Costa Rica’s Data Protection Reform
- Sebastián Jiménez

- 24 Oct
- 15 min read

A Small Country Takes a Big Leap
While much of the world looks to Brussels for privacy standards, an unexpected player in Central America is rewriting its data protection rulebook: Costa Rica. That’s not an exaggeration; it’s a reflection of how far the country has come, and how deliberately it’s aligning with international privacy trends. For years, conversations about data privacy have revolved around the EU’s GDPR or Brazil’s LGPD, while Costa Rica, despite its reputation for peace, innovation, and eco-leadership, remained legally modest in the digital realm. But now, with Bill No. 23097, Costa Rica is stepping onto the privacy playing field with sharper tools and stronger rights.
This move is more than legislative housekeeping; it’s a strategic repositioning. The current Law No. 8968 of 2011, officially titled the Law for the Protection of the Person Against the Processing of Personal Data, was a well-meaning start, especially for its time. It created the foundation for personal data protection and introduced some obligations for data processors and controllers. However, it was shaped under an older paradigm, one focused more on administrative registration of databases than on proactive protection of individual rights. Its scope was narrow, its enforcement mechanisms were weak, and key principles like data minimization, accountability, and the right to portability were entirely missing from the conversation.
From Registry-Focused to Rights-Based
Bill No. 23097 changes that script. It marks a shift from a registry-focused model (where companies simply had to register databases with a public agency) to a rights-based model that recognizes individuals as active owners of their data. This transformation isn't just about compliance; it's about cultural change. For the first time, data subjects in Costa Rica will have meaningful rights to access, correct, delete, or even oppose the use of their personal information. Companies, in turn, must build stronger internal controls, demonstrate transparency, and adopt the logic of "privacy by design."
The bill also introduces concepts long missing from local regulation: the right to data portability, stronger consent rules, and heightened transparency obligations. Even more notably, extraterritorial applicability means that companies based outside Costa Rica, but targeting Costa Rican users or handling their data, will also need to comply. This change reflects an increasingly common understanding: data doesn't respect borders, and neither should accountability.
Setting the Stage for a Data-Conscious Costa Rica
Costa Rica’s decision to modernize its data protection framework didn’t come out of thin air. It is a country that has built its brand on trust: trust in its democracy, its natural beauty, and increasingly, its digital services. With thriving sectors like medical tourism, outsourced tech services, fintech, and cloud-based BPO operations, Costa Rica is becoming a hub where sensitive data is not just stored, but continuously processed, shared, and analyzed.
As more multinationals and digital startups enter the country, the regulatory landscape must meet global expectations. Investors and clients want to know: Will my users’ data be safe? Will there be legal recourse if things go wrong? With this reform, Costa Rica is not only catching up but also sending a message: we take digital dignity seriously. And if data is the new oil, then Costa Rica is no longer just refining it; it’s building its own safety valves, too. Or to put it more playfully: Costa Rica is going from pura vida to pura privacidad.
The Multi-Stakeholder Model and Costa Rica's International Alignment
Costa Rica's data protection reform doesn't exist in isolation—it's part of a deliberate strategy to align with international governance frameworks that recognize data protection as a fundamental human right. The country's aspiration to accede to Convention 108+ positions it within a global network of jurisdictions committed to harmonized data protection standards. Convention 108+, modernized in 2018, represents the only binding international instrument with global reach in the data protection sphere, transcending the European Economic Area to encompass diverse legal traditions and economic systems. By seeking accession, Costa Rica signals its commitment to principles of data subject empowerment, cross-border cooperation among supervisory authorities, and the recognition that effective data governance requires multi-stakeholder participation—governments, private sector entities, civil society, and technical communities working collaboratively rather than in silos.
This multi-stakeholder approach aligns with broader internet governance principles that Costa Rica has embraced. The decentralized, collaborative model that has historically governed internet standards and protocols now extends to data protection policy-making. Rather than imposing top-down regulatory mandates without consultation, Bill 23097 emerges from extensive dialogue among business associations, consumer protection groups, technology sector representatives, and government agencies. This inclusive process mirrors the participatory governance structures that have proven effective in other digital policy domains, ensuring that regulations are not only legally sound but practically implementable and economically viable. The recognition that data protection requires ongoing adaptation to technological change makes this collaborative framework essential—no single entity possesses complete foresight into how artificial intelligence, quantum computing, or decentralized technologies will reshape data processing paradigms in the coming decade.
Why This Reform Matters Globally
While Europe set the privacy standard with the GDPR, Latin America has been quietly building its own wave of data protection reform, and Costa Rica is now firmly in that current. Following Brazil’s Lei Geral de Proteção de Dados (LGPD), Colombia’s 2022 updates to its privacy framework, and Chile’s pending constitutional-level reforms, Costa Rica is taking a decisive leap with Bill No. 23097 and the Cybersecurity Bill No. 23292. The shift marks the country’s transformation from a jurisdiction with a relatively simple data law from 2011 into a regionally leading player in rights-based, accountability-driven digital governance.
What makes Costa Rica’s reform especially relevant is the extraterritorial reach of the new obligations. The proposed legislation isn’t just aimed at domestic businesses; it’s structured to apply to any company that handles personal data from Costa Rican residents, regardless of whether the company has physical operations in the country. This means that global tech platforms, fintech startups, BPO providers, hospitality chains, and medical tourism operators now face a legal landscape in Costa Rica that mirrors the European model: data subject rights, transparency duties, stronger consent standards, mandatory Data Protection Officers (DPOs), and steep financial penalties.
The stakes are higher because Costa Rica has positioned itself as a strategic digital services hub in the Americas. From shared services centers and cloud storage operations to nearshoring and telehealth platforms, the country is fast becoming a regional node where data flows intersect, and where those flows are increasingly regulated. For multinationals choosing Latin American jurisdictions for digital expansion, Costa Rica’s new model could be a double-edged sword: a compliance challenge, yes, but also a signal of trustworthiness. In a region still catching up on privacy rights, Costa Rica is raising its hand to say: “You can trust your data with us.”
From Law 8968 to Bill No. 23097: A Radical Upgrade
For over a decade, Costa Rica’s data protection framework rested on Law No. 8968 of 2011, a statute that was pioneering for its time but limited in scope and ambition. It largely treated personal data as something to be listed in a registry, focusing more on bureaucratic formalities than on individual rights or technological realities. It lacked strong enforcement tools, clear obligations for companies, or mechanisms to respond to today’s cross-border data economy.
Enter Bill No. 23097, a legislative overhaul that shifts the country’s approach from procedural compliance to a rights-based model inspired by the European Union’s GDPR. One of the most significant changes lies in how consent is defined and required. Under the proposed law, consent must now be freely given, specific, informed, and revocable, meaning companies can no longer hide behind vague privacy policies or rely on pre-ticked boxes. Data subjects are given real control over their personal information, and organizations are expected to respect those decisions with clarity and accountability.
The bill also introduces the concept of Data Protection Officers (DPOs) for certain entities, especially those handling large-scale or sensitive data. These professionals will serve as internal watchdogs, guiding companies on privacy compliance and acting as points of contact for both regulators and data subjects. It’s a sign that Costa Rica is taking data governance seriously, expecting organizations not just to avoid harm but to actively build structures of trust.
But perhaps the most impactful feature is the extraterritorial reach of the proposed law. Similar to the GDPR, Bill No. 23097 extends its jurisdiction to any company, regardless of where it’s based, that processes the personal data of individuals in Costa Rica. Whether it’s a European e-commerce platform, a U.S. cloud storage provider, or a regional app based in Colombia, if it touches Costa Rican data, it must comply. This sends a strong message to international businesses: local data means local rules.
In terms of enforcement, the bill proposes a new independent data protection authority, with genuine sanctioning powers and financial autonomy. Unlike the current setup under the Agency for the Protection of Citizens' Data (PRODHAB), this authority will have teeth. Fines will no longer be symbolic; they’ll be proportionate to a company’s annual turnover, aligning with global best practices. This alone could shift boardroom attitudes about privacy from a legal afterthought to a strategic priority.
Finally, the bill expands the catalog of data subject rights, adding mechanisms like data portability (the right to receive your data in a usable format or transfer it to another provider), the right to deletion (or “right to be forgotten”), and stronger opposition rights. These tools allow individuals to not only know who’s using their data but to challenge that use effectively.
Addressing the Public Sector's Accountability Deficit
While private sector compliance has dominated data protection discourse globally, Bill 23097 confronts an accountability deficit that has plagued Costa Rica's public sector for over a decade. The UPAD scandal, where the Presidency accessed sensitive citizen data without legal authorization or informed consent, exposed systemic failures in inter-institutional data governance. The FARO incident, involving the Ministry of Education's unauthorized collection of minors' socioeconomic data without parental consent, further demonstrated that public entities often operate under a mistaken assumption that governmental purposes automatically legitimize data processing. These incidents weren't isolated technical failures—they reflected a deeply embedded administrative culture that treated personal data as a public resource freely available for any purportedly beneficial governmental purpose, rather than as information deserving of protection equivalent to that required of private actors.
Bill 23097 directly addresses these failures through Article 8's rigorous framework for inter-institutional data transfers. The provision that transfers between public entities require either explicit legislative authorization or prior approval from the Data Protection Agency represents a fundamental shift in administrative practice. No longer can agencies invoke vague notions of "public interest" to justify data sharing—they must demonstrate that the transfer is absolutely necessary, that only the minimum data required will be transferred, and that the receiving entity possesses adequate security measures. The prohibition on massive, indiscriminate database transfers directly responds to the risk-amplification that occurs when complete datasets move between systems with varying security postures. Each transfer multiplies cybersecurity vulnerabilities, as the devastating 2022 Conti ransomware attack demonstrated—what began as a breach of the Ministry of Finance's systems cascaded across interconnected government databases precisely because data sharing lacked proper segmentation and access controls.
The requirement that citizens be notified of inter-institutional transfers within fifteen days introduces unprecedented transparency into governmental data practices. Previously, Costa Ricans had no systematic means of knowing which agencies held their data, for what purposes, or with whom it had been shared. This information asymmetry prevented meaningful oversight and made the exercise of data subject rights practically impossible—how can one request correction or deletion of data when unaware of its existence in government systems? The notification requirement, coupled with mandatory publication of inter-institutional agreements (with personal data redacted), creates public accountability mechanisms that civil society organizations, investigative journalists, and concerned citizens can leverage to monitor compliance. This transparency mandate acknowledges that data protection cannot rely solely on internal administrative controls—external scrutiny by an informed populace provides essential checks against bureaucratic overreach.
The Right to Be Forgotten and Freedom of Expression: Striking the Balance
Article 31's codification of the right to erasure—commonly termed the "right to be forgotten"—introduces one of Bill 23097's most conceptually complex provisions. While deletion rights appear straightforward, their application generates profound tensions with other fundamental rights, particularly freedom of expression and press freedom. The bill navigates this tension by explicitly exempting erasure requests when processing is necessary "to exercise the right to freedom of expression and information." This language tracks closely with European Court of Justice jurisprudence establishing that data protection and freedom of expression exist in a relationship of mutual limitation rather than hierarchical subordination—neither right automatically trumps the other, requiring case-by-case balancing that considers context, necessity, and proportionality.
This balancing framework gains particular salience in Costa Rica's robust journalistic environment and its tradition of investigative reporting that holds public officials and private entities accountable. A blanket right to erasure without journalistic exceptions could enable corruption to be scrubbed from public archives, allow companies to suppress consumer complaints, or permit politicians to rewrite their records by demanding deletion of unfavorable but accurate reporting. Article 59's provisions on rectification in internet contexts further refine this balance—rather than deletion, the law contemplates correction notices placed alongside original content, preserving the historical record while addressing inaccuracies. This "right of reply" model, deeply rooted in Costa Rican constitutional jurisprudence, recognizes that while individuals deserve protection against misinformation, society possesses a countervailing interest in maintaining accessible records of matters of public concern.
The exceptions enumerated in Article 31 reveal the breadth of circumstances where erasure claims must yield: archiving in the public interest, scientific or historical research, statistical purposes, and the formulation or defense of legal claims. Each exception reflects a policy judgment that certain uses of personal data generate societal benefits that outweigh individual privacy interests. The scientific research exception, for instance, recognizes that medical breakthroughs, social science insights, and public health interventions often depend on analyzing datasets spanning decades—premature deletion would irreparably damage research continuity and reproducibility. However, the law doesn't grant researchers carte blanche; Article 56 imposes stringent safeguards including ethics committee review, pseudonymization requirements, and restrictions on reidentification except in narrowly defined emergency circumstances. This layered approach exemplifies the bill's sophisticated understanding that data protection isn't about preventing all processing, but rather ensuring processing occurs within frameworks that respect human dignity and provide meaningful oversight.
Biometric Surveillance and the Facial Recognition Prohibition
Article 52's absolute prohibition on real-time biometric identification systems in public spaces represents one of Bill 23097's most progressive and controversial provisions. This ban places Costa Rica at the forefront of jurisdictions grappling with surveillance technologies that threaten to fundamentally alter the relationship between individuals and both state and corporate actors. Real-time facial recognition deployed in public spaces enables continuous, suspicionless tracking of individuals' movements, associations, and activities—a form of surveillance that, if normalized, would effectively eliminate practical obscurity and anonymity in physical space. The technology's inherent inaccuracies, which disproportionately misidentify individuals from certain racial and ethnic groups, compound these concerns, creating risks of discriminatory enforcement and wrongful accusation.
The prohibition reflects Costa Rica's constitutional commitment to human dignity and its recognition that certain technologies, regardless of purported benefits, are incompatible with a free and democratic society. Unlike jurisdictions that permit biometric surveillance subject to procedural safeguards—court orders, specific criminal investigations, temporal limitations—Costa Rica's approach treats the technology itself as impermissible. This bright-line rule acknowledges that once surveillance infrastructure is deployed, political and institutional pressures inevitably push toward expansion: systems justified for counterterrorism get repurposed for public order policing; tools authorized for specific investigations become continuous monitoring platforms; exceptions granted for exigent circumstances become routine procedure. By prohibiting deployment altogether, the law prevents this normalization trajectory and maintains a technological baseline that preserves spatial privacy.
However, the provision leaves certain questions unresolved. The prohibition applies to "real-time" systems, suggesting post-facto identification—analyzing recorded footage after an incident—may remain permissible. This distinction, while pragmatically recognizing legitimate law enforcement needs for suspect identification in criminal investigations, creates potential workarounds. If agencies can record continuous video and run facial recognition against those recordings with minimal delay, the practical effect approximates real-time surveillance. The bill's success in preventing biometric surveillance creep will depend substantially on how courts and the Data Protection Agency interpret temporal boundaries and whether they adopt formalistic definitions focused on technical processing speeds or substantive approaches examining surveillance capacity and societal impact. The provision's effectiveness may ultimately require complementary legislation addressing storage periods for video surveillance footage, restrictions on database cross-referencing, and limits on retention of biometric templates extracted from images.
Cybersecurity Bill No. 23292: Building a Resilient Digital Framework
If the data protection bill is Costa Rica’s digital seatbelt, the cybersecurity bill is the full airbag system. Bill No. 23292 doesn’t just complement the privacy reform; it fortifies it, acknowledging that data protection is meaningless if the infrastructure storing that data is easily breached. This proposed law recognizes that privacy and cybersecurity are two sides of the same coin.
The urgency behind this reform isn’t theoretical. In 2022, Costa Rica was the victim of a devastating ransomware attack by the Conti group, which disrupted multiple government services, from taxation to health records. It wasn’t just an IT problem; it was a national crisis. The attack exposed systemic vulnerabilities, particularly the lack of protocols, standards, and national coordination. That moment became a wake-up call, sparking not only political will but public demand for a resilient digital shield.
Bill No. 23292 is Costa Rica’s structured response to that wake-up call. One of its centerpieces is the protection of “critical infrastructure”: the digital backbone of sectors like healthcare, banking, energy, water, and telecommunications. Under the bill, these entities must implement minimum cybersecurity standards, designed to prevent breaches before they occur and to mitigate damage when they do. No more relying on patchwork defenses or hoping for the best.
The bill also requires mandatory incident reporting for certain types of organizations. If you suffer a breach, you can’t sweep it under the rug. You must notify the relevant authorities promptly and, in some cases, inform affected users. This transparency mechanism improves institutional readiness and strengthens national response capabilities. In essence, it’s about sharing the alarm bells, not hiding them.
Cybersecurity as Data Protection Infrastructure
Bill 23292's cybersecurity framework recognizes a foundational truth often obscured in data protection discourse: the most elegantly crafted privacy rights prove meaningless if data security is breached. The 2022 Conti ransomware attack's devastation—paralyzing tax collection, disrupting health services, compromising sensitive governmental communications—exposed how cybersecurity failures transform from technical incidents into constitutional crises. When attackers exfiltrate citizen data, they don't merely violate confidentiality; they potentially enable identity theft, financial fraud, extortion, and discrimination based on exposed sensitive characteristics. The attack demonstrated that Costa Rica's governmental IT infrastructure, developed incrementally across decades with insufficient coordination and inconsistent security standards, created a vulnerability landscape where a successful compromise of one agency could cascade across interconnected systems.
Article 24's security principle in the data protection bill, complemented by the cybersecurity law's critical infrastructure protections, establishes minimum baseline standards that all data controllers must meet. These aren't aspirational best practices but mandatory operational requirements, with enforcement mechanisms that include both administrative sanctions and potential personal liability for officials who negligently fail to implement adequate protections. The requirement for regular security audits, incident response planning, encryption of sensitive data, and pseudonymization where feasible reflects international consensus on security hygiene—these measures are technologically feasible, economically reasonable for entities handling substantial personal data, and proven effective at preventing the vast majority of common attack vectors.
The creation of a National Cybersecurity Agency centralizes coordination and expertise that previously fragmented across multiple ministries and agencies, each developing siloed capabilities without standardization or information sharing. This institutional architecture mirrors successful models in jurisdictions like Singapore, Israel, and Estonia, where centralized cybersecurity authorities develop national strategies, issue binding technical guidance, coordinate incident response, and serve as repositories of threat intelligence.
The Agency's mandate to work with international partners and Computer Emergency Response Teams (CERTs) acknowledges that cyber threats are inherently transnational—attack infrastructure may be based in one country, controlled from another, and target victims in a third. Effective defense requires real-time information sharing about emerging threats, collaborative takedown operations against malicious infrastructure, and coordinated responses when attacks affect multiple jurisdictions simultaneously. Costa Rica's integration into these international cybersecurity cooperation mechanisms enhances not only its own defensive posture but contributes to collective security across the Americas region.
In practical terms, the National Cybersecurity Agency (Agencia Nacional de Ciberseguridad) created by the law is tasked with developing policies, issuing technical guidance, and overseeing national response strategies. It will also coordinate with international organizations and Computer Emergency Response Teams (CERTs) to align Costa Rica with global best practices, an essential move in an interconnected digital landscape.
Importantly, private companies in sensitive or interconnected sectors, such as health, banking, telecom, cloud services, and critical suppliers, will also face obligations under the bill. While not every startup will need a cybersecurity task force, those playing key roles in the country’s digital ecosystem will be expected to prepare, monitor, and report. The message is clear: digital trust isn’t only a government responsibility; it’s shared.
By introducing clear standards, institutional leadership, and private-sector responsibilities, Bill No. 23292 lays the groundwork for a digital economy that can grow without fear of collapse at the click of a malicious email. It’s a shift from being reactive to being strategically prepared. And in today’s threat landscape, that’s not paranoia; it’s prudence.
Small Country, Big Digital Trust
“Costa Rica: small in territory, big in digital trust.” The phrase isn’t marketing flair; it’s the thesis behind the country’s decision to move from a registry-style privacy law to a rights-based, enforcement-ready model. While Brazil’s LGPD has already set the regional tempo, Costa Rica is composing its own score: GDPR-aligned rights, extraterritorial reach, real fines, and a cybersecurity bill that treats digital resilience as essential public infrastructure. The signal to markets is straightforward: data handled in Costa Rica should meet the same expectations you’d demand in Europe.
Contrast that with jurisdictions moving at different speeds. Brazil (LGPD) is operational and increasingly assertive, shaping vendor expectations across LATAM. Mexico has solid black-letter law but uneven enforcement, which often converts privacy into a paper exercise instead of an operational discipline. Peru is updating, but extraterritoriality and robust supervision remain incomplete. Stepping into that context, Costa Rica’s reform fills a regional trust gap: rights that work in practice, a supervisor with sanctioning power, and a national stance that couples privacy with cybersecurity.
For foreign investors, especially medical tourism, cloud and SaaS, BPO/nearshoring, and fintech, this matters. These sectors live or die on cross-border data flows, vendor assurance, and incident response maturity. A jurisdiction with clear rules, coherent guidance, and credible enforcement reduces legal ambiguity and due-diligence friction. Put differently: strong privacy rules don’t scare serious operators; they filter the market for partners who can actually be trusted.
Costa Rica has long built national value on sustainability. The reform extends that brand into the digital realm. Privacy and cybersecurity are becoming part of the country’s investment proposition, alongside rule of law, talent, and political stability. For boards and GCs making site-selection decisions, “green and secure” is a compelling pair.
Privacy as a Costa Rican Export
Privacy isn’t just a European obsession. In 2025, it’s a Costa Rican export. The trajectory is clear: Costa Rica is moving from a registry-era framework to a rights-based, enforcement-ready model that treats personal data and cybersecurity as core infrastructure. This shift signals a national bet on digital trust, one that complements the country’s long-standing reputation for rule of law, talent, and sustainability.
For businesses, the message is equally clear: align now. Map your data, harden your security, upgrade your contracts, and designate accountable leadership. Waiting for the final vote is a risky strategy; the operational disciplines you build today (consent management, DPIAs, incident response, vendor oversight) will be required tomorrow, and valued by customers and regulators alike.
Very soon, ethical data practices and credible security will be table stakes, on par with stable electricity or clean water. Companies that treat compliance as a design feature rather than an afterthought will move faster through procurement, retain trust after incidents, and win with regulated clients in health, finance, BPO, cloud, and medical tourism.
Costa Rica is staking out a competitive edge: a secure, rights-respecting digital ecosystem where serious operators can scale. If your growth plan touches Costa Rican data, directly or through nearshoring, build for that future now and turn compliance into advantage.
SEBASTIAN JIMENEZ
Attorney at Law