Grenada has a general application data privacy law on the books. The Deputy Governor General assented to the Data Protection Act, No 1 of 2023 (the “GDPA”) in May 2023.
The GDPA sports several of the fundamentals expected in data privacy laws, albeit in a minimal fashion. The GDPA establishes a supervisory authority, identifies the usual core principles (transparency, fairness etc) and allows for fines. There are, however, a few features of Grenada’s law that can be described as a-typical of the current privacy law zeitgeist.Read more: Grenada Passes Data Privacy Law
I’ve shared some notes on some noteworthy features of the GDPA below.
Wide data subject definition
A data subject is the person that the personal data relates to. A data subject is a human being – at least, that is the common understanding in data privacy law. The GDPA extends the definition of data subject to also include legal persons. A legal person is any entity or thing that enjoys several of the legal rights and responsibilities typically reserved for human beings. For instance, a legal person can sue and be sued just like regular people. A company is an example of a legal person.
This means that Grenada’s legislators, in extending the definition of data subject in this way, have broadened the scope of the act beyond data of people (ie truly personal data) and now, potentially, make the law of wider application to any data relating to any person or entity. The GDPA is therefore, strictly speaking, an act that protects data, not just personal data.
For context, this move is not without precedent. Argentina’s privacy law takes a similar approach.
Scope of the act
The GDPA’s material scope is limited to commercial transactions in Grenada. Privacy pragmatists will hail this as a practical move in tandem with the reality of processing personal data in the modern business-focused context. Privacy purists will, understandably, see this as undermining the reasonable scope of protection afforded to persons in Grenada under the new law. There are many non-commercial contexts where personal data can be misused to the detriment of the data subject.
The GDPA is silent on the question of territorial scope. In the result, unlike some of the other recent laws in the region, there is no immediate consequence for entities outside Grenada who abuse the data-related rights of persons in Grenada.
Liability for senior leadership
Grenada’s privacy law expressly contemplates liability for the senior leadership of an entity that has breached the law. The provision is in similar vein to what has been proposed in Guyana’a draft law.
This is a positive move, from a governance perspective. The inclusion of this provision means that corporate leadership of entities in Grenada must now operate with ‘skin in the game’ where privacy compliance is concerned.
No International transfer mechanism.
The GDPA does not include anything that contemplates safeguards for international transfers of personal data outside Grenada. This means that when personal data leaves Grenada, there is no way for Grenadians to be sure that their information will be afforded the same or a similar level of protection afforded by the GDPA itself.
Establishment of an Information Commission
Instead of a singular commissioner, the GDPA contemplates a 3-person commission as the apex of Grenada’s privacy regulatory structure. The Commissioners will be appointed for 3-year terms that are renewable and will be supported by several named roles in the Commission.
Contextualizing passage of Grenada’s law
The pace of passage of privacy laws in the region in the past 4-5 years has been rapid. The Caribbean now has 24 out of 32 jurisdictions with general purpose privacy laws on the books. That is: 3 out of 4 countries. For context, in early 2019, only half of the region’s territories had substantive laws addressing data privacy.