On 10 October 2017, Jamaica introduced into its House of Parliament a comprehensive Bill for privacy and data protection, entitled “An Act to Protect the Privacy of Certain Data and for Connected Matters.” The new law would cover personal data, including data in an “accessible record” such as a health record or an educational record. If passed, the new law will be named the “Data Protection Act, 2017.”
Once the law is effective, Jamaica will join the ranks of other countries in the greater Caribbean region that have similarly passed comprehensive data protection legislation in recent years; these include Antigua and Barbuda, Aruba, the Bahamas, the Dominican Republic, St. Maarten, and Trinidad and Tobago (whose law is currently only partially enacted). As of 2011, Saint Lucia has also adopted legislation, but the law has not yet gone into effect.
The Bill aims to safeguard the privacy of individuals, by providing privacy and security protections over their “personal data” that are managed by “data controllers.” Under the Bill, personal data relates to a “living individual who can be identified” either from the data, or the combination of the data and any other information in the possession of, or likely to come into the possession of, a “data controller” (i.e., any person or public authority that “determines the purposes for which and the manner in which any personal data are, or are to be, processed”). The Bill also specifically covers certain classes of “sensitive personal data” (i.e., genetic or biometric data, and data regarding racial or ethnic origin, sex life, physical or mental health or condition, political opinions, philosophical and religious beliefs, trade union membership, or the commission or alleged commission of any offenses).
The Bill contains eight data protection “standards” for the processing of personal data, including that such data:
- be processed fairly and lawfully;
- be obtained only for one or more specified and lawful purposes, and not be further processed in any manner incompatible with those purposes;
- be adequate, relevant, and not excessive, in relation to the purpose for which it is processed;
- be accurate and, where necessary, kept up to date;
- not be kept for longer than is necessary for that purpose, and be disposed of in accordance with regulation;
- be processed in accordance with the rights of data subjects;
- be protected using appropriate technical and organizational measures; and,
- not be transferred to a State or territory outside of Jamaica, unless that State or territory ensures an adequate level of protection for the rights and freedoms of data subjects.
Once it becomes law, the Bill will carry with it several new obligations relating to personal data “processing” (which is broadly defined to cover “obtaining, recording or storing” the data, or “carrying out any operation or set of operations” on the data). Among them is the establishment of a new local Data Protection regulator (i.e., the office of an “Information Commissioner”) “charged with the responsibility of overseeing the manner in which personal data in the possession of [private and government] entities is handled.” Additionally, the Bill requires that data controllers:
- register personal data processing activities with, and report (“without undue delay”) data breaches to, the Information Commissioner;
- be established and process personal data in Jamaica or where Jamaican law applies by virtue of international public law, or, if not established in Jamaica, use equipment in Jamaica for processing such data other than for purposes of transit through Jamaica;
- appoint a data protection officer responsible for “monitoring in an independent manner the data controller’s compliance” with the Act;
- conduct an annual privacy impact assessment and submit it to the Information Commissioner;
- allow individuals to exercise choice concerning direct marketing and automated decision-making, and rectify inaccuracies in personal data;
- compensate individuals for damages suffered in contravention of the Act or relating to certain “special purposes”; and
- be subject to various levels of civil and criminal penalties, from fines ranging from $500,000 JMD to 10% of annual gross corporate income, and imprisonment ranging from 2 to 10 years, for offenses including failure to comply with an enforcement notice and unlawfully obtaining or disclosing personal data.
The Bill includes some exemptions, such as the exemption for specified forms of data processing for “special purposes” related to the publication of journalistic, literary or artistic material.
This Bill was introduced in the context of concerns raised over the increasing amount of personal data and other sensitive information entering the hands of companies and other entities. Jamaica’s need for additional privacy protections was first recognized in 2000 when the telecommunications market was liberalized; it was subsequently reflected in the country’s 2011 Information and Communications Technology policy. Recent incidents such as a fake lottery scam targeting the elderly highlighted concerns over the protection offered by Jamaica’s existing privacy laws.
In a “Memorandum of Objects and Reasons” signed by Jamaica’s Minister of Science, Energy and Technology and appended to the Bill, it is noted that “Jamaica, as part of CARIFORUM, entered into an Economic Partnership Agreement (EPA) with the European Union on October 15, 2008. The EPA requires signatory CARIFORUM States to establish appropriate legal and regulatory regimes, in line with existing high international standards, with a view to ensuring an adequate level of protection of individuals with regard to the processing of personal data.” As Jamaica seeks to position itself as an attractive destination for data centers and business processing services, the Data Protection Act has been welcomed as a step in the right direction, particularly for potential investors from Europe and North America that promote high standards for data protection.
If passed, the Data Protection Act would mark a shift towards a model similar to EU law, which is cross-sectoral and applies to all industries. This is in contrast to Jamaica’s current privacy legislation, which is applied at a sectoral level, and more closely resembles the US approach of applying different data protection regimes to different industries.
The Data Protection Act is one of several pieces of legislation and initiatives by the government to bring added awareness and security to technology-related sectors. For instance, the government has signaled that related legislation and draft legislation – such as the 2015 Cybercrimes Act and a new Information and Communications Technology Bill – will be reviewed and/or tabled. Jamaica also passed a bill in the Senate on 13 November 2017 creating a National Identification System (NIDS). NIDS will establish a central national database supporting reliable identity verification and authentication by storing biometric data, therefore complementing the Data Protection Act’s emphasis on securing the data of individuals. Passage of the Data Protection Act is crucial to the success of NIDS as it would serve to discourage and punish those attempting to abuse the data stored by NIDS.
While the Bill addresses obvious problem areas as they relate to data protection in Jamaica, for many companies operating in Jamaica, compliance with the Bill will mean incurring costs to put into place the necessary technical and institutional support to ensure protection of personal data within their custody or control. Among other things, the Bill requires the Information Commissioner to prepare and submit to the Minister a code of practice (referred to as “the data-sharing code”), which will contain practical guidance on personal data sharing (i.e., disclosure of the data by transmission, dissemination or otherwise making the data available) in compliance with the Act. The Information Commissioner is required to allow various groups, including trade associations and data subjects, to comment on the code, which should provide an opportunity for organizations to weigh in on data subject rights, as well as the business impact of the new law’s implementation.
To become law in Jamaica, a bill must first successfully pass through Jamaica’s House and Senate. The House first debates the bill as introduced and votes on it, referring the bill to a committee to consider in closer detail if it passes. The Bill for Data Protection has been tabled for debate in the House and, subject to a passing vote, would then be considered by an 11-member committee made up of members of both the House and Senate, chaired by the Minister of Science, Energy and Technology, Dr. Andrew Wheatley. Once it clears the committee, the Speaker of the House will report on any comments or amendments to the Bill, after which the House may vote on the amended Bill. If passed, the Bill will move to the Senate, where, once again, it may be amended, at which point it will have to return to the House for additional consideration, or the House may ask the Senate to reconsider its amendments. Once an agreement is reached, the Bill will go to the Governor-General for assent. The new law will only go into effect on the day it is appointed by Minister Wheatley, by notice published in the local Gazette.
*The authors are not Jamaica-qualified attorneys; Sidley Austin LLP does not have offices in Jamaica.