Bogotá, August 21, 2025. With the participation of 500 people virtually and 100 in person, the 12th International Congress on Personal Data Protection concluded at Universidad Externado de Colombia.

This event, a benchmark for discussions on personal data protection issues in Colombia, was marked by the announcement by the Superintendent of Industry and Commerce, Dr. Cielo Rusinque, regarding the national government’s intention to introduce a bill aimed at modernizing the legal framework for personal data protection.

Against this backdrop, the first panel, moderated by the Deputy Attorney General for Human Rights, Dr. Néstor Osuna, addressed some of the challenges related to modernizing the legal framework and updating Law 1581 of 2012. Among them were issues related to the scope of application of the law, the lawful bases for processing, the inclusion of new principles, rights and obligations, and especially, adjustments to the administrative guarantees of the right to personal data protection. These included the possible creation of a delegated office with data protection functions, new rules for inter-institutional coordination, and adjustments to the sanctions regime. Here, the consensus on the need for reform did not overshadow the debate over details, and the discussion remains open.

Next, the second panel focused on the protection of children in digital environments. Sadi Contreras, Commissioner of the Communications Regulation Commission, expressed concern that 79% of minors use mobile devices daily and 64% access digital content without supervision. The debate explored alternatives for parents, the State, and the private sector to implement actions aimed at promoting safe digital environments for children.

The following day opened with a notably interdisciplinary panel: an engineer, a physicist, a lawyer, a philosopher, and a political scientist discussed the advantages and risks of processing biometric data. During the conversation, Heidy Balanta, professor at Universidad Externado, reminded participants that “the iris has 240 unique characteristics, and they never change.” In her view, the impossibility of modifying this information—in contrast to other personal data that can change (such as name, phone number, etc.)—justifies the special protection that biometric data deserves.

The debate brought together diverse perspectives. On one hand, Daniela Jaime Peña, representative of Colombia Fintech, emphasized that financial inclusion in Colombia depends on enabling non-traditional financing service providers to minimize risks of fraud and identity theft, for which biometrics is essential. On the other hand, civil society representatives highlighted the risks involved in processing biometric data and insisted on the benefits of maintaining strict regulation.

The next panel addressed the legal and educational dilemmas arising from the design and implementation of the open finance system, which is currently under development. This system seeks to allow, with prior authorization from data subjects, that other actors within the system access consumers’ financial information to foster competition in the sector and promote financial inclusion.

The panelists agreed on the importance of high security and control standards to guarantee users’ privacy and strengthen shared responsibility between financial institutions and citizens. “Financial information is a valuable asset; protecting it not only builds trust and prevents fraud but also empowers consumers in the exercise of their rights,” said Adriana Ovalle Herazo, Vice President of Legal Affairs at Asobancaria

Finally, the closing discussion focused on the responsibility of transnational companies in processing personal information. Eduardo Luna Cervantes, head of Peru’s data protection authority, spoke about the Peruvian approach to the question of accountability under Peruvian law and the Constitution for multinational companies that process personal data in Peru but are neither domiciled nor registered in the country.During the dialogue on this topic, Hernán Correa, Associate Justice of the Constitutional Court, stressed that these companies must comply with the law and integrate data protection into their value proposition by adopting global standards that ensure safe and legitimate data processing, regardless of where the data is processed.

In his closing remarks, Juan Carlos Upegui, Deputy Superintendent for Personal Data Protection of the Superintendence of Industry and Commerce, thanked those who attended the two-day event and highlighted that open dialogue and democratic debate, even on highly technical issues, are fundamental to building a pluralistic society that respects human rights. That goal inspired the 12th International Congress on Personal Data Protection, which brought together diverse voices, experts with different professional backgrounds, representatives from various sectors, and different viewpoints—all in the context of a pressing need to modernize the personal data protection law and the upcoming debates on this matter in the Congress of the Republic.

If you wish to revisit these debates and panelist interventions, you may do so at the following links:

Day 1 (August 12): https://www.youtube.com/watch?v=9fS55NYnPzE&t=16005s 

Day 2 (August 13): https://www.youtube.com/watch?v=M18l0m86oKU