Chukwuemeka Cameron
Jul 12, 2022

The CARICOM Experiment: a no-go without a robust data protection regime

The Observer's Sunday Finance paper asked on its front page, “The CARICOM experiment failure or work in progress?” In the absence of a robust CARICOM data protection regime adopted by all member states, the CARICOM experiment cannot qualify as a work in progress. The challenge is that the five major thrusts of the CARICOM Single Market and Economy (free movement of skills/labour, free movement of goods, free movement of services, free movement of capital and the right of establishment) all depend on the free movement of personal data across the region. With no national safeguards in place, in the form of national data protection legislation, the sharing of the data that is necessary to achieve these objectives is unlawful.

For clarity, if any of the data sharing regimes that CARICOM member states have developed to support its various initiatives were to be challenged by a Jamaican citizen, either in the Caribbean Court of Justice or the Jamaican Supreme Court, and judicial precedent were followed, the Court would be bound to find the regime unlawful and unconstitutional. For those interested, a quick read of Schrems v Data Protection Commissioner would prove very insightful.

The noble and action-oriented mandate given by the Heads of Government coming out of the recently concluded Forty-Third Regular Meeting of the Conference of Heads of Government of the Caribbean Community (CARICOM), to convene meetings of the Registrars of Companies to elaborate the steps to enable Member States to implement the principle of mutual recognition of any company incorporated in another CARICOM Member State, amounts to nothing more than the same balderdash.

The Secretariat seems to have overlooked the small fact that both Jamaica and Barbados have declared that their citizens enjoy a right to informational privacy, and that neither the government nor any regional body can process personal data without the authorization of the citizen. For example, the CARICOM initiative to build an automated data management system for information exchange and networking among the national company registries would be unconstitutional if it includes the names of directors and shareholders. The same applies to the sharing of personal data to prevent and investigate transnational crime across the region.

All is not lost, as the Data Protection legislation enacted by both countries has created a framework that allows for the free flow of personal data as long as it is done in accordance with the prescribed framework.

The eighth data processing standard of the Jamaican Data Protection Act states that personal data shall not be transferred to a State or territory outside of Jamaica unless that State or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. An adequate level of protection is one which is adequate in all the circumstances of the case, having regard in particular to, among other things:

— the law in force in the State or territory in question;
— the international obligations of that State or territory;
— any relevant codes of conduct or other rules which are enforceable in that State or territory (whether generally or by arrangement in particular cases); and
— any security measures taken in respect of the data in that State or territory.

The question must be: how can either the Jamaican or Barbadian government share any personal data of any of its citizens with other CARICOM member states that have not enacted any form of Data Protection legislation? On the face of it, in the absence of Data Protection legislation, member states cannot demonstrate that they have an adequate level of protection to safeguard the informational privacy rights of Jamaican citizens.

CARICOM is very much aware of this issue but seems to have stuck its head in the sand. On October 28, 2020 the CARICOM Secretariat promulgated its internal privacy rules that governed its administrative activities. In the foreword it stated as follows:

“Privacy has been identified as a human right, as concretised in various provisions of the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, as well as the American and European Convention on Human Rights. This right to privacy which protects the individual’s private life against arbitrary, unlawful or abusive interference, by extension provides for the protection of the personal information of the individual, and the protection of the transmission of such information.

Privacy and Data Protection laws are based on the premise that the individual must have some level of control over how the personal information collected from them, whether by the government, businesses, international and regional public service organizations is utilized, processed or disclosed.”

How can CARICOM credibly look to implement all these data sharing regimes, having acknowledged that privacy is a human right, without ensuring that Member States have adequate safeguards and mechanisms to give individuals control over their personal data?

My proposition that a robust data protection regime across CARICOM member states is necessary to achieve its stated objective is neither unique nor novel. In 2018 the EU Ambassador to Barbados, the Eastern Caribbean States, the OECS and CARICOM/CARIFORUM, Daniela Tramacere, stated in a published opinion that “to facilitate data flows and thus trade, at both regional and global levels, having convergent data protection regulations in the Caribbean would help with easier transferral and sharing of data securely within the region and between the EU and this region, contributing to a more integrated business environment that can boost trade and investment”. She further went on to say that “having common data protection rules can also greatly facilitate the exchanges of data between public authorities, including in the context of law enforcement cooperation.”

A brief search of the information published by CARICOM on its websites reflects only a fleeting reference to data protection as an issue that it is pursuing. At the Thirty-Third Inter-Sessional Meeting of the Conference of Heads of Government of the Caribbean Community (CARICOM), held on 1–2 March 2022, it was mandated that the CARICOM Secretariat and The Caribbean Community Implementation Agency for Crime and Security conduct a needs assessment for a regional data privacy policy as well as the legislation required to cover such a System. What has become of this? We also saw where the Caribbean Telecommunication Union made public statements in relation to the impact of the General Data Protection Regulation on the region.

The context in which CARICOM has been trying to achieve integration has fundamentally changed. Understandably so, as this has been a work in progress for over 50 years. If we want to pursue this cause, even if it is only for freedom of movement of people, which has been identified by William Mahfood as the most critical issue, CARICOM must build out, or encourage the build-out of, a strong data protection regime in each Member State. This would enable the free flow of personal data, which underpins the objectives of CARICOM.

Chukwuemeka Cameron is a privacy practitioner, trained Data Protection Officer, a certified ISO 27701 lead implementer and the founder of Design Privacy, a firm that helps companies comply with privacy laws. Feedback can be sent to ccameron@designprivacy.io.
