Saint Lucia brings its privacy law into force

Saint Lucia with a view of the Pitons in the background. Photo credit: Dmitry Soldatkin 

Earlier this year, a proclamation order was issued, partially proclaiming the Saint Lucia Data Protection Act Cap 8:18 and bringing key provisions of the law into effect.

The Proclamation Order says:

What does the Proclamation Order change?

The immediate consequences of the Proclamation Order, at the end of January 2023, are outlined below.

  1. The Saint Lucia Data Protection Act now extends to specific data controllers. If you process personal data as a business in Saint Lucia, or you aren’t based in Saint Lucia, but process data in Saint Lucia, your personal data processing activity is now regulated by the Data Protection Act.
  2. The fundamental data protection principles are now in force. These principles include purpose limitation, accountability, adequacy of data safeguards, fairness and transparency of data processing. The substance of the principles outlined in the Act are, largely, consistent with those found in other regional laws and the European Union’s GDPR. Data controllers who fall within the remit of the Act must now observe these principles when processing personal data.
  3. Data controllers must now give effect to several obligations in respect of the collection, processing and security of personal data.
  4. Data controllers now have an obligation to register with Saint Lucia’s privacy regulator – the Data Protection Commissioner.
  5. If a data controller falls within one of several circumstances identified by the Act, that controller may be exempt from some or all of its obligations under the law. The classes of exemptions extend to national security, crime, taxation, domestic purposes, journalism, health, social work, research, statistics, historical research and matters covered by legal professional privilege.

It is not yet apparent when the remaining provisions of the law will come into effect. To quickly contextualise which provisions have not yet been proclaimed, the main divisions of the Saint Lucia Data Protection Act, are outlined below. Those parts already in effect are highlighted.

  • Part 1 – Preliminary
  • Part 2 – Data Protection Commissioner
  • Part 3 – Registration of Data Controllers (partially in effect)
  • Part 4 – Obligation on Data Controllers
  • Part 5 – Rights of Data Subjects and Others
  • Part 6 – Exemptions
  • Part 7 – Investigation and Enforcement
  • Part 8 – Miscellaneous
  • Schedule 1 – Oath of Data Protection Commissioner
  • Schedule 2 – Data Protection Principles (partially in effect)

The Saint Lucia Data Protection Act can be read here.