This post was written by Cynthia O’Donoghue.
Costa Rica’s 2011 data protection law came into force March 5, 2013, and Peru’s law took effect April 22, 30 days after Peru published its implementing regulations. While this imposes new obligations on businesses operating or looking to do business in these countries, as with other data protection laws modelled on the EU’s data protection regime, it will boost trust and should result in increased trade in these two markets; and given the similarity to the EU data protection regime, we are likely to see these countries apply for adequacy status in the future.
The Costa Rican law requires data subject consent for any processing, e-commerce sites must publish privacy notices, and individuals must have a private right of action if their personal data are published. Data controllers are required to register their processing with the Prodhab and give it a "superuser" account for their databases, even where those databases are maintained or hosted by a third party. The regime also requires organisations to report data breaches within five days of becoming aware of the breach. Costa Rica intends to introduce additional data protection rules for the financial sector later this year.
Peru’s data protection regime also emphasises data subject consent and imposes a high threshold, requiring consent to be "free, prior, express, informed and unequivocal." As in the EU, individuals may revoke consent at any time, without justification and with no retroactive or punitive effects. The purposes of processing must be clearly and objectively conveyed to individuals by the data controller. Other "guiding principles" focus on data integrity, quality and security, and, like those of Spain and Argentina, the Peruvian regulations contain specific security standards. Cross-border transfers of personal data are permitted only if the entity receiving the data assumes, in a written agreement, the same obligations as the transferor, which is also similar to the European model clauses. In addition, all databases containing personal information must be registered with the new National Registry of Data Protection. While the whole system appears to be comprehensive and similar to well-established data protection models, how effective it will be is questionable, given the relatively low fines for non-compliance, which range from $289 to $14,430.