[Quoted] Global Data Review article on the Eastern Caribbean States accessing Facebook’s disaster mapping technology

Global Data Review recently reached out for comments on a recently announced collaboration between the Organisation of Eastern Caribbean States and Facebook. Under the initiative, the OECS will have access to Facebook’s Disaster Maps feature in the event of natural disasters.

Links:

Jamaica’s Court declares freestanding constitutional right to informational privacy

Image result for constitution

The Jamaican Constitutional Court in a 3-judge panel decision recently struck down an entire statute. The act – the National Identification and Registration Act 2017 – was being implemented with a view to making registration in a national ID database mandatory.

The complainant in the case had argued that it breached his constitutional rights.

The case is made interesting as the Jamaican Constitution does not include an express broad-based right to privacy and, certainly not informational privacy. In striking down the act, the Court took a weaving path that required an assessment of the degree to which the Jamaican Constitution provided a basis for protecting the right to privacy, despite this.

The Constitutional Court, having reviewed prior case law from throughout the Commonwealth, concluded that given the necessity of the right to privacy as a precursor to the enjoyment of the other rights in the Jamaican Constitution, a general right to privacy must be read into the Jamaican Constitution.

A copy of the case can be found here.

[FinTech] Barbados launches Regulatory Sandbox

In Barbados, the Financial Services Commission  and the Central Bank have jointly created an important regulation: the Regulatory Sandbox Framework for the Financial Services Sector.

Sandbox Benefits

The no-fluff definition of a regulatory sandbox? A temporary observatory where regulators try to figure out whether a new financial product/service is fish or foul.

Let’s flesh that out a bit.

Where an entity wishes to introduce an innovative financial product or service in Barbados, it may not be immediately clear which regulatory requirements should be complied with. Why? Financial services are regulated by two separate entities: the Central Bank and the FSC. Broadly speaking, the Central Bank regulates banking-type institutions whereas the FSC regulates all other financial service providers (think: insurance companies, credit unions, pension funds etc).

Applying to and being accepted in the Sandbox allows the applicants some well needed regulatory breathing space. In this period, applicants do not need to comply with and be licensed under the regimes of either the FSC or the Central Bank.

Regulatory Review Panel

For the duration of the applicant company’s time in the Sandbox, governance oversight will be provided by the Regulatory Review Panel (RRP). The RRP will be comprised of no less than 3 persons (there is no upper limit on the number of appointees to the RRP). The Director of Finance and Economic Affairs, the Central Bank and the FSC will be responsible for the appointments to the RRP.

The RRP, among many other governance functions, will determine whether the applicant’s product or service should be regulated pursuant to the FSC’s regime or the Central Bank’s. Alternately, the RRP may conclude that the particular product/service being considered is so novel that entirely new legislation is required.

Key Beneficiaries

In practical terms, the kinds of financial products or services most likely to  benefit from sandboxing would be new technology-centric financial service providers a.k.a. FinTech companies. Most FinTech startups tend to focus on disrupting traditional models of operating and will typically employ a combination of novel processes, unconventional business models and innovative products. In doing so, FinTechs will – almost by definition – defy the existing regulatory frameworks which were conceived with the brick-and-mortar realm in mind.

FinTech companies are the primary targets of the Regulatory Sandbox
FinTech companies are the primary targets of the Regulatory Sandbox – Internationalbanker.com photo

More Information

The Sandbox was launched at the end of October 2018 and the main documentation can be found on the websites of both the FSC and the Central Bank.

[Presentation] Data Protection: What Service Providers Should Know – Bimtech Digital Forum 2018

I was one of the speakers at the Bimtech Digital Forum 2018. The forum focused on pertinent considerations for service sector entities participating in the digital economy. The forum was put on by the Barbados Coalition of Service Industries (BCSI) which is dedicated to the acceleration of service sector development and enhancing the export potential of service providers in Barbados.

My ‘power chat’ presentation focused on fundamental data protection considerations for entities in the Barbados services sector. During the presentation, some emphasis was placed on the General Data Protection Regulation (GDPR), key data protection principles and practical next steps for Barbadian service providers.

You can view a copy of my presentation here (.pdf).

 

Comments on the Barbados Data Protection Bill, 2018

I was recently tasked with drafting comments on the 2018 Barbados Data Protection Bill on behalf of three public interest groups – the Barbados ICT Professionals Association, the Barbados Information Systems Security Association and the Barbados Chapter of the Internet Society. Effectively, civil society and professional development organisations with separate areas of focus but all interested in matters at the intersection of ICT and development.

Link: Comments on the Data Protection Bill, 2018 – BIPA ISSA ISOC.

 

Barbados Privacy Bill 2018 released for public comments til July 31, 2018

Barbados data protection Bill 2018
Barbados data protection Bill 2018

The Government of Barbados has released for comment, a 2018 draft of the Data Protection Bill (Mirror ). The draft bill is open for public input until July 31, 2018.

While the timing is somewhat short for a bill with such far reaching implications, I think its commendable that the bill is being opened up to input from all stakeholders, including civil society interests.

This is the second attempt by the Barbados Government to pass a comprehensive data protection bill. A prior iteration of the bill was initially tabled in 2005. However, meaningful progress in Parliament appeared to stall for the better part of the 13 years since.

On my initial scan, a few things jumped out at me which I mentioned in some tweets:

I will be reviewing the bill more closely over the coming weeks, with a view to submitting comments. If personal data protection is something you are interested in, I encourage you to submit comments, via e-mail to Commerce.Comments@barbados.gov.bb.

 

State of Privacy Laws in CARICOM/CARIFORUM: Presentation at the Caribbean IGF 2018

Privacy/Data Protection in CARICOM/CARIFORUM

I was pleased to be asked to co-present with Carlton Samuels at the just-concluded Caribbean Internet Governance Forum (“CIGF”). The CIGF, which was held in Suriname this year, is in its 14th year – which makes it, arguably, the longest running regional IGF in the entire world.

This year’s agenda was fairly heavy on the subject of privacy & data protection. In my view, this is a rather timely area of interest given the impending GDPR (which, literally, comes into effect tomorrow) and recent privacy-related events like the Cambridge Analytica/Facebook fiasco.

Our presentation focused on the Caribbean privacy and data protection landscape and sought to highlight some of the recent legislative developments as well as perceived shortcomings in giving effect to well-established privacy principles in regional legislation. We covered topics including breach notification, trans-border data transfers and fines for breaches.

A recording of the presentation can be viewed below.

Link to recording: here.

Link to Presentation: State of Privacy Laws in the Commonwealth Caribbean CIGF 2018

Guest Spot on the ICT Pulse Podcast discussing GDPR

I was really pleased to discuss the impending General Data Protection Regulation (GDPR) with Michele Maurius of ICT Pulse recently. On the eve of the GDPR’s commencement, it offered an opportunity to discuss the scope of the new law and, importantly, the potential extra-territorial implications for the Caribbean.

Link: http://www.ict-pulse.com/2018/05/ictp-005-nuts-bolts-gdpr-bartlett-morgan/

 

 

 

Enforcement powers clarified under updates to Barbados Telecommunications Act

Enforcement powers under Barbados’ Telecommunications Act are now more expansive and clear-cut following recent amendments. The newly passed Telecommunications (Amendment) Act, 2018-10 expressly extends the circumstances in which various enforcement-related activities such as injunctions, search and seizure orders and the issue of warrants may occur. Prior to the amendment, invocation of enforcement powers was almost exclusively grounded in breaches of the Act. Following the amendment, action may now be taken for breaches of any rules, regulations and orders made pursuant to the Telecommunications Act.

If you’re interested in the details, I’ve listed the essence of the changes below.

  1. Previously, the relevant minister had the power to seek injunctive relief or seek damages (pecuniary penalty) only where a telecommunications rule was breached. Under the amendment, in addition to rules, breaches of regulations and orders will also attract injunctions and pecuniary penalties.
  2. Under the amended Act, investigative powers are now extended to a licence issued under either rules, regulations or orders made under the Act. Previously, investigations were limited to breaches of the Act or licences issues under it.
  3. Pursuant to the original Act, the powers to enter, seize and/or search by an authorised inspector were limited to suspected breaches of the Act or a licence issued under it. Under the new amendments, this power has been extended to licences granted under any rule, regulation or order made in accordance with the Act or any registration or authorisation done under the Act.
  4. Magistrates were previously issued with the power to issue search warrants on suspicion that a breach of the Act had happened or was impending. Post-amendment, the magistrate may also issue a search warrant where rules, regulations and orders have been or are about to be breached.
  5. Where anyone interferes with an inspector in the execution of duties, that person will be liable to prosecution if the inspector was performing duties under the Act or any regulations, rules or orders made under it. This power was previously limited to the performance of duties pursuant to the Act itself.