Costa Rica’s Law No. 8968 of 2011, Securing Data Privacy

Costa Rica’s Protection of Persons Regarding the Processing of their Personal Data No. 8968 of 2011, known as the Law for short, is a data protection law that was passed in 2011. While the Law places various obligations on data controllers in accordance with other data privacy laws such as the Canadian PIPEDA law and the California Privacy Rights Act or CCPA for short, the Protection of Persons Regarding the Processing of their Personal Data No. 8968 of 2011 has not been strictly enforced within Costa Rica as of to date. As a result of this, compliance with the law as it pertains to government and the private sector has been reported to be extremely low. Nevertheless, the Law does provide Costa Rican citizens with some semblance of protection, as it outlines the responsibilities of both data controllers and processors.

What is the scope and applicability of the Law?

In terms of the personal scope of the law, all individuals, business organizations, and government agencies are required to maintain compliance at all times. However, there are exceptions to this scope, as “The Law will not be applicable to any database held by individuals or legal entities for exclusively internal, personal, and/or domestic purposes”. As it relates to the territorial jurisdiction and scope of the law, the Protection of Persons Regarding the Processing of their Personal Data No. 8968 of 2011 states that “the Law applies to personal data held in automated or manual databases of public or private organizations, and any form of subsequent use of such data, which has effect within the territory of Costa Rica, or where Costa Rican legislation applies by virtue of the conclusion of a contract or international law”.

Alternatively, the material scope of the law is applicable to “personal data contained in automated or manual databases, public or private organizations, and any form of subsequent use of such data within the territory of Costa Rica, or where applicable to Costa Rican legislation by virtue of the conclusion of a contract or international law”. What’s more, the law defines personal data to mean “Any information that relates to an identified or identifiable living individual”, while sensitive data is defined to mean “information concerning sensitive information of a person, that may not be stored except in very specific circumstances. This includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, spiritual convictions, socioeconomic condition, biomedical or genetic information, health, sex life, and sexual orientation”.

What are the data protection principles set forth by the Law?

Under the Law, data processors and controllers within Costa Rica must uphold and act in accordance with various principles geared towards protecting the data privacy rights of citizens. These principles include the following:

• Principle of informed consent– The law states that express, informed consent is mandatory for all processing of personal data, in the absence of an exemption.
• Purpose limitation– Personal data may only be collected and used for explicit, specific, and legitimate purposes, personal data may not be collected or used for any context outside of these purposes.
• Accuracy– All personal data that is collected and processed must be accurate, and data controllers are charged with taking the necessary measures to ensure that personal data is neither inaccurate nor incomplete, with respect to the purposes for which said personal data was collected, processed, rectified, or deleted.
• Up to date– All personal data that is collected and processed must be current, and personal data may not be held for any period longer than is necessary to fulfill the purposes for which it was collected.
• Truthfulness– Data controllers are obliged to modify or delete personal data that is found to be incorrect. Similarly, data processors are also obliged to ensure that personal data is processed in a manner that is both truthful and lawful.

In addition to these data protection principles, one of the other major aspects of the Law is data controllers and processors’ responsibility to obtain the expressed and informed consent of data subjects prior to collecting or processing their data. Per the law, consent must be “unequivocal, freely given, specific, and delivered by written or digital means”. Furthermore, when obtaining consent from data subjects, the following information must be provided:

• The existence of a private database for the purposes of storing personal data.
• The purposes for the collection of personal data.
• The final recipients of a data subject’s personal data, as well as any other third parties or individuals who will also have access to said personal data.
• Whether it is mandatory for a data subject to provide a data controller with their personal data, and the consequences that can result from choosing not to do so.
• Information detailing the rights of data subjects under the law.
• The name and address of the company that will administer and manage the database.

What are the rights of data subjects under the law?

In addition to the provisions of the Law being enforced in a lackluster manner, the rights of data subjects under the Protection of Persons Regarding the Processing of their Personal Data No. 8968 of 2011 are also severely lacking when compared to many modern privacy laws. To illustrate this point further, the law does not provide Costa Rican citizens with the right to be informed, the right to object or opt-out, the right to data portability, or the right not to be subject to automated decision making as it relates to the collection and processing of their personal data. However, the law does give data citizens the right to access, rectification, and erasure. As it relates to a data subject’s right to erasure, data controllers and processors also maintain the right to refuse such requests.

With respect to data controllers and processors who are found to be in violation of the law, the Protection of Persons Regarding the Processing of their Personal Data No. 8968 of 2011 is enforced by the Costa Rican Data Protection Authority or PRODHAB for short. As such, the PRODHAB has the authority to issue a variety of punishments in accordance with the law. These punishments include a fine ranging from $3,000 to $18,000. In more severe cases of non-compliance, the PRODHAB also has the power to require that a particular data controller or processor discontinue the use of their database for a period of time ranging from one month to six months.

While Costa Rica still has a long way to go as it relates to the enforcement of the Protection of Persons Regarding the Processing of their Personal Data No. 8968 of 2011, the law nonetheless serves as some barrier to the invasion of privacy of Costa Rican citizens. In this way, Costa Rica is in a similar position to many other countries around the world that have some level of privacy legislation on the books, albeit in an outdated context in relation to the realities of personal data and privacy in the age of the internet. To this end, Costa Rican citizens can remain hopeful that enhanced an enhanced comprehensive privacy policy will be passed within the country in the near future.