On 5 March 2013, Costa Rica gazetted the Regulations of the Law for the Protection of the Individual against the Processing of their Personal Data (the Regulations). The Regulations, which entered into force on the same day, establish the Costa Rican data protection authority (Prodhab), a five-day data breach notification period, and a maximum data retention period of 10 years.
Following the enactment of Law 8968 on 7 July 2011, the Regulations were published to establish the scope of the Law and the applicable penalties and fees in case of violation of the protected rights.
Ignacio Esquivel, Partner at Sfera Legal, told DataGuidance: "The Law introduces the concept of informational self-determination, understood as the fundamental right to control the flow of personal information, and the right to revoke such consent at any point in time". In particular, the Regulations require that express written consent be obtained for data processing, except for data processing required under law.
Alejandra Castro, Junior Partner at Arias & Muñoz, said: "There are many doubts about how consent can be given. Legislation requires it to be given in writing, but businesses are trying to make sure it will be possible to give it electronically."
Castro also notes that the scope of the law still remains unclear. "The Bar Association and the Chamber of Information Technologies had filed a request for professional data to be left out, as well as internal databases", said Castro. "It remains unclear how cloud services will be affected [as well], given that the rule includes a definition of 'technology intermediary'. The original wording for this figure is that it creates uncertainty for contracting cloud services."
The Regulations further introduce a five-day period after a data breach for notifying affected data subjects and for conducting an exhaustive investigation to determine the extent of the breach and implement the corresponding corrective and preventive measures. Data controllers are also obliged to notify Prodhab.
"The Bylaws only establish that such investigation must initiate within said timeframe, but do not specifically imply that the investigation must be conducted and completed within such term", said Esquivel. "Therefore, as long as the Company takes the proper steps to protect and mitigate the damages, it will be in compliance with the Bylaws. Without a doubt, the Law and the Regulations set a new milestone for Costa Rican protection standards and set a precedent for the rest of Central America."