Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations. Read more »


I. Legal framework

Constitutional privacy framework

The Constitution of the Republic of Costa Rica1 does not protect privacy as such, but it allows for the protection of intimacy and the right to secret communications. Article 24 reads: "The right to intimacy, freedom and secret of communications is guaranteed."

Besides setting out the right to intimacy, Article 24 of the Constitution has been recently amended2 to provide a thorough and strict framework for wiretapping, other invasions of the personal space, and violations of the basic right to private communications. Article 24 reads:

"Private documents and written, verbal or other communications of the inhabitants of the Republic are inviolable. However, a law, which enactment and amendment shall require the vote of at least two thirds of the entire membership of the Legislative Assembly, shall determine those cases in which courts of justice may order the seizure, search, or examination of private documents, whenever this is absolutely necessary to clarify matters submitted to their cognizance.

Likewise, this law shall determine the cases in which courts of justice can order the interception of any communication and indicate the investigation of offences in which the use of this exceptional investigatory power can be authorized; and the period of time during which such an intervention shall be permitted. The law shall also determine the responsibilities and penalties of any officials who illegally apply this exception. Any judicial resolution under this provision shall be duly motivated and can be immediately enforced. Its application and control shall be the responsibility of judicial authorities and cannot be delegated . . .

A special law, passed by two thirds of the entire membership of the Legislative Assembly, shall determine which other bodies of the Public Administration shall be authorized to examine the documents established by said law in the performance of their duties of regulation and control for public ends. This law shall also provide the cases when such an examination is appropriate.

Any correspondence seized or information obtained as a result of the illegal interception of any communication shall have no legal effect."

Data Protection Bills

There is no statutory protection of privacy in Costa Rica. However, there are currently three different bills under discussion that attempt to regulate the automated processing of personal data and ensure the protection of information self-determination.

The first bill (No. 147783) amends the existing Law of Constitutional Jurisdiction.4 This law regulates the individual complaints to the Costa Rican Constitutional Court. At this time, the law recognizes three actions, habeas corpus, amparo and the unconstitutionality action.5 The new bill would create another individual complaint called habeas data, meaning "you should have the data."6 This type of complaint can be brought up by any citizen against any register to find out what information is held about him or her. That person can request the rectification, update or even the destruction of the personal data held, most of the time, regardless of whether the register is private or public. The legal nature of the individual complaint of habeas data is that of voluntary jurisdiction, which means that the person whose privacy is being compromised can be the only one to present it. The courts do not have any power to initiate the process by themselves.7

The second bill (No. 147858) has a similar structure to the first one, as it attempts to reform the Law of Constitutional Jurisdiction to add the habeas data procedure to the list of individual constitutional complaints accepted by the Constitutional Court. In both projects, the habeas data complaint does not require the creation of supervisory bodies, as it uses the existing rights enforced by the Constitutional Court.

The third bill (No. 151789) is not a habeas data project, but rather an attempt to implement a European-style data protection regime in Costa Rica. The intellectual precursor of this project seems to emanate from a close reading of the European Union Data Protection Directive,10 as it follows closely its structure, and of several Latin American versions of data protection legislation based on the European model, such as legislation from Argentina and Chile.11 The definitions and principles of the bill are very similar to the EU directive and the Argentine data protection law.12 The bill also contains an export restriction principle and creates a new governmental supervisory authority, the Agencia para la Protección de Datos Personales (PRODAT), which will have very similar functions to that of European data protection authorities. The PRODAT will report to the Parliament, having the highest level of an agency has ever obtained by statutory law in Costa Rica. It will be empowered to create administrative rulemakings against individuals and corporations who violate data protection rules, including the power to fine and prohibit commercial activities for a limited time, and through a procedure respectful of due process.

It is unfortunate that all legislative efforts in Costa Rica are being spent on these three bills. The bills are assigned to the parliamentary Commission of Juridical Affairs and can only be examined after the discussion about the new Criminal Code.13 While the first two are very similar and can be implemented almost immediately after approval from the Costa Rican Parliament, the third bill is simply a parroting of the EU Data Protection Directive, with very little regard to the effectiveness of the European data protection model. This could have been an opportunity to marry both the habeas data style of data protection and the European style into a hybrid law that could have brought together the best of both regimes. However, some experts believe that it is not necessary to create a statute on habeas data in Costa Rica since the Constitutional Chamber of the Supreme Court of Justice has already created by case law a special kind of amparo, by regulating both material and procedural rules related to data protection.14 In any case, the habeas data in other Latin American countries has been unable to prevent violations of privacy.15

The Judicial Affairs Commission of the Legislative Assembly passed these bills; however, they have not been discussed yet in the Legislative Plenary. The US-CAFTA Free Trade Agreement has the priority in the Legislative Plenary. This circumstance makes it difficult to forecast the fate of data protection regulation in 2007, although data protection will likely remain on the legislative agenda since free trade negotiations with the European Union have begun.16

The General Telecommunications Bill17 Article 45 generally protects personal data related to telecommunications, especially in traffic data, as well as that of the communications themselves. However, effective protection under the law would depend on the specific regulations enacted by the Executive Branch.

The Electronic Commerce Bill establishes that electronic contracts have full legal validity and will produce all legal effects.18 The bill also provides that Internet Service Providers (ISPs) will not be liable for damages caused by information flowing over their networks if the ISPs only transmit or host the information of their clients. ISPs must, as soon as they become aware of the situation, communicate to the appropriate law enforcement authority if clients´ information transmitted through their networks appears to be illicit. Finally, the bill establishes that all ISPs must implement technological mechanisms to block the services of any provider when it is ordered by a competent judicial or administrative authority, whether as a precautionary measure (medida cautelar) or in the execution of legal resolutions.19