On September 2, 2025, the public consultation period began for a bill aimed at regulating the use of artificial intelligence (“AI”), with a particular focus on the protection of personal data (hereinafter, the “Bill”).
The initiative, promoted by the Superintendency of Personal Data Protection, incorporates strategic definitions, clarifying concepts such as “artificial intelligence system” and “algorithmic explainability.”
The Bill establishes guiding principles for the use of this technology, highlighting transparency, accountability (where any violation will be considered a serious infringement of the personal data regime), confidentiality, security, and data protection by design and by default.
The proposed text provides that data controllers and processors must carry out impact assessments and ensure the traceability of the data being processed through internal records. Furthermore, when such data is used to train AI systems, a technique must first be applied that prevents the direct identification of data subjects.
Data subjects, in turn, will have the right to request information about the system used to process their data, as well as to know whether their rights may be affected by automated decisions.
Finally, the Bill prohibits the use in public spaces of real-time remote biometric identification systems, unless authorized by law or subject to judicial oversight, as well as all systems that generate or disseminate falsified content using personal data, such as deepfakes, which are already regulated in Colombia.
The public consultation term ended on September 29, and the Bill is now being reviewed by the supervisory authority.

