As every year, the past January 28th we commemorated the International Day for the Protection of Personal Data, for having signed on this date, 40 years ago, Convention 108 of the European Union, the only international treaty on the matter. This Convention, despite having been born within the European Union, is open to non-EU accessions, that is, it is open to any country for adherence, as long as it has a domestic regulatory framework compatible with said Convention.
This year, this commemoration acquires a greater relevance in light of the events that we lived through in 2020, where the issue of the protection of personal data and the privacy of Costa Ricans was of great relevance, not only because of the health situation, but for other factors that should not be forgotten.
Many examples of privacy breach
In February 2020, we learned that the Presidential House intended to formalize, by means of an Executive Decree, the so-called Presidential Data Analysis Unit (UPAD), a group of advisers to the Presidency that had been processing personal data of the inhabitants since the beginning of the Alvarado Administration, collecting or requesting access to personal data guarded by various organs of the State, including sensitive personal data, such as those contained in the SINIRUBE or data related to apprehensions carried out by the Police.
Thanks to the work of the press and the generalized repudiation of the population, the UPAD had an ephemeral legal existence, however, the scope of the processing of personal data that it carried out or even continues to be carried out, is still an enigma for citizens today, that we do not know what data was processed, what was its destination, if they were eliminated, or even, if the accesses that were enabled at the time by the institutions are still operational today or not. The political and judicial consequences are still pending definition.
The Pandemic also brought a series of novel situations, with an important component in terms of privacy, such as taking body temperature in establishments and institutions (which was never regulated by the Ministry of Health), the possibility, not used by the Government of using contact tracing technology made available by Google and Apple, and mishandling of Costa Ricans’ personal data by a group of CCSS officials, who shared the results of the PCR tests of hundreds of people through a WhatsApp chat without any kind of security measure.
We also had security leaks in banking institutions, such as the case of the leak of credit card numbers by the group of crackers called Maze, which published thousands of numbers on the deep web that it claimed, corresponded to Banco de Costa Rica clients. .
It also transpired the existence of a Telegram group where 3,000 people exchanged explicit sexual content of Costa Ricans, affecting the privacy of many of these people who had not consented to the dissemination of this material.
And to end the year, in November, we had news of Law Project No. 21,321, to create the Unique Repository to Strengthen the Tracking and Identification Capacities of People, which was unanimously ruled favorably by the Government and Administration Commission, which aims to create a centralized database of biometric data for all Costa Ricans, which can be accessed by all police forces without further restrictions and without judicial intervention, and, what is more worrying, can be accessed by anyone interested in acquiring these identification services.
Importance of adequate protection
These are all practical examples of the importance of personal data protection today. The year 2021 already shows other cases, for example, the challenges associated with the use of data related to vaccination, the so-called health passports, or even the interest of the population in the terms and conditions of use of instant messaging applications.
The cases that emerged in 2020 also evidenced the ignorance that exists among the population, but, above all, that of the Public Powers in matters of data protection. They also patent the importance and urgency of having a modern regulatory framework that establishes clear rules regarding the processing of personal data, as well as the urgent need to have a regulator with the independence, technical capabilities and sufficient resources to guarantee compliance with the regulations, because in none of the cases mentioned did we see the regulator, be it the Inhabitants’ Data Protection Agency, play any role in this regard.
Policy-makers must step in
The Legislative Assembly has the opportunity, in the remainder of its mandate, to propose solutions to citizens that transcend the merely political, such as the Draft Reform to Article 24 of the Constitution for the inclusion of Data Protection as autonomous right, or finish outlining the comprehensive reform to the Data Protection Law, updating it, bringing it closer to the international standard on the matter and doing major surgery with respect to Prodhab.
These steps would allow us to get closer to the objective of being, one day, part of Convention 108, which would mean a huge possibility of empowering the country as a secure jurisdiction in terms of personal data protection, and that many companies, especially grassroots, which would see us as an option to establish operations in segments with an important component of personal data, the transfer of which is currently jealously regulated in the European Union by the General Regulation on the Protection of Personal Data.