Why Governments in Colombia Can Monitor Their Own Officials Even When Privacy Is a Constitutional Right
Intelligence Oversight Under Colombia’s Law 1621 of 2013, state intelligence agencies are authorized to collect data to prevent threats to national security.
However, Article 15 of the Colombian Constitution mandates that any interception of private communications requires a prior judicial warrant. This tension creates significant litigation risk when "confidential funds" bypass standard procurement oversight.
To most people, a government official’s private communications are protected by the same privacy expectations as any other citizen.
Under Law 1621 of 2013, specific intelligence protocols apply when national security or internal oversight is invoked. That principle is now drawing attention following Justice Minister Andres Idarraga’s allegations regarding the Pegasus spyware.
The reported breach does not determine criminal guilt, personal liability, or the final outcome of the corruption probes involved.
What You Need to Know
The use of surveillance technology is governed by Law 1621 of 2013 and Article 15 of the Constitution.
Once a procedural trigger involving national security occurs, certain information becomes accessible to state actors. Personal preference or reputational concern generally does not control release when a valid intelligence mandate exists.
What the Law Does Not Protect
-
Private data stored on state-issued devices under Decree 1070 of 2015.
-
Encrypted conversations flagged under formal counterintelligence mandates by the Joint Intelligence Board.
-
Metadata of officials involved in investigations managed by the Prosecutor General’s Office.
The Framework of State Surveillance
Legally, this means the deployment of spyware requires a documented requirement under the National Intelligence Plan.
In practice, the process begins when an agency identifies a target as a threat to constitutional order or national stability. Under Law 1621, the "necessity and proportionality" of the surveillance must be recorded before the first byte of data is intercepted.
Any deviation from this documented path creates immediate grounds for a criminal investigation into "unlawful violation of communications" under the Colombian Penal Code.
The procedural start is rarely a single button press. It involves a "mission order" issued by a director of intelligence. This document serves as the legal anchor for the operation.
If the Justice Minister’s phone was accessed 8,700 times, as alleged, each instance must theoretically correspond to a mission parameter. Without this, the act transitions from statecraft to a felony.
Who Controls the Data
Courts generally hold that data controllers are bound by Statutory Law 1581 of 2012 (General Data Protection Regime).
This law mandates that any entity handling personal data—even during a counterintelligence operation—must maintain a verifiable chain of custody.
When software is purchased using "confidential funds" or "seized narco-dollars," the lack of a public contract violates transparency requirements established in Law 80 of 1993 (Public Procurement Statute).
This procedural failure shifts the burden of proof. Normally, a state agency is presumed to act legally. However, when the funding mechanism is obscured, the Ministry of Defense may be forced to justify the acquisition in a "reparations" suit.
Legally, the controller is not just the person who sees the data, but the institution that licensed the Pegasus software.
When Discretion Applies
The "Gray Zone" of surveillance exists within administrative discretion. Under Decree 1070 of 2015, heads of intelligence have the discretion to determine what constitutes a "counterintelligence threat."
If a Justice Minister is investigating military corruption, a commander might argue that the investigation itself threatens "institutional integrity."
Legally, this discretion is not absolute. The Council of State (Colombia’s highest administrative court) has repeatedly ruled that "national security" is not a magic wand that makes the Constitution disappear.
Discretion ends where "fundamental rights" begin. If the surveillance was used to mount a "smear campaign," the discretion was abused, rendering the entire operation a "deviation of power."
Where Limits Exist
Limits exist within Article 250 of the Constitution, which reserves the power to intercept communications exclusively for the Prosecutor General’s Office (Fiscalía).
Intelligence agencies may monitor the electromagnetic spectrum for broad signals, but they cannot target specific individuals for "content interception" without a judicial warrant.
Legally, any evidence gathered without this "legal predicate" is inadmissible. This is the "Fruit of the Poisonous Tree" doctrine. If the military used Pegasus to see the Minister’s corruption evidence, that evidence may now be legally "tainted."
The irony is that the very corruption the Minister sought to expose could be shielded by the illegal way the military learned about his investigation.
The Strategic Fallout
Unauthorized surveillance creates a high-stakes litigation risk for the state. Under the Single Disciplinary Code (Law 1952 of 2019), officials involved in illegal interceptions face destitution—immediate dismissal and permanent debarment from public office.
The consequences extend far beyond political fallout: any evidence obtained through unlawful surveillance risks being ruled inadmissible, potentially undermining the very corruption cases the Minister sought to build.
Strategically, the pressure now shifts from the alleged corrupt actors to the investigators themselves.
When a state is found to have unlawfully surveilled its own Justice Minister, it creates a profound due-process crisis. Defense attorneys can argue that the investigations were irreparably tainted, opening the door to challenges that could result in widespread case dismissals.
Any such finding would be procedural—focused on the legality of evidence collection—rather than a determination of guilt in the underlying corruption cases or criminal liability of the officials involved.
The Intuition Gap: Why Human Logic Fails in Court
Non-lawyers often assume that "if the evidence exists, the court must see it." In the Pegasus case, business logic suggests that if the military found evidence of a smear campaign, they were "just doing their job."
However, Procedural Law prioritizes the method over the result. Under Article 29 of the Constitution, "evidence obtained in violation of due process is null and void by right."
This means a court would rather let a guilty person go free than allow the state to hack its citizens without a warrant. To an executive, this feels like a failure of justice; to a lawyer, it is the only way to prevent a police state.
This Is Why People Are Alarmed
It feels like a betrayal when the tools of the state are turned inward to scrutinize a person’s private life—especially when the target is a high-ranking official such as the Justice Minister.
Yet the law grants intelligence units broad preventative powers in the name of internal stability. While targeting a specific individual without proper authorization is unlawful, the mere possession, testing, and classification of surveillance tools are frequently shielded by national security secrecy, making civil accountability extraordinarily difficult absent a prolonged and public scandal.
This is precisely why the Pegasus affair has become a testing ground for how privacy law will evolve in the 2020s. For employers, business owners, public officials, and private citizens alike, the implications are structural rather than theoretical.
Even where communications content remains encrypted, metadata—who contacted whom, when, and for how long—is often accessible without a warrant under existing frameworks such as Law 1621.
Devices issued by an employer or state body further erode any reasonable expectation of privacy, shifting legal risk onto the user rather than the institution. And in future litigation, the focus of discovery will increasingly move beyond what communications say to how they were obtained.
Where evidence is gathered through unauthorized digital intrusion or opaque data scraping, the chain of custody may collapse, rendering otherwise damning material legally worthless.
For the ordinary citizen, the lesson is sobering: privacy today is as much a function of technical capability as it is of legal protection.
If state-level tools can bypass the safeguards of a Justice Minister, it underscores a deeper reality—that “private” data is only as secure as the oversight governing those who control the keys.
FAQ: Surveillance and the Law
Can the government legally hack its own employees?
Under Article 15 of the Constitution, the government cannot intercept communications without a warrant. However, administrative monitoring of state-owned devices for "performance and security" is often permitted under internal employment contracts and Decree 1070.
Why can this happen at all if it's illegal?
Intelligence agencies operate under "confidential budgets" (gastos reservados) which lack the traditional oversight of the Comptroller General. This "dark money" allows for the acquisition of tools like Pegasus without a public paper trail, creating a gap between what is "legal" and what is "possible."
Does this mean the Justice Minister is in trouble?
No. Being the target of surveillance does not imply the target has committed a crime. Under the Code of Criminal Procedure, the "victim" of an illegal interception has the right to suppress that data and seek damages from the state.
Can this data really be made public?
If a "smear campaign" is proven, the data becomes part of a public criminal trial against the hackers. At that point, the privacy of the official is secondary to the public’s interest in government transparency, as governed by Law 1712 of 2014 (Transparency and Access to Public Information).
What happens if the money used was "seized cash"?
Using seized assets (unaccounted dollars) to fund intelligence violates the National Budget Law. This creates a "procedural nullity" that could jeopardize every intelligence operation conducted during that period, as the funding source itself was unauthorized by Congress.
