Central America Moves to Catch Up on Privacy

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Ivan Castano

Jan. 22 — Central America is moving to develop a more advanced data protection regime, with Costa Rica and Panama hosting the most advanced statutory and regulatory frameworks and Honduras and El Salvador working to improve theirs, practitioners and academics told Bloomberg BNA.

“The region is much more backward than Mexico and most South American countries like Argentina, Chile, Colombia and Peru,” Cedric Laurant of the Cedric Laurant law firm in Mexico City said. “Legislators don't see this as a priority. There are large family-owned business groups that manage everything and see these laws as a threat to their business. Very few people have Internet access or know how to use a computer.”


Costa Rica has the most developed privacy rein, followed by Panama and by Nicaragua—which has a privacy statute but lacks an enforcement agency. Guatemala is working to tweak its public information access law to include private data protection. In Honduras, legislators are working to pass a 2014 law through Congress while El Salvador is starting to discuss the issue.

Costa Rica Leads Privacy Efforts

“Costa Rica has the most advanced law in Central America,” Alfredo Chirino, dean of the University of Costa Rica Law Faculty in San José, Costa Rica, said. “It is based on the European model, particularly on Spain and Germany's data protection laws.

Chirino, who also advises the Justice Ministry on privacy matters, said the country enacted its data protection framework statute—the Law to Protect a Person from the Treatment of Their Personal Data—in 2012 in synch with its free-trade agreement with the European Union. “We wanted to a do a regulation that was compatible with Europe,” he said.

A data protection authority, the Agency to Protect Citizens' Data (Prodhab) was established in 2014 and implementing regulations for the statute were set in 2015, Chirino said, but noted that enforcement of the law has been weak. The thinly-staffed Prodhab has issued just 10 recommended decisions on enforcement cases. “The idea was to staff the agency with 15 people but so far there are only five,” Chirino said. There aren't enough personnel to conduct the audits the Prodhab is required to conduct by the law, he said.

Costa Rica's Congress is working to modify the implementing regulation and may conclude the effort by the end of February 2016, Chirino said.

Costa Rican Business Concerns

The regulation restricts international data exchanges between parent and subsidiary companies and demands that companies allow Prodhab access to monitor and potentially alter company databases, triggering concerns from some businesses that it would undermine their operations.

“Some multinationals are worried because they can't share data, such as that involving customers or suppliers, with their divisions outside the country,” Chirino said, adding that hotels or travel companies in the country's flagship tourism sector often outsource booking or other data management to third parties. “They have asked the Justice Ministry to modify the regulation so that these type of transfers are seen as normal business activities, done internally and not between borders.”

“The DPA has an access key. They can revise your database so its integrity could be affected,” Chirino said.

Under the law, companies processing large data amounts must register their databanks with Prodhab. But only 30 of some 800 large and midsize firms— mainly in the financial, insurance and health sectors—have registered these data pools with the authority, Chirino said.

“This is a very strong and aggressive law that gives the DPA a series of powers that are not compatible with a reasonable data-protection regime,” he said, predicting that the cross-border transfer and DPA database access provisions will be removed from the remodeled regulations. High database registration fees, which Chirino said exceed international standards, may also be cut.

Costa Rica has a large technology, travel and services outsourcing industry “so the government doesn't want to risk losing future investments,” Chirino added.

Meanwhile, Costa Rica's tax authority is demanding large firms provide shareholder databases to help it boost paltry collection rates blamed for a ballooning public deficit. Following business group requests that it intervene in the matter, the DPA ruled that turning over the information would violate stockholders' privacy rights. The Justice Ministry expected to decide the matter in coming weeks.

Panama's Banks

Panama's economy is larger than Costa Rica's but lags in data protection.

“There is no privacy law though the issue has been discussed in the National Assembly,” Antonio Ayala, executive vice president of Riscco Privacy Consultancy in Panama City, said. There is a lack of political will to pass a framework law as Panama's breadwinning banking and financial industry would likely oppose such a move, he said.

Complying with a data protection law “would cost millions of dollars for banks and that's something they are not going to spend on,” he said.

But the banking and insurance sectors do have data security regulations, Ayala said.

“The Superintendency of Banks has established measures for the financial and insurance sectors to have data security controls and policies to protect customers' information,” Ayala said. Stock brokers and related companies will also have to meet similar regulations by mid-2017, he said.

Nicaragua's Nonexistent Privacy Office

In October 2012, Nicaragua approved a framework Personal Data Protection Law, but the government hasn't set up a data protection authority to enforce it.

“There is no administrative power,” Jorge Luis Garcia of PLP Legal in Managua said. There is no date on the horizon for establishing the office, he said.

Garcia said he hopes the issue will gain traction after Nicaragua's elections next year, adding that a growing electronic commerce culture might prompt the government to set up the DPA.

“There are many Asian companies interested in developing digital e-commerce platforms,” he said, “and many banks that want to provide online banking.” Garcia said.

Guatemala, Honduras, El Salvador

Guatemala is moving to reform its Law of Free Access to Public Information, to extend it to the private sector, Guatemala City-based cybersecurity consultant Jose Leonett said. A congressional committee hopes to introduce the reform bill by the end of 2016, he said.

Leonett expects the move will take longer, however, mainly because of Guatemala's small privacy culture and lingering business opposition.

According to Leonett, Guatemala privacy groups have used the public statute to pursue suits against companies, recently winning a big settlement.

In Honduras, a Data Protection and Habeas Data Action bill was introduced in December 2014. However, it remains stuck in Congress, Odin Guillen, a lawyer with IG Abogados & Asociados in Tegucigalpa, Honduras, said. “There is a lot of ignorance about the law and there are political and business interests against it.”

Large family-owned companies in Honduras—which carry heavy government lobbying power—are also countering the initiative, lawyers said.

El Salvador also trails sharply behind. It has data-protection provisions in its Law of Public Access Information, but they are very limited. This has flagged the need for a new data-protection bill, Chirino said.

To contact the reporter on this story: Ivan Castano in Mexico City at correspondents@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com