Latin American Update: Costa Rica And Peru Bring Data Protection Regulations Into Force

Costa Rica's 2011 data protection law came into force March 5, 2013, and Peru's laws took effect April 22, 30 days after it published regulations. While this imposes new obligations on businesses operating or looking to do business in these countries, as with other data protection laws modelled on the EU's data protection regime, it will boost the trust and should result in increased trade in these two markets; and given the similarity to the EU data protection regime, we are likely to see these countries apply for adequate protection status in the future.

The Costa Rican law requires data subject consent for any processing; and e-commerce sites must publish privacy notices, and individuals must have a private right of action if their personal data are published. Data controllers are required to register their processing with the Prodhab and give it a "superuser" account for databases, even if maintained or hosted by a third party. The regime also requires organisations to report data breaches within five days of becoming aware of the breach. Costa Rica intends to introduce additional data protection rules for the financial sector later this year.

Peru's data protection regime also emphasises data subject consent and imposes a high threshold requiring consent to be "free, prior, express, informed and...

To continue reading

Request your trial