Jamaica Takes First Step Toward Comprehensive Privacy Law

By George Lynch

Companies doing business in Jamaica would, for the first time, face broad privacy rules under a government bill introduced in Parliament.

A new privacy office would be able to levy fines of up to 2 million Jamaican dollars ($15,597) or up to 10 percent of a company’s gross income. The proposed law would also allow the privacy office to seek prison terms of up to seven years for individuals that violated the law. Individuals would be able to ask the privacy office to recover damages from companies that violated the law.

The country has sector-specific laws for financial services and electronic transactions that have some general rules on data use and storage, but the bill would give Jamaica its first comprehensive privacy statute.

“Jamaica is becoming a very attractive location for business processing services,” but having a comprehensive privacy law would hopefully make it a more attractive place to locate data centers and might lure more data processing work for higher-end businesses, Grace Lindo, a commercial, intellectual property, and technology partner at Nunes, Scholefield, DeLeon & Co. in Kingston, Jamaica, told Bloomberg BNA.

However, the bill, which was introduced in the House Oct. 10, may increase compliance costs and burdens on companies operating in Jamaica. The proposed law includes several new compliance obligations for companies, including obtaining consumer consent and notifying the privacy office of data breaches.

Data security and data collection restrictions in the bill would create costly compliance obligations that may come as a surprise to companies, Danielle Stiebel Johnson, a technology and electronic transactions attorney at Myers, Fletcher, & Gordon LLP in Kingston, told Bloomberg BNA.

Large Jamaican companies that would face new obligations under the proposed law include financial holding company NCB Financial Group Ltd., food and finance conglomerate GraceKennedy Ltd, and insurance provider Sagicor Group Jamaica Ltd, according to Bloomberg data.

The bill says that data processing may be performed using consumer consent, but the consent provision contains wide exceptions, according to Lindo. “I find these exceptions to be very pro-business,” Lindo said. For example, a company need not obtain consent if it can show that it cannot be reasonably expected to obtain it and it has exhausted all possible avenues to obtain it, she said.

Data Breach Notification

The legislation would require companies to notify the privacy office of breaches of personal data “without undue delay.” The bill would also require companies to notify individuals of a data breach if it is “likely to affect” them.

The legislation would require companies to protect the privacy and security of “personal data,” which is defined as data capable of identifying a living person, either on its own or when combined with other information likely to be possessed.

The proposed law would require companies to take extra care to protect “sensitive personal data,” including genetic, biometric, racial, ethnic, political opinion, health, and sex life information.

Major New Requirements

The bill includes provisions found in similar recently enacted privacy laws with accountability principles, such as appointing a data protection officer and requiring privacy impact assessments, Miriam Wugmeister, co-chair of the global privacy and data security group at Morrison & Foerster LLP in New York, told Bloomberg BNA. But it also has a provision to require companies that control the collection and use of personal data to register with the data protection authority. Such a provision more often shows up in privacy laws without accountability provisions, she said.

The proposed law would require data controllers to:

  •  register with a new privacy office;
  •  report any data breaches to the privacy commissioner without undue delay;
  •  appoint a data protection officer;
  •  conduct annual privacy impact assessments; and
  •  allow consumers to opt-out of direct marketing.

“This bill will offer the highest level of protection for personal information. We must ensure that information is handled and stored properly,” Trevor Forrest, senior adviser to the Science, Energy and Technology Ministry, the government agency that introduced the bill, told Bloomberg BNA.

Accountability Principles

The Jamaican legislation is based on European Union tenets of data protection, Lindo said.

The bill would require companies to adopt “appropriate” technical and organizational data protection and security measures that are consistent with best practices and take cost considerations into account. Additionally, the bill would require companies to ensure that data is:

  •  processed fairly and lawfully;
  •  obtained for a specified and lawful purpose;
  •  collected for adequate, relevant purposes and not excessive in relation to the lawful purpose for which it is being processed;
  •  kept accurate and up to date;
  •  not stored longer than necessary for processing;
  •  processed in accordance with the rights of the data subject; and
  •  not transferred to third countries without adequate privacy laws.

To become law, the bill must pass the House and Senate and receive the Governor-General’s assent. The Minister of Science, Energy, and Technology has authority to promulgate regulations to effectuate the bill, if passed into law.

With assistance from Lucien Chauvin in Lima

To contact the reporter on this story: George Lynch in Washington at gLynch@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

For More Information

The bill, as introduced, is available at http://src.bna.com/tjO.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.