In 2011, the Legislative Assembly of Costa Rica approved the “Law for the Protection of the Person Against the Processing of their Personal Data”, and its regulations. The latter was subject to a reform to specify the scope of the regulation in aspects that initially raised doubts.
Now Law 8968 falls short, due to the changes that have been witnessed since its approval, and current law initiatives in the world take as reference instruments such as the General Data Protection Regulation of the European Union (RGPD).
In addition, in the country the discussion around the protection of personal data has gained relevance. The foregoing by the questioned Presidential Data Analysis Unit (UPAD), whose function was to use data intelligence for public policy, including through access to confidential information. The decree was repealed after the wave of criticism and the investigation is ongoing.
In 2021, deputies of the ruling party presented the legislative initiative: “Comprehensive Reform of the Law for the Protection of the Person Against the Processing of their Personal Data”. What does this reform propose?
News of the bill
1. The Data Protection Agency (Prodhab) is in charge of ensuring compliance with the regulations on data protection, imposing sanctions, and keeping a record of the bases regulated by law. The initiative maintains these attributions but enables the sale of services to public and private entities, revenues that would complement its budget.
2. The scope of application is extraterritorial, that is, when the personal data has been collected in Costa Rica even though its treatment takes place abroad. It also applies to the processing of data (of residents in Costa Rica) by managers not established in the country.
3. A section on cross-border data transfers is added. Through an adaptation process, Prodhab must evaluate whether the host country or international organization can guarantee an adequate level of protection. Without authorization from Prodhab, the data controller may carry out the transfer if he had offered the guarantees to the users, through legally binding instruments or business agreements that express the rights and obligations of the law.
4. The initiative eliminates certain exceptions to informational self-determination established in current law, but moves them to exceptions to informed consent. There are vague concepts such as “public interest” or exception to consent for databases for statistical, historical or scientific research purposes, which could be defined with greater precision to avoid broad interpretations.
5. The proposal establishes a minimum age of 15 years to provide informed consent on the processing of data in digital services. In minors under 15 years of age, the treatment is only considered lawful if the consent was authorized by the legal person in charge.
6. The project extends the exceptions to the prohibition of the processing of sensitive data (eg biometric data). Therefore, it leaves out of regulation specific treatments in the field of health, social assistance, among others that use sensitive data.
7. Maintains the registration of databases with the Prodhab subject to an annual fee of $ 300 ($ 200 currently). Although the practice of registering databases is widespread in countries of the region, paying a fee is not. Additionally, fines are increased and criteria are incorporated to determine the type and its amount.
Finally, the bill takes into consideration recommendations from civil society organizations for the creation of a framework for data protection. The explanatory memorandum explains the need to update the regulatory framework in accordance with international standards, therefore, the project is emerging as a first step that could allow improvements for greater legal certainty.