Costa Rica’s Law No. 8968 of 2011, Securing Data Privacy

Costa Rica’s Protection of Persons Regarding the Processing of their Personal Data No. 8968 of 2011, known as the Law for short, is a data protection law that was passed in 2011. While the Law places various obligations on data controllers in line with other data privacy laws such as the Canadian PIPEDA law and the California Privacy Rights Act or CCPA for short, the Protection of Persons Regarding the Processing of their Personal Data No. 8968 of 2011 has not been strictly enforced within Costa Rica to date. As a result, compliance with the law in both government and the private sector has been reported to be extremely low. Nevertheless, the Law does provide Costa Rican citizens with some semblance of protection, as it outlines the responsibilities of both data controllers and processors.

What is the scope and applicability of the Law?

In terms of the personal scope of the law, all individuals, business organizations, and government agencies are required to maintain compliance at all times. However, there are exceptions to this scope, as “The Law will not be applicable to any database held by individuals or legal entities for exclusively internal, personal, and/or domestic purposes”. As it relates to the territorial jurisdiction and scope of the law, the Protection of Persons Regarding the Processing of their Personal Data No. 8968 of 2011 states that “the Law applies to personal data held in automated or manual databases of public or private organizations, and any form of subsequent use of such data, which has effect within the territory of Costa Rica, or where Costa Rican legislation applies by virtue of the conclusion of a contract or international law”.

The material scope of the law, in turn, covers “personal data contained in automated or manual databases, public or private organizations, and any form of subsequent use of such data within the territory of Costa Rica, or where applicable to Costa Rican legislation by virtue of the conclusion of a contract or international law”. What’s more, the law defines personal data to mean “Any information that relates to an identified or identifiable living individual”, while sensitive data is defined to mean “information concerning sensitive information of a person, that may not be stored except in very specific circumstances. This includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, spiritual convictions, socioeconomic condition, biomedical or genetic information, health, sex life, and sexual orientation”.

What are the data protection principles set forth by the Law?

Under the Law, data processors and controllers within Costa Rica must uphold and act in accordance with various principles geared towards protecting the data privacy rights of citizens. These principles include the following:

In addition to these data protection principles, one of the other major aspects of the Law is data controllers and processors’ responsibility to obtain the expressed and informed consent of data subjects prior to collecting or processing their data. Per the law, consent must be “unequivocal, freely given, specific, and delivered by written or digital means”. Furthermore, when obtaining consent from data subjects, the following information must be provided:

What are the rights of data subjects under the law?

In addition to the provisions of the Law being enforced in a lackluster manner, the rights of data subjects under the Protection of Persons Regarding the Processing of their Personal Data No. 8968 of 2011 are also severely lacking when compared to many modern privacy laws. To illustrate this point further, the law does not provide Costa Rican citizens with the right to be informed, the right to object or opt-out, the right to data portability, or the right not to be subject to automated decision making as it relates to the collection and processing of their personal data. However, the law does give data subjects the right to access, rectification, and erasure. As it relates to a data subject’s right to erasure, data controllers and processors also maintain the right to refuse such requests.

With respect to data controllers and processors who are found to be in violation of the law, the Protection of Persons Regarding the Processing of their Personal Data No. 8968 of 2011 is enforced by the Costa Rican Data Protection Authority or PRODHAB for short. As such, the PRODHAB has the authority to issue a variety of punishments in accordance with the law. These punishments include a fine ranging from $3,000 to $18,000. In more severe cases of non-compliance, the PRODHAB also has the power to require that a particular data controller or processor discontinue the use of their database for a period of time ranging from one month to six months.

While Costa Rica still has a long way to go as it relates to the enforcement of the Protection of Persons Regarding the Processing of their Personal Data No. 8968 of 2011, the law nonetheless serves as some barrier to the invasion of privacy of Costa Rican citizens. In this way, Costa Rica is in a similar position to many other countries around the world that have some level of privacy legislation on the books, albeit in an outdated context in relation to the realities of personal data and privacy in the age of the internet. To this end, Costa Rican citizens can remain hopeful that an enhanced, comprehensive privacy policy will be passed within the country in the near future.
