AI Regulation Tracker / Regulator guidance
Colombia requires a privacy impact study before training or deploying AI on personal data
Colombia's data regulator, the SIC, says any company processing Colombians' personal data with AI must run a privacy impact study and apply necessity, proportionality, and de-identification. The 2025 national AI policy reinforces that baseline.
Colombia has told companies that using artificial intelligence on personal data is not a free zone. The Superintendencia de Industria y Comercio, the country's data protection authority, issued Circular Externa No. 002 on August 21, 2024, setting out how existing data protection law applies when personal data flows into AI systems. The guidance is short in form and broad in reach. It says that before an organization develops, deploys, or uses an AI system on the personal data of Colombians, it must study the privacy impact, design for privacy from the start, and justify the processing under a strict set of principles.
What the circular requires
The core instruction is a privacy impact study conducted before data collection and processing begin. The SIC states the study must contain a minimum set of information, so a one line note in a project ticket will not satisfy it. Processing must rest on four criteria that the circular names directly: suitability, necessity, reasonableness, and strict proportionality. In practice that means a controller has to show that the AI use is appropriate for its stated purpose, that no less intrusive method would work, and that the volume and sensitivity of data are proportionate to the goal. The guidance also calls for privacy by design, meaning controls are built into the system from the first stage of a project rather than added after launch.
De-identification is named, not implied
The circular does not stop at principles. It points to concrete engineering practice. It recommends de-identification techniques, including differential privacy, that let teams analyze data while limiting the risk that an individual can be identified. For data scientists, this is the operative sentence. The regulator expects technical measures on the data itself, not only policy documents around it. Where a project cannot resolve uncertainty about potential harm, the SIC says controllers should hold off or adopt precautionary measures rather than proceed.
The circular also expects controllers to adapt their risk management to the specific hazards of AI processing and to keep the data subject informed. The privacy impact study is where these pieces come together. It is meant to document the purpose of the processing, the categories and sensitivity of the data involved, the risks to the rights of the people behind that data, and the measures chosen to reduce those risks. Because the SIC sets a minimum content standard, the study functions as the record a controller relies on if the regulator later asks how a system was built and why the data use was justified.
What it does and does not do
The circular is guidance, not a new statute. It interprets Law 1581 of 2012, Colombia's data protection regime built on the constitutional right of habeas data, and it operationalizes duties that already exist. That distinction matters, but it should not be read as softness. The SIC is the same authority that investigates and sanctions violations of Law 1581, and the circular tells controllers how it expects that law to be met when AI is involved. It does not create a licensing regime for AI, and it does not ban any specific model or use. It sets the process and the standard a controller must be able to show.
Why 2025 is the freshness angle
The reason this 2024 circular matters now is CONPES 4144, the National Policy on Artificial Intelligence that Colombia's national planning council adopted on February 14, 2025. The policy sets a roadmap of more than 100 actions toward 2030 and places governance, ethics, and data protection among its axes. As part of that work, the SIC published inputs for updating Colombia's personal data framework in light of AI, flagging risks such as unauthorized collection, inference of sensitive data, profiling, and automated decisions. CONPES 4144 does not repeal the circular. It reinforces the baseline the circular set and signals that Colombia intends to keep building on it.
For a US or multinational company, the cross border point is direct. Colombian data protection duties follow the data subject, so a firm processing Colombians' personal data in an AI system is expected to meet this standard regardless of where the model runs. Colombia is also one of the few countries in the region with a national AI roadmap, which makes its approach a plausible reference point for neighboring regulators. Firms already running privacy impact assessments for Europe or Brazil will find the shape familiar, but they should confirm the Colombian version names necessity, proportionality, and a specific de-identification method rather than reusing a template built for another regime.
Frequently Asked Questions
What did Colombia's SIC change for companies using AI on personal data?
The SIC issued Circular Externa 002 of 2024, which sets guidelines for processing personal data in AI systems. It requires a privacy impact study before processing, privacy by design, processing justified by suitability, necessity, reasonableness, and strict proportionality, and de-identification techniques such as differential privacy. It applies Colombia's existing data protection law, Law 1581 of 2012.
Who is affected by this guidance?
Any organization that develops, deploys, or uses AI on the personal data of Colombians, including lenders, insurers, health, marketing, and HR platforms, and the AI vendors that build models on that data. The privacy officers, data scientists, and compliance teams inside those organizations carry the operational duties.
Is Circular Externa 002 legally binding, or just advice?
It is guidance rather than a standalone statute, but it interprets Law 1581 of 2012, which is binding and which the SIC enforces. The SIC treats the privacy impact study and the necessity and proportionality analysis as expectations for meeting that law, so ignoring the circular carries enforcement risk under the underlying regime.
How does CONPES 4144 of 2025 relate to the circular?
CONPES 4144 is Colombia's national AI policy, adopted February 14, 2025. It sets a broader roadmap and reinforces data protection as a governance priority, and the SIC contributed inputs on updating the data framework for AI. It reinforces the circular's baseline rather than replacing it.
What is the single most important step to take now?
Complete and document a privacy impact study for every AI system that processes Colombian personal data, recording the lawful basis, the necessity and proportionality analysis, and the de-identification method applied, so the organization can show compliance if the SIC asks.
Sponsored Training
Browse the full AI Regulation News tracker
Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.