In November 2022, the Central Bank of Costa Rica (“BCCR“) requested from the General Superintendence of Financial Institutions (“SUGEF“) access “to the integral information of all credit operations that the supervised financial intermediaries submit, including necessarily the identification number (physical, legal, dimex, or others), to the Information Management Division of the Central Bank of Costa Rica, for the elaboration of the new credit statistics”. Likewise, the BCCR required the delivery of such information to the supervised financial institutions.
The refusal of the Superintendent of SUGEF to make available to BCCR the credit information of individuals and legal entities without anonymizing has opened a legal debate on different fronts, to discuss the scope of the right to informational self-determination in banking matters and the normative and jurisprudential protection of this right against the powers of the public administration, particularly the information rights of BCCR.
This is an analysis of the specific case presented in connection with the BCCR’s request. We have included the local regulations currently under discussion, and the regulations applicable in Central America.
II- A budding legal debate: the case of Costa Rica
By means of Oficio JD-6093/10 dated November 25, 2022, the BCCR requested SUGEF’s authorization – within a specific period of time – to access information on all credit operations submitted by supervised entities, including the identification number of individuals and legal entities, national or foreign.
BCCR’s technical justifications focus on the obligation to develop the climate risk indicator for the International Monetary Fund (which would give access to certain loans) and thereby define “the level of household indebtedness, the financial risk of loans granted to units located in areas susceptible to flooding or other phenomena associated with climate change, as well as to improve the effectiveness of monetary policy transmission”. In order to achieve this objective, as well as to unify databases and generate certain stratification variables, BCCR claims to require personal information from debtors.
The legal basis cited by BCCR to support its request to SUGEF, and the regulated entities revolves around the Organic Law of the Central Bank of Costa Rica (“LOBCCR“), the Law of the National Statistics System, and the pronouncements of its Legal Management Department and the Attorney General’s Office. The following is a summary of the regulations and legal criteria:
(a) Organic Law of the Central Bank of Costa Rica
The LOBCCR establishes the main objectives and subsidiary objectives of the BCCR. Among the main objectives we find:
- To maintain the internal and external stability of the national currency.
- To ensure its conversion to other currencies.
In the case of the subsidiary objectives, BCCR highlights the following:
- Promote the orderly development of the Costa Rican economy to achieve full occupation of the nation’s productive resources, seeking to avoid or moderate inflationary or deflationary tendencies that may arise in the monetary and credit market.
- To promote a stable, efficient, and competitive financial intermediation system.
Likewise, art. 14 paragraph d) of the LOBCCR establishes the obligation to publish monthly “a statistical summary of the economic situation of the country, including, at least, information on production, prices, currency, credit, exports, imports, and gross and net international reserves”. The same article in fine establishes that BCCR must keep confidential the information provided by individuals and legal entities.
This duty of confidentiality of BCCR officials is equally applicable to SUGEF officials and supervised entities and is developed in art. 133 paragraph d) of the LOBCCR in the following terms:
In the same sense, art. 615 of the Code of Commerce establishes the secrecy (inviolability) of bank current accounts.
(b) National Statistics System Law
Art. 4 of the National Statistics System Law establishes that statistical activity is of public interest “to produce and disseminate reliable and timely statistics for the accurate and comprehensive knowledge of the Costa Rican reality, as a basis for efficient public and private administrative management”. The BCCR is part of this system if its statistical activity is relevant in different areas, and its records are of interest to produce official statistics.
Likewise, the National Statistical System is governed, among others, by the principle of statistical confidentiality by which the personnel are prohibited from disclosing information of individuals or legal entities that they come to know directly or indirectly through the performance of their activities.
Art. 16 of the same regulatory body establishes the obligation for individuals, legal entities, residents or not, to comply with the request of the National Statistics System and to deliver the required information. Furthermore, Art. 68 of the National Statistics Law punishes with penalties ranging from fines to the crime of disobedience those who refuse to respond to requests from the participants of the System or to deliver the required information.
(c) Legal Opinions and Opinions
The BCCR resorts to certain criteria of the Attorney General’s Office (“PGR“) to justify its right to request non-anonymized information from supervised financial institutions, due to its status as a member of the National Statistics System. According to the ruling C-145-2008 of May 5, 2008, the PGR establishes the following:
- It recognizes the BCCR as a statistics production function.
- Under the protection of the public interest, the BCCR may request necessary information from other public agencies (even if it is of private origin).
- The access to information granted to the BCCR is not on aggregate data but on individual data.
Likewise, BCCR relies on the opinion PGR-C-264-2022 of November 30, 2022, which concludes that although the information of the Credit Information Center (CIC) is constitutionally protected by the right to informative self-determination and banking secrecy, its legal protection is not absolute if so established by a legal rule (the above according to articles 2 and 8 of the “Law for the protection of the individual against the processing of his personal data”, Law number 8968).
On the other hand, the criteria of the Legal Management Department of BCCR resorts to the interpretation of the above-mentioned regulations and the rulings of the PGR to conclude that BCCR has a “solid, valid and current” legal basis to continue requesting information and that there is currently no judicial or administrative order that restricts BCCR from requesting information for statistical purposes. It should be noted that, currently, two proceedings are being processed against the BCCR’s decision, in particular:
- A complaint before the Agencia de Protección de Datos de los Habitantes (“PRODHAB“) which generated the issuance of a precautionary measure to suspend BCCR’s request for access to personal data of debtors of financial institutions. In principle, the process and the precautionary measure are suspended until the Constitutional Chamber rules on the merits of an action of unconstitutionality filed against certain articles of the LOBCCR and the Law of the National Statistics System.
- An action of unconstitutionality against certain articles of the LOBCCR and the Law of the National Statistics System filed by the Costa Rican Banking Association and accepted by the Constitutional Chamber of the Supreme Court of Justice (“Constitutional Chamber”) for review.
At the same time, SUGEF’s refusal to deliver the information without anonymizing it – based on the criterion of confidentiality of personal information as sensitive data and protected by banking secrecy – led the Superintendent to file a criminal complaint – filed by BCCR – for the alleged crime of disobedience to authority, which is currently being processed.
SUGEF, the National Council for the Supervision of the Financial System (“CONASSIF”), and the banking associations agree on the protection of personal information as sensitive data and protected by banking secrecy. In the same sense, the Costa Rican Bar Association, through the Constitutional Law Committee (through official letter CDC-05-23 of September 1, 2023), based on art. 24 of the Political Constitution (which guarantees the right to privacy, freedom, and secrecy of communications), and on the jurisprudence of the Constitutional Chamber on the protection of the right to privacy and the pro hominy principle developed in the pronouncements of the Inter-American Court of Human Rights.
As a matter of principle, it will be up to the Constitutional Chamber to elucidate the scope of the public interest powers of the administration vis-à-vis the protection of the right to informational self-determination. We believe that any position adopted by the Constitutional Chamber will put into perspective an analysis of issues that will continue to generate legal debate.
III- Protection of the right to informational self-determination in Central America
One of the main challenges in our region is the regulatory development of the right to informational self-determination of individuals (regardless of their nationality). The recognition of this right generates protection for individuals in relation to their private life or activity, and equality in the treatment of data corresponding to their person or property, especially if that information is contained in public or private databases.
In Central America, the treatment of the right to informational self-determination of individuals is recognized at different regulatory levels, both constitutional and legal. The following is an approach to the regulation of each country.
The Political Constitution of Guatemala recognizes the individual’s right to know, correct, rectify, and update the information about him/her contained in files, records, or state registries.
On the other hand, the Law of Access to Public Information, whose rules are of public order, not only establishes the procedures to guarantee individuals access to information or acts of the public administration but also guarantees the right of individuals to access, reserve, or rectify the information corresponding to their person held by public entities and private individuals or legal entities that are required by law to deliver such information (habeas data).
Currently, a bill called “Integral Law for the Protection of Personal Data Held by Third Parties” is in the process of approval in Congress. This bill dates from 2022 and aims to guarantee the protection of personal data held by third parties, its legitimate, proportional, secure, controlled, and informed processing, and, consequently, privacy and the right to informational self-determination.
The Constitutional Court of Guatemala has made clear in its rulings the obligation to protect the fundamental rights to privacy and intimacy, allowing individuals to access, update, rectify, reserve (confidentiality), and exclude their personal data from public or private databases.
With respect to banking information, banking secrecy is regulated in art. 63 of the Law of Banks and Financial Groups. Its exceptions are the information that banks must deliver to the Superintendence of Banks, the Bank of Guatemala, and the information requested by the Superintendence of Tax Administration. The non-observance of banking secrecy generates criminal penalties for the individuals involved and fines for the responsible legal entities.
In line with the above, the Constitutional Court has considered that there is a violation of the right to privacy if the person has not given his express consent for the collection, processing, marketing, and dissemination of his personal data and private information.
- El Salvador
The “Law for the Regulation of Information Services on the Credit History of Individuals and its Technical Norms” regulates the treatment of credit information of financial consumers and the limits to the information to which economic agents have access. This regulation is extensible to data collected in any commercial transaction and stored in a database. Additionally, the same law establishes the express consent of the individuals for the processing of their personal data.
The Constitutional Chamber in its resolutions 934-2007 and 142-2012 has reiterated the need to have the express consent of the individuals for the review and processing of their personal data.
On the other hand, art. 232 of the Banking Law establishes banking secrecy and only allows the disclosure of information to the holders of the accounts or financial products and to the public institutions empowered to do so.
Failure to comply with the obligation of bank secrecy is subject to criminal and civil penalties pursuant to art. 201 of the law.
In Honduras there is no special law regulating data protection; however, the general provisions of the Constitution of the Republic of Honduras, the Constitutional Justice Law, and the Law on Transparency and Access to Public Information are applicable.
For its part, the Commercial Code regulates the figure of banking secrecy and its exceptions, providing protection to customers of banking products and services. The delivery of information to the competent authorities in tax matters and in matters of prevention and detection of money laundering is exempted from banking secrecy, provided that due process is complied with. Failure to comply with banking secrecy generates civil and criminal liability.
Additionally, the protection of customer data, in the technological field, is regulated by the Rules for the management of information technology, cybersecurity, and business continuity, issued by the National Banking and Insurance Commission.
The processing of personal data and the protection of the natural person against automated or non-automated processing of their public and private data is found in the Personal Data Protection Law, approved on March 21, 2012.
This law guarantees the right to personal and family privacy in observance of the right to informational self-determination.
For its part, the General Banking Law establishes the duty of bank secrecy and bank officials and entities are jointly and severally liable for any damages they cause.
The Superintendency of Banks and the Financial Analysis Unit are empowered to request particular or individual customer information from banks; however, the current regulations do not establish the conditions under which the information must be provided. Customer consent is not mandatory to receive information on financial products and services.
- Costa Rica
Art. 24 of the Constitution regulates the right to privacy, freedom, and secrecy of communications.
For its part, the “Law for the protection of the individual against the processing of personal data” enshrines the right to informational self-determination (art. 4) as a fundamental right. It also establishes that this right encompasses the set of principles and guarantees relating to the legitimate processing of personal data and the control of the flow of information concerning each person derived from the right to privacy, preventing discriminatory actions. In this sense, the law and its corresponding regulation develop a series of principles of mandatory application, among which we find: the principle of informed consent – including the obligation to inform and the right to consent on access to information -, and the principle of quality of information (timeliness, truthfulness, accuracy, suitability for the purpose).
Likewise, rights such as access to information and rectification are established and data are categorized into:
- Personal data with restricted access.
- Personal with unrestricted access.
- Credit behavior data.
The law and its regulations establish protocols for the collection, storage, and use of data and security and confidentiality measures.
Additionally, the Data Protection Agency of the Inhabitants (“PRODHAB“) was created as the agency in charge of overseeing compliance with the data protection regulations, dictates regulations, and keeps a registry of the databases regulated by the law. Regarding banking secrecy, we cited in Section II above the LOBCCR and the Code of Commerce, supported by reiterated jurisprudential criteria of the Constitutional Chamber of the Supreme Court of Justice. The Constitutional Chamber itself delimits banking secrecy as follows:
“(…) banking secrecy, understood as the duty imposed on any financial intermediation entity not to disclose the information and data it possesses on its customers for any banking operation or banking contract it has entered into with them, especially in the case of checking accounts, since number 615 of the Code of Commerce expressly establishes it for that hypothesis, and the industrial, commercial or economic secrecy of companies about certain ideas, products or industrial procedures and their financial, credit and tax statements”.
Finally, informed consent, both for financial consumers and for the authorization of the use and access to personal data, is widely protected in both administrative and judicial courts.
The BCCR’s injunction to SUGEF and the banking entities raises an important political-legal debate that could well serve as a precedent for similar situations in the region.
Although the Constitutional Chamber will oversee settling the conflict of interest and will generate an unappealable interpretation, the truth of the case is that it is not possible not to reveal the possible antinomies considering the consecration of fundamental rights (such as the right to informational self-determination) versus the public interest and the consequent obligation to deliver information to certain public agencies. In both cases, the determination of the limits to rights and obligations is a task that we expect the constitutional authority to fulfill with objectivity and impartiality.
In all the countries of the region, there is an express legal recognition of banking secrecy. However, it is an important challenge for the authorities of the different Central American countries to develop complementary regulations, enforce the protection of banking secrecy, and achieve an effective balance in the interpretation in administrative and judicial venues, especially to prevent or elucidate situations such as those currently being heard in different administrative and judicial venues in Costa Rica.
Far from seeking to reach a restrictive interpretative line, we are of the opinion that the discussion will be open at all levels and in all countries, and the concrete cases will be the ones that set the trends, Such as in the case of Costa Rica, the solution to which will ultimately resolve the discussion on whether the powers of authority in matters of information and for statistical purposes are unrestricted in terms of including credit information with the personal data of debtors or whether, on the contrary, the requirement of the BCCR lacks reasonableness for practical purposes and in safeguarding a fundamental right.
In any case, the legal discussion is just beginning.
 The SUGEF is an organ of maximum deconcentration of the Central Bank of Costa Rica. Article 115 Organic Law of the Central Bank of Costa Rica.
 Organic Law of the Central Bank of Costa Rica, article 2.
 See, among others, article 10 paragraph a) and article 20 of the Law of the National Statistics System.
 DAJ-CJ-0079-2023 of September 14, 2023.
 The complaint is being processed under file number 180-08-2023-DEN.
 The unconstitutionality action is being processed under file number 23-020910-0007-CO.
 CONASSIF is the superior management body of the following superintendencies: Superintendencia General de Entidades Financieras (SUGEF); Superintendencia General de Valores (SUGEVAL); Superintendencia General de Pensiones (SUPEN), and Superintendencia General de Seguros (SUGESE).
 Constitution, Article 3.
 Judgments of the Constitutional Court dated (i) June 21, 2011 (file number 863-2011) and (ii) February 10, 2015 (file number 3552-2014).
 Decision of the Constitutional Court dated September 22, 2009 (file number 2674-2009).
 Resolution number 2022019850, Constitutional Chamber of the Supreme Court of Justice, of nine hours and fifteen minutes of August twenty-sixth, two thousand and twenty-two.