Caribbean data protection part of global agenda

BitDepth#1308 

Audio: Listen to audio clip.

AT LAST week's Data Protection World Forum, Caribbean data protection and privacy experts hosted a panel that considered the region's response to threats and regulatory requirements that are now global in scope.

Caribbean nations are at various stages of enacting legislation to implement the legal shields and compliance required for parity with global data processing regimes.

Bermuda was considered by the panel to be in a leadership role in that evolution. It is the only regional state which has appointed and empowered a regulator.

In TT, according to Rishi Maharaj, executive director of EquiGov, a local data protection and privacy consultancy, our first laws were passed in 2011. That was before the benchmark GDPR (General Data Protection Regulation) legislation that governs the European Union, but a lot has happened since then, and amendments are lagging behind current reality.

"In Jamaica," explained Grace Lindo, IP attorney at Carter-Lindo, "legislation is on the cusp of implementation. "Data protection officers are being proactively appointed in businesses, laws have been passed, but not yet brought into force."

"There is significant growth in data privacy and data protection awareness in the Caribbean," said Samantha Simms, data privacy attorney at the UK's The Information Collective.

"Caricom is not where the EU is today and is not positioned to exercise the kind of unified control that resulted in GDPR," Simms said. "Caricom is where the EU was at in 1988 in developing GDPR."

"What Caricom can do now is to provide the guidance that's necessary to create a unified regime for data protection and privacy."

Simms also believes that under the Biden administration the Caribbean region should expect more activity at a federal level from the US on data protection and privacy.

US data protection and privacy laws are a state-level hodgepodge of legislative regimes. Simms expects the US to create federal data-protection laws, and to appoint data privacy and cybersecurity czars. Some state laws may conflict with the new federal laws that are being planned, creating more complexity for operators who share data across US borders.

Claudine Brown, data protection officer at Harneys, in the British Virgin Islands, reports that the BVI is looking to become compliant with GDPR and to be deemed adequate to do digital business with Europe and the UK.

"The countries of the Caribbean are lagging behind," Brown said. "Big tech didn't arrive in the Caribbean the way it arrived in the US and Europe. Harmonisation in Europe took years and required the adjustment of laws going back to the 1990s."

The Cayman Islands passed its data protection act in 2017 and it came into force at the end of 2019. The government spent two years educating the public on the issues. Having a regulatory regime that supported secure data storage and processing was key to adopting a law that largely follows the GDPR approach.

"The ultimate aim is for the Cayman Islands to be deemed an adequate jurisdiction by the EU," said Appelby's Peter Colegate.

“I think that's some way off, but that's the key driver."

GDPR wasn't a perfect project in the EU, but it benefited from existing trade and business harmonisation agreements in that union which made it easier for a common position on data protection and privacy to be formulated and legislated.

Caricom is the only agency in place to make that happen. It is two years away from its 50th anniversary, but it has consistently failed to create a harmonised business and trade regime in the region.

Caricom must step up and create a regional agency capable of lifting all the legislative boats of the islands to meet this challenge.

Mark Lyndersay is the editor of technewstt.com. An expanded version of this column can be found there