Overdue: Regulations for regional data protection

BitDepth#1182

“IS IT TIME for us in the Caribbean to consider our trust issues?” asked George Gobin of the audience gathered for the third local Internet Governance Forum (TTIGF) last Friday.

Introducing the topic of Caribbean Data Protection Regulations (CDPR), the former local Microsoft bossman, career technologist and TTIGF director suggested that such efforts be government led, but guided by the people whose data will be overseen by the process.

Data protection has become a more heated area of discussion lately, with Europe implementing the General Data Protection Regulations (GPRD) regime, which has forced many internet companies to either publicly declare how they use customer data or run afoul of the laws now being enforced in EU nations.

Some companies have simply blocked access to their websites from countries in Europe, raising justifiable fears of a balkanised internet.

Dr Yufei Wu, associate professor and co-ordinator, Caribbean Institute of Cybersecurity, explained that netizens now had to consider some critical clauses in the GPRD, specifically:

* How are you protecting against unlawful access to your data?

* How are you demonstrating a commitment to data protection?

* What steps are you taking to protect against unlawful access and to manage it when it occurs?

* What steps are you taking to report on and notify users of any breach?

These aren’t just hypothetical problems either. According to Wu, companies found liable will be fined two per cent of their income. Take a moment to work that out.

In fuelling the discussion on CPRD, Wu noted, “If there are no standards and there is no legislation, there are no barriers as well as no protections.

“Policy without action is not a complete solution.”

Trinidad and Tobago has a Data Protection Act on its law books, but it’s unclear exactly how these laws will be enforced and by whom.

Bartlett Morgan, a corporate attorney with Lex Caribbean in Barbados, agreed with Wu, but suggested that a Caribbean-wide model for data protection would be ideal.

“We should harmonise our approach,” Morgan said.

“We should be formulating model law that all [Caribbean] nations might use as a starting point for the region to draft their own legal frameworks.

“Good data protection practices are fundamental, and they tend to pass muster in different regions without significant problems.”

If you use GBPR as your baseline, there’s a good chance you will be compliant in other regions as well.”

Such an approach would proceed more smoothly if the region operated with the type of general agreement on basic principles that underwrite most major EU decisions, but Caricom has proven unable to agree, for more than a decade, on a regional court of final appeal for its legal systems.

Vashti Maharaj, head, legal services at the Ministry of the Attorney General and Legal Affairs, pointed out that the GDPR represents “a unified position on the handling of data and its protection.”

“Sixty-eight per cent of Caribbean nations do not have data protection laws, and some of those who do are quite outdated,” Maharaj said.

“If you had a regional body composed of businesses to drive data protection law, implementation and enforcement, it would happen quickly, because their bottom line is driven by profit and because many of them operate internationally and they need to be compliant with all regulations.”

There’s precedent for that perspective in the global implementation of generally accepted accounting principles (GAAP) at the turn of the century in the wake of the Sarbanes-Oxley Act, which pushed state agencies and local companies operating globally to embrace systems, sometimes kicking and screaming, which conformed to the rigours of more transparent accounting systems, which meant navigating the intimidating software products of SAP.

Mark Lyndersay is the editor of technewstt.com. An expanded version of this column can be found there