Barbados: A modern data protection regime
03 February 2020
Barbados is now much closer to implementing a modern data protection regime. The Data Protection Bill 2019 ('the Bill') was passed by the Senate on 24 July 2019 and by the House of Assembly on 6 August 2019. Although it has not yet been brought into force, it is forthcoming. Bartlett D. Morgan, Senior Associate at Lex Caribbean, discusses the scope of the Bill and the legislative steps that remain.
Barbados, as at the time of publication, has not enjoyed the benefits of a broad-based informational privacy regime, and redress has been limited to the very narrow protection available under the Constitution of Barbados and the common law. There was no statutory obligation for entities processing personal data to implement measures to safeguard the data in their possession, and the effect of this has been an environment in which the misuse of the personal data of individuals in Barbados would not result in meaningful redress.
The Government of Barbados first published a draft of the Bill in 2005. For a 13-year period following this, there was no progress until the publication of an updated version of the Bill in the first quarter of 2018. After a period of public feedback, a significantly revised version of the Bill was made public in the first quarter of 2019.
Subsequently, Parliament formed a Joint Select Committee of both Houses of Parliament that reviewed, then recommended further amendments to the Bill. These recommendations led to the version of the Bill which was passed by the Senate and the House of Assembly.
The Bill that has emerged from this process reveals features heavily influenced by the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), including breach notification, impact assessment requirements, and sizeable fines. In doing so, Parliament has passed the Bill with foundations built on a de facto gold-standard data protection framework.
Unlike its draft predecessors, the Bill is much broader in its territorial scope. The initial drafts allowed only a very narrow extra-territorial reach and focused primarily on the processing of personal data by businesses. The Bill, by contrast, applies outside of purely business contexts and extends much further beyond Barbados. The Bill will now apply to:
- any processing by a controller or processor in Barbados; and
- the processing of personal data of data subjects in Barbados by a controller or processor not established in Barbados, so long as the processing relates to the offering of goods or services to data subjects in Barbados.
The Bill will regulate the activities of both controllers and processors of personal data. The obligations of each group differ under the Bill and, by extension, so do the fines payable by each in the event of a breach of the Bill.
Data processing principles
In order to lawfully process data pursuant to the Bill, six key principles must be observed. Personal data must be:
- processed lawfully, fairly, and in a transparent manner;
- collected for specified, explicit, and legitimate purposes only;
- adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date;
- kept in a form which permits identification of data subjects for no longer than is necessary; and
- processed in a manner that ensures appropriate security of the personal data.
Sensitive personal data
The Bill will treat sensitive personal data as a distinct class. The rationale is that data deemed sensitive is more likely, in the event of misuse, to result in serious harm to the data subject. As a consequence, sensitive personal data ought to be processed in a manner that reflects this level of seriousness.
Under prior drafts of the Bill, sensitive personal data was limited to information on a data subject's:
- racial or ethnic origin;
- political opinions;
- religious or similar beliefs;
- membership of a political body;
- physical or mental health;
- sexual orientation;
- financial record/position;
- criminal record; and
- inclusion in proceedings related to any offence committed or alleged to be committed by the data subject.
This list has now been expanded in the Bill to also include union membership and biometric data.
Consent of children
Children will only be deemed to have given consent for the lawful processing of their data where the consent is procured through a parent or guardian. Any person under 18 years of age will be deemed a child for the purposes of the Bill.
Data protection authority
The Data Protection Commissioner (the 'Commissioner') will be the data protection authority under the Bill. The Commissioner will be responsible for the general administration of the Bill and will have the authority to conduct investigations to determine whether the provisions of the Bill are being complied with. In addition, the Commissioner's functions will also extend to sensitisation of different stakeholders, including various governmental entities, data controllers, data processors, and data subjects.
Importantly, the Commissioner will have the express authority to impose administrative penalties of up to BBD 50,000 (approx. €22,000) for specified breaches of the Bill.
Enforcement notice decisions by the Commissioner can be appealed to a specialist tribunal, the Data Protection Tribunal.
Data protection officers
The Bill introduces a requirement for controllers and processors to appoint a data protection officer ('DPO') for their operations. The DPO will be a high-level appointee reporting directly to senior management. A DPO appointed under the Bill must operate with independence and must also be an expert in the field of data protection.
The DPO's role will encompass monitoring compliance with the Bill and with any relevant data protection policies. The DPO will also advise controllers and processors of their obligations and will advise on any Data Protection Impact Assessments ('DPIAs') being carried out. The DPO is the person to whom data subjects will address their concerns in respect of their rights under the Bill, and will also be the contact point for any interactions with the Commissioner.
Businesses may outsource the DPO function, and groups of businesses or governmental entities may appoint the same person as DPO, possibly thereby lowering the cost of compliance.
Cross-border data transfers
The Bill appears to acknowledge the reality of a modern, internet-driven society and that the international transfer of personal data outside of Barbados is a necessary reality. As such, the Bill addresses this with the inclusion of measures to ensure that the privacy rights afforded to data subjects under the Bill will also travel with their personal data when it leaves Barbados.
To achieve this, the Bill provides that personal data will not be transferable out of the jurisdiction:
- in the absence of adequate levels of protection for the rights and freedoms of data subjects in the foreign jurisdiction; and
- without the existence of an adequate level of safeguards to ensure that the rights of the data subject are enforceable in the foreign jurisdiction.
Among the appropriate safeguards that may be employed under the Bill are standard contractual clauses and Binding Corporate Rules. Where the transfer of data outside of Barbados is between governmental entities, a legally binding instrument between the relevant entities can also be considered an appropriate safeguard.
Right to be forgotten
The Bill will provide individuals with the right to have their personal data erased. Popularly referred to as the right to be forgotten, this right will not be absolute and must be balanced against the rights and interests of others. For example, the right to be forgotten cannot be invoked where it conflicts with another's right to freedom of expression.
Privacy by Design
Data controllers will have an express obligation to comply with the Privacy by Design concept. This will mean that controllers must now integrate data protection best practices and obligations from the design stage of any data processing activities.
Specifically, data controllers will now be obligated to ensure that they implement the appropriate systems and mechanisms that will limit the processing to only personal data that is deemed absolutely necessary. This obligation will require the controller to consider the amount of personal data collected, the extent of processing of that data, the period of storage, and its accessibility.
Personal data breach notification
The Bill will require controllers to notify the Commissioner and the affected data subjects of personal data breaches within 72 hours. These notifications will require the controller to provide certain prescribed details of the breach.
There will be no need to notify the Commissioner where the breach poses no risk to the rights and freedoms of individuals. Importantly, where the circumstances justify the delay, the Commissioner may be notified later than the prescribed 72-hour window.
Right to compensation
The Bill will require controllers and processors to pay compensation to persons whose rights under the Bill have been breached. To qualify for compensation, a claimant will have to demonstrate that they have suffered damage or distress.
The Bill does not, however, specify whether recourse is to be sought through a complaint to the Commissioner or through the courts. It is presumed that regulations will address this area.
Enforcement and penalties
The Bill will include several measures that may be applied by the Commissioner to ensure effective compliance by controllers and processors. The measures include enforcement and information notices, injunctions, summary criminal prosecution, payment of fines, and administrative penalties.
Fines under the Bill will be as high as BBD 500,000 (approx. €200,000). The maximum fine payable for a particular breach will vary with the provision breached. For example, the BBD 500,000 fine will be available only for breaches of four provisions of the Bill, namely:
- the fundamental principles;
- transfers of data outside of Barbados;
- processing data without instructions from a data controller; and
- lying in response to an information notice.
Most fines will be payable only after summary criminal conviction. The exception is the administrative penalty, which will be payable immediately upon an order of the Commissioner. Administrative penalties are limited to a maximum of BBD 50,000.
The Bill will also allow for criminal convictions resulting in prison sentences ranging from two months to three years for significant breaches. Such sentences will be an alternative to the fines payable upon summary conviction.
Registration of data controllers and processors
Controllers and processors will be obligated to register with the Commissioner under the Bill. When registering, particulars of the processing being carried out by the controller or processor must be provided to the Commissioner.
Controllers and processors will have an ongoing obligation to notify the Commissioner of any changes in the particulars of the processing being carried out.
A failure to register as a controller may result in a fine of up to BBD 10,000 (approx. €4,000).
Proclamation
Whilst the Senate passed the Bill on 24 July 2019 and the House of Assembly approved it on 6 August 2019, passage of a bill in both houses of Parliament is not by itself enough to bring the law into effect.
Laws in Barbados may be designed to come into effect only upon proclamation by the Governor General. In the proclamation, the Governor General prescribes the date on which the act will come into effect. The lead time provided through proclamation is particularly important, as it will determine how much time controllers, processors and the Commissioner will have to get their houses in order before the Bill comes into effect.
The Bill includes a provision requiring proclamation by the Governor General. What remains uncertain at this juncture, however, is:
- when the Bill is likely to be proclaimed; and
- how much lead time will be provided by the Governor General during proclamation.
Regulations
The Bill contemplates the making of regulations to give effect to its provisions. It remains to be seen what the timeline for the passage of those regulations will be. The regulations will presumably cover practical matters including:
- the amount of the fees to be paid by data controllers and processors upon registration;
- whether these fees are recurring;
- the timing for completing various procedures under the Bill; and importantly
- the relevant forms to be used to give effect to various notifications, requests, and communications under the Bill.