Colombia's Data Protection Authority Rules Journalistic Databases Exempt from Personal Data Suppression Regime

By Castillo Grau Abogados

Colombia's Superintendencia de Industria y Comercio (SIC), acting as the National Personal Data Protection Authority, denied a request to suppress personal data published in a news article by Infobae Colombia S.A.S. The petitioner, identified in the article as a person accused of sexual harassment, sought removal of information including his academic institution and employer.

The SIC's Habeas Data Directorate ruled that journalistic databases and other editorial content fall outside the scope of Law 1581 of 2012 (Ley Estatutaria 1581 de 2012), Colombia's primary personal data protection statute, and ordered the administrative proceeding archived.

Law 1581 of 2012, enacted October 17, 2012, and published in Diario Oficial No. 48587, constitutes Colombia's general personal data protection regime. It implements the constitutional right to habeas data established in Article 15 of the Political Constitution of Colombia, read in conjunction with Article 20, which protects freedom of information and of the press.

The exemption in Article 2°(d) reflects a deliberate legislative choice to prioritize freedom of the press (Article 20, Political Constitution) over the individual data subject's right to informational self-determination (Article 15) when the two conflict in the context of editorial publication. The SIC's ruling in this case reaffirmed that hierarchy.

The SIC noted that media outlets operate under separate and distinct legal standards — specifically, the obligations of journalistic accuracy and ethics derived from the constitutional protections of buen nombre (good name), intimidad (privacy), and the right to truthful information — but that these standards are not coextensive with, and do not incorporate, the consent-based authorization framework of Law 1581.

The petitioner requested suppression under Article 8° of Law 1581, which grants data subjects the right to request deletion of personal data from databases when the data is no longer necessary for the purpose for which it was collected, or when the data subject withdraws consent. He argued that:

1. The publication included personal data — specifically, his university affiliation and employer — without his authorization, in violation of the consent requirement in Article 9° of Law 1581.

2. The accusations of sexual harassment contained in the article lacked evidentiary support ("sin sustento probatorio").

3. The inclusion of his identifying information constituted treatment of datos sensibles (sensitive personal data) within the meaning of Article 5° of Law 1581, which governs data related to personal reputation and social standing.

The SIC rejected all grounds. The central finding was jurisdictional: because the publication constitutes journalistic content, the entire framework of Law 1581 — including its consent requirements, suppression rights, and sensitive data provisions — does not apply to it. The Directorate ordered the proceeding archived and denied the suppression request.