In honour of Data Privacy Day 2022, I have put together this post on recent developments in privacy law in the Commonwealth Caribbean.* I did a prior version of this post in 2021. You can read that here. The list has been updated to include references to Anguilla and Montserrat, bringing the total number of jurisdictions covered, to 18.
There has been a flurry of activity in the privacy space since the last update. A number of countries have either tabled laws, passed laws previously tabled or brought laws already passed into effect.
TL;DR – 11 Commonwealth Caribbean jurisdictions have passed data privacy laws to-date. Seven jurisdictions, therefore, are without any substantive laws to govern the protection of personal data. Six of the seven jurisdictions without any privacy law have some activity, indicating steps towards the eventual passage of privacy laws. Only two of the jurisdictions surveyed in last year’s report had no meaningful developments to report.
| Country | Law | Passed | Recent Activity |
|---|---|---|---|
| Anguilla | No law | – | On January 19, 2022, the Organisation of Eastern Caribbean States invited applications for a consultant to develop the Terms of Reference for drafting harmonized data protection legislation in the Eastern Caribbean Currency Union. The EC Currency Union includes Anguilla. |
| Antigua and Barbuda | Data Protection Act, 2013 No 10 of 2013 | 2013 | On January 19, 2022, the Organisation of Eastern Caribbean States invited applications for a consultant to develop the Terms of Reference for drafting harmonized data protection legislation in the Eastern Caribbean Currency Union. The EC Currency Union includes Antigua & Barbuda. |
| Bahamas, The | Data Protection (Privacy of Personal Information) Act, CH.324A | 2003 | Updates to the Financial and Corporate Services regulations was passed in December, 2020. The updates, among other things, expressly require licensees to comply with obligations in the Data Protection (Privacy of Personal Information) Act. |
| Barbados | Barbados Data Protection Act, 2019-29 | 2019 | 2021 was a busy year for Barbados. The newest republic, proclaimed the majority of its privacy law and also appointed a regulator – the Data Protection Commissioner. The Regulator was also given an additional enforcement role in respect of the Barbados Identity Management Act. |
| Belize | Belize Data Protection Act, 45 of 2021 | – | The National Assembly of Belize published a draft of its proposed privacy law: the Belize Data Protection Bill in late 2021. The Act was passed by the Assembly and on November 29, 2021, was assented to by the Governor-General. |
| Bermuda | Personal Information Protection Act, 2016: 43 | 2016 | Bermuda has had a busy year in 2021 and this has continued into early 2022. – The jurisdiction announced recognition for the APEC CBPR System as a certification mechanism for overseas transfers of personal data under its privacy law: PIPA. – Two deputy commissioners were announced: Georgia Fevriere in May, 2021 and Cha’Von Clarke-Joell in January 2022; – Guidance on third-party and international transfers was issued in March 2021 and on privacy officers, in August 2021. |
| British Virgin Islands | The Data Protection Act, 2019 | 2021 | A draft data privacy law was published in Q1, 2020. Within a year, the Data Protection Act was passed into law as part of a suite of digital legislation. |
| Cayman Islands | The Data Protection Law, 2021 (LAW 56 OF 2020) | 2021 | – The regulator in Cayman continued to take enforcement action resulting in additional decisions in 2021, beyond the initial 3 reported on. – The Cayman DPL was updated given some minor updates. – Guidance was issued on monetary penalties under the act and data controllers. |
| Dominica | No law | – | On January 19, 2022, the Organisation of Eastern Caribbean States invited applications for a consultant to develop the Terms of Reference for drafting harmonized data protection legislation in the Eastern Caribbean Currency Union. The EC Currency Union includes Dominica. |
| Grenada | No law | – | On January 19, 2022, the Organisation of Eastern Caribbean States invited applications for a consultant to develop the Terms of Reference for drafting harmonized data protection legislation in the Eastern Caribbean Currency Union. The EC Currency Union includes Grenada. |
| Guyana | No law | – | An impending data privacy law for Guyana was announced in September 2020 and thereafter, an RFP for drafting the law was published in November 2020. |
| Jamaica | Data Protection Act, 2020 (No 7-2020) | 2020 | Following passage of Jamaica’s Data Protection Act in June, 2020 and a subsequent advertisement to fill the Information Commissioner role in December of that year, the announcement of a regulator was made a year later, in December 2021. The Minister with responsibility for the JDPA also gave notice that act would come into effect in late 2023. |
| Montserrat | No law | – | On January 19, 2022, the Organisation of Eastern Caribbean States invited applications for a consultant to develop the Terms of Reference for drafting harmonized data protection legislation in the Eastern Caribbean Currency Union. The EC Currency Union includes Montserrat. |
| St Kitts and Nevis | Data Protection Act, 5 of 2018 | 2018 | -On January 19, 2022, the Organisation of Eastern Caribbean States invited applications for a consultant to develop the Terms of Reference for drafting harmonized data protection legislation in the Eastern Caribbean Currency Union. The EC Currency Union includes St. Kitts and Nevis. |
| Saint Lucia | Data Protection Act, No 11 of 2011 | 2011 | On January 19, 2022, the Organisation of Eastern Caribbean States invited applications for a consultant to develop the Terms of Reference for drafting harmonized data protection legislation in the Eastern Caribbean Currency Union. The EC Currency Union includes Saint Lucia. |
| St Vincent and The Grenadines | Privacy Act of 2003 | 2003 | On January 19, 2022, the Organisation of Eastern Caribbean States invited applications for a consultant to develop the Terms of Reference for drafting harmonized data protection legislation in the Eastern Caribbean Currency Union. The EC Currency Union includes St. Vincent and the Grenadines. |
| Trinidad and Tobago** | Data Protection Act, 2011 | 2011 | The Government of Trinidad and Tobago proclaimed additional provisions of the existing 2011 Data Protection Act in August, 2021. The provisions of the TT DPA – 42(a) and (b) read: “42. Except as provided under any other written law, personal information under the control of a public body may only be disclosed— (a) for the purposes for which the information was collected or compiled by the public body or for a use consistent with that purpose; (b) for any purpose in accordance with any written law or any order made pursuant to such written law that authorises such disclosure;”. By way of background, only sections 7 to 18, 22, 23, 25(1), 26 and 28 of the law were previously proclaimed via assent in 2012. |
| Turks and Caicos | No law | – | – |
* As used here, Commonwealth Caribbean refers to all countries in the Caribbean that are either direct members of the Commonwealth of Nations or jurisdictions that are not direct members of the Commonwealth, but are associated/overseas territories of Commonwealth member countries.
**Trinidad and Tobago’s Privacy law was only partially brought into force.
Processing…
Success! You're on the list.
Whoops! There was an error and we couldn't process your subscription. Please reload the page and try again.