On 7 September 2011, the Executive in Costa Rica published Law No. 8968 on the Protection of the Person concerning the Treatment of Personal Data (the "Act"). Along with Uruguay, Mexico, Colombia, Peru, Chile and Argentina, Costa Rica is now the seventh country in Central and Latin America with data protection laws.
In the same vein as the EU Directive on data protection, the Costa Rican Act has as its objective the protection of fundamental rights, and in particular the right of the individual to be able to exert control over data concerning his private life (what they refer to as 'informed self-determination'). It also serves to protect other rights, such as the right to liberty and equality with respect to the treatment of personal data. Similarly, there is the requirement for unambiguous consent for personal data to be used for determined purposes. Data subjects have the right to access their personal data (which incorporates the constitutional principle of "Habeas Data"), and the Act also establishes the creation of a data protection authority that can impose sanctions for non-compliance.
Article 2 of the Act sets out the scope of this legislation and details its application to both automatic and manual data processing by public or private entities, irrespective of the purposes for the data's use. Article 3 goes on to set out nine definitions, including: 'database', 'personal data', 'personal data of unrestricted access', 'personal data of restricted access', 'sensitive data' (for which there exists a general prohibition on processing and data subjects are not obligated to provide their sensitive data), 'confidentiality', 'data subject', 'data controller', and 'processing of personal data'.
Data controllers must provide information to data subjects, including the purposes for the collection and details of the processing and disclosures before a data subject can provide his/her consent, which can be revoked in the same way as it is provided.
A number of parallels can be drawn with the EU model of data protection legislation, as seen in the Costa Rican Act's treatment of sensitive data, international data transfers, and the security and confidentiality measures to be implemented to protect personal data from illicit or accidental destruction, loss or unauthorised access. The Costa Rican Act also provides for the public registration of databases which process personal data.
Although a detailed notification process is not specified, Article 21 of the Act states that every database, whether public or private, which is administered for the purposes of distribution, disclosure or business administration, must register with the newly formed Agency for the Protection of Data of the Inhabitants (also known as 'Prodhab'). This new regulatory body will charge an annual fee of $200 for the operation of these commercial databases.
The Prodhab is an independent body which sits under the Ministry of Justice and Peace. It will perform a judicial role and its management will take place under a national director. The Prodhab will create awareness of the rights concerning the collection, storage, transfer and use of personal data, and will have the power of inspection to ensure compliance with the Act, as well as the power to order actions of deletion, rectification or correction. The Prodhab's sanctioning process will be able to penalise breaches of the Act according to less serious, serious and very serious offences.
Any person with a subjective right or legitimate interest can make a complaint before the Prodhab concerning a public or private entity which is in contravention of the Act or its basic principles for the protection of personal data. The data controller will have three business days to contest any such charges, and if unresolved the Prodhab can oversee a sanctioning procedure to demonstrate whether a database regulated by the Act is being administered in conformity with its principles.
The Prodhab is likely to take some time to form and then publish its own guidelines and procedures on various matters, in particular relating to the public registration system, but the new Act highlights Central and Latin America's enthusiasm in following the European model on data protection, which itself is currently under the spotlight for reform.
Client Alert 2011-229