Status of Data Privacy Laws in the Caribbean [January 2022]

📸© Monstera from Pexels

In honour of Data Privacy Day 2022, I have put together this post on recent developments in privacy law in the Commonwealth Caribbean.* I did a prior version of this post in 2021. You can read that here. The list has been updated to include references to Anguilla and Montserrat, bringing the total number of jurisdictions covered, to 18.

There has been a flurry of activity in the privacy space since the last update. A number of countries have either tabled laws, passed laws previously tabled or brought laws already passed into effect.

TL;DR – 11 Commonwealth Caribbean jurisdictions have passed data privacy laws to-date. Seven jurisdictions, therefore, are without any substantive laws to govern the protection of personal data. Six of the seven jurisdictions without any privacy law have some activity, indicating steps towards the eventual passage of privacy laws. Only two of the jurisdictions surveyed in last year’s report had no meaningful developments to report.

CountryLawPassedRecent Activity
AnguillaNo lawOn January 19, 2022, the Organisation of Eastern Caribbean States invited applications for a consultant to develop the Terms of Reference for drafting harmonized data protection legislation in the Eastern Caribbean Currency Union.

The EC Currency Union includes Anguilla.
Antigua and BarbudaData Protection Act, 2013 No 10 of 20132013On January 19, 2022, the Organisation of Eastern Caribbean States invited applications for a consultant to develop the Terms of Reference for drafting harmonized data protection legislation in the Eastern Caribbean Currency Union.

The EC Currency Union includes Antigua & Barbuda.
Bahamas, TheData Protection (Privacy of Personal Information) Act, CH.324A2003Updates to the Financial and Corporate Services regulations was passed in December, 2020. The updates, among other things, expressly require licensees to comply with obligations in the Data Protection (Privacy of Personal Information) Act.
BarbadosBarbados Data Protection Act, 2019-2920192021 was a busy year for Barbados. The newest republic, proclaimed the majority of its privacy law and also appointed a regulator – the Data Protection Commissioner. The Regulator was also given an additional enforcement role in respect of the Barbados Identity Management Act.
BelizeBelize Data Protection Act, 45 of 2021The National Assembly of Belize published a draft of its proposed privacy law: the Belize Data Protection Bill in late 2021. The Act was passed by the Assembly and on November 29, 2021, was assented to by the Governor-General.
BermudaPersonal Information Protection Act, 2016: 432016Bermuda has had a busy year in 2021 and this has continued into early 2022.
– The jurisdiction announced recognition for the APEC CBPR System as a certification mechanism for overseas transfers of personal data under its privacy law: PIPA.
– Two deputy commissioners were announced: Georgia Fevriere in May, 2021 and Cha’Von Clarke-Joell in January 2022;
– Guidance on third-party and international transfers was issued in March 2021 and on privacy officers, in August 2021.
British Virgin IslandsThe Data Protection Act, 20192021A draft data privacy law was published in Q1, 2020. Within a year, the Data Protection Act was passed into law as part of a suite of digital legislation.
Cayman IslandsThe Data Protection Law, 2021 (LAW 56 OF 2020)2021– The regulator in Cayman continued to take enforcement action resulting in additional decisions in 2021, beyond the initial 3 reported on.
– The Cayman DPL was updated given some minor updates.
– Guidance was issued on monetary penalties under the act and data controllers.
DominicaNo lawOn January 19, 2022, the Organisation of Eastern Caribbean States invited applications for a consultant to develop the Terms of Reference for drafting harmonized data protection legislation in the Eastern Caribbean Currency Union.

The EC Currency Union includes Dominica.
GrenadaNo lawOn January 19, 2022, the Organisation of Eastern Caribbean States invited applications for a consultant to develop the Terms of Reference for drafting harmonized data protection legislation in the Eastern Caribbean Currency Union.

The EC Currency Union includes Grenada.
GuyanaNo lawAn impending data privacy law for Guyana was announced in September 2020 and thereafter, an RFP for drafting the law was published in November 2020.
JamaicaData Protection Act, 2020 (No 7-2020)2020Following passage of Jamaica’s Data Protection Act in June, 2020 and a subsequent advertisement to fill the Information Commissioner role in December of that year, the announcement of a regulator was made a year later, in December 2021. The Minister with responsibility for the JDPA also gave notice that act would come into effect in late 2023.
MontserratNo lawOn January 19, 2022, the Organisation of Eastern Caribbean States invited applications for a consultant to develop the Terms of Reference for drafting harmonized data protection legislation in the Eastern Caribbean Currency Union.

The EC Currency Union includes Montserrat.
St Kitts and NevisData Protection Act, 5 of 20182018-On January 19, 2022, the Organisation of Eastern Caribbean States invited applications for a consultant to develop the Terms of Reference for drafting harmonized data protection legislation in the Eastern Caribbean Currency Union.

The EC Currency Union includes St. Kitts and Nevis.
Saint LuciaData Protection Act, No 11 of 20112011On January 19, 2022, the Organisation of Eastern Caribbean States invited applications for a consultant to develop the Terms of Reference for drafting harmonized data protection legislation in the Eastern Caribbean Currency Union.

The EC Currency Union includes Saint Lucia.
St Vincent and The GrenadinesPrivacy Act of 20032003On January 19, 2022, the Organisation of Eastern Caribbean States invited applications for a consultant to develop the Terms of Reference for drafting harmonized data protection legislation in the Eastern Caribbean Currency Union.

The EC Currency Union includes St. Vincent and the Grenadines.
Trinidad and Tobago**Data Protection Act, 20112011The Government of Trinidad and Tobago proclaimed additional provisions of the existing 2011 Data Protection Act in August, 2021.

The provisions of the TT DPA – 42(a) and (b) read: “42. Except as provided under any other written law, personal information under the control of a public body may only be disclosed— (a) for the purposes for which the information was collected or compiled by the public body or for a use consistent with that purpose; (b) for any purpose in accordance with any written law or any order made pursuant to such written law that authorises such disclosure;”.

By way of background, only sections 7 to 18, 22, 23, 25(1), 26 and 28 of the law were previously proclaimed via assent in 2012.
Turks and CaicosNo law
List of Commonwealth Caribbean territories and the status of their privacy laws.

* As used here, Commonwealth Caribbean refers to all countries in the Caribbean that are either direct members of the Commonwealth of Nations or jurisdictions that are not direct members of the Commonwealth, but are associated/overseas territories of Commonwealth member countries.

**Trinidad and Tobago’s Privacy law was only partially brought into force.

Processing…
Success! You're on the list.