The National Assembly of Belize has published a draft of its proposed privacy law: the Belize Data Protection Bill. Broadly speaking, the Bill builds on the work of its Caribbean neighbors by going further in terms of its overall scope and implementation requirements.
UPDATE: The Belize Data Protection Bill was passed into law and assented to by the Governor-General on November 29, 2021. A copy of the gazetted version of the law – the Belize Data Protection Act, 45 of 2021 – can be found here.
I have included, below, a few observations following an initial read of the Bill.
- If you’ve been paying attention to the privacy landscape in the Caribbean recently, reading the draft law may have an air of familiarity. That is because the proposed act draws heavy inspiration from the other side of the Caribbean: Barbados’ Data Protection Act. The direct implication is that, similar to Barbados, the Belize Bill will sport a number of key features and a framework similar to Europe’s GDPR, as well as the 1998 UK Data Protection Act.
- While the Bill shares a number of similarities with the framework of other laws in the region, it also has some fairly unique elements. A good example of this: the Bill contemplates the sharing of data between governmental agencies. In effect, the legislators appear to be embedding a framework for open-data-style sharing of information.
- It is also useful to point out that, unlike Barbados’ law, the Bill does not include an obligation to maintain a register of data processors and controllers. From a compliance perspective, this may present Belize as a more cost-effective and less burdensome jurisdiction to do business from and with.
- That said, like Barbados, the Bill does include one’s financial record as a category of sensitive personal data. The move by Barbados, until this point, was fairly novel (and not without its critics). It is left to be seen whether this approach will prove advisable, practical or useful.
- Another noteworthy area of nuance in the Data Protection Bill is its inclusion of specific treatment for small businesses. Save for specified exceptions, small businesses in Belize will be exempt from privacy compliance obligations under the current draft. This move will, no doubt, come in for applause from the small business community while drawing criticism from the digital rights community in equal measure.
- Fines under the Data Protection Bill go as high as BZ$500,000 (US$250,000). The largest fine is solely for breaches of the fairness principle. This fine is far outsized, relative to the other fines under the Bill.
- On the point of international transfers, the Data Protection Bill, quite commendably, creates a carve-out for international transfers of data to cloud storage outside Belize. In essence, so long as the reason for the external transfer is storage in the cloud, no consent is required from the data subjects.
- Notably, the current draft of the privacy law expressly requires data controllers to demonstrate accountability. This was one of the perceived shortcomings of the Barbados-equivalent: that the accountability requirement was implied but not expressly stated.
- Finally, the Bill, consonant with modern trends, sets a 3-day window as the default for notifying the Commissioner and data subjects of breaches.
A copy of the Belize draft Data Protection Bill is attached below.