Costa Rica Makes Pro-Business Data Protection Changes

By David Haskel

Costa Rica has introduced a series of changes to its personal data protection legislation that have the potential to make life easier for multinational companies and advance data owners’ rights, privacy professionals told Bloomberg BNA.

Executive Decree JP-40008 drops a previous requirement to register databases held by different units of a single company that share information with each other.

Regarding consent, Decree JP-40008 introduces the principle of “unequivocal” assent. Database holders must be in a position to prove to Prohab that they have obtained this consent “in an indubitable fashion” and must provide data owners access to their own information.

Additionally, the decree makes clear that if a database holder subcontracts services, it remains the main responsible of the data security and integrity before the law. It also clarifies how the 10-year “right to be forgotten” principle must be calculated and allows the two sides to negotiate freely what exact date should be taken as a starting point, she added.

Companies that need to internationally transfer data within its business unit and companies that market data will benefit from this law. Dropping the registration requirement and lowering fees were major demands made by both local and international companies, Gabriela Arroyo, an attorney with Soley, Saborio & Asociados law firm in San Jose, Costa Rica, told Bloomberg BNA Dec. 22.

The new law also scraps the concept of “super-user,” which in the past gave Costa Rica’s Citizens Data Protection Agency (Prodhab) the right to gain unrestricted access to listed databases. Additionally, it tightens up the procedures that database holders must follow to get owners’ consent for data transfers and makes a two-point cut in royalties paid by database holders that market information.

“Those features were causing a lot of concern to companies,” she said.

Companies Bid Farewell to ‘Super User’

“The notion of super-user made no sense at all,” Viviana Solis, a lawyer at Costa Rica’s Legal Business Advisors told Bloomberg BNA Dec. 22. This concept, unique to the Central American nation, wasn’t mentioned in Costa Rica’s Personal Data Protection Act enacted in 2011 and was only adopted through its implementing regulations issued in 2013, she said.

Prior super-user powers by Prodhab were particularly troublesome for companies because those powers could run right against confidentiality clauses that are a common business feature, privacy professionals said.

Therefore, the need to comply with them had the potential to expose firms to sanctions arising from a breach of contract scenario, Arroyo said.

Additionally, the super-user clause’s vague language was giving excessive discretionary powers to the head of Prodhab. “Getting rid of this clause was one of the main achievements of the reform,” she said.

Easier Data Sharing Within Companies

“Previously, a company with a unit in Costa Rica and headquarters in the U.S. needed to register its database in order to be allowed to shuffle data back and forth,” Arroyo said. “Now, only the transfer of information between two parties on a for-profit basis requires database listing.” This waiver applies even if the two sides operate under different brand names.

However, Solis said, it would be wise for companies to register with Prodhab nonetheless. By doing so, “they will be regarded as companies eager to comply with local and international security, quality and confidentiality data-use standards, which these days is extremely important,” she said.

“This reform gives a respite to multinationals operating in Costa Rica in the sense that if they are part of one economic group and they don’t disseminate, distribute to third parties, sell or commercialize their databases, they can share their content among them” without a need to register, Solis said.

To contact the reporter on this story: David Haskel in Buenos Aires at

To contact the editor responsible for this story: Donald G. Aplin at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.