The Data Protection Bill (DPB) is perhaps the most questionable bill ever produced in Barbados’ Parliament since our Independence. The excuse for passing such a questionable bill is that it had to be compliant with the European Union’s General Data Protection Regulation (GDPR). Well, it does not appear to be.
The European Union (EU) insisted on at least four critical safeguards to protect their citizens from political abuse. The first was to try to ensure that their national supervisory authorities (our Data Protection Commissioner) were completely independent of political influence.
GDPR Article 52.1: “Each supervisory authority shall act with complete independence in performing its tasks and exercising its powers in accordance with this Regulation.”
GDPR Article 52.2: “The member or members of each supervisory authority shall … remain free from external influence, whether direct or indirect, and shall neither seek nor take instructions from anybody.”
Our Data Protection Commissioner must regularly report to the Minister. One of the functions of our Commissioner is:
DPB Section 71 (g) “monitor the processing of personal data and, in particular, sensitive personal data, and any other matter affecting the privacy of persons in respect of their personal data, and report to the Minister on the results of that monitoring”.
The second critical safeguard is confidentiality. Every member of the EU supervisory authorities must hold confidential information, to the highest professional duty, for the remainder of their lives.
GDPR Article 54.2: “The member or members and the staff of each supervisory authority shall … be subject to a duty of professional secrecy both during AND AFTER their term of office, with regard to any confidential information which has come to their knowledge in the course of the performance of their tasks or exercise of their powers.”
Our Commissioner holds it like water in a sieve. They can simply authorise their staff to release confidential information at their discretion. When it inevitably leaks out, no one is to be held accountable.
DPB Section 73.1: “The Commissioner and a public officer appointed pursuant to section 72(1) shall keep secret all confidential information coming to his knowledge during the course of the administration of this Act or any other Act that the Commissioner has jurisdiction to administer or enforce, EXCEPT insofar as disclosure is necessary for the administration of this Act OR insofar as the Commissioner authorises that person to release the information.”
DPB Section 74: “The Commissioner and his staff shall not be subject to any action, claim or demand by, or liability to, any person in respect of anything done or omitted to be done in good faith in the discharge or in connection with the discharge of the functions conferred on the Commissioner and his staff pursuant to this Act.”
The third critical safeguard is that the EU supervisory authorities must be experienced in Data Protection.
GDPR Article 53.2: “Each member shall have the qualifications, experience and skills, in particular in the area of the protection of personal data, required to perform its duties and exercise its powers.”
Regulators should be better qualified, or at least be as competent, as those whom they are regulating. Since these are apparently political appointments, the bar for such an important role is a lawyer with 7 years of irrelevant experience.
DPB Section 70.2: “A person is qualified to hold or to act in the post of Data Protection Commissioner, where that person is qualified to practise as an attorney-at- law and has so practised for a period of not less than seven years, or for periods amounting in the aggregate to not less than seven years”.
The fourth critical safeguard is the integrity of the appeal process. There is an independent European Data Protection Board (our Tribunal), comprising the heads of each national supervisory authority. Each member of the supervisory authority is appointed by a transparent procedure.
GDPR Article 53.1: “Member States shall provide for each member of their supervisory authorities to be appointed by means of a transparent procedure by: their parliament; their government; their head of State; or an independent body entrusted with the appointment under Member State law.”
Our Tribunal is appointed by the Minister. Since the politically favoured expect these appointments, they do not need to invest in their professional development and competence. So, the bar must be set low enough for them to qualify.
DPB Schedule 1.1: “The members of the Tribunal shall be appointed by the Minister by instrument in writing from among persons WHO APPEAR TO HIM to be qualified as having had experience of, and shown capacity in, matters relating to data protection and privacy OR such other related discipline.”
Grenville Phillips II is a Chartered Structural Engineer and President of Solutions Barbados. He can be reached at [email protected]