Reform of the Data Protection Law in Costa Rica: Proposals for improvement
If the last few months have taught us anything, it is that the protection of personal data is of paramount importance, especially in the face of the inevitable digitization of society. Nevertheless, it has been shown on several occasions that the Law on Protection of the Person against the Treatment of Personal Data (Data Protection Law) urgently requires comprehensive reform. In this regard, the proposal presented along these lines by Deputy Enrique Sanchez is positive and can provide the basis for a serious discussion.
However, we consider that the Sanchez proposal, due to its form and substance, requires careful handling. We assume, therefore, that the Deputy’s presentation is synonymous with openness to constructive perspectives that result in a consensual, robust, but above all, effective Proposal.
In the first place, although the intention to provide the Data Protection Agency (PRODHAB) with greater independence is laudable, the path proposed for that purpose would be unconstitutional. Since 1991, the Constitutional Chamber has held that it is contrary to the division of powers to attribute executive and sanctioning authority to an organ of the Legislative Branch by ordinary law.
On the contrary, what is legally feasible and technically appropriate is for PRODHAB to adopt the form of a decentralized public entity. Only in this way would it enjoy full administrative, functional and budgetary autonomy to exercise its functions without interference from the Government in office.
Essentially, numerous elements must be carefully reviewed. The following are just some of the points that call for further discussion:
- Across the globe, the main data protection regulations have resorted to the principle of active responsibility of those who are obligated to protect instead of seeking the mandatory registration of databases and their protocols. Despite this, the proposal, as outlined, includes the mandatory registration of practically all databases with the consequent payment of an annual fee of $300.00. Non-registration would be considered a most serious offense, which is blatantly unreasonable.
- Nowadays, it is practically impossible to process personal data without turning to a “treatment manager,” a third party that performs support tasks, such as data storage, for the person responsible for the treatment of such information in order to fulfill certain marketing needs. Yet the bill is silent in this regard and, without a doubt, a regulation on the subject would provide greater assurance.
- The penalties included are disproportionate and unbalanced, which would be unconstitutional. A fine of up to 6% of a company’s global income could be levied (an even worse penalty than provided by the main international standards on the matter such as the General Data Protection Regulation of the European Union). Yet, on the other hand, there are no real or sufficiently dissuasive sanctions against public institutions and/or public officials who violate this Law.
- Instead of establishing clear parameters to signal when it is necessary to appoint a Data Protection Officer, the Agency is given the power to define when such an officer is required. Rather than allow a controlled development of the handling of personal data, the Sanchez draft considerably centralizes power in the Data Protection Agency, favoring bureaucratic control over the active responsibility of agents.
- The regulation on sensitive data is confusing and contains the possibility of extending the definition of such data by decree, which could violate the principle of reservation of law in matters of fundamental rights. Beyond prohibiting the processing of personal data (required for a significant number of lawful activities), a series of clear guidelines should be established for their treatment and the avoidance of their inappropriate use, but without limiting the importance of such data in many areas.
- Some of the exceptions to informed consent are dangerous and highly generic. For example, the current authorization that empowers public institutions to process (and therefore share) personal data is maintained without the need for consent or justifying the treatment. The only two exceptions to informed consent in the public sector should be (a) the passage of a Law that expressly exempts that consent and (b) the existence of an order from a Judge of the Republic. In any case, no exception to consent and informational self-determination in the public sector should be imposed without demanding safeguard measures, proportional use, and dismissal sanctions for reluctant officials.
As indicated, Costa Rica urgently needs to reform its legal framework for the protection of personal data. This reform should allow the country to adhere to Convention 108 (the main international treaty on the matter) and also seek to be declared a suitable country for the international transfer of personal data from member nations of the European Union, which today represents a competitive advantage.
Finally, the open debate over this proposal should be used to go beyond just “tropicalizing” foreign regulations. The adoption of new methods and mechanisms could well be used to place Costa Rica at the forefront in terms of protection standards, such as data trusts and other collective data safeguards.
In any case, reform to the Data Protection Law must balance the importance of personal data and the need to take timely advantage of it, with the right to privacy and fair treatment of such information. Any attempt to make us believe that we have to give up one to get the other must be ignored.