On 25 May 2018, the European Union’s General Data Protection Regulation (GDPR) entered into force. It is designed to harmonize data privacy laws across Europe, to protect EU citizens’ data privacy and to drive stronger protection of personal data among organizations that handle the personal data of EU citizens. The GDPR not only applies to stakeholders located within the EU, but it also concerns companies and/or public authorities that process and hold personal data of EU citizens, even if the entity is based outside of the EU.
The GDPR is indeed extremely timely as issues of privacy and data security are truly global and not confined to the borders of a continent, let alone a single country. As I said before, at the core of the EU’s General Data Protection Regulation is the safety of the personal data of individuals. I’m sure this is something that Caribbean people cherish and value.
Last year many would recall the Facebook/Cambridge Analytica revelations which made us realise how vulnerable individuals are and how much there is at stake from a collective point of view, for the society as a whole, including for a functioning democracy and the integrity of the electoral process. These and other developments have reminded all of us why it is important to protect personal data as a central individual right and a democratic imperative but also as an economic necessity, because without consumers’ trust in the way their data is handled, there can be no sustainable growth of our increasingly data-driven economy.
The GDPR is the EU’s response to these challenges. It seeks to protect the individual’s privacy as a fundamental right, enhance consumer confidence in how the privacy and security of personal data is guaranteed, particularly online, and also encourage economic growth.
I understand that the entry into application of the GDPR has raised some questions from several local organizations and the public at large seeking to know more about the GDPR and its possible impact. The concerns raised relate mainly to who is expected to comply, what are the rules to be complied with and what is actually needed to be done to comply with the rules.
From the outset, I would like to emphasize that the GDPR rules only apply to personal data about individuals and do not cover data about companies or other legal entities. However, information in relation to one-person companies may constitute personal data where it allows the identification of a natural person. In addition, the application of the data protection regulation depends not on the size of a company or organisation but on whether the nature of its activities presents high risks to individuals’ rights and freedoms.
One very common misunderstanding about the GDPR is that EU data protection rules will apply outside of the EU (‘extraterritoriality’), to the collection and processing of data of Europeans, anywhere, anytime. Let me reassure you, this is an urban legend! To use an example, a hotel in the Caribbean will not be subject to the GDPR for the simple reason that it is hosting some European tourists. The regulation clarifies that, for the GDPR to apply, some strict conditions have to be met: either the processing operation in question takes place on European soil, within the EU territory, or the business operator specifically targets consumers in the EU. By contrast, the mere fact that a European would, for example, visit a Caribbean website and decide to book a hotel room or buy a tour is not sufficient to make the processing of data involved in that transaction fall within the GDPR.
Contrary to the perception that the GDPR is a new EU initiative, let me make it clear that the GDPR is an enhancement of the previous EU Data Protection Directive of 1995. Therefore, foreign companies doing business in Europe, including of course Caribbean companies, that were benefitting from the 1995 Directive will continue to do so with the additional benefits introduced with the new GDPR.
Let me mention the most relevant ones:
1. Companies can now offer their goods and services in a harmonized and simplified regulatory environment in the EU. Instead of having to deal with 28 EU Member States’ different data protection laws and 28 different regulators, since 25 May one set of rules applies to their processing operations and is interpreted in a uniform way throughout the EU.
2. Obligations to notify data processing operations or to obtain prior authorization from data protection authorities (as was required under the previous regulatory regime) have been scrapped.
3. The GDPR has been adapted to the needs of the digital economy. This equates to increased legal certainty and a significant reduction in compliance costs and red tape. Again, something particularly important for foreign operators doing business in Europe, especially small and medium sized companies.
4. Finally, co-regulatory tools, such as codes of conduct or certification mechanisms, are being introduced to help companies manage and demonstrate compliance. Moreover, the so-called “risk-based approach” that is at the core of the GDPR means that controllers that limit the impact of their processing operations on privacy will not be subject to a number of obligations.
Simply put, the GDPR is based on a modern approach to regulation which rewards new ideas, methods and technologies to address privacy and data security.
What is also very important to stress is that these developments relating to the GDPR are not limited to Europe but are part of a more global trend of adopting new or updating existing data protection legislation to harness the opportunities offered by the global digital economy and respond to the growing demand for stronger data security and privacy protection.
Today more than 120 countries have data privacy laws in place. Many of the new or modernised laws tend to be based on comprehensive legislation, rather than sectoral rules, as data needs to move across industries and sectors. And this convergence is also taking place in the Caribbean. Just to mention a few examples: recently a new privacy law entered into force in Bermuda, while in Barbados the public consultation on a draft privacy bill has already taken place and an amended bill is expected to be presented to Parliament soon. Similar developments are taking place in Jamaica, where “An Act to Protect the Privacy of Certain Data and for Connected Matters” was introduced in the Jamaican House of Assembly in October last year.
In Latin America, a set of Ibero-American data protection standards has recently been adopted to promote regional cooperation in this field and has served as a source of inspiration for several legislative initiatives. Brazil, for example, has adopted its first comprehensive data protection legislation, and Chile has created an independent data protection authority. Outside of the region, Asian countries such as India, Indonesia and Thailand are following the path opened by Japan and Korea some time ago, and are also legislating on data protection.
And in a world that is too often characterised by uncertainty and unpredictability, this developing convergence in privacy standards is very positive, for several reasons.
First, this trend offers new opportunities to facilitate data flows and thus trade, at both regional and global levels. In fact, having convergent data protection regulations in the Caribbean would make it easier to transfer and share data securely within the region and between the EU and this region, contributing to a more integrated business environment that can boost trade and investment.
Secondly, given that companies increasingly operate across borders and prefer to apply a similar set of rules in all their business operations worldwide, being part of this global trend would help the Caribbean economies, contribute to an environment conducive to direct investment and improve trust between commercial partners.
Thirdly, having common data protection rules can also greatly facilitate the exchanges of data between public authorities, including in the context of law enforcement cooperation.
The European Union is committed to promoting and further building on that convergence with countries or regional organisations that share similar values. This can include the adoption of a so-called “adequacy finding” by the EU, ensuring the free, uninhibited flow of data between the EU and the concerned country (essentially assimilating that country with Member States of the EU when it comes to data flows). And these decisions can bring very significant mutual benefits. Recently, the EU and Japan announced the conclusion of a reciprocal adequacy arrangement thereby creating one of the world’s largest areas of free and safe data flows. We are certainly interested in exploring that possibility with other international partners.
It is my hope that we can have dialogue with the relevant authorities and concerned stakeholders in the coming months on this very important issue. As in the EU we have gone recently through a process of reform of our data protection rules, we are available to share our experience and further discuss these issues with all interested parties.