Sun | Oct 21, 2018

Data Protection Bill comes with undue burden on small businesses

Published:Wednesday | March 14, 2018 | 12:00 AMErica Virtue/ Senior Gleaner Writer

Software developers SlashRoots Foundation/Make Better Community said while the spirit of the Data Protection Act of 2017 was commendable, the scope of the bill in its current form would impose undue burden on small companies in all industries, entrepreneurs, and innovators.

Matthew McNaughton, principal of the SlashRoots Foundation, said small business operators were likely to be constrained by resources.

As a result, the representatives recommended a tiered approach to applicability of the act for organisations of differing sizes.

According to him, there was need for electronic signature for proof of consent and data request submissions.

"The ability for citizens to provide consent via digital channels will play an important role in enabling the digital services and online transactions. However, the definition of consent within the Data Protection Act (Section 2) only explicitly references oral or written expressions of consent," McNaughton told parliamen-tarians reviewing the bill yesterday.

 

UNDUE FICTION

 

According to him, the limited definition of consent would create undue friction for citizens, government agencies and service providers seeking to create Jamaican digital ecosystem of services and online transactions. He said the Electronic Transaction Act makes provisions for the signing of documents using electronic signatures and encrypted signatures, depending on the type of documents. McNaughton said, while the use of electronic signatures is not yet widespread, the Data Protection Act 2017, as a forward-looking document, should include provisions facilitating existing or emergent digital interfaces (e.g., OAuth) to provide access to data.

He said it was natural for tension to exist between facilitating innovations and protecting data rights. He believes that while all entities that collect personal data on Jamaican citizens should respect the privacy of individuals, not all organisations are equally equipped to meet the requirements outlined in the policy as defined.

It was likely unreasonable, he said, to expect that a young entrepreneur exploring the viability of new business ideas with early customers should be expected to adhere to the same data-protection requirements as large corporations in the Jamaican landscape.

He wants an exemption for annual revenues less than or equal to J$500m; limited exemption for revenues greater than J$500,000 but less than or equal to J$2b, and full compliance for enterprises with revenue in excess of J$2b.