Foreign Investment, New Data Privacy Law in Saint Lucia

Saint Lucia’s Data Protection (Amendment) Act 2014, also known as the Amendment Act for short is a data protection law that was passed in Saint Lucia in 2014. The Amendment Act was passed for the purposes of updating Saint Lucia’s Data Protection Act 2011 that had been passed three years prior. One of the primary means for the Amendment of the Data Protection Act 2011 was to encourage foreign investment into the offshore banking and tourism industries of Saint Lucia, as these industries represent a significant part of the island nation’s economy. To this point, the Amendment Act sets forth the legal basis for which personal data may be collected or processed within the country, in a manner similar to that of the European Unions General Data Protection Regulation or GDPR.

How are data controllers and processors defined under Saint Lucia’s Amendment Act?

Under the Amendment Act, a data controller is defined as “a person who, either alone or with others, processes data or determines how personal data is processed or processes personal data”. Alternatively, the law does not provide a specific definition for the term “data processor”, and instead defines the act of processing “in relation to information or data, means obtaining, recording, or holding the information or data or carrying out any operation or set of operations on the information or data, including organization, adaptation or alteration of personal data, retrieval, consultation or use of the information or data, etc”. Moreover, personal data is defined as “information about a data subject that is recorded in any form including their name, address, fingerprints, etc”.

What are the responsibilities of data controllers under Saint Lucia’s Amendment Act?

Saint Lucia’s Amendment Act establishes a number of data protection principles that data controllers operating within the country must adhere to when collecting or processing personal data. These principles include the following:

• Collection of personal data– Personal data may only be collected and processed for lawful purposes, and personal data can only be collected when it is necessary for these purposes.
• Consent for processing of personal data– A data controller is prohibited from processing the personal data of a data subject without first obtaining the express consent of said data subject.
• Criteria for processing sensitive personal data– Data controllers and forbidden from processing the sensitive personal data of data subjects, subject to certain exceptions. Such exceptions include when the processing of a data subject’s sensitive personal data is done so in accordance with another law within Saint Lucia, among various others.
• Processing of sensitive personal data– Even under the circumstances in which the sensitive personal data of data subjects is permitted, data controllers are also responsible for ensuring that appropriate safeguards are implemented, and the processing of said sensitive personal data is necessary.
• Accuracy of personal data– Data controllers are responsible for ensuring that all personal data that they collect or process is accurate, as well as kept up to date where necessary.
• Security of personal data– Data controllers are responsible for implementing technical security and organizational measures to ensure that any personal data that they collect or process remains secure at all times.
• Duty to destroy personal data– When the purposes for which personal data has been collected or processed are completed, data controllers are responsible for destroying said personal data, as soon as reasonably practicable.
• Unlawful disclosure of personal data– Data controllers are prohibited from disclosing personal data in a manner that is incompatible with the purposes for which it was collected or processed.

What are the rights of Saint Lucian citizens under the Amendment Act?

Under the Amendment Act, Saint Lucian citizens are afforded the following rights in terms of the protection of their personal data:

• The right to access their personal data.
• The right to rectification.
• The right to prohibit the processing of their personal data for direct marketing purposes.
• The right to be informed.
• The right to erasure.
• The right to object to or opt-out of consent.

In terms of penalties with respect to non-compliance with the law, Saint Lucia’s Amendment Act is enforced by the Commissioner. To this end, the Commissioner has the authority to impose the following penalties against data controllers who fail to comply with the provisions set out in the law:

• In the case of the individual, a fine not exceeding ten thousand dollars, or imprisonment for a term not exceeding six months or both.
• In the case of the body corporate, a fine not exceeding one hundred thousand dollars.

With the passing of the Amendment Act in 2014, Saint Lucia has joined the ranks of many other Caribbean countries that have passed comprehensive data privacy laws in recent years, such as Jamaica’s Data Protection Act 2020 and Trinidad’s Data Protection Act 2011. As Saint Lucia is looking to encourage foreign investment into the various industries that exist on the island, passing a law concerning personal data protection makes things easier for said investors. More importantly, however, the law ensures that the personal data of Saint Lucian citizens will remain secure at all times.