Christopher Pryce | Get data protection law right
As a developing nation, Jamaica is compelled to operate in a world dominated by the larger and more developed economies. One consequence, fair or foul, is that standards and best practices developed by these mature economies are foisted on us at great cost and under threat of the country and its enterprises being 'de-risked' unless we take steps to become compliant.
This wave of global best practices is not always driven by foreign powers that we perceive to be imperious and brutish. Rather, the onward march of technology, with a reach that transcends borders and even economic class and demographic categories, is a co-equal driver.
A classic and present example relates to the explosion of cyber and data crimes and breaches, and the need - indeed, the imperative - for Jamaica to propose and implement regulations that are specific to data privacy and data protection. Such action is urgent, as reliance on the existing common law is demonstrably insufficient and ineffective to address adequately, let alone keep pace with, the rapidly emerging challenges posed by technology in these areas.
In this context, it is most timely for the draft bill shortly titled The Data Protection Act, 2017 to be before a joint select committee of Parliament. It has been widely acknowledged that this proposed statute will be far-reaching and will impact on virtually every person or entity in Jamaica that 'processes' personal data. I, therefore, share a few observations that may be useful to inform the current stakeholder assessments and the deliberations of the joint select committee.
It is wise that the proposed legislation does not attempt to address in one fell swoop all things related to data protection and data privacy. Indeed, it is laudable that the Memorandum of Objects and Reasons speaks to securing the confidentiality of personal data to, among other things, provide for the rights of individuals in relation to their personal data in the possession of specified entities. The bill makes a valiant attempt to define 'personal data' at Section 2 (1) (b) as:
Data relating to a living individual who can be identified -
(a) from the data; or
(b) from the data and other information in the possession of, or likely to come into the possession of the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
However, this definition is problematic. While it may be obvious and acceptable that one's name, date of birth and blood type fall within the scope of the definition of personal data, what of other information widely used by aggregators, such as a tax registration number, a licence plate number, a telephone number, a current or prior address, or a utility reference code?
Would the triangulation of such information - which identifies a person only in the aggregate and not on its own face - come within the scope of 'personal data'? Limb (b) of the definition, which reaches data combined with 'other information in the possession of, or likely to come into the possession of the data controller', suggests that the answer is yes. If so, there will be a host of data aggregators who will then have to comply with several provisions of the legislation that impose material administrative and financial costs. Perhaps such operators will need to shutter their businesses as an unintended consequence of the bill.
It is clear that, this being a Jamaican law, its jurisdiction will be local. But as a practical matter, this limited scope, as compared to regulations such as the UK's Bribery Act, 2010, which is extraterritorial in reach, will frustrate criminal or other investigations into breaches, which almost always have an extraterritorial component.
This is so because, by its very nature, data processing traverses machinery such as servers and ISPs (Internet service providers) that operate in multiple jurisdictions concurrently. This is the case for our local telecoms, and for most banks and financial institutions, which require the cross-border transfer of personal data for their business to exist. Perhaps amendments will be considered to address this situation.
If one is to be persuaded by the news and public discourse, it is clear that the expectation will be for the banks to absorb any and all expenses related to compliance with the proposed regulation. But what of other non-bank financial entities such as broker-dealers, insurance companies and pension funds? How will they recover or expense the substantial costs of recruiting and retaining staff with the skills and competencies needed to meet the protocols and staffing capacity that flow from some of the proposed provisions?
The draft bill casts a wide net, and it is a lot to chew all at once. As the saying goes, when eating an elephant, take one bite at a time. Perhaps the legislation could, in a first phase, focus on where the greatest risk is and where the greatest control can be achieved effectively.
Such an approach might exclude, if only on a temporary basis, entities such as the Premier League football clubs, churches and non-governmental organisations in general, including parent-teacher associations and youth clubs, all of which are in scope as the bill now stands.
Perhaps there could be a risk-based approach, so that entities in scope, such as banks, hospitals, clinics, universities, high schools, primary schools and early-childhood centres, would be rated on a graduated scale (for example high-high, high-medium, high-low, medium, low-high and low) and certain measures would then apply based on the risk rating. For such a scheme to work, the rating should turn on the volume and sensitivity of the personal data an entity actually processes, such as health records or data on children, and not merely on the type of institution.
This legislation will necessarily have a knock-on impact on several other statutes, ranging from criminal statutes such as POCA, the Terrorism Prevention Act and the so-called lotto-scamming statutes, to financial regulations such as the Banking Services Act and the FSC Act.
Each of these specifies in some way how information that includes 'personal data' is to be handled: who may see or access it, how long it must be retained, and, reflecting the fact that the legitimate processing of data related to banking and the illegitimate processing of data related to illegal gambling, Internet gaming and lotto-scamming are treated differently, what statutory limits apply.
The record retention period under the proposed bill differs from the record retention period under POCA. A data controller cannot both dispose of a record when one statute says it must and retain it because another statute says it must, so a scheme will be needed to prevent inconsistent retention treatment of the same 'personal data' across the various statutes and regulations that bear on it, for example a rule stating which obligation prevails when the two periods conflict. This needs to be addressed in this first round of the legislation.
I offer high marks to the Government, as this legislation is sorely needed. But I implore the Parliament to take time, even as it makes haste. Better to do it right, or almost right, the first time than to lay down a confusing and cumbersome piece of legislation that is either unenforceable or disruptive of normal commercial enterprise and of the constitutionally protected conduct of the citizenry, thereby thwarting the original noble objects and reasons for the Bill.