Costa Rica: The potential impact of the data protection bill

On 28 January 2021, a group of congress members of the official party introduced Bill No. 22.388, which would comprehensively reform the Law on the Protection of Persons Regarding the Processing of their Personal Data No. 8968 of 2011 ('the Law'), currently in force in Costa Rica. The bill could be of importance given that the current Law, which is based on the Data Protection Directive (Directive 95/46/CE), requires significant amendments. León Weinstok and Uri Weinstok, from BLP Legal, discuss what changes the bill seeks to bring to the Law and why these changes are deemed to be necessary.

Among the favourable aspects of the bill is its conformity with the regulations and principles of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), such as the principles of loyalty, transparency, and minimisation of data, among others.

Minors' consent

While the current Law does not include any reference to the processing of the information of minors, Article 16 of the bill does, by providing that the consent given by 15-year-old individuals will be considered valid within services designed or adequate for them. In the case of children under the age of 15, consent from their parents or guardians is needed.

Security breach reports

Article 33 of the bill includes an explicit obligation to notify security breaches within five business days of becoming aware of the incident. The notification to the affected data subjects and the Costa Rican data protection authority ('PRODHAB') must include, at least: (i) the nature of the incident; (ii) the compromised data; (iii) the corrective measures immediately taken upon notice of the breach; and (iv) the contact information and place where more details about this matter can be obtained.

Data protection regulator

While the intention to provide PRODHAB with greater independence is laudable, the means proposed for that purpose would be unconstitutional, as the Constitutional Chamber established that it is contrary to the division of powers to assign, by ordinary law, executive powers and sanctions to a body of the Legislative Branch.

Basis for processing

Regarding the lawfulness of processing personal data, Article 13 of the bill demands mandatory express, precise, and unequivocal consent from the data subject unless any of the exceptions of Article 15 of the bill are met. Among the exceptions are that consent will not be needed when processing is necessary for the performance of a contract, when processing is necessary in order to protect the vital interests of the data subject, when there is a mandatory obligation to process such information, and when an order from a judicial authority is served. However, rather than options for proceeding with the lawful processing of the information, these options are included as exceptions to the obligation of informed consent.

Registration requirement

Although many legal provisions have sidelined the obligation to register databases by opting for an accountability principle, the bill maintains an obligation to register databases with an annual payment of $300 for each database. In addition, failure to comply with this obligation would be considered gross misconduct, with a penalty of up to 6% of the total revenue of the business.

Instead of establishing clear parameters to define when it is necessary to appoint a data protection officer, PRODHAB is given the power to define when this figure is required. In this sense, further to allowing a controlled development of personal data handling, it significantly centralises PRODHAB's power.

Data transfers

In connection with the international transfer of data, it is important that international transfers are conducted when the Standard Contractual Clauses ('SCCs') established by the European Commission have been adopted. This allows greater openness while maintaining the corresponding guarantees, and does not require the creation of any clauses and revisions by the governing body, which saves money and time.

Sanctions

It is important to increase the penalties under the current Law, given that the maximum amount of the current penalty is approximately $15,000. However, the penalties included in the bill are extremely high, as they range from 2% of the annual revenue for minor misconduct up to 6% of the revenue in cases of gross misconduct. Furthermore, in the case of public institutions, the only penalty established is the obligation to correct the fault committed.

Final thoughts

As mentioned, it is very important for Costa Rica to reform its legal framework in terms of the protection of personal data. This reform should allow the country to accede to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data ('Convention 108') and seek to be declared as an adequate country for the international transfer of personal data from the European Union countries, which today is a competitive advantage. In this sense, it is imperative that a reform be made in this regard.

León Weinstok Director
Uri Weinstok Partner
BLP Legal, San José