With the recent activities around operationalising data privacy laws in Barbados and Jamaica, I thought it would be a good time to provide an update on the status of privacy laws in the Commonwealth Caribbean*, generally. I have also included, where applicable, recent privacy-related developments in the relevant jurisdictions.
TL;DR – Six jurisdictions are without any substantive laws to govern the protection of personal data. 10 jurisdictions have passed data privacy laws.
Country
Law
Passed
Recent Activity
Antigua and Barbuda
Data Protection Act, 2013 No 10 of 2013
2013
–
Bahamas, The
Data Protection (Privacy of Personal Information) Act, CH.324A
2003
Updates to the Financial and Corporate Services regulations was passed in December, 2020. The updates, among other things, expressly require licensees to comply with obligations in the Data Protection (Privacy of Personal Information) Act.
Barbados
Barbados Data Protection Act, 2019-29
2019
Advertisement for Data Protection Commissioner role in 2020
Belize
No law
–
–
Bermuda
Personal Information Protection Act, 2016 : 43
2016
The Privacy Commissioner role was filled and the appointment took effect from January 2020.
British Virgin Islands
No law
–
A draft data privacy law was published in Q1, 2020.
An impending data privacy law for Guyana was announced in September 2020 and thereafter, an RFP for drafting the law was published in November 2020.
Jamaica
Data Protection Act, 2020 (No 7-2020)
2020
An advertisement for the Information Commissioner and related roles was published in December 2020
St Kitts and Nevis
Data Protection Act, 5 of 2018
2018
–
Saint Lucia
Data Protection Act, No 11 of 2011
2011
–
St Vincent and The Grenadines
Privacy Act of 2003
2003
–
Trinidad and Tobago**
Data Protection Act, 2011
2011
A TOR to substantially amend Trinidad’s data privacy law to make it more consistent with the GDPR was published in April 2020.
Turks and Caicos
No law
–
–
List of Commonwealth Caribbean territories and the status of their privacy laws.
* As used here, Commonwealth Caribbean refers to all countries in the Caribbean that are either direct members of the Commonwealth of Nations or jurisdictions that are not direct members of the Commonwealth, but are associated/overseas territories of Commonwealth member countries.
**Trinidad and Tobago’s Privacy law was only partially brought into force.
Earlier this week, the Government of Jamaica advertised for a number of roles in the Office of the Information Commissioner.
Advertisement appearing in local papers in Jamaica for roles associated with the Office of the Information Commissioner
This comes on the heel of Barbados carrying out a similar exercise a few months ago. In June, that government advertised for the role of Data Protection Commissioner.
Advertisement appearing in local papers advertising the role of Data Protection Commissioner for Barbados
Neither jurisdiction has, however, taken the relevant procedural steps to actually make their privacy laws enforceable. In the case of Jamaica, this requires the Minister with responsibility for data privacy – currently the Minister for Science, Energy and Technology – to publish a notice in the Gazette. Barbados, on the other hand, requires the Governor-General to proclaim the Data Protection Act, 2019.
If the laws are not in force, no compliance obligations exist for parties processing personal information in these jurisdictions.
The moves by those governments to hire a regulator for their respective privacy laws signals an imminent change in the landscape. Appointing staff is a signal that both jurisdictions are marshalling the necessary human and technical resources to operationalise their respective acts.
To be clear: staffing the regulators is not the end of the operationalisation conversation. Both jurisdictions now need to see about the not insignificant task of preparing regulations to better guide compliance by controllers and (in the case of Barbados) processors of personal data.
A betting man may tell you to expect full operationalisation by 3rd quarter 2021.
Processing…
Success! You're on the list.
Whoops! There was an error and we couldn't process your subscription. Please reload the page and try again.
The ECT Bill is intended to result in an act that will:
… provide for the facilitation and regulation of secure electronic communications and transactions and for their legal recognition, to promote the development of the legal and business infrastructure necessary to implement secure electronic commerce and to enhance efficient delivery of governance by public authorities by means of reliable electronic records and electronic filing of documents and for related matters.
What’s the Point?
You may ask “Why pass e-commerce laws like the ECT Bill at all?”. The short answer is: less uncertainty.
Internet-based transactions are the new normal. A number of legal grey areas tend to be inherent in doing business this way, however.
The question of jurisdiction provides a classic illustration of this grey area. Consider this: you are physically in Country A, the website you just purchased an item from is in Country B and something went horribly wrong. Where do you sue? Country A where you are? Country B where the website is registered? Or is it Country C where the website servers are located? Let’s not even start pondering Country D where the goods are physically located that you paid for.
Even less heady issues often admit of uncertainty too. Is clicking a button on a website after reading its terms and conditions as valid a form of consent to the website’s terms as physically placing your wet-ink signature on a paper containing contractual terms?
Laws like the proposed ECT Bill help to lessen some of these grey areas by bringing greater certainty and confidence when transacting online. The ECT Bill does not attempt to change the fundamentals of contracting law that have always governed relationships between parties. It merely creates a sense of legal predictability so that citizens transitioning into the digital space will have familiar legal outcomes.
Plainly, whenever Azad in Demarara buys a toy car for his son on a website, the proposed ECT will mean that the contract underlying that transaction is as valid as if he walked into a store to buy it.
What’s under the hood?
So, how exactly does the ECT Bill achieve greater legal certainty for Guyanese citizens? The ECT Bill, in its current form, spans 46 pages and is divided into 10 parts:
Part 1 – Preliminary considerations
Part 2 – Legal requirements respecting electronic records
Part 3 – Electronic Contracts
Pat 4 – Electronic Signatures
Part 5 – Secure Electronic Communications, Records and Signatures
Part 6 – Electronic Security Procedures Providers
Part 7 – Electronic Records, Information, Signatures, Electronic Systems in Public Authorities
Part 8 – Intermediaries and Electronic-Commerce Service Providers
Part 9 – Consumer Protection
Part 10 – Miscellaneous Provisions
Notable Features of the Guyana ECT Bill
Wide scope of exceptions
It is not unusual for e-commerce legislation in the Caribbean to outline, in broad terms, that most transactions entered into may be carried out electronically and thereafter, list a number of exceptions. The usual exceptions found in electronic commerce legislation are wills, the creation or transfer of an interest in land, or declarations related to either trusts or power of attorney documents.
The exceptions to the application of the ECT Bill extend beyond the usual exceptions outlined above. Also excepted are: negotiable instruments, title documents, as well as court orders, notices and other official court documents to be executed in respect of court proceedings.
Sub Silentio Privacy Compliance?
Section 44 places consumer protection obligations on businesses that engage in e-commerce. It includes a mandate for those entities to provide privacy policies. Guyana does not currently have a stand-alone privacy law in effect. If the ECT Bill becomes law before such an act is passed, it is arguable that this provision will effectively jump-start a very basic aspect of privacy compliance in the South Caribbean nation.
Intermediary Liability
Entities on the internet that allow information to be sent, shared or stored on behalf of others are known as intermediaries. The propose ECT Bill includes language that largely immunises intermediaries from liability in situations where an electronic communication results in civil or criminal liability. By way of example, the intermediary liability language in the ECT Bill would mean that (oversimplification) Facebook or GTT will not be liable in situations where a message passed through their platforms or infrastructure that turned out to be defamatory.
That the proposed ECT Bill includes this language is not noteworthy. It is commonplace is most similar laws throughout the Caribbean. What is novel about the ECT Bill is that it defines the concept with marked specificity. Under the proposed act, an intermediary will expressly include the following: telecommunication service providers, network service providers, internet service providers, search engines, online payment sites, online auction sites, online market places and cyber cafes.
Next Steps
The ECT Bill drafters are expected to take account of the feedback received during the commentary period. After any further refining, it will be tabled in Parliament and, eventually passed.
No set timeframe has been indicated for completing any of the foregoing steps as yet.
Processing…
Success! You're on the list.
Whoops! There was an error and we couldn't process your subscription. Please reload the page and try again.
The Jamaican High Court has awarded significant damages, equivalent to approximately US$4+ million, to a software programmer. The bulk of the award? Interest!
In Paymaster (Jamaica) Ltd. v Grace Kennedy Remittance Services Ltd. (mirror), the underlying grouse of the claimant was that it had copyright in a computer program that it had engaged one of the defendants – a software developer – to create. The claimant also complained that when the developer tried to sell the software to a competitor of the claimant – the other defendant – a breach of confidence occurred.
The matter came alive when an ex parte injunction was granted against the developer in the year 2000. That is over 20 years ago; when humans still used curios like this and the Billboard chart was dominated by what have since become a series of karaoke favourites.
Eventually, the matter was decided by the High Court in favour of the programmer and the other defendant (the claimant did not own the copyright to the software; there was no breach of confidence by the software developer or the competitor to the claimant). This High Court decision was made in 2010, 10 years after the injunction was granted. The High Court’s decision was partially overturned by the Court of Appeal (no copyright ownership, but there was a breach of confidence by the claimant’s competitor) in 2015.
The matter eventually made its way to the Privy Council – the final court of appeal for Jamaica. The Privy Council basically read the Court of Appeal’s determination on the breach of confidence issue and concluded:
The Privy Council’s decision was handed down in 2017. We are now 17 years deep in litigation at this point. Stay with me.
Having held that the claimant had no copyright in the software and that there was no breach of confidence, the Privy Council’s decision meant that the matter had to revert to the High Court to determine damages. The High Court came back with its decision in 2020. That’s 20 years worth of litigation (so far)!
High Court damages decision
The High Court was asked to determine the amount of damages due to the developer flowing from an undertaking in damages given by the claimant when it obtained the injunction in 2000. For this to make sense, it is necessary to explain both injunctions and undertakings.
Injunctions
An injunction is an order from a court forcing someone to either do something (mandatory injunction) or to refrain from doing something (prohibitory injunction). The claimant in the Paymaster matter obtained a prohibitory injunction to prevent the software developer from selling the software to anyone else. Injunctions, like the kind obtained in the Paymaster matter, typically last until the dispute is determined at trial.
Undertakings
Simply put, undertakings are promises to do something. Undertakings typically arise in the context of injunctions. The party asking the court for the injunction will usually be asked to give the undertaking in return for the court granting the injunction.
A party giving an undertaking in damages to a court essentially agrees that, if the matter goes to trial and they lose, they will pay any damages due to the other party. This is significant, as injunctions are often granted at the beginning of court proceedings and typically prevent parties from engaging in activities that would otherwise be beneficial to them (for example, operating a business, leasing property or purchasing shares) until the dispute between the parties is settled at the trial.
Why are undertakings a good idea you ask? Keep in mind that injunctions tend to stay in place until the court has had an opportunity to determine the underlying dispute between the parties at trial. The idea behind the undertaking is this: if someone is prevented from doing something that was beneficial to them for a period of time and it turns out there was no good reason to have prevented them from doing it, then it is only fair (equitable) that they are compensated for the loss of the beneficial activity they were prevented from engaging in.
What the court found
The High Court in Paymaster conducted its enquiry and concluded that the developer should receive damages of J$282,259,386.80 (approximately US$2,025,512.363). The Court also determined that interest should be awarded and…. (cheap pun alert!)… this is where it gets interesting. The judge concluded that the programmer should also get interest on the damages award from August 25, 2000 to June 11, 2020. Yes, you read that right, just under 20 years worth of interest at 6% per annum!
In essence, the judge awarded interest on damages from the time of the injunction to the date of its determination. By my maths, that translates to J$335,463,347.93 (US$2,407,316.9950). As you can see, the interest on the damages award was more than the award itself.
Implications
Bespoke software solutions are actually still fairly popular at the enterprise level in the Caribbean. This means that circumstances are ripe for this kind of claim between other developers and clients to occur. Thankfully, there are a number of ways to minimise the circumstances which led to the unfortunate Paymaster litigation in the first place. I have included some of them in this note.
If you are unable to stave off this kind of litigation, the Paymaster decision holds a significant lesson, whether you are a software developer or hired one. If one of the parties has secured injunctive relief, it is important to explore practical means of resolving the underlying claim quickly.
The Paymaster case demonstrates that the longer the matter drags on, the greater the potential exposure to substantial interest for the losing claimant. Effectively, the longer the litigation continues, the less commercially pragmatic it becomes to fund it. Also, if a party obtains an injunction, but subsequently loses the substantive claim after many years, that exposure to interest on damages, in addition to legal fees and cost awards will be sizeable. Depending on the circumstances, this could prove financially ruinous.
Exploring options for short-circuiting litigation include prioritising genuine settlement talks or sending the matter to mediation. If those options aren’t viable, it may be useful to see about getting the claim determined by the court expeditiously. Many jurisdictions have mechanisms in their court rules that allow for speedy-trials. Discuss with your lawyer whether this may be appropriate for your matter.
The Government of the British Virgin Islands has tabled a number of bills in its parliament aimed at enhancing the digital economy. The suite of proposed legislation covers data privacy, the facilitation of electronic filings via government institutions, electronic commerce (electronic transactions, documents and signatures) and digital payments.
Public comments were invited in the first quarter of 2020, as a precursor to a final reading of the bills in the House of Assembly. It is unclear when the bills will be passed into law.
I was recently interviewed for an article in the Barbados Business Authority. The article touched on the value of executing contracts electronically in the midst of the COVID-19 pandemic and the legal framework supporting e-contracting in Barbados.
After issuing my comments for that article, I was curious about the state of play across the wider Caribbean. I, therefore, researched which countries in the region have e-commerce laws and the results are listed below:
Jurisdiction
Name of e-Commerce Law
Anguilla
Electronic Transactions Act, Revised Statutes of Anguilla, Chapter E38
Antigua and Barbuda
Electronic Transactions Act, No 24 of 2013
Bahamas (Commonwelath of)
The Electronic Communications and Transactions Act, 2003
Barbados
Electronic Transactions Act, 2001;
Belize
Electronic Transactions Act, Chapter 290:01
Bermuda
Electronic Transactions Act 1999
British Virgin Islands
Electronic Transactions Act, 2001 (No 5 of 2001)
Cayman Islands
Electronic Transactions Law (2003 Revision)
Cuba
No law
Dominica
Electronic Transactions Act, 2013
Dominican Republic
Ley de Comercio Electrónico, Documentos y Firmas Digitales No. 126-02
French Guiana
French Civil Code
Grenada
Electronic Transactions Act, 2013
Guyana
No law
Guadeloupe
French Civil Code
Haiti
Décret portant sur la signature électronique (Decree on Electronic Transactions)
Jamaica
Electronic Transactions Act, 2006
Martinique
French Civil Code
Montserrat
Electronic Transactions Act 2009, No 7 of 2009
Netherland Antilles
Landsverordening overeenkomsten langs elektronische weg (P.B. 2000, 186)
Puerto Rico
Ley de Firmas Electronicas de Puerto Rico, Ley numero 359 de Septiembre 16, 2004
Saint Kitts and Nevis
Electronic Transactions Act 2011, No 9 of 2011
Saint Lucia
Electronic Transactions Act, 2011 (not yet in force)
Saint Vincent and the Grenadines
Electronic Transactions Act 2015, No 6 of 2015 (repealing and replacing Electronic Transactions Act, Cap 145)
Suriname
WET van 24 september 2017, houdende regels inzake het rechtsverkeer langs elektronische weg (Wet Elektronisch Rechtsverkeer) [LAW of September 24, 2017, containing rules on legal transactions by electronic means (Electronic Traffic Act)]
Trinidad and Tobago
Electronic Transactions Act, 2011
Turks and Caicos
Electronic Transactions Ordinance 2000, Cap 2.14
As at April 10, 2020, 27 Caribbean jurisdictions surveyed.
A few notes on the list:
In preparing the list, it was apparent that there was a significant level of disparity in the scope of rights and obligations in the different statutes. In future updates, I’ll be looking at some of the more important areas of nuance that exist in the e-commerce frameworks across the region.
For the purpose of this list, ‘Caribbean’ jurisdictions were defined as: i) all the island-states in (or in the direct vicinity) of the Caribbean Sea as well as ii) those jurisdictions on the South or Central American mainland with sufficiently strong and continuing cultural, historical, economic and/or political commonalities with island states in the Caribbean Sea.
Only 2 of the 24 jurisdictions surveyed appear to be without laws targeted at e-commerce: Cuba and Guyana (as of April 2020).
If you’ve spotted an error or are aware of an update to any of the jurisdictions listed above, please let me know: contact {at} bartlettmorgan.com .
Processing…
Success! You're on the list.
Whoops! There was an error and we couldn't process your subscription. Please reload the page and try again.
In the midst of a global pandemic and a number of recent natural disasters affecting the region, an interesting conversation point has arisen in ICT and telecommunications spaces: how to best utilise telecoms infrastructure to assist in managing inevitable national disasters.
The International Telecommunications Union has recently published guidelines for national emergency telecommunications plans (NETPS).
Per the ITU: “These guidelines assists national authorities and policymakers to develop a clear, flexible and user-friendly framework that guide countries on how to develop a strategic plan to support and enable the continued use of telecommunication and information and communication technology (ICT) networks and services in all four disaster management phases. It not only describes the main elements that an NETP should consider, but also highlights its potential benefits. It includes a step-by-step guide to the development of an NETP, it serves as a useful resource based on ITU recommendations and concepts, as well as expertise from other global bodies and organizations.”
The NETPS Guidelines are fairly in-depth and covers all four phases of disaster management: mitigation, preparedness, response, and recovery.
The ITU has been instrumental in aiding several countries who have put national emergency telecommunication plans in place. This has included early warning systems, monitoring systems and emergency telecommunications equipment.
A resolution at the United Nations – Countering the use of information and communications technologies for criminal purposes – was put to a vote and passed on November 18, 2019. The resolution is geared at creating an
“open-ended ad hoc intergovernmental committee of experts, representative of all regions, to elaborate a comprehensive international convention on countering the use of information and communications technologies for criminal purposes…”.
Draft Resolution – Agenda item 107 – Countering the use of information and communications technologies for criminal purposes (link)
In plain-speak: the resolution could result in an eventual UN convention on cybercrime.
How they voted
There were 88 votes for the resolution, 58 against and 30 abstentions. According to the note of the votes, 14 of the 15 full CARICOM member countries voted on the Resolution. This is the breakdown of CARICOM votes on the resolution:
YES: Antigua & Barbuda, Dominica, Jamaica, Suriname, Saint Vincent, Saint Kitts and Saint Lucia
NO: Belize
ABSTAIN: Bahamas, Barbados, Grenada, Guyana, Haiti and Trinidad & Tobago
Why the Controversy?
The countries sponsoring the resolution were: Algeria, Angola, Azerbaijan, Belarus, Bolivia, Burundi, Cambodia, China, Cuba, North Korea, Egypt, Eritrea, Iran, Kazakhstan, Laos, Libya, Madagascar, Myanmar, Nicaragua, Russian Federation, Sudan, Suriname, Syria, Tajikistan, Uzbekistan, Venezuela and Zimbabwe.
A number of these countries are authoritarian regimes and/or enjoy a less than stellar reputation in respect of human rights violations.
The resolution has come in for criticism from the United States and the Europe Union as well as civil society bodies. The key points are:
The language of the resolution appears to be very vague and, per APC’s open letter to the UN, “opens the door to criminalizing ordinary online behaviour that is protected under international human rights law.”
In the blunt words of David Ignatious “[Russia], the country that hacked the 2016 U.S. presidential election and various European campaigns is now leading the process to write international rules about hacking.”
The underlying fear of many of the resolution’s critics is that this proposed convention is an attempt to use an international law instrument to legitimize the repression of free speech online. Naturally, the question becomes: if this is the case, have the majority of CARICOM states unwittingly helped lay the foundation for the erosion of fundamental human rights online?
Processing…
Success! You're on the list.
Whoops! There was an error and we couldn't process your subscription. Please reload the page and try again.
I was honoured to be part of a panel discussion on the newly passed Barbados Data Protection Act at the inaugural Smart Barbados Week 2019.
The Smart Barbados Week was a 4-day symposium hosted by Barbados’ Ministry of Innovation, Science and Smart Technology (MIST). Its purpose was to engage the Barbadian public with the knowledge needed to support the country’s transition to ‘smart’ status.
My panel was a useful moment to discuss aspects of the new legislation. It also created an opportunity to make the connection between enabling legislation, like privacy laws, and achieving larger technology-focused developmental outcomes like smart societies.
Number portability refers to the ability of a telephone network subscriber to retain use of their telephone number after switching networks. MNP is the cellular telephone-specific implementation of this concept.
MNP is revolutionary to the degree that it potentially opens up a significant degree of consumer choice for mobile subscribers in the EC. The availability of MNP means that a consumer who has maintained a long, valuable association with a particular telephone number, no longer has to be tethered to their mobile service provider in the face of either poor service from that provider or, a better deal from a competitor. The implementation of strategies like MNP by regulators ensure greater choice and, by extension, more competition among mobile service providers for a much more liberated customer-base.
The EC’s implementation of MNP is not without precedent in the Caribbean. Similar developments took place in Cayman in 2012, Jamaica, in 2015 and Trinidad in 2016.
Limitations
The implementation of MNP will be island-specific: a Lime mobile subscriber in Grenada will not be able to port his number to Digicel’s network in Saint Lucia, for example.
The implementation is mobile-specific and so land line subscribers cannot benefit. ECTEL has indicated that fixed-line telephone porting will be allowed in the future when there is competition for this service.
Highlights
There will be no cost to the mobile subscribers for porting. It is, however, possible that subscribers will have to cover the cost of unlocking phones for use on another network.
Both post and pre-paid customers in the EC will have access to MNP. Post-paid customers will have to settle their bills as a pre-cursor to switching networks.
Mobile subscribers will be able to request a reversal of the number porting within 14 days of the switch. Once this 14-day window has expired, subscribers will not be able to request a further switch for another 46 days.
Implementing number portability is a signal acknowledgment of the importance of a more consumer-centric regulatory framework. It may be seen as a move towards further enabling the ‘invisible hand’ of market forces to work in the various EC jurisdictions. Taken to its logical conclusion, this should result in greater competition among the different telecos operating in that region. Given the relatively small size of the EC markets, however, its left to be seen whether MNP’s impact will be more than negligible.
Processing…
Success! You're on the list.
Whoops! There was an error and we couldn't process your subscription. Please reload the page and try again.
