Blog

By Camila Idrovo

Colombia’s data centre market is expanding at a remarkable pace, fuelled by the rise of artificial intelligence (AI). As of 2025, the country hosts 38 data centres — 29 in Bogotá, 4 in Medellín, 3 in Cali, and 2 in Barranquilla — with several more on under development. Valued at US$442 million in 2024, the sector is expected to nearly triple to US$1.16 billion by 2030, growing at an annual rate of 17.6%.

This boom promises major opportunities in digital infrastructure and foreign investment. Yet it also brings serious sustainability challenges. Data centres are notoriously resource-intensive, consuming vast amounts of water for cooling and electricity to keep servers running.

Recognising both the potential and the risks, the Colombian government launched a US$111.5 million National AI Policyin February 2025. The plan seeks to decentralise data centre infrastructure and promote hyperscale facilities powered by renewable energy and water-efficient technologies.

The pressing challenge now is ensuring that Colombia’s AI-driven data centre boom drives inclusive economic growth while safeguarding the country’s water and energy resources.

Projected Impacts

Water Stress

AI’s rapid growth comes with a heavy water footprint. Globally, meeting demand for AI could require up to 6.6 billion cubic meters of water withdrawals by 2027. Data centre water consumption is driven by cooling (Scope 1), electricity usage (Scope 2), and hardware manufacturing (Scope 3).

To address environmental concerns, some providers are experimenting with air-cooling systems that reduce direct water withdrawals. However, these systems are often more energy-intensive, which can increase Scope 2 water use. The lack of reliable data on Scope 3 impacts further complicates assessments, highlighting the need for more transparent and comprehensive reporting.

Example of a data centre’s operational (scope 1+2) water usage

Colombia faces particular risks. New data centres are planned in hot regions such as Santa Marta, where cooling demands will be especially high. Even Bogotá, with its milder climate, faces serious water availability concerns. Between 2023 and 2024, the city experienced once of its worst droughts on record, with its reservoir levels falling to just 10.5%.

Adding to the challenge, Colombia is already one of the world’s top consumers of water per capita, using nearly three times the OECD average. This is partly driven by industrial users facing some of the lowest water tariffs in the region. In 2023, Coca-Cola reportedly paid just US$2,605 to extract 64 million litres near Bogotá. At US$0.008 per cubic meter, Colombia’s industrial water tariff is a fraction of Mexico’s (US$0.99) or Brazil’s (US$0.036).

Colombia’s governance framework is not keeping up with these mounting pressures. An evaluation of the National Policy for Integrated Water Resources Management (2010–2022) found that the country lacks adequate data on water demand, while Bogotá’s District Water Plan, due for an update in 2021, has yet to be revised. Both national and local policies urgently need updating to integrate future water use projections tied to data centre growth.

Without stronger governance and more realistic tariffs, water scarcity could not only constrain Colombia’s AI-driven data centre industry but also threaten access to clean water for communities, exacerbating social and environmental stresses across the country.

Energy use

AI is driving a sharp rise in data centres’ energy needs. While traditional facilities consume between 10 and 25 megawatts (MW) annually, hyperscale AI-focused centres can exceed 100 MW — the equivalent of powering 100,000 households. Because these facilities often cluster in specific cities, their concentrated demand puts major stress on local power grids.

To manage both energy security and carbon footprints, many operators are investing in renewable sources. These projects can accelerate growth in the clean energy sector, but much of the power produced is consumed by the centres themselves, limiting the amount of renewable energy available to the wider grid.

Colombia’s relatively clean electricity mix has helped attract investment. In 2023, 64.4% of power came from hydropower, while 31.8% came from fossil fuels, and only 1.2% from solar and wind. The country’s heavy reliance on dams, however, leaves the system vulnerable. Recent droughts forced greater use of fossil fuels to meet demand, undercutting Colombia’s climate goals. Without a rapid scale-up of solar and wind capacity, rising demand from data centres risks locking the country into deeper dependence on fossil energy, with consequences for both emissions targets and long-term energy security.

Electricity generation sources in Colombia, 2023

Press enter or click to view image in full size

Over the past three decades, Colombia has modernised its energy sector and welcomed private investment, spurring diversification and infrastructure growth. Still, persistent barriers remain. There are gaps in transmission capacity, delays in environmental licensing, and strong community opposition to new projects. Unless these challenges are resolved, Colombia will struggle to expand renewable energy fast enough to keep pace with the demands of an AI-driven data centre boom.

Case Studies

Because data on Colombia’s data centre impacts remains limited, it is useful to look at two regional leaders, Mexico and Chile, where the sector is more mature. Both cases offer valuable lessons for Colombia as it expands its own market.

Mexico

Mexico’s data centre market is projected to reach US$2.26 billion by 2030, growing at an annual rate of 13.5%. The country already hosts 59 centres, with nearly a third concentrated in Querétaro. Tech companies have pledged thousands of jobs and billions in investments, but these promises come with serious environmental trade-offs.

Querétaro is one of Mexico’s most drought-prone states. Yet industrial water use there skyrocketed from 4% of total consumption in 2003 to 40% by 2018. The surge has fuelled protests from indigenous and rural communities, driven up water costs for residents, and left local reservoirs under severe stress. In April 2025, two of the state’s seven reservoirs were completely dry, and overall capacity dropped to just 32.5%. Energy shortages have compounded the crisis, with frequent power outages as the regional grid struggles to keep up with rising demand.

Despite these risks, investment continues. In January 2025, Amazon Web Services announced a US$5 billion investment in Querétaro to serve all of Latin America. Mexico does have a sustainability norm for data centres introduced in 2014 (NMX-489), but because compliance is voluntary, its impact has been limited.

Querétaro’s experience underscores a key warning for Colombia. Without proactive water and energy management, rapid data centre growth can quickly outpace local resources and spark social unrest.

Planned data centre investments in Mexican states under drought.

Source: Menski et al. (2024)

Chile

Chile’s data centre market is projected to hit US$1.24 billion by 2030, growing at a CAGR of 8.27%. The country currently has 62 centres, 55 of them clustered in Santiago. But Chile is also one of the world’s most water-stressed nations, and public opposition has been strong.

In 2024, Google was forced to suspend a planned US$200 million data centre in Santiago after citizen mobilisation and a partial court reversal of its environmental permits. The company later committed to redesigning the project with stricter sustainability standards and more water-efficient technologies.

To address these challenges, Chile recently launched its National Data Centre Plan (2024–2030), developed through multi-stakeholder consultations. The plan includes a digital tool to guide sustainable site selection, a multi-stakeholder monitoring committee, streamlined permitting processes, and public–private clean production agreements to boost efficiency. It also encourages the creation of AI campuses in regions with abundant renewable energy resources, reducing pressure on water-stressed areas like Santiago.

Chile’s proactive approach highlights the importance of early planning, strong stakeholder engagement, and enforceable sustainability standards; lessons Colombia can apply before its own boom accelerates further. That said, it remains to be seen how effectively the plan will be implemented in practice and whether it can truly balance data centre growth with water and energy sustainability.

Policy Recommendations

Colombia is not yet fully prepared to manage the environmental impacts of rapid data centre expansion. To address this challenge, the following recommendations draw on Professor Mariana Mazzucato’s Entrepreneurial State framework. Unlike traditional models that view the state as a passive actor intervening only after market failures occur, this approach positions the state as a proactive market-shaper capable of driving more inclusive and sustainable outcomes.

The framework rests on four core principles: setting a clear direction for change; building the capabilities necessary to drive that change, including sectoral knowledge, risk-taking, and patient finance; adopting dynamic metrics that capture long-term and spillover effects; and ensuring the equitable sharing of both risks and rewards. The recommendations below are structured around these principles.

Set a Direction

Colombia’s National AI Policy sets a strategic direction by tasking the Ministry of Science, Technology, and Innovation with designing and implementing, between 2025 and 2026, a mechanism to accelerate data centre development with a focus on renewable energy and water-efficient technologies. To turn this vision into reality, the government should:

1. Urgently update water management plans at the national and city levels, particularly in areas expecting new facilities. Plans should integrate real-time data on water supply and demand to guide sustainable growth.

2. Embed environmental conditionalities in licensing and public procurement. These include requiring data centre developers to submit detailed technical specifications and projections for water and energy use and mandating the use of resource-efficient technologies accounting for the full spectrum of water use (Scope 1, 2, and 3).

Build Capabilities

To effectively manage data centre expansion and ensure environmental risks are mitigated, the government should invest in developing local expertise and infrastructure. This means not only regulating the sector but also equipping public institutions with the necessary knowledge and resources. To achieve this, the government should:

3. Strengthen public sector expertise by employing AI and data centre specialists, ensuring government agencies have the necessary knowledge to make informed decisions and effectively evaluate the technical information provided by data centre operators.

4. Establish co-investment mechanisms that leverage public, private, and multilateral funding to expand renewable energies and improve water management systems. This funding should be directed not only towards meeting data centre needs, but also to covering the water and energy requirements of low-income households.

5. Support national research and innovation to develop and test solutions for energy and water efficiency. This aligns with Action 3.1 of the National AI Policy, which funds AI-related R&D projects led by universities, research institutions, and private-sector partners.

Use Dynamic Metrics

To effectively manage the impact of data centres, it is essential to move beyond static metrics and ensure real-time data is continuously available. This will enable more responsive and effective resource management, especially during emergencies. To this end, the government should:

6. Install smart meters in data centres to provide real-time water and energy data to authorities. These data streams can feed into AI-powered tools for land use and resource planning that will be developed under Action 6.12 of the National AI Policy.

7. Develop a comprehensive monitoring and evaluation framework that tracks not only economic returns, but also spillover environmental and social impacts.

Share the Risks and the Rewards

With many data centre operators in Colombia being foreign owned, there is a risk that the sector could perpetuate an extractive model, whereby multinationals extract wealth and resources while the government and local communities bear the brunt of the environmental and social costs. To equitably share both the risks and the rewards of the data centre market, the government should:

8. Urgently increase industrial water prices to better reflect the true costs of water and the externalities its extraction imposes on the environment. Energy prices should also be adjusted to more accurately account for Scope 2 water consumption. The water and energy tariffs for data centre providers and other high-water use industries should remain flexible throughout the year, with the option to increase them during periods of water scarcity. This will help regulate demand while encouraging more efficient water use.

9. Integrate conditionalities in the licensing processes for data centres and related renewable energy projects, requiring a small percentage of their computing and energy capacity be reserved at a reduced cost for use by Colombian universities, research institutions, and private sector partners working on environmental projects.

10. Pilot geographical load balancing, distributing AI workloads across data centres based on regional water and energy availability, reducing pressure during emergencies.

These recommendations carry both risks and costs that must be carefully managed. One concern is a potential slowdown in Colombia’s data centre market. However, this does not mean halting growth. As noted, Chile’s market is expanding at an annual rate of 8.27%, while Colombia’s is growing at 17.6%. A modest slowdown is a reasonable trade-off if it ensures growth that is both sustainable and inclusive.

Another challenge is potential pushback from data centre operators who may resist stricter regulations or engage in lobbying. Yet Colombia holds a strong comparative advantage. The cost of building a data centre in Bogotá costs just US$7.10 per watt, compared with São Paulo (US$10.10), Querétaro (US$10.00), and Santiago (US$8.30). This gives the country room to implement higher standards without losing competitiveness. As Chile’s experience shows, clear environmental regulations can even encourage companies to adopt more efficient technologies.

From a financial perspective, while a detailed analysis is still needed, these recommendations appear economically advantageous. The government has already allocated US$111.5 million for the National AI Policy, which can support research, capacity building, and monitoring. Additional revenue from higher tariffs and licensing can be invested in strengthening water and energy infrastructure, while long-term environmental costs can be mitigated through effective conditionalities.

Conclusion

Colombia’s AI-driven data centre boom presents significant opportunities for digital growth, investment, and job creation. However, these benefits could be undermined without careful management of water and energy resources. The National AI Policy provides a strong foundation, but its success will depend on the state embracing an entrepreneurial role: setting a clear strategic direction, building the necessary capabilities, adopting dynamic metrics, and ensuring that risks and rewards are shared equitably.

If implemented effectively, Colombia can become a regional leader in developing a digital economy that is fast-growing, sustainable, and inclusive. Conversely, failure to act could provoke strong community opposition, as local water and energy resources may be perceived as being diverted to foreign-owned facilities. Transparent public engagement will be essential to build trust and demonstrate that policies protect both people and ecosystems.

Beyond water and energy, data centres also create other environmental and social pressures, including increased demand for critical minerals, greenhouse gas emissions, e-waste generation, and land-use competition. While these fall outside the scope of this blog, they merit further analysis to fully understand AI’s environmental impact in Colombia.

This paper is an adaptation of a paper submitted on 8 May 2025 for Latin American Economics (AMER0017), an elective course of IIPP’s MPA in Innovation, Public Policy, and Public Value.

The final piece of China’s cross-border data transfer framework has now been released with the issuance of the Certification Measures. Effective January 1, 2026, businesses must closely monitor certification institutions, standards, and application procedures. Early preparation and strategic planning will be essential for long-term compliance and risk management.

On October 14, 2025, the Cyberspace Administration of China (CAC) and the State Administration for Market Regulation (SAMR) jointly issued the long-awaited Measures for Certification of Cross-Border Personal Information Transfer (hereinafter referred to as the “Measures”), which will officially take effect on January 1, 2026.

The release of the Measures marks a pivotal moment in China’s data governance landscape. It completes the three-pathway framework for cross-border personal information transfers established under the Personal Information Protection Law (PIPL).

With the certification method now fully defined, China’s regulatory architecture for cross-border data transfer (CBDT) is considered comprehensive and operational.

The Measures clarify key aspects of the certification process, including scope and applicability, application procedures, certification body obligations, as well as supervision and enforcement.

This final regulatory piece enhances legal certainty for businesses. It offers enterprises another structured compliance pathway and may prove especially beneficial for multinational corporations engaged in frequent or large-scale data transfers.

Certification in China’s CBDT framework

Under Article 38 of PIPL, personal information processors in China who need to transfer personal data overseas for business or operational purposes must choose one of three legally prescribed pathways:

1. Undergo a security assessment organized by the CAC, except where exempted by relevant laws and regulations.
2. Undergo a certification for cross-border personal information (PI) transfer by a professional institution in accordance with the regulations of the CAC.
3. Sign a standard contract with a foreign party stipulating the rights and obligations of each party in accordance with standards set by the CAC.
4. Meet other conditions set by the CAC or relevant laws and regulations.

Since 2022, China has gradually built out this framework through a series of regulatory instruments. The Security Assessment Measures, released in July 2022, laid out detailed procedures for high-risk data transfers. In February 2023, the Standard Contract Measures were issued and came into effect in June, providing a more accessible compliance route for many businesses.

Find Business Support

However, the certification pathway remained incomplete for some time. While several technical standards and guidelines were released – such as the Security Certification Specifications for Cross-Border Processing of Personal Information V2.0 (December 2022) and the Information Security Technology – Certification Requirements for Cross-Border Transmission of Personal Information (March 2023) – a formal regulatory document was still missing.

Now with the release of the Measures, this long-awaited document provides the legal and procedural foundation for certification, aligning with earlier standards and the CAC’s January 2025 draft for public consultation.

Moreover, China’s State Administration for Market Regulation (SAMR) and Standardization Administration of China (SAC) jointly released the Data security technology—Security certification requirements for cross-border processing activity of personal information (GB/T 46068-2025), which will take effect on March 1, 2026.

All these developments signal that the three pathways for CBDT under the PIPL are now fully operational, marking a significant milestone in China’s data governance regime.

Applying for a certification for CBDT

The newly released Measures for Certification of Cross-Border Personal Information Transfer outline the specific conditions under which personal information processors may opt for the certification pathway to legally transfer personal data overseas.

Scope of application

To be eligible for certification, a personal information processor must meet all of the following criteria:

1. It is not a critical information infrastructure operator (CIIO)
2. Transfer volume thresholds:
3. Since January 1 of the current year, it has transferred the PI of between 100,000 people and one million people out of China (excluding sensitive PI).
4. Since January 1 of the current year, it has transferred the “sensitive” PI of less than 10,000 people out of China.
5. The data being transferred must not include important data as defined by Chinese regulations.

Importantly, the Measures prohibit data volume splitting or other circumvention tactics to avoid the security assessment requirement. If the data transfer volume exceeds the thresholds for certification, the processor must undergo a security assessment instead.

Pre-application obligations

Before applying for certification, personal information processors must fulfill several legal obligations, including:

The PIPIA must evaluate:

• The legitimacy, necessity, and scope of data processing by both the processor and the overseas recipient;
• The volume, sensitivity, and type of data being transferred, and potential risks to national security, public interest, or individual rights;
• The technical and organizational safeguards promised by the overseas recipient;
• The risk of data breaches or misuse, and the effectiveness of redress mechanisms;
• The legal environment of the recipient’s jurisdiction and its impact on data protection; and
• Any other factors that may affect the security of the data transfer.

The PIPIA report should be retained for at least three years.

Also read: How to Conduct a Personal Information Protection Impact Assessment in China

Application process

Processors must apply for certification through a professional certification institution authorized to conduct personal information protection audits. For overseas processors, the application must be submitted via a designated domestic representative or entity.

Once the application is approved, the institution will issue a certificate, valid for three years. To maintain continuity, processors must reapply six months before the certificate expires.

Supervision and enforcement

The Measures establish a multi-layered oversight mechanism:

• National and provincial CAC and market regulation authorities will conduct regular and ad hoc inspections of certification activities and outcomes.
• If certified processors are found to pose significant risks or experience data security incidents, authorities may initiate interviews and require corrective actions.
• Whistleblowers, including organizations and individuals, may report violations to certification bodies or regulators.
• Violations of the Measures may result in penalties under the PIPL, Cybersecurity Law, and Certification and Accreditation Regulations, and may lead to criminal liability where applicable.

Comparing standard contract vs. certification

Under China’s CBDT mechanisms, both the standard contract and certification pathways provide legal mechanisms for cross-border transfers of personal information. While they share many similarities, such as overlapping applicability and similar pre-transfer obligations, their structural differences make them suitable for distinct business scenarios.

The standard contract is a self-managed process in which enterprises sign a fixed-format agreement with the overseas recipient, strictly following the CAC’s template. After conducting a self-assessment, the enterprise submits the contract and related materials for filing with the provincial CAC, which may conduct formal or substantive reviews. As a commercial agreement, the standard contract is not publicly disclosed, and its contents are not subject to public scrutiny or external evaluation.

In contrast, certification is conducted by third-party professional institutions based on CAC-issued rules. It involves a comprehensive review of the enterprise’s technical, organizational, and governance measures. Unlike the standard contract, certification carries a degree of public authority – it reflects, to some extent, administrative recognition of the enterprise’s data protection capabilities. For companies with high reputational stakes in personal information protection, certification offers a credible external endorsement of their compliance posture.

Find Business Support

The compliance focus also differs. The standard contract emphasizes the legal obligations of a specific data transfer, ensuring the overseas recipient agrees to uphold data subject rights and assumes clear data protection responsibilities. Certification, on the other hand, assesses the enterprise’s overall compliance framework, including internal governance, data protection systems, and technical safeguards. It promotes ongoing compliance and dynamic supervision. In practice, the standard contract is more suited to “one-off” or occasional transfers, while certification is better aligned with enterprises engaged in frequent or long-term cross-border data activities.

Post-transfer supervision further distinguishes the two. With the standard contract, enterprises are responsible for monitoring the overseas recipient’s compliance, and CAC oversight is primarily conducted through the filing system. Certification bodies, however, implement continuous monitoring mechanisms. Certificates may be suspended or revoked, and violations are publicly disclosed, creating external compliance pressure.

Given these differences, the standard contract is generally more appropriate for low-volume, low-risk transfers. It is relatively easy to implement but offers limited flexibility due to its fixed format. Certification, by contrast, is better suited for enterprises with frequent, high-risk, or high-profile data transfers, or those seeking to demonstrate a high level of data protection. The certification is valid for three years, helping reduce repetitive compliance efforts.

Enterprises should assess their business scale, data export scenarios, and compliance capacity to select the most appropriate pathway for CBDT.

What to watch next?

As the Measures prepare to take effect on January 1, 2026, enterprises should go beyond understanding the basic provisions and actively monitor several key developments to ensure compliant and efficient implementation.

Key areas to monitor include:

• Certification institutions and qualifications: Certification must be conducted by professional institutions that have obtained official qualifications for personal information protection certification. While the list of authorized institutions has not yet been released, it is expected to be jointly determined by the SAMR and CAC.
• Certification standards and technical specifications: The Measures indicate that the CAC, together with relevant data governance authorities, will formulate detailed certification standards and technical specifications, while the market regulation authorities will define certification rules, certificate formats, and usage guidelines.
• Application procedures and operational details: While the Measures outline the general process, many practical details remain to be clarified or will be defined by certification institutions, such as required documentation beyond the PIPIA report (such as data inventory, agreements, internal governance policies), online/offline application channels, review timelines and feedback mechanisms, proof of compliance capability for overseas recipients, and so on.

Companies are suggested to consult the official websites of the CAC, SAMR, and the Certification and Accreditation Administration of China (CNCA) for timely updates and implementation guidance.

Key takeaway

Personal information protection certification is a critical mechanism for enabling compliant, trustworthy, and internationally aligned data flows. As the Measures enter into force in 2026, enterprises must pay close attention to the qualifications of certification institutions, evolving standards and procedures, and long-term compliance obligations. For legal, compliance, and information security professionals, now is the time to study regulatory trends, plan ahead, and strengthen internal capabilities to ensure a smooth transition into the new regime.

If you need further interpretation or practical support, our team at Dezan Shira & Associates is here to assist you with tailored guidance and hands-on expertise. For more information, please get in touch with China@dezshira.com.