Bartlett D. Morgan

[FinTech] Barbados launches Regulatory Sandbox

In Barbados, the Financial Services Commission and the Central Bank have jointly created an important regulation: the Regulatory Sandbox Framework for the Financial Services Sector.

Sandbox Benefits

The no-fluff definition of a regulatory sandbox? A temporary observatory where regulators try to figure out whether a new financial product/service is fish or foul.

Let’s flesh that out a bit.

Where an entity wishes to introduce an innovative financial product or service in Barbados, it may not be immediately clear which regulatory requirements should be complied with. Why? Financial services are regulated by two separate entities: the Central Bank and the FSC. Broadly speaking, the Central Bank regulates banking-type institutions whereas the FSC regulates all other financial service providers (think: insurance companies, credit unions, pension funds etc).

Applying to and being accepted in the Sandbox allows the applicants some well needed regulatory breathing space. In this period, applicants do not need to comply with and be licensed under the regimes of either the FSC or the Central Bank.

Regulatory Review Panel

For the duration of the applicant company’s time in the Sandbox, governance oversight will be provided by the Regulatory Review Panel (RRP). The RRP will be comprised of no less than 3 persons (there is no upper limit on the number of appointees to the RRP). The Director of Finance and Economic Affairs, the Central Bank and the FSC will be responsible for the appointments to the RRP.

The RRP, among many other governance functions, will determine whether the applicant’s product or service should be regulated pursuant to the FSC’s regime or the Central Bank’s. Alternately, the RRP may conclude that the particular product/service being considered is so novel that entirely new legislation is required.

Key Beneficiaries

In practical terms, the kinds of financial products or services most likely to benefit from sandboxing would be new technology-centric financial service providers a.k.a. FinTech companies. Most FinTech startups tend to focus on disrupting traditional models of operating and will typically employ a combination of novel processes, unconventional business models and innovative products. In doing so, FinTechs will – almost by definition – defy the existing regulatory frameworks which were conceived with the brick-and-mortar realm in mind.

FinTech companies are the primary targets of the Regulatory Sandbox – Internationalbanker.com photo

More Information

The Sandbox was launched at the end of October 2018 and the main documentation can be found on the websites of both the FSC and the Central Bank.

[Presentation] Data Protection: What Service Providers Should Know – Bimtech Digital Forum 2018

I was one of the speakers at the Bimtech Digital Forum 2018. The forum focused on pertinent considerations for service sector entities participating in the digital economy. The forum was put on by the Barbados Coalition of Service Industries (BCSI) which is dedicated to the acceleration of service sector development and enhancing the export potential of service providers in Barbados.

My ‘power chat’ presentation focused on fundamental data protection considerations for entities in the Barbados services sector. During the presentation, some emphasis was placed on the General Data Protection Regulation (GDPR), key data protection principles and practical next steps for Barbadian service providers.

You can view a copy of my presentation here (.pdf).

Barbados Privacy Bill 2018 released for public comments til July 31, 2018

The Government of Barbados has released for comment, a 2018 draft of the Data Protection Bill (Mirror ). The draft bill is open for public input until July 31, 2018.

While the timing is somewhat short for a bill with such far reaching implications, I think its commendable that the bill is being opened up to input from all stakeholders, including civil society interests.

This is the second attempt by the Barbados Government to pass a comprehensive data protection bill. A prior iteration of the bill was initially tabled in 2005. However, meaningful progress in Parliament appeared to stall for the better part of the 13 years since.

On my initial scan, a few things jumped out at me which I mentioned in some tweets:

Under the current draft, if you request information about your own data from a data controller then you have to pay for it. This requirement to pay will likely create a hurdle to enforcement of privacy rights under the act.

— Bartlett D. Morgan (@BartlettMorgan) June 23, 2018

I never saw any data breach notification requirements. In the modern era, not having a requirement for data controllers to notify the data subject and/or the data commissioner of a breach is a huge missed opportunity. For my part: pic.twitter.com/v9aeVIU5RC

— Bartlett D. Morgan (@BartlettMorgan) June 23, 2018

I also think the proposed Data Protection Tribunal is a positive. It will counterbalance decisions of the data commissioner (similar to how appellate courts operate).

— Bartlett D. Morgan (@BartlettMorgan) June 23, 2018

If your data rights are breached under the act, you have a right to compensation (as opposed to a fine being paid into Government coffers). Another huge positive. pic.twitter.com/dSyzTzIUWU

— Bartlett D. Morgan (@BartlettMorgan) June 23, 2018

I will be reviewing the bill more closely over the coming weeks, with a view to submitting comments. If personal data protection is something you are interested in, I encourage you to submit comments, via e-mail to Commerce.Comments@barbados.gov.bb.

State of Privacy Laws in CARICOM/CARIFORUM: Presentation at the Caribbean IGF 2018

Privacy/Data Protection in CARICOM/CARIFORUM

I was pleased to be asked to co-present with Carlton Samuels at the just-concluded Caribbean Internet Governance Forum (“CIGF”). The CIGF, which was held in Suriname this year, is in its 14th year – which makes it, arguably, the longest running regional IGF in the entire world.

This year’s agenda was fairly heavy on the subject of privacy & data protection. In my view, this is a rather timely area of interest given the impending GDPR (which, literally, comes into effect tomorrow) and recent privacy-related events like the Cambridge Analytica/Facebook fiasco.

Our presentation focused on the Caribbean privacy and data protection landscape and sought to highlight some of the recent legislative developments as well as perceived shortcomings in giving effect to well-established privacy principles in regional legislation. We covered topics including breach notification, trans-border data transfers and fines for breaches.

A recording of the presentation can be viewed below.

Link to recording: here.

Link to Presentation: State of Privacy Laws in the Commonwealth Caribbean CIGF 2018

Enforcement powers clarified under updates to Barbados Telecommunications Act

Enforcement powers under Barbados’ Telecommunications Act are now more expansive and clear-cut following recent amendments. The newly passed Telecommunications (Amendment) Act, 2018-10 expressly extends the circumstances in which various enforcement-related activities such as injunctions, search and seizure orders and the issue of warrants may occur. Prior to the amendment, invocation of enforcement powers was almost exclusively grounded in breaches of the Act. Following the amendment, action may now be taken for breaches of any rules, regulations and orders made pursuant to the Telecommunications Act.

If you’re interested in the details, I’ve listed the essence of the changes below.

Previously, the relevant minister had the power to seek injunctive relief or seek damages (pecuniary penalty) only where a telecommunications rule was breached. Under the amendment, in addition to rules, breaches of regulations and orders will also attract injunctions and pecuniary penalties.
Under the amended Act, investigative powers are now extended to a licence issued under either rules, regulations or orders made under the Act. Previously, investigations were limited to breaches of the Act or licences issues under it.
Pursuant to the original Act, the powers to enter, seize and/or search by an authorised inspector were limited to suspected breaches of the Act or a licence issued under it. Under the new amendments, this power has been extended to licences granted under any rule, regulation or order made in accordance with the Act or any registration or authorisation done under the Act.
Magistrates were previously issued with the power to issue search warrants on suspicion that a breach of the Act had happened or was impending. Post-amendment, the magistrate may also issue a search warrant where rules, regulations and orders have been or are about to be breached.
Where anyone interferes with an inspector in the execution of duties, that person will be liable to prosecution if the inspector was performing duties under the Act or any regulations, rules or orders made under it. This power was previously limited to the performance of duties pursuant to the Act itself.

Breach of confidentiality: Aswan v National Commercial Bank and a few lessons for Software Developers

NCB JA — National Commercial Bank, Jamaica – Jamaicaobserver.com photo

Following the Jamaican High Court decision in Aswan v National Commercial Bank, even if a contractual provision provides for confidentiality in your dealings, it may not be enough to protect your intellectual property interests if your actions, subsequent to the entry into the contract, suggest that you are o.k. with your confidential information being disclosed to third parties.

Background

The claimants in Aswan were developers of a point-of-sale top-up software application. The claimants and the defendant bank entered into a joint-venture agreement to create and deploy a customised version of the developers’ point-of-sale software solution. The envisioned end-product would allow users of the point-of-sale devices to ‘top up’ cellular phones with call credit by swiping their credit or debit cards at the point-of-sale machines.

Point of Sale terminal — A point-of-sale terminal, similar to the kind Aswan’s software would be used with. Industries.ul.com photo

The contractual documentation included clauses in a proposal document indicating that the information provided in it was confidential. The clause also required the developers’ written consent before the bank could disclose any confidential information to any third parties. Notably, that aspect of the contractual documentation was never actually signed by the bank’s representatives.

The bank eventually sought the help of a third-party entity to assist it with completing other aspects of the project. The bank shared certain information with the third-party developer via emails (on which the developers were copied) including aspects of the confidential information from the proposal document.

The relationship between the developers and the bank started to break down over time. Eventually, the developers terminated the joint venture agreement, for reasons unconnected with the breach of the confidentially clause. Thereafter, a suit was brought against the bank claiming breach of confidence and seeking damages.

Findings of the Court

Despite the bank’s argument that it did not, in fact, sign the relevant parts of the documentation that imported confidentiality, the Court was willing to construe the overall circumstances as importing a duty of confidentiality. The Court arrived at this decision following the approach to contractual interpretation espoused by the Privy Council in AG Belize v Belize Telecom.

Quick background: that case held that in appropriate circumstances, a court can read implied terms into contracts where it is obvious that the parties intended those implied terms to be part of the contract between them.

The Court, notwithstanding the lack of signature on behalf of the Bank, was willing to accept that there was a confidentiality agreement. It declined, however, to enforce it in the circumstances of the case.

The Court reasoned that the confidentiality agreement should not be enforced since the conduct of the developers indicated that they had acquiesced in the sharing of the confidential information with a third-party. The Court was moved by the fact that the bank had copied the developers on emails wherein the bank corresponded with the third-party developer. In those emails, the information which the developers deemed confidential was shared.

Despite this knowledge that a third-party was being provided with the information which the developers were asserting was confidential, the developers did nothing to enforce the right to confidentiality during the life of the contract. In the Court’s estimation, this appeared fatal.

Lessons for ICT Entrepreneurs

The most important lesson here for app developers and others in the ICT space – ensure that your conduct aligns with your contract. If after entering a contract, the parties acknowledge that the expectations and outcomes have shifted meaningfully from what was initially agreed, it makes sense to expressly agree an addendum to the contract, reflecting the new state of affairs. If not, the parties run the risk of having a court belatedly assuming, on their behalf, what they must have meant.
Ensure that your contracts are expressly agreed to by all the parties; don’t just rush to get to work. Some record of what has been agreed to must exist. A signature is ideal but even a confirmatory email can suffice, depending on the circumstances.
The developers in the Aswan case may be considered lucky that the Court was willing to find in their favour that there was a confidentiality agreement between them and the Bank, despite the Bank’s representative having never signed the documentation. A more conservative court may well have gone a different route. Going forward, developers and other service providers should be careful to do all the formalities, including getting the signature (or equivalent record of agreement) of the other parties to the contract.
Although the two developers referred to themselves as ‘HMA Solutions Limited,’ they sued the bank in their own names. It is, therefore, likely that they were using ‘HMA Solutions Limited’ as a mere trading name at the relevant time.
The lesson here: the capacity in which you contract has very practical, everyday consequences, including whether your liability is personal. For example, lets say you entered a contract in your personal capacity and following a breach, you sue the other party in court. If you lose the claim, the cost order of the Court will likely be enforceable against you personally. By contrast, if you entered into a contract via a company you own, separate legal personality dictates that you would not be personally liable for any adverse outcomes.
Note, this isn’t saying a corporate vehicle like a limited liability company is suitable for every kind of venture. This IS, however saying that before you jump into the next potentially lucrative venture, spend a few hours talking over appropriate legal structures to employ with your advisers.

Published: The Why and How of Taking Privacy Seriously

I recently published an article with practical tips for businesses who wish to give serious consideration to privacy and protecting their customers’ data. My article appears in Vol 4 of the Exporter magazine which is published by the Barbados Coalition of Service Industries. This edition of the magazine’s theme is “ICT in a 21st Century Barbados.”

BCSI Exporter Magazine Vol 4 2017 Bartlett Morgan Privacy — BCSI Exporter Magazine Vol 4 2017

Click here and navigate to page 21 for my article. While there, do check out some of the other fascinating articles which cover a gamut of ICT related topics including implementing blockchain technology into financial product offerings in Barbados and ICT applications in coastal zone management.

Charles Leacock Q.C. – Internet Law in Barbados

This is a video recording of a presentation by Charles Leacock, Q.C. on the state of internet laws in Barbados.

The presentation was given at the inaugural Barbados Internet Governance Forum and does an excellent job of outlining the existing digital law legislative framework at play in Barbados. The presentation touches on the:

Telecommunications Act;
Computer Misuse Act;
Electronic Transactions Act;
Corporate (Miscellaneous Provisions) Act
Copyright Act; and
the proposed Privacy and Data Protection Act

Naturally, being the DPP, Mr. Leacock gave prominence to the operation of the Computer Misuse Act which criminalises certain activities effected via a computer system.

This is a very useful video if you are interested in coming up to speed quickly on the overall state of the law in Barbados. Other video recordings of presentations made at the inaugural Barbados IGF may be accessed here.

End note: Mr. Leacock was, at the time of the presentation, the Director of Public Prosecutions for Barbados. Sadly, shortly after this presentation, he passed away. May he rest in peace.

Notes on the Fair Trading Commission v Digicel Jamaica decision

The Judicial Committee of the Privy Council (the “Board”) recently rendered a high profile decision in Fair Trading Commission v Digicel (mirror) where it confirmed the far reaching power of the Fair Trading Commission to intervene in proposed mergers of telecommunications providers. The decision will likely give telecommunications providers further cause for pause in future bids to takeover or merge with competitor firms in the Commonwealth Caribbean.

Background

The Fair Trading Commission (the “FTC”) is empowered by the Fair Competition Act (the “FCA”) to serve as the competition authority responsible for regulating uncompetitive market practices in Jamaica.

The Board’s decision arose against the background of a 2011 merger of two of Jamaica’s three mobile voice and text providers, at the time: Digicel and Claro. Following a complaint by the third competitor in the telecoms space – LIME (now, Flow) the FTC launched an investigation and concluded that the proposed merger would lessen competition and, ultimately, consumer choice would suffer. Importantly, the FTC also found that the benefits arising from the merger would not offset the anti-competitive effects.

Following the publication of its findings, the FTC launched proceedings in the Jamaican Courts seeking an injunction to prevent the merger from going forward, the imposition of financial penalties and a declaration that the merger was anti-competitive.

The FTC, in approaching the courts, was, in effect, moving to enforce section 17 of the FCA which prohibit actors in a market from entering into an agreement with the effect of lessening competition.

Digicel and Claro took the position that their merger fell outside of the ambit of the FCA as they were telecoms operators and so, only the Telecommunications Act applied to their dealings. They also took the view that section 17 of the FCA did not specifically deal with mergers and so the FTC could not proceed on that basis.

The court dispute could, therefore, be reduced to three specific issues:

Does the FTC have jurisdiction to intervene in the market for telecommunications services?
Does section 17 of the FCA apply to mergers at all?
Does section 17 of the FCA apply to transactions approved by the Minister under section 17 of the Telecommunications Act?

On point 1, the High Court found (pdf) that the two regimes of the FCA and the Telecommunications act, acted in parallel. The Court of Appeal (pdf), in a decision authored by Harris JA, agreed. On point 2, the Court of Appeal disagreed with the High Court’s finding that section 17 of the FCA was not limited to anti-competitive conduct effected between independent entities and extended to those resulting in the elimination of a competitor in a market. On the third point, the Court of Appeal also reversed the High Court judge’s decision that section 17 of the FCA also applied, even though the relevant government minister had given his permission pursuant to section 17 of the Telecommunications Act.

Privy Council Decision

Before the Board, Digicel argued that they were governed, primarily by the ambit of the Telecommunications Act and not the Fair Competition Act and so, in the absence of a reference under section 5 of the Telecommunications Act, no jurisdiction resided in the FTC to review the decision of Digicel to merge with CLARO. They further argued that section 17 of the FCA did not, in any event, apply to mergers. Digicel also argued that the consent of the relevant government minister with authority for telecommunications was sufficient to prevent the intervention of the FTC.

The Board disagreed with Digicel and found favour with the arguments of the FTC on all three points.

Jurisdiction of the FTC
Firstly, it considered that although the Telecommunications Act was specific and the FCA was a general act, in order to prove that the specific act applied, Digicel would have to demonstrate incompatibility between both frameworks. In the view of the Board, although both acts had their own competition mechanisms, the two acts were not in fact at odds with each other but were, in fact, complementary. The Board also considered the reference mechanism in section 5 of the Telecommunications Act and deemed this confirmation of the fact that both acts operated in parallel to each other. The Board, on this basis, concluded that the jurisdiction of the FTC, pursuant to the FCA, did extend to the telecommunications market.

Applicability of section 17 of the Fair Competition Act

In respect of the argument that the scope of section 17 of the FCA did not apply to the merger between Digicel and Claro, the Board found that it did apply. The Board considered that section 17 of the FCA serves to forbid any agreements which contain provisions that have as their purpose the substantial lessening of competition, or have or are likely to have the effect of substantially lessening competition in a market.

Digicel and Claro made a novel argument: upon merging, both companies would become part of one enterprise and, therefore, could not be guilty of concerted conduct with itself. The Board took the view that section 17 of the FCA did not only apply to concerted conduct *after* the agreement was entered into between the parties. Rather, at the point when the agreement to merge is contemplated, so long as the effect falls within section 17, it is open to review by the FCA.

Importantly, also, the Board, inline with case law from the European Union, reasoned that section 17 of the FCA, despite not mentioning mergers expressly, did, in fact, apply to mergers.

Effect of Minister’s approval of a licence under the Telecommunications Act

Finally, Digicel argued that to the extent that section 17 of the Telecommunications Act was the only provision in either act that expressly dealt with mergers, once Digicel had complied with that provision, there was no scope for the FTC, which was operating under the ambit of the FCA to intervene in the merger. Unsurprisingly, given its reasoning on prior issues in its decision, the Board found that the minister’s approval under the Telecommunications Act did not operate in isolation and compliance with the FCA’s regime was also a necessary prerequisite to approval of its merger activities.

Final Thoughts

Following the decision, Digicel has already taken the view that the merger was not anti-competitive and so, it has no case to answer.

By confirming that the FCA operates in parallel with the Telecommunications Act, the Board’s decision necessarily means that, going forward, operators in the telecommunications space in Jamaica must be mindful of the contents of both statutory schemes when potential mergers and acquisitions are being contemplated.

More broadly, the decision is valuable for confirming the broad-based authority of competition authorities, with similarly broad statutory backing to Jamaica’s FCA. If a merger agreement is being contemplated between significant actors in a market, that agreement can lawfully come within the purview of the competition authority, even if the relevant statutory framework does not expressly provide for this power.

In essence, regardless of market, all firms operating in the jurisdiction are bound by the same competition framework.

It may be argued that the Board has taken a broad, purposive reading of the FCA and, in doing so, ascribed to the FTC, powers over mergers which it did not expressly have before. Even if true, this would only serve to bring Jamaica inline with the modern, accepted approach in developed market-driven jurisdictions to the interpretation of similar statute. This is a hard position for most to argue against.