According to a Bloomberg BNA report, privacy professionals stated that several changes to Costa Rica’s personal data protection legislation were recently introduced. These changes are intended to make life for multinational companies easier. They are also designed to further the rights of data owners.
Under the legislation, officially known as Executive Decree JP-40008, an earlier requirement whereby registered databases held by different units within the same company had to share information was dropped. As for consent, this legislation introduces a principle known as “unequivocal” assent. With this, database holders are required to be in a position where they can prove to Prodhab, Costa Rica’s Citizens Data Protection Agency, that they were granted consent “in an indubitable” fashion. They must also give data owners access to their own information.
The decree goes on to state that if any services are subcontracted, the database holder is still primarily responsible for data integrity and security before the law. Another thing clarified in the decree is how the decade-long “right to be forgotten” principle has to be calculated. As part of this new decree, both sides are allowed to freely negotiate regarding the exact date to use as a starting point.
The companies that will benefit the most from this law are those that need to transfer data internationally within their business unit, as well as companies that market data. The biggest demands made by local and international companies pertained to dropping the requirement for registration and reducing fees, according to Gabriela Arroyo, attorney with Soley, Saborio & Asociados law firm in San Jose, Costa Rica.
However, there were other aspects of this new law. For example, it eliminates the “super-user” concept, which in the past allowed Prodhab to have unrestricted access to listed databases. In addition, this law tightens procedures that database holders have to follow in order to get an owner’s consent for data transfers. The law also cuts two points in royalties that database holders are paid for market information. As imagined, many companies are concerned.
Goodbye to “Super-User”
Viviana Solis, attorney at Costa Rica’s Legal Business Advisors, said to Bloomberg BNA in December, “The notion of ‘super-user’ made no sense at all”. This concept, which was unique to this Central American country, was never mentioned in the 2011 Personal Data Protection Act. Instead, it was only adopted in 2013 through the implementation of regulations.
Particularly troublesome for companies were Prodhab’s prior super-user powers, because they created the potential to run against confidentiality clauses that are a common business feature. As Arroyo explained, companies that had to comply were put at serious risk of being sanctioned for breach of contract.
The other issue is that the language used in the clause for super-user is extremely vague. Therefore, it lends incredible discretionary powers to the head of Prodhab. As stated by Arroyo, “Getting rid of this clause was one of the main achievements of the reform.”
Data Sharing within Companies Becomes Easier
“Previously, a company with a unit in Costa Rica and headquarters in the U.S., needed to register its database before they could shuffle data back and forth”, Arroyo said. “Now, only the transfer of information between two parties on a for-profit basis requires database listing”. Even if both sides operate under different brands, this waiver applies.
Solis strongly recommended that companies go ahead and register with Prodhab in that “they will be regarded as companies eager to comply with local and international security, quality, and confidentiality data-use standards, which these days is extremely important.”
Solis went on to say, “This reform gives a respite to multinationals operating in Costa Rica in the sense that if they are part of one economic group and don’t disseminate, distribute to third parties, sell, or commercialize their databases, they can share their content among them, without a need to register.”