- Bermuda is leading the region's adoption of data privacy and protection legislation
- Expect the US to enact Federal laws to govern its data protection and privacy regimes
- Caricom should step up to integrate efforts at regional legislation
Above: Samantha Samms.
BitDepth#1308 for July 01, 2021
At last week’s Data Protection World Forum, Caribbean data protection and privacy experts hosted a panel that considered the region’s response to threats and regulatory requirements that are now global in scope.
Caribbean nations are at various stages of implementation of legislation to implement the legal shields and compliance required for parity with global data processing regimes.
Bermuda was considered by the panel to be in a leadership role in that evolution. It is the only region state which has appointed and empowered a regulator with the power to make rulings on critical data protection and privacy issues.
In Trinidad and Tobago, according to Rishi Maharaj, Executive Director of EquiGov. a local data protection and privacy consultancy, our first laws were passed in 2011.
That was before the benchmark GDPR legislation that governs the European Union, but a lot has happened since then, and amendments are lagging behind current reality.
“Interest in data privacy peaked around the time of the Cambridge Analytica scandal,” Maharaj said. “The legislation has also prompted a strong response from journalists.”
Local journalists have repeatedly made representations to the Attorney General to reconsider provisions for the practice of journalism which are under threat by existing wording in legislation currently under consideration.
“In Jamaica,” explained Grace Lindo, IP attorney at Carter-Lindo, “legislation is on the cusp of implementation.”
“Data protection officers are being proactively appointed in businesses, laws have been passed, but not yet brought into force.”
Lindo described the average Jamaican as being very interested in issues of data privacy.
The country also seems to be interested in belling the social media tiger.
Jamaica’s laws will require social media companies to demonstrate accountability and transparency if they are using data from nationals of the country.
“There is significant growth in data privacy and data protection awareness in the Caribbean,” said Samantha Simms, Data Privacy attorney at The Information Collective out of the UK.
Simms operates out of the UK and Jamaica and brought a focused and informed perspective on comparisons between the European experience and Caribbean protection and privacy developments.
“Caricom is not where the EU is today and is not positioned to exercise the kind of unified control that resulted in GDPR,” Simms said.
“Caricom is where the EU was at in 1988 in developing GDPR.”
“What Caricom can do now is to provide the guidance that’s necessary to create a unified regime for data protection and privacy.”
“There is a role for the Caribbean Court of Justice in this.”
But for that to happen, more island states will need to recognise that legal body as its court of final appeal.
Despite being the host country for the CCJ, TT does not recognise the court as its highest court and continues to take cases to the Privy Council, which has already said that it would rather not hear them.
Simms also believes that under the Biden administration, the Caribbean region should expect more activity at a federal level from the US on data protection and privacy; US data protection and privacy laws are a state level hodgepodge of legislative regimes.
Simms expects the US to create federal data protection laws, and to appoint data privacy and cybersecurity czars. Some of the state laws may conflict with the new federal laws that are being planned, creating more complexity for operators who share data across US borders.
Claudine Brown, Data Protection Officer at Harneys, in the British Virgin Islands, reports that the BVI is looking to become compliant with GDPR and to be deemed adequate to do digital business with Europe and the UK.
“The countries of the Caribbean are lagging behind,” Brown said.
“Big tech didn’t arrive in the Caribbean the way it arrived in the US and Europe. Harmonisation in Europe took years and required the adjustment of laws going back to the 1990’s.”
“We need to move [forward] but we are in a good place relative to data protection regulatory development.”
The Cayman Islands passed its data protection act in 2017 and it came into force at the end of 2019. The government spent two years educating the public on the issues.
The country is positioning itself as a tech hub in the region and has a trade zone with a strong technology presence, inclusive of data warehousing and plans a tech city in the future.
Having a regulatory regime that supported secure data storage and processing was key to adopting a law that largely follows the GDPR approach.
“The ultimate aim is for the Cayman Islands to be deemed an adequate jurisdiction by the EU,” said Appelby’s Peter Colegate.
“I think that’s some way off, but that’s the key driver.”
GDPR wasn’t a perfect project in the EU, but it benefited from existing trade and business harmonisation agreements in that union which made it easier for a common position on data protection and privacy to be formulated and legislated.
The aggressive position that Bermuda has taken on digital transformation, FinTech, data protection and privacy needs to be emulated throughout the region.
Caricom is the only agency in place to make that happen. It is two years away from its 50th anniversary, but it has consistently failed to create a harmonised business and trade regime in the region.
A successful Caribbean data protection and privacy regime is too important to become another faltering regional project.
Caricom must step up and create a regional agency capable of lifting all the legislative boats of the islands to meet this challenge.