The Jamaica Information Service (‘JIS’) announced, on 1 July 2019, that the Minister of Science, Energy and Technology, Hon. Fayval Williams (‘the Minister’), had provided, on 27 June 2019, an update on the bill for the Data Protection Act, 2017 (‘the Bill’), stating that the Government is moving to complete the Bill, which is currently before a Parliamentary Joint Select Committee. In particular, the Minister stated that the Bill would complement the new national identification system that the Government plans to implement. Moreover, the Bill provides requirements on how personal data is to be collected, processed, stored, used and disclosed in physical or electronic forms, including, for example, the requirement to process personal data accurately, and where necessary, keep personal data up to date, and not keep personal data for longer than is necessary for the purpose for which it was processed for.
Grace Lindo, Partner at Nunes, Scholefield, DeLeon & Co., told DataGuidance by OneTrust, “There is no time scale [for the Bill’s passing], but the Government will need to reconvene the Joint Select Committee which has been reviewing the Bill. Recommendations and submissions must now be assessed, and amendments made if lawmakers think the changes are reasonable […] The key implications [arising from the Bill] are the introduction of rights surrounding personal data and the eight principles [as specified under Sections 22 to 31 of the Bill] which data processors must now be aware of. This is the first compliance law linked to ICT usage and so we can call this Jamaica’s foray into localised technology usage. For a small country with many businesses in the services industries such as tourism and outsourcing, the impact will be felt when the Bill comes into force.”
Companies can be subject to fines of up to 10% of their gross income and this can be interpreted to include global income of the corporate entity
In addition, the Bill notes, among other things, that personal data may only be obtained for specific lawful purposes, with the consent of the data subject, and may not be further used or processed in any way that is incompatible with the original purpose. Furthermore, the Bill stipulates that personal data must not be transferred to a foreign state or territory outside of Jamaica, unless such state or territory can ensure an adequate level of protection for the rights and freedoms of the data subject in question.
Lindo outlined, “I can say that the Bill is fairly similar to the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) inasmuch as the data protection principles and the definition of personal data are similar […] The penalties are not as high as those under the GDPR, but they are still substantial within the Jamaican context. The disclosure of personal data can lead to a criminal fine or even imprisonment for up to ten years, depending on the nature of the offence. Companies can be subject to fines of up to 10% of their gross income and this can be interpreted to include global income of the corporate entity […] There have been concerns raised regarding the applicability of the penalties to small companies and whether they can afford to have data protection officers. We will await the review in our Parliament to see whether these concerns are taken aboard.”
MARCUS DESOUZA Privacy Analyst