[Home] [Databases] [WorldLII] [Search] [Feedback] EPIC --- Privacy and Human Rights Report

EPIC --- Privacy and Human Rights Report 2006

Costa Rica

Constitutional Privacy Framework

The Constitution of the Republic of Costa Rica[1873] does not protect privacy as such, but it allows for the protection of intimacy and the right to secret communications. Article 24 reads: "The right to intimacy, freedom and secret of communications is guaranteed."

Besides setting out the right to intimacy, Article 24 of the Constitution has been recently amended[1874] to provide a thorough and strict framework for wiretapping, other invasions of the personal space, and violations of the basic right to private communications. Article 24 reads:

Private documents and written, verbal or other communications of the inhabitants of the Republic are inviolable. However, a law, which enactment and amendment shall require the vote of at least two thirds of the entire membership of the Legislative Assembly, shall determine those cases in which courts of justice may order the seizure, search, or examination of private documents, whenever this is absolutely necessary to clarify matters submitted to their cognizance.

Likewise, this law shall determine the cases in which courts of justice can order the interception of any communication and indicate the investigation of offences in which the use of this exceptional investigatory power can be authorized; and the period of time during which such an intervention shall be permitted. The law shall also determine the responsibilities and penalties of any officials who illegally apply this exception. Any judicial resolution under this provision shall be duly motivated and can be immediately enforced. Its application and control shall be the responsibility of judicial authorities and cannot be delegated . . .

A special law, passed by two thirds of the entire membership of the Legislative Assembly, shall determine which other bodies of the Public Administration shall be authorized to examine the documents established by said law in the performance of their duties of regulation and control for public ends. This law shall also provide the cases when such an examination is appropriate.

Any correspondence seized or information obtained as a result of the illegal interception of any communication shall have no legal effect.

Data Protection Bills

There is no statutory protection of privacy in Costa Rica. However, there are currently three different bills under discussion that attempt to regulate the automated processing of personal data and ensure the protection of information self-determination.

The first bill (No. 14778[1875]) amends the existing Law of Constitutional Jurisdiction.[1876] This law regulates the individual complaints to the Costa Rican Constitutional Court. At this time, the law recognizes three actions, habeas corpus, amparo and the unconstitutionality action.[1877] The new bill would create another individual complaint called habeas data, meaning "you should have the data."[1878] This type of complaint can be brought up by any citizen against any register to find out what information is held about him or her. That person can request the rectification, update or even the destruction of the personal data held, most of the time, regardless of whether the register is private or public. The legal nature of the individual complaint of habeas data is that of voluntary jurisdiction, which means that the person whose privacy is being compromised can be the only one to present it. The courts do not have any power to initiate the process by themselves.[1879]

The second bill (No. 14785[1880]) has a similar structure to the first one, as it attempts to reform the Law of Constitutional Jurisdiction to add the habeas data procedure to the list of individual constitutional complaints accepted by the Constitutional Court. In both projects, the habeas data complaint does not require the creation of supervisory bodies, as it uses the existing rights enforced by the Constitutional Court.

The third bill (No. 15178[1881]) is not a habeas data project, but rather an attempt to implement a European-style data protection regime in Costa Rica. The intellectual precursor of this project seems to emanate from a close reading of the European Union Data Protection Directive,[1882] as it follows closely its structure, and of several Latin American versions of data protection legislation based on the European model, such as legislation from Argentina and Chile.[1883] The definitions and principles of the bill are very similar to the EU directive and the Argentine data protection law.[1884] The bill also contains an export restriction principle and creates a new governmental supervisory authority, the Agencia para la Protección de Datos Personales (PRODAT), which will have very similar functions to that of European data protection authorities. The PRODAT will report to the Parliament, having the highest level of an agency has ever obtained by statutory law in Costa Rica. It will be empowered to create administrative rulemakings against individuals and corporations who violate data protection rules, including the power to fine and prohibit commercial activities for a limited time, and through a procedure respectful of due process.

It is unfortunate that all legislative efforts in Costa Rica are being spent on these three bills. The bills are assigned to the parliamentary Commission of Juridical Affairs and can only be examined after the discussion about the new Criminal Code.[1885] While the first two are very similar and can be implemented almost immediately after approval from the Costa Rican Parliament, the third bill is simply a parroting of the EU Data Protection Directive, with very little regard to the effectiveness of the European data protection model. This could have been an opportunity to marry both the habeas data style of data protection and the European style into a hybrid law that could have brought together the best of both regimes. However, some experts believe that it is not necessary to create a statute on habeas data in Costa Rica since the Constitutional Chamber of the Supreme Court of Justice has already created by case law a special kind of amparo, by regulating both material and procedural rules related to data protection.[1886] In any case, the habeas data in other Latin American countries has been unable to prevent violations of privacy.[1887]

The Judicial Affairs Commission of the Legislative Assembly passed these bills; however, they have not been discussed yet in the Legislative Plenary. The US-CAFTA Free Trade Agreement has the priority in the Legislative Plenary. This circumstance makes it difficult to forecast the fate of data protection regulation in 2007, although data protection will likely remain on the legislative agenda since free trade negotiations with the European Union have begun.[1888]

The General Telecommunications Bill[1889] Article 45 generally protects personal data related to telecommunications, especially in traffic data, as well as that of the communications themselves. However, effective protection under the law would depend on the specific regulations enacted by the Executive Branch.

The Electronic Commerce Bill establishes that electronic contracts have full legal validity and will produce all legal effects.[1890] The bill also provides that Internet Service Providers (ISPs) will not be liable for damages caused by information flowing over their networks if the ISPs only transmit or host the information of their clients. ISPs must, as soon as they become aware of the situation, communicate to the appropriate law enforcement authority if clients´ information transmitted through their networks appears to be illicit. Finally, the bill establishes that all ISPs must implement technological mechanisms to block the services of any provider when it is ordered by a competent judicial or administrative authority, whether as a precautionary measure (medida cautelar) or in the execution of legal resolutions.[1891]

Wiretapping and Surveillance

Wiretapping can only be performed under special circumstances, as specified by Article 24 of the Constitution. Unauthorized violation of personal privacy by the police or any official authorities is considered a criminal offense. Title VI, Sections I and II of the Criminal Code[1892] creates a number of offenses related to individual privacy. For example, Article 198 of the Criminal Code establishes prison sentences from one to three years for any person who intercepts or listens to verbal communications by any medium, or implants a listening device to intercept or listen to a private conversation. If the person committing the offense is a public official, the imprisonment will range between two and six years. In 2001, the Criminal Code was amended to make computer-related crimes illegal. Articles 196 bis, 217 bis and 229 bis[1893] punish the interception of electronic communications, computer fraud and hacking.

Wiretapping and surveillance can only be performed with a court order via the Public Prosecution Office, pursuant to the Code of Criminal Procedure.[1894] Similarly, entering into a home for a search and seizure must be ordered by a court, and any public officer who enters into a home without authorization will be subject to a suspension from work for a period between six months and three years.[1895] Article 196 of the Criminal Code specifies that any person who opens or intercepts a written communication destined to a third party will be subject to one to three years' imprisonment, regardless of the medium of the communication.

In 2007, the “Civil Defense of the Victim Bill”[1896] was introduced into Congress. The bill proposes a reform to the Register, Kidnapping and Private Documents Examination and Communications Wiretapping Act,[1897] in order to widen the scope of wiretapping to crimes like simple and qualified homicide, simple and aggravated theft, fraud and ideological fraud (in which there was deprivation of goods or rights registered in the Public Register), public official’s corruption and fiscal fraud. The initiative also includes a reform of Article 1 of the Register and Judicial Archives with the aim of making publicly available, on the Internet, information related to those condemned for crimes such as: simple homicide, qualified homicide, manslaughter and involuntary injuries (in traffic accidents if the driver was under the influence of alcohol, drugs or competing with other driver), human trafficking, simple and aggravated theft, sexual crimes, kidnapping with extortion, fiscal fraud, fraud and ideological fraud (in which there was deprivation of goods or rights registered in the Public Register) and in the crimes provided by the Act that involve narcotics, psychotropic substances, unauthorized drugs, capital legitimating and related activities. This proposal demands that these people’s information is recorded in a database in a tidy, complete, updated form and with the corresponding photography of the person. This database would be available to any citizen.

There have been many debates in Costa Rica related to the utilization of personal data banks to fight against certain types of violent criminal behaviors, mainly of a sexual nature. Advocates consider that use of the data banks is authorized by the urgency and the necessity of citizens’ security. For example, in 2003, the “Kattia and Osvaldo Bill,”[1898] was introduced into Congress; this bill would establish a databank of those who committed crimes of sexual nature against minors (sexual molesters, rapists, procurers, homicides, pornography producers, etc.) in order to locate them quickly in the case of an investigation of a crime of sexual nature against a minor. The register would be also used by all public and private institutions with employees in contact with children and adolescents, and by all citizens, with the aim of discovering if any of the people on the register lived in a particular community. The idea of the project was mainly to prevent people accused or condemned for crimes against minors from having the opportunity to commit similar criminal activities. It was also expected that the register will include DNA samples, with the aim of facilitating police investigation through the comparison of genetic samples collected at crime scenes. The bill was not passed; however, recent crimes have given an incentive to re-examine this bill.

Criminal Jurisprudence is still an important bastion to prevent the spreading of unclear regulations about personal data; however, there has been no contemplation regarding the perils related to indiscriminate use of electronic monitoring capacities as a criminal control tool. A recent judicial decision about the use of videoconferencing to speed up the investigation procedure and the debate of procedural topics has opened an important opportunity for judicial-constitutional analysis of this issue.[1899]

Financial Privacy

The essential concern in the 2005-2007 period has been the incursions into citizens’ privacy by the companies in charge of providing credit protection. Some of the corporations offer citizens’ very sensitive information for sale, causing individuals many financial interaction difficulties.

Recent Costa Rican Constitutional Court sentences have insisted on the necessity to control the operation of this credit protection companies in order to ensure their public interest function for protecting the investment and the commerce but at the same time ensuring the citizens’ right to informative self-determination (derecho a la autodeterminación informativa). This is precisely the sense of resolution 14580-2006.[1900] Besides ratifying the terms of the sentence 4847-99[1901] about the importance and content of the right to informative self-determination, the resolution details the necessity of effective compliance with the principle of quality in the processing of data with financial interest, as it was indicated in the sentence 754-2002.[1902]

However, up to this moment there are no constitutional cases that consider problems other than those of a financial or commercial nature. Issues like criminal investigation using genetic profiles, comparison of databanks or the investigation of traces using personal data comparisons has not been a topic of reflection in the current jurisprudence.

Open Government

Article 30 of the Constitution provides limited freedom of information rights. The article states, "Free access to administrative departments for purposes of information on matters of public interest is guaranteed. State secrets are excluded from this provision."

The right to access public information is not regulated in any statute. However, the Constitutional Chamber of the Supreme Court of Justice has recognized this right in its case law. It has held that access to public files is unlimited, except in those cases classified as "top secret," where information concerning individuals, groups or corporations is considered confidential, or when the information can seriously affect public security, public order or public health.[1903]

An Open Government and Access to Public Information Bill was introduced into Congress.[1904] Article 2 provides a wide definition of what that Act would consider sensitive data, emphasizing among others clinical and psychological data, as well as data related to personal and familial life.

International Obligations

Costa Rica and Canada signed the "Joint Statement of Global Electronic Commerce Costa Rica – Canada."[1905] Both countries committed themselves to cooperate bilaterally to create a positive international environment by "ensuring safeguards to provide protection and increase confidence in the digital marketplace by addressing such issues as privacy, security, and consumer protection."[1906] These goals will be achieved by two means. First, both countries recognize that they will encourage the enactment of legislation protecting consumers' privacy. Second, both countries "agree to share information on the functioning of their respective data protection regimes."[1907] Although encouraging, the statement is only a declaration of principles without implementation or enforcement mechanisms of any kind. Costa Rican government officials and experts also signed "The Minimum Rules for the Diffusion of Information on the Internet," known as the "Rules of Heredia," which seek to protect the user of judicial services.[1908]

[1873] Constitución de la República de Costa Rica de 1949, available at <http://www.costaricalaw.com/constitutional_law/constitution_en.php>.

[1874] Law No. 7607, May 29, 1996, available at <http://www.pgr.go.cr/scij/> (in Spanish).

[1875] Proyecto de Ley, Adición de un capítulo IV a la Ley de Jurisdicción Constitucional (Recurso de Hábeas Data). Expediente Nº 14.778, June 12, 2002.
[1876] Ley No. 7128.
[1877] A Mavcic, The Constitutional Review and its Development in the Modern World: A Comparative Constitutional Analysis (1999), available at <http://www.concourt.am/Books/harutunyan/monogr3/ogl.htm> (in Spanish).
[1878] See generally A Guadamuz, Habeas Data vs. the European Data Protection Directive, 3 The Journal of Information, Law and Technology (2001), available at <http://papers.ssrn.com/sol3/papers.cfm?abstract_id=569106#PaperDownload>.
[1879] Id.

[1880] Adición de un nuevo capítulo IV, denominado del recurso de habeas data, al título III de la Ley de Jurisdicción Constitucional, Ley 7135, de 11 de octubre de 1989, Expediente Nº 14785, June 18, 2002.

[1881] Ley de Protección de la Persona Frente al Tratamiento de Sus Datos Personales, Expediente No. 15178, March 17, 2003.
[1882] Directive 1995/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, OJEC L281/31 (1995), available at <http://europa.eu.int/spain/novedades/documentos/31995L46.htm> (in Spanish).
[1883] In Chile, see Ley sobre protección de la vida privada No. 19628, August 30, 1999 (in Spanish).
[1884] Ley de protección de datos, September 14, 2000, available at <http://www.ulpiano.com/habeadata_diputados.htm> (in Spanish).

[1885] <http://www.asamblea.go.cr/cjuri.htm>.
[1886] Sala Constitucional, sentencias números 4154-97, 7175-97, 4347-99, 5802-99, 1345-98, 1119-00, 00754-02, 08996-02, 12698-03, etc., available at <http://www.poder-judicial.go.cr/scij/> (in Spanish).
[1887] Alfredo Chirino and Marvin Carvajal, El camino hacia la regulación normativa del tratamiento de datos personales en Costa Rica, Revista de Derecho Constitucional 4, 91 (2004). See also Cristina Sansoneti, Protección de datos personales en Costa Rica, available at <http://www.bufetenassar.com/boletin.htm> (in Spanish).

[1888] Email from Alfredo Chirinos, Judicial School Director, Professor of Criminal Law, Costa Rica University, to Katitza Rodriguez Pereda, International Policy Fellow, Electronic Privacy Information Center, May 28, 2007 (on file with EPIC).

[1889] Proyecto de Ley de Telecomunicaciones [Telecommunications General Bill]. Substitute Text, Proceeding 16398, available at: <http://www.racsa.co.cr/asamblea/proyecto/16300/16398T-1-SUS.doc> (in Spanish).

[1890] Proyecto de Ley de Comercio Electrónico [Electronic Commerce Bill], Proceeding 16081, available at: <http://www.racsa.co.cr/asamblea/proyecto/16000/16081.doc> (in Spanish).
[1891] Proyecto de Ley de Comercio Electrónico [Electronic Commerce Bill], Proceeding 16081, available at <http://www.racsa.co.cr/asamblea/proyecto/16000/16081.doc> (in Spanish).

[1892] Código Penal de la República de Costa Rica. Ley No. 4573, March 4, 1970.
[1893] Ley No. 8148 de 24 de octubre del 2001, available at <http://www.pgr.go.cr/scij/index_pgr.asp?url=busqueda/normativa/normas/nrm_articulo.asp?nBaseDato=1&nNorma=47430&nVersion=1&nArticulo=2> (in Spanish).

[1894] Código de Procedimientos Penales, October 19, 1973.
[1895] Código Penal, supra at Article 205.

[1896] Civil Defense Victim Project, received from the supporters on March 26, 2007, Bill 16595, presented by the Congressman Oscar Nuñez based on a number of citizens initiative, the text is not available yet in the web site of the Legislative Assembly.
[1897]Act 7425 of August 9, 1994, available at <http://www.poder-judicial.go.cr/salatercera/leyes/leypenal/secuestrodocumentos.htm> (in Spanish).

[1898] “Kattia and Osvaldo” Bill, Creation of a Criminal Register of People that has committed crimes and infringements against minors, Legislative Proceeding 15348 of 2003 <http://www.asamblea.go.cr/proyecto/15300/15348.doc>. An analysis of it scope can be consulted at <http://www.ecpat.net/es/ecpat_inter/irc/articles.asp?articleID=672&NewsID=59>.

[1899] Tribunal Penal II, Circuito Judicial, 584-06, November 20, 2006, available at <http://www.poder-judicial.go.cr/scij/> (in Spanish).

[1900] Constitutional Court, Sentence 014580-2006, available at <http://www.poder-judicial.go.cr/scij/> (in Spanish).
[1901] Constitutional Court, Sentence 014847-1999, available at <http://www.poder-judicial.go.cr/scij/> (in Spanish).
[1902] Constitutional Court, Sentence 754-2002, available at <http://www.poder-judicial.go.cr/scij/> (in Spanish).

[1903] Sentencias de la Sala Constitucional números2002-03074, 2003-03489, 2004-09705, etc., available at <http://www.poder-judicial.go.cr/scij/>.

[1904] Proyecto de Ley de Transparencia y Acceso a la Información Pública [Open Government and Access to Public Information Bill], Proceeding 16198, available at: <http://www.racsa.co.cr/asamblea/proyecto/16100/16198.doc> (in Spanish).

[1905] Joint Statement of Global Electronic Commerce Costa Rica - Canada, March 21, 2001, available at <http://www.comex.go.cr/acuerdos/comerciales/TLC%20Canada/ingles/e-commerce.pdf> (in Spanish).
[1906] Id.
[1907] Id.
[1908] <http://www.iijusticia.edu.ar/Reglas_de_Heredia.htm> and <https://www.agpd.es/index.php?idSeccion=349> (in Spanish).