I was one of the speakers at the Bimtech Digital Forum 2018. The forum focused on pertinent considerations for service sector entities participating in the digital economy. The forum was put on by the Barbados Coalition of Service Industries (BCSI), which is dedicated to the acceleration of service sector development and enhancing the export potential of service providers in Barbados.
My ‘power chat’ presentation focused on fundamental data protection considerations for entities in the Barbados services sector. During the presentation, some emphasis was placed on the General Data Protection Regulation (GDPR), key data protection principles and practical next steps for Barbadian service providers.
You can view a copy of my presentation here (.pdf).
The Government of Barbados has released, for comment, a 2018 draft of the Data Protection Bill (Mirror). The draft bill is open for public input until July 31, 2018.
While the timing is somewhat short for a bill with such far-reaching implications, I think it’s commendable that the bill is being opened up to input from all stakeholders, including civil society interests.
This is the second attempt by the Barbados Government to pass a comprehensive data protection bill. A prior iteration of the bill was initially tabled in 2005. However, meaningful progress in Parliament appeared to stall for the better part of the 13 years since.
On my initial scan, a few things jumped out at me which I mentioned in some tweets:
Under the current draft, if you request information about your own data from a data controller then you have to pay for it. This requirement to pay will likely create a hurdle to enforcement of privacy rights under the act.
I never saw any data breach notification requirements. In the modern era, not having a requirement for data controllers to notify the data subject and/or the data commissioner of a breach is a huge missed opportunity. For my part: pic.twitter.com/v9aeVIU5RC
I will be reviewing the bill more closely over the coming weeks, with a view to submitting comments. If personal data protection is something you are interested in, I encourage you to submit comments, via e-mail to Commerce.Comments@barbados.gov.bb.
I was pleased to be asked to co-present with Carlton Samuels at the just-concluded Caribbean Internet Governance Forum (“CIGF”). The CIGF, which was held in Suriname this year, is in its 14th year – which makes it, arguably, the longest-running regional IGF in the entire world.
This year’s agenda was fairly heavy on the subject of privacy & data protection. In my view, this is a rather timely area of interest given the impending GDPR (which, literally, comes into effect tomorrow) and recent privacy-related events like the Cambridge Analytica/Facebook fiasco.
Our presentation focused on the Caribbean privacy and data protection landscape and sought to highlight some of the recent legislative developments as well as perceived shortcomings in giving effect to well-established privacy principles in regional legislation. We covered topics including breach notification, trans-border data transfers and fines for breaches.
A recording of the presentation can be viewed below.
I was really pleased to discuss the impending General Data Protection Regulation (GDPR) with Michele Maurius of ICT Pulse recently. On the eve of the GDPR’s commencement, it offered an opportunity to discuss the scope of the new law and, importantly, the potential extra-territorial implications for the Caribbean.
I recently published an article with practical tips for businesses that wish to give serious consideration to privacy and protecting their customers’ data. My article appears in Vol 4 of the Exporter magazine, which is published by the Barbados Coalition of Service Industries. The theme of this edition of the magazine is “ICT in a 21st Century Barbados.”
Click here and navigate to page 21 for my article. While there, do check out some of the other fascinating articles, which cover a gamut of ICT-related topics including implementing blockchain technology into financial product offerings in Barbados and ICT applications in coastal zone management.
This is a video recording of a presentation by Charles Leacock, Q.C. on the state of internet laws in Barbados.
The presentation was given at the inaugural Barbados Internet Governance Forum and does an excellent job of outlining the existing digital law legislative framework at play in Barbados. The presentation touches on the:
Computer Misuse Act;
Electronic Transactions Act;
Corporate (Miscellaneous Provisions) Act;
Copyright Act; and
the proposed Privacy and Data Protection Act.
Naturally, being the DPP, Mr. Leacock gave prominence to the operation of the Computer Misuse Act which criminalises certain activities effected via a computer system.
This is a very useful video if you are interested in coming up to speed quickly on the overall state of the law in Barbados. Other video recordings of presentations made at the inaugural Barbados IGF may be accessed here.
End note: Mr. Leacock was, at the time of the presentation, the Director of Public Prosecutions for Barbados. Sadly, shortly after this presentation, he passed away. May he rest in peace.
This is the third such public announcement by the Minister in five months (see here and here). Presumably, therefore, there is substance to the Minister’s statement.
The importance of privacy and data protection legislation cannot be underscored enough. Only this morning, the Jamaica Gleaner ran a story highlighting a significant data breach involving the confidential information of students at 16 high schools in Jamaica. Unfortunately, as there is no legislation in place, there is currently no allocation of privacy-related rights and obligations among the various actors involved in that incident.
Privacy and data protection legislation is also important in the context of a nation’s digital-era development. It is accepted that trust is a critical component in developing a domestic digital economy, since people tend to only engage in e-commerce where there is a high level of trust.
The presence of a statutory privacy safeguard, such as a privacy act, is critical to developing trust among users of the internet. Those users will more likely trust that their data will not be mishandled and, importantly, that they can have recourse in the event of a breach. Therefore, when local entrepreneurs provide services for pay to local consumers in Jamaica, those consumers are more likely to purchase the offerings. The more local goods and services purchased online, the more the domestic digital economy develops.
Only this week, UNCTAD referenced research indicating that “Internet users are increasingly concerned about their online privacy, and that 49 percent of users polled say lack of trust is their main reason for not shopping online”.
Jamaica is not starting from scratch where privacy legislation is concerned. Its Constitution was recently amended to more expressly secure the individual’s right to privacy at section 13(3)(j) of the Charter of Rights. However, it was always known that this was insufficient since the Charter of Rights’ provisions are next to impossible to enforce against non-state actors. A specialist act that covers privacy and data protection was still necessary since it would, at a minimum, extend privacy protection to cover abuses by non-state actors, including other private citizens and commercial entities. Additionally, a substantive privacy act will likely outline in detail: the privacy rights being afforded to individuals; the reasonable limitations on those rights; and the responsibilities of those who collect and store the private information of others.
Minister Wheatley, perhaps, has these considerations in mind since he indicated that the proposed legislation will:
“…govern the collection, regulation, processing, keeping, use and disclosure of certain information in physical or electronic form.
The legislation will seek to set out the rights of the individual, with respect to their personal data. This will include, for example, the right to confirm whether or not personal information or data is being processed by an organisation.”
The sooner Jamaica passes comprehensive privacy and data protection legislation, the sooner its citizens can be offered true privacy protection. Importantly too, a domestic digital economy will edge that much closer to reality.