The case for Caribbean data protection regulations

BitDepth#1291

THE CARIBBEAN isn't alone in facing a slow adoption of laws supporting wider protections and formal legal structures for data transfer and protection.

As a region, we are likely only to move faster when there's an incident that prompts a "privacy by disaster" response, a data breach exposing personal information that proves catastrophic enough to mobilise a response that transcends individual nation states.

There are already warning signs that hopes that the Caribbean is too small for hackers to bother with are severely misguided.

Businesses paying attention to breaches, both declared and undeclared, should be more publicly and demonstrably focused on protecting the sensitive information that they hold for their customers, business partners and employees.

The General Data Protection Regulations (GDPR) introduced by the European Union (EU) in 2016 have become the standard for these legal protections.

The TT Multi-stakeholder Advisory Group (TTMAG), a stakeholder coalition advocating technology adoption initiatives, held an update session in November 2020 following discussions in 2019.

There hasn't been much movement forward for the Caribbean region on data protection in the year between those discussions or in the months since.

Caricom has been aware of the need for regional data protection and information privacy regulations since the 2008 formation of Cariforum, an aggregate of Caribbean, African and Pacific states pursuing deeper trade relations with the EU.

As part of that process, Cariforum nations are expected to enact data-protection legislation, but adoption remains spotty within the region. The most aggressive nations working toward the national data protection and privacy policy requirements are Jamaica and Barbados.

In most Caribbean nations, the laws exist only on paper after they have been enacted, with no enforcement capacity. TT passed parts of its Data Protection Act in 2011, but the technology developments have already outpaced aspects of the law as it exists.

Bermuda appointed a Privacy Commissioner in 2016 and the Cayman Islands' Ombudsman took the formal action under its laws in August 2020.

Bartlett Morgan, a commercial attorney with a focus on digital law and policy practice at Chancery Chambers in Barbados, called for "a singular enforcement authority to manage multiple jurisdictions" at the November seminar.

"Laws need to be passed into law, and regulators appointed to enforce them," Morgan said. "You can't enjoy all your other (human) rights without an implied right to privacy."

Alongside that regional enforcement authority, he suggested that there should be a one-stop certification portal for anyone who needs to process data in the Caribbean.

Morgan noted that the Caribbean Court of Justice is an example of how that kind of treaty-based collaborative agreement might work.

Unfortunately, it is also an illustration of how it might not work, because 20 years later, several regional nations have still not recognised the CCJ as an appellate body of final resort, including this country.

The TT position on the CCJ is embarrassing, but being deemed an inadequate nation when it comes to privacy laws, failures in implementation and enforcement have more dramatic economic consequences.

There have been successful regional examples of small-island co-operation for development. The Organisation of Eastern Caribbean States has collaborated to create a Central Bank Digital Currency.

"It's abundantly clear that we (TT) need to establish the office of the Information Commissioner," said Vashti Maharaj, adviser on digital trade policy, Commonwealth Secretariat, at the November seminar.

"Don't wait on the regulations to put things into place. There are standards that can be applied to data security management.

"The challenge of regional collaboration is the harnessing and harmonisation of political will to execute these ideals."

Mark Lyndersay is the editor of technewstt.com. An expanded version of this column can be found there