The House of Assembly passed a set of digital society legislation, including a data privacy law, last month.
The BVI Government initially tabled the suite of digital laws in late 2019. The legislation, which included the, then, data privacy bill, was stalled until November, 2020 when reference was made to the bills being part of the Government’s legislative agenda for the third session of the fourth House of Assembly. The Governor – Augustust Jaspert – also spoke to the legislation in his throne speech that month.
Fast-forward to the first week of March, 2021. The draft laws were placed on the agenda for the House of Assembly and passed shortly thereafter.
What is(n’t) under the Hood?
The BVI Data Protection Act, 2019 does not include a number of measures typical of recent privacy laws in the Caribbean. Privacy by design and the obligation to have a DPO do not find a home in the law.
Perhaps most notably, the Act is not broad-based in its application. Though the Act applies to all personal data processed by governmental entities, its scope is, otherwise, limited to private entities that process data in the context of commercial transactions. The Act’s applicability is also not (meaningfully) extra-territorial in scope.
This is not the same as saying the Act is, somehow, ineffective. For all intents and purposes, the fundamentals of a functional data privacy regime are present in the Act. My instinctive reading of the law is that the legislators have gone for a ‘light touch’ approach. Presumably, this is to ease the overall compliance burden of companies in the global finance jurisdiction.
The Act does include:
- Fairly sizable fines. The largest fine under the Act is US$250,000.00. This is about US$50,000 less than the largest fine available in the Caribbean: the, approximately, US$ 304,880,00 fine under Cayman’s law.
- The usual data privacy principles are included in the Act (transparency, accuracy, security etc).
- Specific considerations for the processing of sensitive personal data are included in the law.
- An unusually strong consent requirement. The starting position under the Act is that all processing of personal data requires consent. The requirement for the consent of data subjects is only negated where a specified exception can be demonstrated by the data user (the language used in the Act to describe data controllers).
- Provisions creating the office of the Information Commissioner. The Commissioner is the de-facto regulator for the Act and will have powers to investigate complaints and issue notices. Perhaps disappointingly, the Act does not include language expressly affirming the independence of the Commissioner (cf section 4(4) of the Jamaica Data Protection Act, 2020).
- A direct right of appeal to the Eastern Caribbean Supreme Court for persons aggrieved by decisions of the Commissioner.
- Specific compliance obligations for CEOs. The Act prescribes several duties that must be carried out by the CEO of companies subject to the Act. For e.g. the CEO is obligated to inform data subjects of any decision related to a request made by that individual for access to their personal information.
The most important things on the BVI privacy agenda are now:
- The appointment of a Commissioner and support staff to enforce the Act and sensitise the public.
- The issuance of regulations. All data privacy laws need them to guide controllers in their bid to comply. The Act places the responsibility on the relevant minister to get the regulations in place.