Above: Barrett Morgan speaking at the 2019 Internet Governance Forum. Photo by Mark Lyndersay

BitDepth#1291 for March 04, 2021

The Caribbean isn’t alone in facing a slow adoption of laws supporting wider protections and formal legal structures for data transfer and protection.

As a region, we are likely to only move faster when there’s an incident that prompts a “privacy by disaster” response, a data breach exposing personal information that proves catastrophic enough to mobilise a response that transcends individual nation states.

There are already warning signs that hopes that the Caribbean is too small for hackers to bother with are severely misguided.

Businesses paying attention to breaches, both declared and undeclared, should be more publicly and demonstrably focused on protecting the sensitive information that they hold for their customers, business partners and employees.

The General Data Protection Regulations (GDPR) introduced by the European Union (EU) in 2016 has become the standard for these legal protections, but even the GDPR has also faced challenges with individual member states of the EU enforcing the regulations at different levels.

The TT Multi-stakeholder Advisory Group (TTMAG), a stakeholder coalition advocating technology adoption initiatives held an update session in November 2020 following discussions in 2019.

There hasn’t been much movement forward for the Caribbean region on data protection in the year between those discussions or in the months since.

Caricom has been aware of the need for regional data protection and information privacy regulations since the 2008 formation of Cariforum, an aggregate of Caribbean, African and Pacific states pursuing deeper trade relations with the EU.

As part of that process, Cariforum nations are expected to enact data protection legislation, but adoption remains spotty within the region. The most aggressive nations working toward the national data protection and privacy policy requirements are Jamaica and Barbados.

Both nations advertised for the role of Data Protection/Information Commissioner in December, but for most Caribbean nations, the laws exist only on paper after they have been enacted, with no enforcement capacity.
Trinidad and Tobago passed parts of its Data Protection Act in 2011, but technology developments have already outpaced aspects of the law as it exists.

In April 2020, terms of reference were published for amendment of the legislation.
Bermuda appointed a Privacy Commissioner in 2016 and the Cayman Islands’ Ombudsman took the formal action under its laws in August 2020.

Bartlett Morgan, a commercial attorney with a focus on digital law and policy practice at Chancery Chambers in Barbados called for “a singular enforcement authority to manage multiple jurisdictions” at the November seminar.

“Laws need to be passed into law, and regulators appointed to enforce them,” Morgan said.
“You can’t enjoy all your other (human) rights without an implied right to privacy.”

Alongside that regional enforcement authority, he suggested the establishment of a one-stop certification portal for anyone who needs to process data in the Caribbean. Morgan noted that the Caribbean Court of Justice is an example of how that kind of treaty-based collaborative agreement might work.

Unfortunately, it is also an illustration of how it might not work, because twenty years later, several regional nations have still not recognised the CCJ as an appellate body of final resort, including this country.

The TT position on the CCJ is embarrassing, but being deemed an inadequate nation when it comes to privacy laws with failures in implementation and enforcement will have more dramatic economic consequences.

There have been successful regional examples of small island cooperation for development. The Organisation of Eastern Caribbean States have collaborated to create a Central Bank Digital Currency.

“It’s abundantly clear that we (TT) need to establish the office of the Information Commissioner,” said Vashti Maharaj, Adviser on Digital Trade Policy, Commonwealth Secretariat at the November seminar.

“Don’t wait on the regulations to put things into place. There are standards that can be applied to data security management.”
“The challenge of regional collaboration is the harnessing and harmonisation of political will to execute these ideals.”

Bartlett Morgan’s wishlist for a Caribbean Data Protection regime

• Free flow of data within Caribbean states
• Standard/uniform principles
• Unified enforcement mechanisms Singular enforcement authority
• Modern data protection features (breach notification; scalable fines)
• One-stop certification for external controllers; processors of outbound Caribbean data
• One stop certification of safeguard mechanisms of internal actors
• Country-level flexibility on particular issues
• Flexible data sovereignty approach