Jamaica has become the 15th Caribbean nation to enact its own set of privacy laws, joining the Bahamas (2003), Saint Vincent and the Grenadines (2003), BES Islands (the Netherlands municipalities of Bonaire, Sint Eustatius and Saba) (2010), Curaçao (2010), Saint Maarten (2010), Aruba (2011), Saint Lucia (2011), the Republic of Trinidad and Tobago (2011), Dominican Republic (2013), Antigua and Barbuda (2013), Bermuda (2016), the Cayman Islands (2017), Saint Kitts and Nevis (2018) and Barbados (2019).
The Act establishes to whom the law applies, as well as the requirements for the handling of personal data. The Act defines a data controller as any person or public authority that determines the purpose and manner for processing personal data collected from individuals. The Act applies to any data controllers established in Jamaica, or any entity that processes personal data through Jamaica, regardless of that entity’s physical location. The Act further establishes that entities that process the data of an individual who is in Jamaica while offering a product or service to individuals in Jamaica, or any entity that monitors the behavior of subjects within Jamaica, qualify as data controllers.
A further requirement of the Act is that each individual or entity that qualifies as a data controller must appoint a data controller representative. The data controller representative is limited to a Jamaican resident, an entity established and formed in Jamaica or a person who maintains a regular practice in Jamaica. The data controller must comply with the data protection standards outlined in the Act and discussed below. The data controller is also required to report any data breaches within 72 hours of becoming aware of the breach.
The Act also defines how personal data is handled by entities, as well as data protection standards. The Act details eight standards that data controllers must apply when processing personal data, including:
- Fair and Lawful Processing: Data may only be processed if the subject consents to the processing of data, and this consent has not been withdrawn. For the processing of sensitive data, this consent must be in writing.
- Obtained Only for Specified Lawful Purposes: Data should be collected only for specified and lawful purposes and shall not be processed in any manner that is incompatible with those purposes.
- Data Quality: Personal data collected must be adequate, relevant and necessary relative to the purpose for which the data is processed.
- Accurate and Up to Date: The data must be accurate and kept up to date when necessary.
- Limited Retention: The data shall not be kept for longer than is necessary and will need to be disposed of in accordance with regulations.
- Processed in Accordance with the Rights of Data Subjects: The Act outlines the rights of access to personal data, processing data for direct marketing and failure to comply with a notice.
- Protected by Appropriate Technical and Organizational Measures: Additional technical and organizational measures are requisites, as is a data controller.
- International Transfers: Similar to the GDPR, transfer of data outside of Jamaica is prohibited unless an adequate level of protection can be ensured.
Although the Act does not go into effect until 2022, individuals and entities who qualify as data controllers should become more familiar with the requirements in the Act and work towards compliance. If you have any questions about your company’s compliance efforts, please contact a member of the Akin Gump cybersecurity, privacy and data protection team.