Search for:
Cybersecurity, Data and Tech

Colombia: Use of Artificial Intelligence in identity theft classified as an aggravating criminal factor

By and 4 Mins Read

Law 2502 of 2025 issued by the Congress of Colombia

In brief

The Congress of the Republic of Colombia recently enacted Law 2502 of 2025, which amends Article 296 of the Colombian Criminal Code regarding the crime of identity falsification. The amendment introduces an aggravating factor when identity theft is committed using Artificial Intelligence (AI).

This reform raises key issues in the field of personal data protection, responds to the growing number of crimes committed through emerging technologies, and establishes guidelines for a public policy framework aimed at preventing, detecting, and sanctioning such conduct.

Key aspects from the criminal law perspective

This new legislation introduces significant changes to the criminal treatment of identity theft, addressing emerging risks associated with advanced technologies. The most relevant points include:

  1. New aggravating factor: The law modifies Article 296 of the Criminal Code, establishing that when identity theft is committed using AI, the applicable fine may be increased by up to one-third, provided the conduct does not constitute another crime.
  2. Legal recognition of deepfakes: For the first time, the Colombian criminal framework includes a legal definition of “deepfake” as AI-generated audiovisual content that falsely appears authentic, aiming to combat new forms of identity fraud.
  3. Traceability and criminal analysis: The Office of the Attorney General must implement a traceability system for cases involving the use of AI in identity falsification. This registry should allow the identification of criminal patterns, impacts, emerging risks associated with digital technologies, and the judicial measures applied.

Additionally, the law mandates the development of a joint public policy by the National Government, the Attorney General’s Office, the National Police, and the Ministry of Information Technologies and Communications (MinTIC), with a focus on digital ethics, cybersecurity, international cooperation, transparency, and rapid response to identity theft incidents.

Current situation

The aggravating factor will come into effect one year after the law’s enactment, with implementation expected by July 2026. This transition period is intended to give authorities time to strengthen their investigative and technological capabilities, align with public policies on the use and risks of emerging technologies, and establish protocols for responding to identity theft incidents involving AI.

This reform aligns with a global context of increasing concern over the malicious use of AI and represents a significant step toward protecting digital identity and building trust in virtual environments.

Biometric data

Due to their nature as sensitive data, the collection and processing of biometric data is subject to special regulation under the law and requires enhanced diligence from the data controller. Currently, biometric data is the subject of a regulatory project by the Superintendence of Industry and Commerce. In the draft Circular on the processing of personal data in the provision of financial services through digital technologies (fintech), the following obligations are included:

At the time of collection, the data controller must: (i) Inform the data subject, specifically, of the precise purposes for which their biometric data will be processed and why the collection of such data is necessary;  and (ii) obtain additional and explicit consent for the processing of biometric data, in accordance with the stated purposes and necessity.

Throughout the entire processing cycle, both the controller and the processor must: (i) Refrain from using biometric data for purposes not explicitly consented to; (ii) implement additional security measures to ensure the protection of biometric data; (iii) take reasonable steps to ensure that the processing of biometric data is proportional to the risk level of the activity involved; (iv) refrain from sharing collected biometric data with third parties and from feeding centralized or integrated biometric databases; and (v) proceed with the deletion of biometric data within a reasonable period once the contractual relationship with the data subject has ended and the specific purposes for which the data was authorized no longer exist.

Additional information

For further details, you may consult Law 2502 of 2025 at the following link: Ley 2502 de 2025 Congreso de la República de Colombia.

Click here to read Spanish version.

Categories:
Tags:
Author

Carolina Pardo joined Baker McKenzie in 1994 and is a Partner of the Firm since 2008. She is currently a member of the Global Steering Committee for the Firm’s Cybersecurity and Privacy group and of the Global Steering Committee for the Firm’s Investigation, Compliance and Ethics Group. She was a member of the Global Steering Committee for the Firm’s Global Antitrust and Competition from 2016 and until 2020 and is currently a member of the Latam's Antitrust Steering Committee.
She graduated as a lawyer and a specialist in International Contracts Law from Universidad de Los Andes in Bogotá. She obtained a LL.M. with emphasis in International Private Law and Competition Law from the London School of Economics and Political Science.
In 2016 and 2025 Global Competition Review selected her as one of the 100 most influential women in antitrust. The last two Superintendents of Industry and Commerce have selected Carolina as a Non-Governmental Advisor to the Colombian Antitrust Regulator. Legal 500 also awarded her a recognition in 2025 as lawyer of the year in compliance and investigations in Colombia.

Author

Bibiana Cala is a lawyer with more than 22 years of experience in criminal litigation. She is a specialist in criminal law and intellectual property, with a master’s degree in Ibero-American compliance. Her professional practice has focused mainly on corporate criminal law, corporate fraud and corruption. She has advised national and international companies from different sectors of the economy and has successfully defended the rights and interests of companies and their executives in criminal proceedings, as well as their relations with the different state bodies and authorities. Thanks to her knowledge in different areas of law, she has worked as co-author of important publications related to corruption, cyber-piracy and criminal law and the criminal protection of industrial property rights in Colombia. She was an advisor at the Ministry of Justice, position in which she intervened in the elaboration of decisions of the Andean Community of Nations. In 2012 she joined Baker McKenzie as an associate and is currently the partner in charge of the Firm’s corporate criminal law practice.

Related Posts