Nearshore Americas

Examining the Scope of Costa Rica’s Data Protection Laws

In the past decades Costa Rica has become an increasingly significant provider of outsourcing services in Latin America. Its efforts to foster a knowledge economy and attract foreign investment in information and computer technology date as far back as 1996, when it became the site of Intel’s first plant in Latin America. By 2012, Costa Rica was home to more than 100 multinational corporations with IT and BPO outsourcing operations, had hundreds of local firms providing these services, and maintained several incubators. Today, despite Intel’s recent closing of its operations in the country, Costa Rica continues to serve as an important outsourcing hub in the region.

Costa Rica’s approach to data protection is one key factor when considering whether the nation will be able to retain multinational corporations and attract new investment. Its data protection laws are modeled after the European Union’s Data Protection Directive and provide a familiar environment for companies accustomed to operating within the EU framework. Costa Rica’s data protection laws differ in some important ways, however.

Most notably, they give the Costa Rican government full access to registered databases in certain instances through “superusuario” or “super-user” accounts. Corporations interested in starting outsourcing operations in Costa Rica must understand this powerful right and how the government can wield it.

Costa Rica’s Data Protection Basics

Broadly speaking, Costa Rica’s laws governing the collection and use of personal data follow the EU model, primarily based upon September 2011’s Law No. 8968, the Ley de Protección de la Persona Frente al Tratamiento de sus Datos Personales (the Law for Protection of the Person with Regards to the Processing of his or her Personal Data).

The regulations were elaborated and expanded in March 2013, and require the informed consent of data holders before personal data can be collected or transferred, and institute various safeguarding mechanisms to protect data. The laws distinguish between personal data and sensitive data, a subset of personal data that might be used to discriminate against the holder (such as data relating to race or sexual orientation), and have stronger requirements for obtaining consent and for the processing of sensitive data.

Subject to certain exceptions, databases must be registered with the Agency for the Protection of Data of Residents (PRODHAB), an independent regulatory agency affiliated with the Ministry of Justice and Peace. Under the laws, data holders have the right to access, and as applicable, correct or remove their data. There are standards for security requirements and updating of databases, as well as a scale of applicable penalties for violations of the laws.

Super-user Accounts

The March 2013 update introduced a concept that had not been previewed or contemplated previously, and it was thus met with concern. Under Article 45, owners of registered databases are required to create a “super-user” profile for the PRODHAB, at the owner’s expense, at the time of the registration of the database. The “super-user” status gives the PRODHAB the capacity to freely search the relevant database with no restriction. The agency is not permitted to use its super-user capacities whenever it chooses; it is supposed to do so only when there is evidence of, or a written complaint alleging, mismanagement of the database. The PRODHAB is tasked with establishing guidelines to guarantee compliance with privacy and with keeping detailed records regarding searches performed with these accounts.

The PRODHAB’s website attempts to address criticism regarding the powers of the super-user, offering justifications of the purpose of these accounts and pointing out their limits (many of which are not described in the language of the law). Its FAQ explains that the purpose of the super-user right is to protect individual data holders and reminds readers that the agency’s personnel have confidentiality obligations that prevent them from misusing information or violating personal rights of data holders. It states that, contrary to the multiple news reports of third parties, the PRODHAB is not overstepping its authority but instead acting as a guide or auditor.

Directly acknowledging the concerns raised by the private sector, the agency says that it has access only to personal data of individuals, and that, for example, it has no access to information regarding business and banking transactions, financial statements, or other company files that do not include data of a personal nature. Though the regulations grant super-users broad search rights, the FAQ says that super-users will only have access to certain personal data that is placed in a shared folder by the owner of the database using special software.

What Databases Must Be Registered?

It is important to realize that only registered databases are required to have super-user accounts. But what databases must be registered with the PRODHAB? Simply put, those that are subject to Costa Rican law and are used for commercial purposes.

As defined by the laws, “commercializing” means selling, negotiating, exchanging, transferring or pledging for financial gain, in favor of a third party, whether one or more times, the personal data in a database. The agency’s guiding criteria in determining whether a database is commercial are the use of the personal data, the purposes of such use, and the level of conservation, protection and maintenance that the data is given.

In other words, the PRODHAB’s concern is safeguarding personal data, and it makes its best assessment of whether a database has a commercial or internal nature with this value in mind. It appears to be inclined to see any activity that jeopardizes the safety and privacy of personal data, especially activity that benefits the owner or operator of the database in a tangible way, as potentially commercial and meriting the PRODHAB’s direct oversight.

Implementing Data Protection Laws

The date for public and private entities to comply with the requirements of the Data Protection Laws was in June 2014. Today, the PRODHAB’s website has a public list of all registered databases with information about their owners and their good standing. There are about 50 databases on the list, a significant number of which were registered in the past month or so. Notably, several of the databases have been registered by the local subsidiaries of large multinational companies.

Despite initial concerns that super-user accounts could lead to misuse of government power, the PRODHAB appears to be moving slowly and cautiously on the implementation and enforcement of the data protection laws, and there has not been a significant backlash to it from the local or international business community. In part, this gradual approach has been necessary because the agency has itself needed time to grow its staff, begin operations and provide further guidance on ambiguities and open points in the regulations.

However, the Costa Rican government is surely also trying to balance its competing interests of protecting the data of individuals and maintaining a regulatory environment attractive to BPO and IT outsourcing and technology companies generally. Companies with a presence in Costa Rica, or that are considering a move there, should continue to watch for developments in these areas and carefully analyze how data protection laws would apply to their practices and their databases.

Cecile Zwiebach
