Skip to Main Content
Main Menu

Emerging Markets: A ride-sharing app in Colombia fails to certify the deletion of personal data

Annie Greenley-Giudici

Drinking and driving is never a good idea and is illegal, depending on the circumstances.

This is particularly true in a city like Bogota, where a population of close to 10 million, an elevation of 8,660 feet above sea level, and occasional foggy nights can make things confusing for drivers that indulge in a few drinks after work.

Perhaps, this is why many Colombians embraced the convenience of an app that hails a designated driver to pick them up at their favorite bars and ensure that users and cars arrive home safely.

But not all consumers want their personal data to reside in the app forever.

After all, it may pertain to their residence, vehicle information, favorite bars, drinking habits, and credit card number. Fortunately, Colombia has a Data Protection Law to protect consumers in these situations.

Recently, Colombia’s Superintendence of Industry and Commerce (SIC) issued an enforcement action that illustrates the need to manage requests for the deletion of personal data in emerging markets.

What happened in this enforcement action?

A consumer could not remove their credit card information from the app and submitted a request to delete their data.

The ride-share company agreed and offered to issue a deletion certificate.

However, a month later, the data still needed to be deleted.

So, naturally, the consumer filed a complaint with the SIC, and a full investigation ensued.

The SIC found that failing to demonstrate the deletion of the consumer’s personal information is a breach of two sections of the Data Protection Law: §§ 8(e) (right to deletion) and 17(a) (duty to guarantee the exercise of the habeas data right).

The ride-share company was penalized with a fine of COP 44,658,840 (US$ 11,711) along with orders to

  • Document processing procedures
  • Develop a procedure for consumers to exercise their habeas data rights,
  • And implement a plan for supervision and periodic review to ensure compliance within two months.

A framework-based analysis is available here. The entire decision (in Spanish) is here.

Emerging Market Impact

Colombia has a GDP per capita of USD 5,332 and an Internet Penetration of 65%.

Enforcement actions involving monetary fines and comprehensive revisions of privacy practices are not rare.

As its 50 million people continue to embrace electronic communications to navigate the intricacies of its geography, more frequent scrutiny on privacy compliance must be expected.

Key Topics

Get the latest resources sent to your inbox

Back to Top