New Data Privacy Regulation in the British Virgin Islands

The Virgin Islands Data Protection Act, 2021 is a data protection and privacy law that was recently passed in the British Virgin Islands in November of 2021. The Virgin Islands Data Protection Act, 2021 was enacted for the purposes of providing for “the protection of personal data processed by public and private bodies and for related matters.” As such, the law establishes the legal basis upon which personal data may be collected, processed, used, disclosed, and transferred within the Virgin Islands. Moreover, the law also establishes the Minister, defined as an individual “to whom responsibility for Information is assigned” for the purposes of enforcing the various regulations and obligations that are set out in the law.

How are data controllers and processors defined under the Virgin Islands Data Protection Act, 2021?

Under the Virgin Islands Data Protection Act, 2021, a data controller is defined as “a person who either alone or jointly or in common with other persons processes any personal data, or has control over, or authorizes the processing of any personal data, but does not include a data processor’.” Alternatively, a data processor is defined as “a person who, processes data on behalf of a data controller, but does not include an employee of the data controller.” Furthermore, the law defines personal data as “any information in respect of commercial transactions, which is being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose; is recorded with the intention that it should wholly or partly be processed by means of such equipment, or is recorded as part of a relevant filing system or with the intention.”

What are the requirements of data controllers and processors under the Virgin Islands Data Protection Act, 2021?

Under the Virgin Islands Data Protection Act, 2021, data controllers and processors within the country as responsible for upholding the following data protection principles:

• General principle- Data controllers and processors shall not process the personal data of data subjects without their expressed consent. Under the law, sensitive personal data is defined as “any personal data about a data subject’s physical or mental health, sexual orientation, political opinions, religious beliefs or other beliefs of a similar nature, criminal convictions, the commission or alleged commission, of any offence; or any other personal data that the Minister may by Order prescribe.”
• Notice and choice principle– Data controllers and processors are responsible for providing data subjects with information detailing various aspects of their data protection operations, including the purposes for which their data is to be collected and processed, among other pertinent details.
• Disclosure principle– Data controllers and processors are prohibited from disclosing the personal data of data subjects unless the purposes for said disclosure are provided to data subjects at the time of collection.
• Security principle– “A data controller shall, when processing personal data, take practical steps to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction.”
• Retention principle– Personal data that has been collected or processed for any purpose may not be retained longer than is necessary for the fulfillment of said purpose.
• Data integrity principle– Data controllers and processors must take reasonable steps to ensure that all personal data in their possession is accurate, not misleading, and kept up to date where necessary.
• Access principle– “A data subject shall be given access to his or her personal data held by a data controller and be able to correct that personal data where the personal data is inaccurate, incomplete, misleading or not up-to-date, except where compliance with a request to such access or correction is refused under this Act.”

What are the rights of data subjects under the Virgin Islands Data Protection Act, 2021?

Under the Virgin Islands Data Protection Act, 2021, data subjects within the country have the following data privacy rights:

• The right of access to personal data.
• The right to prevent processing for the purposes of direct marketing.
• The right to be informed.
• The right to erasure.
• The right to rectification.
• The right to file a complaint with the Information Commissioner.

In terms of punishments that may be imposed as a result of non-compliance with the law, the Virgin Islands Data Protection Act, 2021 is enforced by the Minister. To this end, the minister has the authority to levy the following penalties against data controllers and processors who violate the rights of data subjects under the law:

• A fine not exceeding five thousand dollars or to imprisonment for a term not exceeding six months or, both.
• A fine of not exceeding fifty thousand dollars or to imprisonment for a term not exceeding three years, or both.
• A fine not exceeding one hundred thousand dollars or to imprisonment for a term not exceeding five years, or both.

Although the British Virgin Islands is a British Overseas Territory, the country does not fall under the jurisdiction of the EU’s General Data Protection Regulation or GDPR. As such, the Virgin Islands Data Protection Act, 2021 ensures that citizens of the country are afforded a level of data protection and personal privacy that is on par with that given to citizens of EU member states. To this point, the British Virgin Islands have joined the ranks of other nations throughout the Caribbean that have adopted legislative means to ensure the personal privacy of their respective citizens, including Antigua and Barbuda’s Data Protection Act 2013 and Saint Lucia’s Data Protection (Amendment) Act 2014.