Pursuant to Art. 4 of Decree No. 1,704, telecommunications providers must keep and store for a period of five years subscribers' personal information, such as identity, billing address, and connection type. This information must be available to the Attorney General or any competent authority in the context of a criminal investigation.

According to Art. 23 of Decree 1,377, controllers and processors should appoint a person or function within the company that assumes responsibility for the protection of personal data tasked with reviewing and solving claims made by data subjects. Furthermore, Title VI of Law No. 1,581 establishes the duties of those responsible for data treatment and in charge of data treatment.

A basic legal framework on intermediary liability for copyright infringement is absent in Colombia's law and jurisprudence. The liability regime for damages applicable to Internet intermediaries in Colombia is the same as that generally applied to any other activity, which is a regime of subjective civil liability since the law does not provide for a presumption of fault (or objective) for intermediaries.

A basic legal framework on intermediary liability beyond copyright infringement is absent in Colombia's law and jurisprudence. The liability regime for damages applicable to Internet intermediaries in Colombia is the same as that generally applied to any other activity, which is a regime of subjective civil liability since the law does not provide for a presumption of fault (or objective) for intermediaries.

Colombia has ratified the World Intellectual Property Organization (WIPO) Copyright Treaty.

Colombia has ratified the World Intellectual Property Organization (WIPO) Performances and Phonogram Treaty.

Laws No. 256, Decision No. 486, and the Penal Code provide a framework for the adequate protection of trade secrets. Art. 245 of Decision No. 486 allows requesting preventive measures to stop an alleged infringement, avoid its consequences, obtain or retain evidence, or ensure the effectiveness of the action or compensation for damages. In addition, Art. 16 of Law No. 256 punishes the violation of trade secrets and Art. 308 of the Penal Code defines the violation of trade secrets and establishes a sanction.

According to Title IV of Resolution CRC 5050, there is an obligation for passive infrastructure sharing in the country to deliver telecom services to end users. Moreover, passive infrastructure sharing is practised both in the mobile and fixed sectors based on commercial agreements.

The government of Colombia holds 32.5% shares of Colombia Telecomunicaciones SA ESP, which operates under the brand Movistar and focuses mainly on the telephony and mobile connection businesses. In September 2018, the authorities reported that the State was going to sell its stakes in the company but this has not been the case yet. Some public telecommunication companies exist at the local level, for example, ETB (which provides services in Bogotá), EPM (in Medellín), and Metrotel (in Barranquilla).

The country does not mandate functional separation for operators with significant market power (SMP) in the telecom market. However, there is an obligation of accounting separation since 2009. According to Arts. 64 and 65 of Law No. 1,341 "Issues principles and concepts on the information society and the organization of Information and Communication Technologies (ICT), creates the National Spectrum Agency [...]" (Ley No. 1341 Por la cual se definen principios y conceptos sobre la sociedad de la información y la organización de las Tecnologías de la Información y las Comunicaciones (TIC), se crea la Agencia Nacional de Espectro [...]), the operators must keep separate accounting. They would be subject to specific sanctions if they do not comply with the requirement.
In addition, according to Arts. 9.1.2.1. and 9.1.2.2. of Resolution 5050 of 2016 (as amended by Art. 1 of Resolution No. 5589 of 2019), Telecommunications Network and Service Providers and/or Pay TV Operators are obliged to adopt separate accounting schemes in compliance with Art. 22 (numeral 19) and Art. 64 (numeral 8) of Law No. 1,341 of 2009.

Colombia has appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

Colombia has a telecommunications authority: the Communications Regulation Commission (CRC, Comisión de Regulación de Comunicaciones). However, it is reported that the decision making process of this entity is not fully independent from the government.

According to Art. 26 of Law No. 1,581, cross-border transfer of personal data is forbidden unless it is made to a country that offers adequate levels of data protection, as defined by the Colombian data protection authority. The prohibition does not apply in certain cases, including when the data subject authorises the cross-border transfer or when medical data is required for health or public hygiene reasons. According to the law, the institution in charge, "Superintendencia de Industria y Comercio" (SIC), establishes the standards regarding international data transfers.

Art. 5 of Law No. 1,266 establishes that a data transfer between data bank operators is permitted when authorisation is obtained from the data subject or when the destination database has the same purpose as the operator that delivers the data. If the receiver of the data is a foreign data bank, the delivery without authorisation must be done with a written record and due verification that the laws of the recipient of the information offer guarantees for the protection of the rights of the data subject.

According to Art. 13.11 of the First Amending Protocol which amends the Additional Protocol to the Framework Agreement of the Pacific Alliance, the four parties (Chile, Colombia, Peru and Mexico) commit to allowing cross-border information transfers through electronic means, including also the transfer of personal data for business activities. Moreover, in Art. 13.11 bis, the parties commit to ban forced localisation of computer facilities in their national territories.