Costa Rica: Data protection amendments reflect country’s “digital maturity”

15 December 2016

The Government published, on 6 December 2016, amendments to Executive Decree No. 37554-JP (‘the Regulation’) (‘the Amendments’), which supplements Law No. 8968 on the Protection of Individuals with Regards to the Processing of Personal Data 2011 (‘the Data Protection Act’). The Amendments introduce new definitions of key concepts such as database, consent, technological intermediary or service provider, data transfer, and the right to be forgotten.

Fabian Solis, Associate at Facio & Cañas, told DataGuidance, “The Amendments seek to clarify some issues that raised concerns in both the public and private sectors regarding the application of the Data Protection Act. Considering the degree of ‘digital maturity’ of the country it is possible to affirm that this reform is valid and necessary. While Costa Rica is [raising awareness about data protection] and trying to get entities to register databases before the data protection authority (‘PRODHAB’), Europe is regulating issues such as data portability, Privacy by Design, Privacy Impact Assessments and the appointment of data protection officers.”

The Amendments also simplify the procedures for database registration by requiring that only minimum security protocols be disclosed to PRODHAB during registration. Moreover, the Amendments clarify that financial institutions subject to the control and regulation of the supervisory authority of financial institutions (‘SUGEF’) are not required to register their databases with PRODHAB.

Gloriana Alvarado, Senior Tax & Legal Consultant at Deloitte, commented, “The Amendments took place because there was some confusion as to the scope of application of the data protection legislation, since the Data Protection Act and the Regulation establish that all domestic databases (those used for internal purposes) are excluded from their scope of application. The Amendments clarify that domestic databases are those that contain public and restricted personal data. However, there is no mention of sensitive data and it is therefore unclear whether the Data Protection Act and Regulation are applicable to internal or domestic databases that handle sensitive data.”

The Amendments have addressed the most pressing issues raised since the Data Protection Act came into force.

The Amendments have also suppressed the concept of the superuser, which was unique to Costa Rican data protection law and required data controllers to give PRODHAB an access profile when registering their databases so that PRODHAB could access the data contained within at any time and without restriction.

Alvarado continued, “The Amendments have clarified the scope of application of the law, reinforced data controllers’ liabilities before data subjects, and [modified] the obligation to maintain information for no more than 10 years [which is now calculated from the moment] the relationship is terminated. The Amendments have addressed the most pressing issues raised since the Data Protection Act came into force.”

In addition, the Amendments introduce new conditions for data transfers. Before the Amendments, consent to transfers had to be express and informed, whereas it now has to be unequivocal and informed. Moreover, the Amendments, which introduced the concept of ‘economic interest group,’ state that sending data within such a group does not constitute a transfer, nor do transmissions of data to technological intermediaries or service providers.

Solis concluded, “The Government is trying to bring Costa Rican law in line with international standards. We are on the right path but more and bigger changes are needed. Proof of this is that Costa Rica does not yet provide an adequate level of protection according to the European Commission. Moreover, despite PRODHAB’s good work, its budget is not robust enough to face barriers such as a lack of interest and knowledge. Education is very important for the stage we are in.”

Rachael Nelson-Daley | Privacy Analyst