by Dean C. Forbes, Gabrielle Whitehall and Jan Yves N. Remy
Today, more than 120 countries have privacy and data protection laws or regulations in place. Many of the new or modernized laws tend to be based on comprehensive legislation, rather than sectoral rules, as data needs to move across industry groups and borders. With its new data protection bill, Barbados is planning to join the ranks; this is a significant move, and it is one fuelled at least in part by the entry into force of the European Union’s General Data Protection Regulation (“GDPR”) on May 25, 2018. The GDPR was designed to harmonize data protection laws across Europe and to protect EU residents’ data privacy rights. Its arrival triggered significant privacy and data protection compliance activities amongst organizations doing business in the EU and working with the personal data of EU residents.
This comprehensive data privacy law wave has already reached parts of Latin America and the Caribbean. For example, Brazil expects data protection legislation to come into effect in 2020, joining the likes of Argentina, Mexico, Uruguay, Colombia, Antigua, the Bahamas, Bermuda, the Dominican Republic, St. Lucia, Jamaica, Trinidad and Tobago, and various other countries that have passed and either have enacted, or are in the process of enacting, their comprehensive privacy and data protection laws.
In Barbados, the public consultation on a draft privacy bill has already taken place, and an amended bill was presented to a Joint Select Committee of both Houses of the Barbados Parliament on May 31, 2019. The Barbados Data Protection Act (BDPA) was passed on July 24, 2019 and now awaits the Governor-General’s signature. Similar to Brazil’s Data Protection Law, the Barbados Data Protection Act, 2018 is structured after the GDPR and internationally recognized privacy principles intended to regulate the safeguard and the processing of personal data, but unlike the GDPR, brings with it potential criminal liability for violations. If passed in its current form, the BDPA will have an impact on commerce both within Barbados and cross-border data transfers out of the country.
We provide a brief overview of BDPA’s principles relating to the processing of personal data, requirements with respect to data subject rights, international transfers, and compliance.
An Overview of the BDPA
As the BDPA is a comprehensive law, if passed, it affects companies in all sectors doing business in or with Barbados. Companies in the financial services, technology, airline and hotel industries are among those that could face substantial compliance obligations. If passed, subject to limited exemptions, the BDPA will apply to “data controllers” and “data processors” that process personal data of Barbados residents (regardless of citizenship), also referred to as “data subjects,” in the context of their business and are established in Barbados. A “data subject” is an individual who is the subject of personal data. As defined in the BDPA, the data controller is the person who determines the purposes for which, and the manner in which, any personal data is or should be processed. The data processor is the person who, other than an employee of a data controller, processes personal data on behalf of the data controller.
Like the GDPR, the BDPA explicitly aims to have extraterritorial reach by applying to “the processing of personal data of data subjects in Barbados by a data controller or a data processor not established in Barbados, where the processing activities are related to the offering of goods or services to data subjects in Barbados.”
The BDPA provides for a broad concept of what should be deemed “personal data.” In particular, personal data is any “data which relates to an individual who can be identified from that data or from that data together with other information which is in the possession of or is likely to come into the possession of the data controller.” Like the GDPR, the BDPA aims to reach information that could be used to identify a person, even if the information on its face does not do so. Given the widespread global adoption of big data analytics and artificial intelligence which allows the rapid correlation of large, structured and unstructured databases, virtually any data may eventually be considered personal data, and therefore subject to the law.
Also akin to the GDPR, the BDPA defines a subset of personal data as “sensitive personal data” and provides special protections for it. Sensitive data is personal data that relates to racial or ethnic origin, religious and political views, union, religious, philosophical or political affiliations, sexual, biometric or genetic data.
The data principles in the legislation serve as the general baseline against which the processing of personal data will be assessed:
· Lawfulness: Personal data must be processed fairly and lawfully.
· Purpose: Personal data should only be processed for legitimate, specific and explicit purposes.
· Necessity: Personal data must be adequate, relevant and necessary in relation to the purposes for which they are processed.
· Accuracy: Personal data must be accurate and, where necessary, kept up-to-date.
· Retention: Personal data must not be kept for longer than is necessary.
· Security: Appropriate technical and organizational measures must be taken against unauthorized or unlawful processing of personal data and against accidental loss, destruction of, or damage to personal data.
· Data subject rights
Under the BDPA, data subjects will have enforceable rights with respect to their personal data. Some of the key rights will require companies to correct, delete or provide a copy of the data if requested by the data subject.
· Data processing
Under the BDPA, processing shall be lawful where the data subject has given consent to the processing of his personal data for specific purposes, where necessary for, among other purposes, the performance of a contract; to comply with legal obligations; to protect the vital interests of the data subject; and for the administration of justice.
· Mandatory data breach notification
The BDPA will require mandatory notification to the data protection authority and data subjects within 72 hours of a personal data breach, where feasible. A “personal data breach” is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
· A new data protection authority
The BDPA requires the establishment of a data protection authority, led by a Data Protection Commissioner. The newly created Data Protection Commissioner will be responsible for the general administration of the BDPA and will have the authority to conduct audits to determine whether the provisions of the BDPA are being complied with. In addition, the Data Protection Commission will have the authority to prepare appropriate codes of practice for the guidance of persons processing personal data.
· International Transfers
The BDPA generally prohibits the transfer of personal data out of Barbados unless the destination country or territory ensures an adequate level of protection for the rights and freedoms of data subjects vis-à-vis the processing of their personal data. An adequate level of protection is one which is adequate in all the circumstances of the individual case, having regard to a number of factors, including: (1) the nature of the personal data; (2) the country or territory of final destination of that information; (3) the purposes for which and the period during which the data are intended to be processed; and (4) any security measures taken in respect of the data in that country or territory. However, exceptions will be made, most notably where: the data subject has consented to the transfer; the transfer is made on terms of a kind approved by the commissioner; or, the transfer is necessary for the performance of a contract between the data subject and the data controller.
· Data privacy officer
The BDPA requires the appointment of a data privacy officer in cases where the core activities of the data controller or the data processor consist of processing operations which, by virtue of their nature, their scope and their purposes, require regular and systematic monitoring of data subjects on a large scale or where the core activities consist of processing sensitive personal data on a large scale.
The role of the data privacy officer is to monitor the data controller’s or the data processor’s compliance with the BDPA and with the policies of the data controller or data processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits. The data privacy officer will also be the communication link between the Data Protection Commissioner and the data controller or data processor on issues relating to data processing.
Fines under the BDPA range from BD$10,000 up to a maximum of BD$500,000. The maximum fine could result from violations of the BDPA principles; violations of restrictions placed on international transfers of personal data; or could result if a data processor processes personal data outside the scope of the data controller’s instructions. Significantly, the BDPA will also allow for criminal convictions resulting in prison sentences ranging from two months to three years. The inclusion of criminal penalties sets Barbados apart from the vast majority of countries that have privacy and data protection laws or regulations in place.
Effect on the Barbadian Private Sector
The greatest impact of the new law will certainly be on companies that process consumers’ data in its daily activities, such as technology, healthcare, and the tourism industries.
· Technology Companies
Technology companies process vast amounts of personal data daily. Under the BDPA, these companies will be open to potential fines for non-compliance, data loss and data breaches, which is a seismic shift within the IT sector in Barbados. These companies will have to adopt stricter security measures, standards and processes within their organizations to protect and handle customer personal data to ensure they are compliant with BDPA.
· Healthcare Organizations
As healthcare organizations like pharmacies, hospitals and health insurance providers manage personal data, including sensitive personal data, their compliance with the BDPA requirements will be critical. Apart from the general protections provided for personal data, the BDPA generally prohibits any kind of processing of sensitive personal data unless explicit consent is given or very specific conditions are met. For example, processing of sensitive personal data is generally permissible for assessing working capacity for employment, for public interest or if the processing is necessary in order to protect the vital interests of the data subject or another person, in a case where consent cannot be given by or on behalf of the data subject or if the data controller cannot reasonably be expected to obtain the consent of the data subject.
Furthermore, BDPA could well require some healthcare organizations to appoint a data privacy officer because their core activities likely consist of processing sensitive personal data on a large scale.
· Tourism Industry
The hotel and airline industries are vulnerable industries when it comes to data security because these industries process a large volume of personal data and credit card information on a daily basis. Similar to technology companies, these companies will have to adopt stricter security measures, standards and processes within their organizations to protect and handle customer personal data to ensure they are compliant with BDPA.
It is likely that global companies in the tourism industry already have the infrastructure in place to be compliant with the BDPA. However, small, local hotels and regional airlines operating in Barbados will likely face the burden of developing the infrastructure to not only safeguard personal data but also to ensure customers can exercise their data subject rights.
· Small & Medium-sized Companies
The costs of compliance could be onerous for small and medium-sized businesses who may lack the required infrastructure to abide by BDPA’s requirements. The BDPA will require businesses to correct, delete or provide a copy of the personal data if requested by the data subject. In this regard, small companies may be the most affected by this new legislation, due to the necessary investments in technological resources and new business platforms. A considerable amount of structural changes within the day-to-day operations of many entities will have to be implemented in order to comply with the new provisions.
If passed into law, the BDPA will implement a comprehensive privacy and data security regime in Barbados. This regime would require companies to develop the infrastructure to support data subject rights and to protect personal data. The BDPA also imposes limits on the transfer of personal data outside of the country, and potential fines and criminal liability for violators.
Due to the influence of the GDPR in BDPA, an organization’s compliance with the former would, in general terms, help to satisfy the requirements of the latter. However, companies that have not aligned their data practices to align with the GDPR will have the largest programmatic changes to make to become compliant. In this regard, proper education and training about the BDPA should be provided and taken up by the Barbadian private sector.
Dean Forbes and Gabrielle Whitehall are attorneys-at-law from Sidley Austin LLP, Washington DC office. Dr Jan Yves Remy is a former Sidley Austin Associate and now serves as the Deputy Director at the Shridath Ramphal Centre for International Trade Law, Policy and Services at the University of the West Indies in Barbados. For further information, please visit http://datamatters.sidley.com