A discussion of the need for specific data protection laws in the Caribbean; the current status of those laws in the region; and some of the consequence when they are absent.
Across the Caribbean, considerable strides have been made to establish the enabling framework for Information Societies and knowledge-based economies. To date, many countries have approved polices and have enacted laws to, among other things, manage and regulate their telecoms sectors, facilitate electronic transactions, and protect Intellectual Property (IP).
However, although to varying degrees the roll out of new and additional policies and legislation continues, to date, the subject of data protection does not appear to have received any major consideration in the region. This post discusses the need for separate data protection laws, the current status of those laws in the region, and some of the consequences when they are absent.
If we already have IP and privacy laws, why do we still need data protection legislation?
IP, privacy and data protection are three separate and distinct concepts, which although interrelated, address different aspects of protecting an individual’s private information and creative outputs.
First, IP laws typically speak to the recognition of the rights of the creators and owners certain specified works. Depending on the works, which could include words, phrases, music, writing, inventions and designs, the IP rights bestowed on the owner or creator could include copyright, trademarks and patents. Hence protected works:
- cannot be used indiscriminately
- cannot be used without the owners’ or creators’ consent, and
- may require that the owners or creators be compensated for their use.
With regard to privacy, it is a fundamental right under United Nation’s Universal Declaration of Human Rights. Depending on the country, it may also be enshrined in the national constitution, or addressed in specific pieces of legislation. Having said this, privacy, and the rights typically associated with this subject, can be broad and encompass, among other things: personal privacy, private life, private home, private correspondence, unwarranted investigation, etc. Hence local privacy laws tend to explicitly define those rights, but more importantly specify their limits.
Data protection (or data/information privacy) is generally considered a subset of privacy, but its treatment might be limited in that larger context. Data protection laws tend to control and prescribe the ways in which personal data can be processed and stored, and addresses matters related to transparency. Hence individuals have the right to know,
- what personal data is collected
- on what legal grounds that data is being collected
- who is collecting the data
- how it is (or will it be) used, and
- for how long it be used and kept.
What is the status of data protection legislation in the Caribbean?
Under the project for the Establishment of Harmonized Policies for the ICT Market in the ACP Countries (HIPCAR), which is being undertaken with the support of European Union and the International Telecommunications Union, part of its Terms of Reference requires privacy and data protection in the Caribbean be examined and model legislation prepared. In 2012, an assessment report was published on the status of privacy and data protection laws in the Caribbean, along with key recommendations and international best practice. Table 1 summarises the status of those laws in the region.
As at 2013, less than a half of the Caribbean countries surveyed had drafted any specific privacy and data protection laws, and in less than a quarter of them the laws are in force. Interestingly, and with the exception of the Bahamas, the evaluation of those laws determined that the breadth and depth of the treatment given to those subjects was limited. Hence they could benefit from revision to better align them with best practice, along with current needs in the area of data protection.
What are some of the consequences of not having data protection laws?
Although countries might appreciate that the absence of data protection laws is a clear deficiency in their stable of legislation, there are additional consequences that could be considered. Two key ones are outlined below.
First, in today’s society where information has become increasingly valuable, and can be traded and leveraged at almost every opportunity, the opportunities for abuse are rife. By addressing the control and protection of information, data protection legislation safeguards information from misuse and abuse. Additionally it offers both the companies that store and manage private information, along with the individuals that the information is about, a clear framework in which to operate, plus the recourse for breach of the established policies.
Second, and perhaps more importantly, for countries without clear data protection laws, they may not be considered for certain types of investments or the set-up of certain types of businesses. For example, organisations may be reluctant to store information in data centres resident in countries that have no data privacy laws, regardless of how favourably it performs on other factors. The same position is likely to apply to back-office and data processing services that deal with personal or commercially sensitive information.
Furthermore, it is important to highlight that in jurisdictions that do have data protection laws, a commonly adopted principle is the constraint on the cross-border flow or transfer of data. According to HIPCAR, such provisions typically state
… that personal information should not be transferred from one jurisdiction to another without equal or greater protections to privacy and information protection.
Hence for countries in the Caribbean that have no data privacy laws, or whatever exists is considered deficient, they could be at a considerable disadvantage, and specifically less competitive than other countries that have been proactive in addressing this issue. As indicated earlier, as part of the HIPCAR project a sample of the legislation has been prepared, which countries in the region can adopt and adapt. However, how long might the promulgation of comprehensive data protection legislation remain unfulfilled? Only time will tell…
Image credit: cooldesign / FreeDigitalPhotos.net