Privacy in Paradise
Jamaica's House of Representatives Approves New Data Protection Act
Jamaica may soon join the growing list of countries enacting comprehensive personal data protection regimes. The Data Protection Act, 2020 (DPA) was approved by the House of Representatives (Lower House of the Jamaican Parliament) on May 19, 2020. The DPA will be sent to the Senate (Upper House) for debate and voting. If the DPA passes in the Senate, it would then need to be signed by the Governor-General and published in the Jamaica Gazette before the DPA would come into force.
The Jamaican Minister of Science, Energy, and Technology has noted that personal data is considered the "new gold" and that the DPA will "delineate the rights of individuals in relation to the processing of their personal and sensitive data" and "provide for transparent oversight that will enable the public and private sectors to strengthen the protection of personal data." Although the DPA mirrors the European Union's General Data Protection Regulation (GDPR), there are some differences between the DPA and the GDPR. Companies with operations in Jamaica or that process the personal data of data subjects in Jamaica may wish to familiarize themselves with the DPA, as passed by the House of Representatives, and follow the progress of the DPA.
Scope of DPA
The DPA would apply to the processing of personal data by data controllers that are either:
- Established in Jamaica (i.e., by residency or incorporation under the laws of Jamaica) or anywhere that Jamaican law is applicable by virtue of international public law; or
- Not established in Jamaica, but use equipment in Jamaica for the processing of personal data (other than for the purpose of transit through Jamaica), or process personal data of a data subject who is in Jamaica and the processing activities are related to:
  - Offering of products or services to data subjects in Jamaica, regardless of whether a fee is required; or
  - Monitoring of the behavior of data subjects to the extent their behavior takes place in Jamaica.
Data Subject Rights
The DPA mirrors the GDPR in recognizing that the consent of the data subject is required to process their personal data, unless at least one of the enumerated conditions is present. The DPA would provide data subjects with the following rights:
- Data Access - Upon written request to the data controller and free of charge, data subjects would have the right to be informed whether the data controller is processing personal data related to them, and if so, to be provided with a description of the data, the purpose or purposes for which the data is being processed, and the person or persons to whom the data has been or may be disclosed.
- Data Subject Access Report - Upon written request to the data controller and payment of a fee, data subjects would have the right to be provided in an intelligible form with the data that relates to them.
- Data Portability - Upon written request to the data controller and payment of a fee (and where technically feasible), data subjects would have the right to have their data transmitted to another data controller as specified in the request.
- Automated Processing Logic - Upon written request to the data controller and payment of a fee, data subjects would have the right to be informed of the logic involved in a decision where the processing (a) is by automatic means for the purpose of evaluating matters such as work performance or the credit worthiness of the data subject, or (b) is, or is likely to be, the sole basis for any decision significantly affecting the data subject.
- Consent to Direct Marketing - Data subjects would have the right to prevent a data controller from processing their personal data for the purpose of direct marketing unless the data subject has given consent or is a customer of the data controller.
- Data Processing Restrictions - Data subjects would have the right, upon written notice to the data controller, to prevent the processing of their personal data in certain circumstances.
- Automated Decisioning - Upon written notice to the data controller, data subjects would have the right to prohibit decisions to evaluate matters related to them to be based solely on the processing of personal data by automatic means.
- Data Rectification - Upon written request to the data controller, data subjects would have the right to seek rectification of inaccuracies in their personal data.
The DPA would also require data controllers to comply with certain data protection standards to ensure that personal data is:
- Processed fairly and lawfully;
- Obtained under one or more lawful purposes and not further processed in any manner incompatible with those purposes;
- Adequate, relevant, and limited to what is necessary;
- Accurate and, where necessary, kept up to date;
- Not kept for longer than necessary for the purposes it was collected for;
- Processed according to the rights of each data subject;
- Subject to appropriate and technical measures; and
- Not transferred outside of Jamaica unless the other country ensures an adequate level of protection for the rights and freedoms of data subjects.
Registration, DPIAs, and Other Obligations
The DPA would establish a new Office of the Information Commissioner (Commissioner) to, among other things, monitor compliance with the DPA, disseminate information to the public concerning their rights under the DPA, and disseminate "guidelines that promote good practice." In addition, the DPA would require data controllers to register with the Commissioner in order to process personal data and, if established outside of Jamaica, to appoint a representative in Jamaica. Data controllers would also be required to appoint a data protection officer who would be responsible for monitoring the data controller's compliance with the requirements of the DPA and to annually submit a data protection impact assessment (DPIA) to the Commissioner regarding all personal data in the data controller's custody and control.
The DPA authorizes the Commissioner to serve enforcement notices to a data controller if the controller has contravened or is contravening any of the DPA's data protection standards. Failure to comply with an enforcement notice may result in conviction in a Parish Court and a fine not exceeding $1,000,000 JMD (approx. $7,000 USD).
The DPA, as passed by the Jamaican House of Representatives, may be amended in the Senate or even fail to pass in the Senate. Although prior attempts to pass similar measures stalled out in Jamaica, the current proposal appears to have strong bipartisan support and may be on a fast track to enactment into law. If enacted, many companies may find that implementing a formal program to ensure compliance with the DPA will not be "ya mon" (no problem). Stay tuned for more privacy news from Jamaica.