By David Haskel
Costa Rica has introduced a series of changes to its personal data protection legislation that have the potential to make life easier for multinational companies and advance data owners’ rights, privacy professionals told Bloomberg BNA.
Executive Decree JP-40008 drops a previous requirement to register databases held by different units of a single company that share information with each other.
Regarding consent, Decree JP-40008 introduces the principle of “unequivocal” assent. Database holders must be in a position to prove to Prohab that they have obtained this consent “in an indubitable fashion” and must provide data owners access to their own information.
Additionally, the decree makes clear that if a database holder subcontracts services, it remains the main responsible of the data security and integrity before the law. It also clarifies how the 10-year “right to be forgotten” principle must be calculated and allows the two sides to negotiate freely what exact date should be taken as a starting point, she added.
Companies that need to internationally transfer data within its business unit and companies that market data will benefit from this law. Dropping the registration requirement and lowering fees were major demands made by both local and international companies, Gabriela Arroyo, an attorney with Soley, Saborio & Asociados law firm in San Jose, Costa Rica, told Bloomberg BNA Dec. 22.
The new law also scraps the concept of “super-user,” which in the past gave Costa Rica’s Citizens Data Protection Agency (Prodhab) the right to gain unrestricted access to listed databases. Additionally, it tightens up the procedures that database holders must follow to get owners’ consent for data transfers and makes a two-point cut in royalties paid by database holders that market information.
“Those features were causing a lot of concern to companies,” she said.
“The notion of super-user made no sense at all,” Viviana Solis, a lawyer at Costa Rica’s Legal Business Advisors told Bloomberg BNA Dec. 22. This concept, unique to the Central American nation, wasn’t mentioned in Costa Rica’s Personal Data Protection Act enacted in 2011 and was only adopted through its implementing regulations issued in 2013, she said.
Prior super-user powers by Prodhab were particularly troublesome for companies because those powers could run right against confidentiality clauses that are a common business feature, privacy professionals said.
Therefore, the need to comply with them had the potential to expose firms to sanctions arising from a breach of contract scenario, Arroyo said.
Additionally, the super-user clause’s vague language was giving excessive discretionary powers to the head of Prodhab. “Getting rid of this clause was one of the main achievements of the reform,” she said.
“Previously, a company with a unit in Costa Rica and headquarters in the U.S. needed to register its database in order to be allowed to shuffle data back and forth,” Arroyo said. “Now, only the transfer of information between two parties on a for-profit basis requires database listing.” This waiver applies even if the two sides operate under different brand names.
However, Solis said, it would be wise for companies to register with Prodhab nonetheless. By doing so, “they will be regarded as companies eager to comply with local and international security, quality and confidentiality data-use standards, which these days is extremely important,” she said.
“This reform gives a respite to multinationals operating in Costa Rica in the sense that if they are part of one economic group and they don’t disseminate, distribute to third parties, sell or commercialize their databases, they can share their content among them” without a need to register, Solis said.
To contact the reporter on this story: David Haskel in Buenos Aires at firstname.lastname@example.org
To contact the editor responsible for this story: Donald G. Aplin at email@example.com
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to firstname.lastname@example.org.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to email@example.com.
Put me on standing order
Notify me when new releases are available (no standing order will be created)