Data Protection and Personal Privacy in Antigua and Barbuda
Antigua and Barbuda’s Data Protection Act 2013 is a comprehensive data privacy law that was passed in 2013. The Data Protection Act 2013 was enacted for the purpose of promoting “the protection of personal data processed by public and private bodies and for incidental and connected purposes.” To this point, the law sets forth the legal requirements that data controllers and processors must abide by when collecting, processing, using, or disclosing personal data within the country. Moreover, the Data Protection Act 2013 also outlines the administrative and monetary penalties that individuals and organizations are subject to should they fail to comply with the law.
How is personal data defined under the Data Protection Act 2013?
In contrast to many other data protection laws, the Data Protection Act 2013 defined personal data broadly to mean “any information in respect of commercial transactions, which is being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose, is recorded with the intention that it should wholly or partly be processed by means of such equipment, or is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data user, including any sensitive personal data and expression of opinion about the data subject.”
What are the requirements of data users under the law?
As opposed to the terms data controller or data processor, the Data Protection Act uses the term data user, defined as “a person who either alone or jointly or in common with other persons processes any personal data or has control over or authorizes the processing of any personal data, but does not include a data processor.” As such, the law mandates that data users operating within Antigua and Barbuda adhere to numerous data protection principles. These principles include:
- General principle- Data users must obtain consent prior to collecting or processing the personal data of data subjects, with certain exceptions, for example, instances in which the collection or processing of personal data is in relation to compliance with another legal obligation.
- Notice and choice principle- Data users are responsible for providing data subjects with information concerning their personal data, such as the purposes for collection and processing, among other details.
- Disclosure principle- Data users are prohibited from disclosing the personal data of data subjects without their consent unless said disclosure is consistent with the purposes for which said data was collected and processed.
- Security principle- Data users are responsible for taking practicable steps to “protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction by having regard to the nature of the personal data and the harm that would result from such loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction”, among other things.
- Retention principle- Personal data that has been collected or processed for a particular purpose may not be retained for any period longer than is necessary for the fulfillment of said purpose.
- Data integrity principle- Data users are responsible for taking “reasonable steps to ensure that the personal data is accurate, complete, not misleading and kept up-to-date by having regard to the purpose, including any directly related purpose, for which the personal data was collected and further processed.”
- Access principle- Data subjects have the right to access their personal data for the purposes of correcting it.
What are the rights of data subjects under the Data Protection Act 2013?
Under the Data Protection Act 2013, data subjects within Antigua and Barbuda have the following rights with respect to their personal data protection and privacy:
- The right to access.
- The right to rectification.
- The right to erasure.
- The right to be informed.
- The right to object or opt-out.
In terms of punishments regarding non-compliance with the law, the Data Protection Act 2013 is enforced through Antigua and Barbuda’s Information Commissioner, or the Commissioner for short. Subsequently, the Commissioner has the authority to impose the following sanctions against data users who violate the law:
- Summary conviction, to a fine of not more than fifty thousand dollars or to imprisonment for a term of three years.
- Conviction on indictment, to a fine of not more than one hundred thousand dollars or to imprisonment for a term of not more than five years.
- Summary conviction, to a fine not exceeding two hundred thousand dollars.
- Conviction on indictment, to a fine not exceeding five hundred thousand dollars.
Through the passing of Antigua and Barbuda’s Data Protection Act 2013, citizens of the country have been guaranteed data protection and privacy rights. As data protection has become increasingly important due to the role that internet usage plays in modern-day society, data privacy laws are more pertinent than ever before. To this end, Antigua and Barbuda has joined the list of Caribbean nations that have passed data protection legislation within the past decade, including other laws such as the Barbadian Data Protection Act 2019 and Jamaica’s Data Protection Act 2020.