In 2019 at the World Economic Forum, Antonio Neri, CEO of Hewlett Packard said “Data is the new currency”. This analogy has become very popular because data is now considered one of the most valuable commodities.
In the European Union (EU), data protection is a fundamental right, and the General Data Protection Regulation (GDPR) which came into force on May 25th, 2018, is the framework for protecting that right. The GDPR represents one of the highest standards of data protection in the world, creating a unified legal basis for data protection and enforcement across the European Union.
Other countries are looking to the GDPR model as they develop or implement their own laws to protect data.
The GDPR became a model for many national laws outside the EU, including United Kingdom, Panama, Argentina, Brazil, Japan, Chile, South Korea, Kenya, and Mauritius. Reputable offshore jurisdictions in the Caribbean have not been left behind. In this article I will share the key aspects on what some of the Caribbean jurisdictions have done regarding this matter:
1) The Bahamas (“Bahamas”)
The Bahamas’ Data Protection (Privacy of Personal Information) Act (DPA) and the Bahamas Guide for data controllers sets out the legal framework for the collection, use and disclosure of personal information. The DPA was passed in 2003 but came into force in April 2007. Both documents are consistent with internationally recognized principles established by the Council of Europe, the EU, the Organization for Economic Co-operation, and Development (OECD), and the United Nations (UN).
The Bahamas has the Data Protection Commissioner where related matters and complaints are handled.
A person guilty of an offence under the DPA shall be liable on summary conviction, to a fine not exceeding US$2,000; or on conviction on information, to a fine not exceeding US$100,000.
2) Cayman Islands
The Cayman Islands Data Protection Law, 2017 (DPL) came into force on 30th September 2019.
The Ombudsman is the main regulator for data protection in the Cayman Islands. The Office of the Ombudsman of the Cayman Islands, created in July 2004, is an impartial and independent office of Parliament that acts as the Cayman Islands’ guardian of fairness, transparency, and accountability to encourage government departments and agencies to better serve the public.
The DPL applies to personal data processed by “data controllers” and “data processors” established within the Cayman Islands and to data controllers established outside the Cayman Islands that process personal data within the Cayman Islands otherwise than for the purposes of transit of the data through the Cayman Islands. Where a data controller established outside the Cayman Islands processes data in the Cayman Islands it will be required to nominate a local representative in the Islands who shall be the data controller for the purposes of compliance with the DPL.
Breaches of the DPL could result in fines of up to CI$100,000/US$122,000 per breach, imprisonment for a term of up to 5 years or both. Other monetary penalties of up to CI$250,000/US$305,000 are also possible in certain circumstances where there has been a serious contravention of the DPL.
3) British Virgin Islands (“BVI”)
The British Virgin Island’s Data Protection Act 2021 (DPA) was published in the Gazette in April 2021 but came into force in July 2021.
The DPA applies to any person or entity that processes, or has control over or authorizes the processing of, personal data in connection with a commercial transaction, so long as that person either:
(a)established in the British Virgin Islands and processes personal data, or employs or engages any other person to process personal data on their behalf, whether in the context of that establishment; or
(b)Is not established in the British Virgin Islands but uses equipment in the BVI for processing personal data other than for the purposes of transit through the BVI.
Data controllers must take practical steps to protect personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration, or destruction. Data controllers are not required to register with or notify the BVI authorities, and presently there is no requirement for the appointment of data protection officers, however it will soon be recommended best practice.
Breaches of the DPA could attract fines of US$250,000 to US$500,000, and directors and officers may be held liable. However, there is no deadline to date to become compliant. Moreover, there is no national data protection authority in the BVI. Instead, courts are guided by the English common law duties of privacy and confidentiality.
Law 81 on Personal Data Protection (PDP) was published in the Official Gazette in 2019 but came into force in March 2021. Besides the PDP, the Constitution of the Republic of Panama establishes the general principle of personal data protection.
According to the PDP, all principles, rights, obligations, and procedures related to the protection of personal data, considering its interrelation with private life and other fundamental rights and freedoms of citizens, apply to natural or legal persons; public or private law; and profitable or non-profit organizations.
Under the PDP, the regulator is the National Authority for Transparency and Access to Information (“ANTAI”) by its acronym in Spanish. Additionally, the PDP establishes a Protection of Personal Data Council, which is comprised of different public authorities and private associations, and that serves as a consultant body to ANTAI.
ANTAI is entitled to order the provisional or permanent cease of storing and processing of personal data and has the power to impose economic fines that may go up to US$10,000.
Belize has chosen to remain silent about this issue. For now, there is no data protection legislation in Belice. Many service providers in Belice are executing agreements, implementing data protection compliance programs, updating their internal policies, and in many other ways are responding to the requests of clients located in jurisdictions that do require compliance with a data protection law. This is mainly to keep a good business relationship but not because there is a legal obligation in Belice.
When giving the first steps into complex waters like data protection, it is very common that companies get lost in the avalanche of legal requirements or in developing that product or service that might result attractive to its clients. However, for a business, changing the focus to issues that they may consider more interesting should never be an option because the results of data breaches include many types of damages: from reputational to financial.
At Morgan & Morgan we know that data is one of the most important assets our business. Therefore, we have implemented a robust data protection compliance program alongside Cyber Security measures that have become part of our core business model.
For more information on these topics, please contact:
Morgan & Morgan