This year’s Global Privacy Assembly (GPA), the 45th, was held in Bermuda; last year’s was in Mexico and next year's will be in Jersey. Apart from an excuse to visit wildly varying locations, the GPA is a get-together for the world’s privacy regulators, together with non-profits, government agencies and the occasional private sector organisation. It is essentially composed of two separate conferences: a three-day open session to which anyone is welcome, made up of panel discussions bringing together very varied perspectives on current concerns in privacy, usually in a global context; followed by three days of closed sessions which may only be attended by regulators and approved non-profits, and at which only the regulators are voting participants. These latter sessions drive policy, collaboration and the production of working papers.
Securys attended the open session. Our primary purpose was to meet with and learn from Caribbean regulators in the context of our growing business in the region, but it was also an opportunity to hear more widely from the horse’s mouth about regulatory focus and viewpoints. The primary topics of discussion were, perhaps inevitably, AI and international data flows. This was leavened by discussions around balancing tensions between different regulations, such as anti-money-laundering and privacy, and explorations of the challenges in establishing privacy regimes in the developing world.
That last point is the focus of this article. As global trade continues to expand and the economic centre of gravity moves East while the demographic one moves South, global organisations need to pay ever-greater attention to regulatory developments outside the conventional EU/UK/US axis.
In the Caribbean, there was general agreement at the GPA that the region is still in the very early stages of effective privacy regulation. The different Caribbean countries are at very varying stages of privacy maturity, with the Bahamas having perhaps the longest-established operational regulator, Barbados’s Commissioner still in her first year in post and Bermuda, the host for this event, having only just passed their updated Personal Information Protection Act. No cross-regional harmonisation or collaboration effort has yet gained any momentum, and most Caribbean countries, including those not represented at the event, are still struggling to establish their regulator and engage with basic domestic registration and risk assessment. It was acknowledged that for all of them concerns over legitimisation of international transfers, for example, were a ‘tomorrow problem’. There was also agreement that this is unlikely to change until more of the region, almost all of whose territories have some form of privacy regulation on the books, has actually promulgated their laws and appointed a regulator.
More generally it was interesting to understand the motivations for developing countries in establishing privacy regulations in the first place. For many this is a response to some combination of four factors:
- External treaties, such as the CARIFORUM Economic Partnership Agreement with the EU, signed in 2008, that mandate passing such laws – but which often fail to motivate their being brought into full effect.
- Pressure from multilateral funding bodies, such as the World Bank, to provide legal protection for citizens’ rights; this has been one driver for recent moves to proclaim and enforce long-standing dormant laws.
- A need to reassure the population about the trustworthiness of the government itself and larger data controllers, especially in finance, as part of a move to digitise the economy. It has been acknowledged in particular that the digital national ID schemes in both Jamaica and Barbados were major contributors to those countries’ move to full enforcement.
- External trade pressures, usually because the country has disproportionate representation from multi-national or cross-regional businesses that have to comply with data protection laws elsewhere and seek clarity and consistency in regulatory compliance. Bermuda, for instance, a tiny country of some 68,000 inhabitants, is also home to significant outposts of almost all of the world’s insurance companies; the Bahamas and Barbados too are significant regional financial centres, and this was surely the main driver behind the privacy regulation in the Cayman Islands.
Despite all of these pressures, in most Caribbean countries that even have a regulator, that body is both under-resourced and as yet inexperienced. The gap between legislation and enforcement remains wide and will narrow only slowly.
We also heard from the South African and Kenyan regulators, as well as from the former Australian data protection commissioner, on the challenges of doing more with less. While Australia could hardly be described as a developing country, the theme was the same: with minimal budgets and resources, the key activities are education, education and education, together with an acknowledgement that most of the effort is coming from the private sector at the urging of the regulator.
It was also instructive to hear regulators recognise that aspects of their legislation (plainly not drafted by practised regulators or privacy professionals) were not just ‘tomorrow problems’ or beyond their present capabilities to enforce, but were instead in essence unenforceable or not readily understandable. Consider for instance the addition in South Africa of ‘juristic persons’ (businesses, trades unions, partnerships, associations and so forth) to the normal application of data protection rights to ‘natural persons’. When challenged to explain how this was to be applied in practical terms, the regulator candidly acknowledged that they did not know.
We would do well to learn more from those working in such challenging circumstances, lest we introduce similarly impractical rules into the next round of regulation in the developed world. And yes, EU AI regulation, we are indeed thinking of you as we write this.