Costa Rica’s quest for an omnibus privacy law took a major step forward on April 27, 2011, when the Supreme Court of Justice of Costa Rica gave its stamp of approval to a far-ranging piece of privacy legislation, finding that it had no constitutional defects. In March 2011, the bill, known as the law of “Protection of the Person in the Processing of His Personal Data” (Protección de la Persona Frente al Tratamiento de sus Datos Personales), survived an initial vote in the unicameral Legislative Assembly. The bill has now been returned to the Legislative Assembly.
If passed in its current form, the law would impose a legal regime modeled on the European Union data protection framework and would regulate almost all processing of all personal data. It would require express written consent for many processing activities, and it would create a new data protection authority within the Ministry of Justice, the “Agency for the Protection of Citizens’ Data” (Agencia de Protección de Datos de los habitantes). This agency, also known as Prodhab, would have authority to inspect databases suspected of being mismanaged, and it could impose sanctions for noncompliance with the law.