New Found Data Protection Regulations in Jamaica

Jamaica’s Data Protection Act 2020 or the DPA for short is a comprehensive data privacy law that was recently passed in Jamaica in 2020. The Data Protection Act 2020 was passed for the purpose of providing Jamaican citizens with new rights as it relates to the protection of their personal data and privacy. Jamaica Data Protection Act 2020 is similar to other major data privacy laws that have been passed in recent years, such as the EU’s General Data Protection Regulation and Brazil’s General Data Protection Law or LGPD. As such, the Data Protection Act 2020 set forth the legal framework for collecting and processing personal data with Jamaica, as well as the penalties that can be imposed against individuals and organizations who fail to comply with the provisions of the law.

How are data controllers and processors defined under Jamaica’s Data Protection Act 2020?

Under Jamaica’s Data Protection Act 2020, a data controller is defined as any person or public authority “who, either alone or jointly or in common with other persons determines the purposes for which and the manner in which any personal data are, or are to be, processed”. Alternatively, the law defines a data processor as  “any person, other than an employee of the data controller, who processes the data on behalf of the data controller”. Moreover, the law defines a data subject as “a named or otherwise identifiable individual who is the subject of personal data”, while personal data is defined as “means information (however stored) relating to a living individual; or an individual who has been deceased for less than thirty years”.

What are the requirements of data controllers and processors under Jamaica’s Data Protection Act 2020?

Under Jamaica’s Data Protection Act 2020, data controllers and processors operating within the country are responsible for upholding the following standards when collecting and processing personal data:

• Standard 1- Fair and lawful processing- Personal data must be collected and processed in a legal, fair, and transparent manner.
• Standard 2- Purpose limitation- Personal data may only be collected or processed for one or more specific purposes, and personal data may not be further processed for any reasons other than this specific purpose.
• Standard 3- Data minimization- All personal data that is collected and processed must be relevant and adequate, as well as limited strictly to what is necessary for the intended purpose of processing.
• Standard 4- Data accuracy- All personal data that is collected and processed must be accurate at all times, as well as updated when necessary.
• Standard 5-Data retention- Personal data may not be stored for any period of time longer than is needed to achieve the purpose for which it was collected and processed.
• Standard 6- Consideration of data subject’s rights- Personal data must be collected and processed in accordance with the rights of data subjects under the law.
• Standard 7- Data security- Data controllers and processors are responsible for implementing technical and organizational measures to ensure that personal data is safeguarded from unauthorized user or processing, damage, destruction, or accidental loss.
• Standard 8- International transfers- The personal data of Jamaican citizens may not be transferred to any territory outside of Jamaica, unless said territory “has an adequate level of protection for the rights and freedom of data subjects in relation to processing personal data”.

What are the rights of data subjects under Jamaica’s Data Protection Act 2020?

Under Jamaica’s Data Protection Act 2020, Jamaican citizens are entitled to the following rights with respect to the protection of their personal data and in turn, their personal privacy:

• The right to be informed/ the right to access- Data subjects have the right to know what forms of personal data are being collected from them, as well as what said personal data will be used for.
• The right to rectification- Data subjects have the right to correct any personal data pertaining to them that has been found to be inaccurate.
• The right to erasure- Data subjects have the right to request that any personal data that a business or organization has collected or processed concerning them be deleted.
• The right to object/opt-out of processing- Data subjects have the right to object to or opt-out of the processing of their personal data for “targeted advertising, the sale of personal data, and profiling activities with personal data that may affect the consumer”.
• The right not to be subject to automated decision-making- Data subjects have the right not to have their personal data used in automated decision-making.

In terms of penalties and punishments that can be imposed as a result of failing to comply with the provisions of the law, the Data Protection Act 2020 is enforced by The Office of the Information Commissioner. To this point, penalties related to non-compliance with the Data Protection Act 2020 include up to 4% of a business or organization’s annual gross for the preceding year, personal liability, a monetary fine of up to 5 million JMD ($32,034), and a term of imprisonment of up to ten years. Additionally, the Data Protection Act 2020 also allows Jamaican citizens to bring civil actions against data controllers and processors who violate their rights under the law.

In passing the Data Protection Act 2020, Jamaica has joined the list of countries throughout the Caribbean that have sought to provide an enhanced level of data protection for their respective citizens, such as Trinidad and Tobago’s Data Protection Act 2011 and the Cayman Islands Data Protection Law 2017. Through the Data Protection Act 2020, Jamaica citizens have an avenue for recourse should their personal data be used for illegal or improper means. As such, citizens of Jamaica can have the peace of mind that their personal data and privacy are being protected and upheld at all times.