Above: Eamonn Sheehy. Photo via Cloud Carib.
BitDepth#1355 for May 23, 2022
At a webinar on May 18, Eamonn Sheehy, Public Sector Head of Cloud Carib and Rishi Maharaj, Data Protection Advisor with Privicy, discussed the current state of data protection legislation in the Caribbean.
The region is on the cusp of big changes in the oversight of data handling within Caricom’s borders, but it isn’t clear that all the nation states of the archipelago are pushing in the same direction with equal enthusiasm.
The Bahamas led the adoption of data protection legislation in April 2007, followed by Trinidad and Tobago, which made its legislation enforceable in 2012.
Recent data protection laws in the Caribbean have been heavily modeled on the European Union’s General Data Protection Regulation (GDPR), with Barbados and Jamaica enacting laws strongly influenced by it.
The British Virgin Islands, the Bahamas, Bermuda and Belize are also following the model.
In Trinidad, the Data Protection Act has been passed into law but has not been fully implemented, with legislation passed and a budget allocated to create an Information Commissioner’s office.
There is no office. There is no Information Commissioner.
The TT government has begun amending the act and is preparing for consultations with private and public sector stakeholders.
A draft bill is expected to be read in Parliament soon that will include provisions taken from GDPR to be in greater compliance with more recent legislation enacted in Jamaica and Barbados.
From a service provider’s perspective, the greatest challenge to delivering cloud-based services as a data processor or data controller is the unevenness of the legal regimes in use across the Caribbean region.
In Barbados and Jamaica, according to Eamonn Sheehy, there is a specific requirement that data processors and controllers must be registered with the Data Protection Commissioner in those countries.
While Cloud Carib primarily operates as a data processor, Sheehy notes that, “We are not a data processor in every case.”
“If we provide certain kinds of services, such as Secure Active Directory services, Identity and Access Management data key management, then we could be identified as a data controller.”
“If a cloud provider is acting as a data processor,” Sheehy said, “the contracts that are required with the data controllers, the owners of the data, should become more descriptive and more detailed in a legal environment that is based on GDPR.”
“Companies need to understand that data protection is here and that they need to take appropriate steps to comply with the laws,” said Rishi Maharaj.
“Start by understanding the laws in your jurisdiction. For companies that operate in multiple jurisdictions or cloud service businesses that are working with companies in different countries, understanding the specific nuances of each country’s requirements is critical.”
Fines for non-compliance under GDPR regimes can be staggering. Fines imposed under the EU’s data protection laws can run up to four per cent of global profits.
For Google, in March 2020, that turned out to be a fine of seven million euros after the search engine and advertising company failed to purge data it could not prove it still required.
Fines in the region aren’t on that scale, but there are penalties on the books that companies need to be aware of.
“There are liabilities for directors, there are liabilities for senior management,” warned Maharaj.
“Regulators [in the Caribbean] are actively seeking guidance from the Information Commissioner’s office in the UK, and from other regulators in the EU to find out what they need to do to be effective regulators.”
“Regulators are moving away from a checkbox mentality, checking to see if documents are in place, and requiring companies to actively demonstrate that they are complying with the law.”
“Know your data,” Maharaj advised, noting that the Jamaican data protection act allows for imprisonment of directors as well as fines.
“You need to know what data you collect, how you collect it, the total lifecycle of the data, from collection, to use, to sharing, to transferring, to eventual deletion.”
“You need to develop a Record of Processing Activity (ROPA), which some regional data protection acts require.”
Companies should commit to a continuous audit of agreements with third-party cloud service providers that emphasise a functional data retention policy which purges data that’s no longer needed from databases and computer systems.
Sheehy advocated greater coordination between Caribbean nations in implementing their data protection strategies and called for Caricom to lead a legislative integration effort to harmonise laws and create standard operating procedures for the region.
Data protection law: some misconceptions
“[As a customer] I have to trust that you will use data [collected] in a transparent, accountable way,” Maharaj said.
“That you will have appropriate security protocols in place to secure that data and that you will not use that data in any way except how we have agreed that the data should be used.”
Giving consent for data collection is an implicit part of that contractual expectation between consumer and collecting company, but is consent always necessary?
“Consent is important, and all data protection laws speak to the notion of consent,” Maharaj said.
But data protection laws were not created to stop innovation, and consent is not required every time you process someone’s data.
If the business and customer are operating in a contractual relationship, specific consent for each data collection transaction is not required.
“Then there is legal obligation,” Maharaj said.
Some companies are legally required to collect specific kinds of personal data, such as the know-your-customer (KYC) information that financial institutions must gather, and there are also exemptions for public services operating in the public sphere, delivering goods or services in the public interest.
There is no specific limitation on using collected data for AI analysis, but Maharaj suggests that companies do a proper risk assessment before using data in that way.
In some cases, the Data Protection Commissioner in the relevant jurisdiction may need to be consulted on the broad outlines of how the data will be used for analysis.
Sharing of collected data isn’t necessarily disallowed under a legal data protection regime, but there must be documented due diligence done on third parties that you intend to share data with and appropriate, legally binding agreements in place that align with the requirements and intent of data protection legislation.