personal data protection and competition) has the power to temporarily block web pages that host and store personal data where the site providing such pages does not have mechanisms to ensure that:
● data is kept sufficiently confidential;
● the rights of data subjects are protected;
● data subjects are allowed sufficient control of their data; and
● the information on the page is not inaccurate, out-of-date or incomplete.

Oversight of the Use of Powers (Censorship-related)

COLOMBIAN CONSTITUTION

Article 20 of the Colombian Constitution provides for a general right to freedom of expression, and Article 86 provides a specific mechanism for protecting this right, the “Acción de Tutela”. This involves filing a writ with a judge arguing for protection of the specific act of freedom of expression, who then determines whether that action should be specifically protected.

The Constitutional Court of Colombia, in decision T-391 of 2007, expanded on the general right to freedom of expression. The Court found that freedom of expression could only be limited where the limitations:

  • are specifically provided for by law;
  • are intended for a legitimate purpose;
  • are appropriate for the required purpose;
  • were implemented prior to the specific exercise of freedom expression to be limited;
  • do not represent censorship; and
  • where the limitations in question do not hamper the exercise of the right to freedom of expression.

LAW 1755 OF 2015

Law 1755 of 2015 regulates the fundamental right to petition codified in Article 23 of the Colombian Constitution, which provides that a person has the right to submit petitions to the authorities for reasons of general or private interest, and to obtain full and substantive prompt resolution of the same.

Publication of Laws and Aggregate Data

Publication of Laws

COLOMBIAN CONSTITUTION

There is no restriction on a TNSP publishing the laws or regulations to which it is subject. Under article 157 of the Colombian Constitution, a law does not come into full force until it has been published in the official journal of Colombian law.

LAW 1712 OF 2014

Under Law 1712 of 2014, all information stored, managed and produced by government authorities is deemed to be public information and can be published freely. Therefore, there is nothing to prevent publication of laws relating to the use of government powers unless a separate law states otherwise. However, Article 18 of Law of 1712 of 2014 permits the relevant government authorities to refuse information when its access may cause damage to a third party’s rights to life, health, security or privacy, or commercial, industrial and professional secrecy.

Further, under Article 19, authorities may refuse information in order to protect:

  • the defense and national security;
  • public safety;
  • international relations;
  • the prevention, investigation and prosecution of offenses and disciplinary offenses;
  • the due process and equality of parties in court proceedings;
  • the executive administration of justice;
  • the rights of children and adolescents;
  • the macroeconomic and financial stability; or
  • public health.

Publication of Aggregate Data

LAW 1621 OF 2013

There is no law that explicitly forbids the publication of aggregate data on interception requests and requests for metadata. However, under article 33 of Law 1621 of 2013, documents, information and technical details related to investigations of Intelligence and Counterintelligence Services in Colombia are deemed to be confidential to the extent that it would compromise their investigations.