The Barbados government has produced, for public comment, a draft of the bill it expects to eventually pass into law as the Barbados Data Protection Act, 2018. With the proposed BDPA, Barbados appears to be taking a necessary first step towards protection of personal data — albeit for the second time (a prior draft was floated in 2005).
Key features of the BDPA
Scope of application
The BDPA is fairly narrow in its scope. If passed, it will apply only to data controllers established in Barbados that process personal data in the context of their business, and to controllers outside Barbados that use equipment located in Barbados to process personal data.
Exemptions of varying scope will be allowed. Notable exemptions include matters concerning national security, crime and taxation, regulatory activity, journalism, and manual (non-automated) data held by public authorities.
Principles covered
The data principles in the legislation serve as the general baseline against which the processing of personal data will be assessed.
The BDPA covers eight data principles:
- Personal data must be processed fairly and lawfully.
- Personal data must be obtained only for specified and lawful purposes.
- Personal data must be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- Personal data must be accurate and, where necessary, kept up-to-date.
- Personal data must not be kept for longer than is necessary.
- Personal data must be processed in accordance with the various rights to be accorded under the bill.
- Appropriate technical and organizational measures must be taken against unauthorized or unlawful processing of personal data and against accidental loss, destruction of, or damage to personal data.
- Personal data may not be transferred out of Barbados unless an adequate level of protection for the rights and freedoms of data subjects is ensured.
Data subject rights
Under the BDPA, data subjects will have enforceable rights in respect of their personal data. Key rights include the right of access, under which a data subject can request information about the personal data a data controller is processing about them; the right to prevent processing of personal data that is likely to cause damage or distress; and the right to require that personal data be blocked, erased or destroyed.
Sensitive personal data
The current BDPA draft includes the concept of sensitive personal data as a distinct class of data. The essential idea behind sensitive personal data is that the context of their processing could result in significant risks to the rights and freedoms of data subjects, such as discrimination.
Under the current version, the categories of information treated as sensitive are limited to information on a data subject's: racial or ethnic origin; political opinions; religious beliefs or other beliefs of a similar nature; membership of a political body; physical or mental health or condition; sexual orientation or sexual life; financial record or position; criminal record; and inclusion in proceedings related to any offense committed or alleged to have been committed by the data subject.
Notably, this draft of the BDPA does not extend sensitive personal data to biometric data or trade union membership.
Data protection authority
The data protection authority to be established under the bill is the Data Protection Commissioner. The commissioner will be responsible for the general administration of the BDPA and will have the authority to conduct audits to determine whether the provisions of the BDPA are being complied with.
Registration of data controllers
Entities will be required to register with the Data Protection Commissioner in order to operate as data controllers, and must provide particulars of their data processing upon registration. Failure to register as a data controller will result in a fine.
International data transfers
The BDPA acknowledges the importance of cross-border data flows to modern internet-driven commerce and trade by permitting international transfers of personal data, subject to conditions.
As a starting principle, the BDPA will prohibit the transfer of personal data out of Barbados unless the country or territory ensures an adequate level of protection for the rights and freedoms of data subjects vis-a-vis the processing of their personal data. However, exceptions will be made, most notably where the transfer is made on terms of a kind approved by the commissioner; the data subject has consented to the transfer; or the transfer is necessary for the performance of a contract between the data subject and the data controller.
Appeals tribunal
The BDPA will establish a Data Protection Tribunal to hear appeals against enforcement notices, information notices and special information notices served by the commissioner. The Data Protection Tribunal will be empowered to make its own findings of fact, may allow or dismiss appeals against the commissioner's decisions and, in appropriate cases, may substitute its own notices or decisions for those of the commissioner.
Enforcement
To be effective, data protection legislation needs enforcement measures that are proportionate and sufficiently dissuasive. Enforcement measures under the proposed BDPA include notices, fines and imprisonment.
Fines under the proposed BDPA range from BD$1,000 (US$500) up to a maximum of BD$1,000,000 (US$500,000, at the Barbados dollar's fixed peg of BD$2 to US$1). The maximum fine applies to breaches of the data principles outlined in the BDPA.
The BDPA will also create criminal offenses carrying prison sentences ranging from two months to two years for significant breaches of the proposed act.
Likely next steps
The comment period for the bill closed Aug. 31, and the Ministry of Commerce is expected to present a modified draft BDPA before the Barbados House of Assembly (the lower house of Barbados' parliament) soon. After deliberations there, the BDPA will likely move to the Senate before being passed into law.
It remains to be seen whether the version that reaches the Barbados Parliament will be enlarged to address fundamental concepts the current draft omits, including breach notification, the right to be forgotten, data portability, liability for data processors and data protection officer requirements.