Andre Palmer | All around the world and I can’t find my data
INTERNATIONAL TRANSFERS of personal data are a complex and contentious topic, but also one that cannot be avoided. Unless someone uses neither the internet nor modern software, they will be transferring data to other countries and, therefore, need to understand the rules that apply. There are some myths about data transfers that must first be dispelled.
Data processing includes collection, storage and access, as well as the actual work, often thought of as ‘processing’. This means data is being transferred outside Jamaica in any of these circumstances:
• Using a software program, any part of which is hosted on servers outside the country
• Using a service provider based outside Jamaica. Even if the data stays on servers in Jamaica, access from outside the country by their staff counts as a transfer.
• One is part of a group with entities in other countries whose personnel have access to the data, unless those personnel are directly employed by a Jamaican corporate entity.
• Personal data is shared with another controller based outside the country, or they have access to the data from their location.
• Contracting with a local data processor, but they use off-island systems or subcontractors.
• Using a software program, all of which is hosted in Jamaica, but the supplier has administrators based outside the country who have remote access to the data.
To give some real-world examples:
• Using Microsoft Office 365, which transfers personal data to the United States (US), and possibly to other countries, depending on where one’s tenancy is hosted.
• Having a back office in Costa Rica with staff there employed by a Costa Rican incorporated subsidiary of a local firm. Any of their work that touches personal data will constitute a data transfer.
• Contracting with a local firm to handle an email marketing campaign, and they, in turn, use MailChimp, which transfers personal data to the US.
• Booking a hotel for a member of staff who is travelling to Panama. In this case, personal data would be transferred to Panama (and possibly other countries, depending on which reservation system the hotel uses and how the booking is made).
In every one of these circumstances and the almost infinite number of other examples, there is a simple rule. Data controllers are responsible for ensuring that personal data transferred to other countries remains safe and legally processed, in accordance with the requirements of the Jamaican Data Protection Act (DPA). They must be able to demonstrate that they have done the necessary work to ensure safety and compliance, or that there is an exception that applies.
LEGAL DUTY
Because data protection is new to Jamaica, and the Office of the Information Commissioner (OIC) is still in the early stages of its journey to regulatory maturity, there is as yet little specific guidance and there are no official rulings on which formal compliance with the Eighth Standard of data protection can be based. This does not mean that the Eighth Standard can be ignored: the legal duty remains, and evidence of compliance will often form part of due diligence by customers and partners.
The DPA broadly provides for three ways to legitimise a transfer to another country:
1. The receiving country has been judged to offer adequate data protection by the commissioner under Section 31(7)(b) of the DPA. No list of adequate countries has yet been published, and the DPA does not provide for reliance on any other list (unlike the Cayman Islands, for example, whose law allows reliance on European Union adequacy decisions). So, for now, this basis is not available to controllers in Jamaica.
2. Conclusion of a data-sharing or processing agreement with the party with whom one is sharing data that includes specific undertakings to adopt safeguards which, one believes, will ensure adequate protection. There is provision in the DPA for the use of so-called ‘standard contractual clauses’ (SCCs) that act as a blueprint for these undertakings, but no approved Jamaican version of SCCs has yet been published by the OIC. However, the commissioner has stated that the use of the European SCCs, suitably redomiciled, is acceptable in the interim. This approach is believed to be the safest both for transfers to third parties and for internal transfers within a multi-country group.
3. Reliance on one of the exceptions in subsection 4 of the Eighth Standard. These are broad, although they are also subject to review and restriction by the responsible minister. They include both consent and the fulfilment of contractual obligations, so, on the surface, they are attractive. However, it is important to understand that for consent to be valid, it must be freely given, fully informed, and susceptible to easy and immediate withdrawal; and that for a contract to be a viable basis, a data controller must be able to show that both the transfer itself and every individual data item involved were absolutely necessary in order to meet contractual obligations. In addition, there is strong European precedent that limits the application of the equivalent exceptions (Article 49 of the General Data Protection Regulation) to exclude routine and bulk transfers. It is not known as yet whether the OIC or the minister will take the same view, but given the importance of data protection to the export economy and the extent of multilateral pressure for the adoption of the DPA in the first place, it is best not to bet too heavily on the use of subsection 4.
Andre Palmer is an experienced management consultant and head of practice at Securys Limited, a global data protection firm, with offices in the United Kingdom and Jamaica, serving clients in over 60 countries. Email: info@securys.com.jm. Send feedback to columns@gleanerjm.com.