Photo: 13 Punkod/Shutterstock
With the rise of what author Shoshana Zuboff calls “surveillance capitalism” in her book, The Age of Surveillance Capitalism: The fight for the future at the new frontier of power, consumer data is continuously being monitored, collected and commodified to drive capital accumulation and create immense wealth and imperious power for capitalist institutions. Oftentimes, consumers are unaware of how, when, where and by whom their data are being used.
Online data, and the frequency with which it is shared, has exploded in recent years, with people sending emails, watching videos, and sharing almost every detail of their lives on social media. Data is created every time an Internet user engages in that behaviour, providing reams of information that is unique to that individual; information that online entities or governments may access and use.
With greater understanding of this disquieting byproduct of digitisation, it is important to seriously question what policies or laws have been instituted to protect Jamaican citizens from the exploitation of their private data by profit-driven entities. To this end, this article explores digital data privacy and protection laws in the global space, oversight and regulatory mechanisms in Jamaica, and the Caribbean broadly; and highlights why the protection of citizens’ data (and by extension privacy) should be a concern for every Jamaican and an urgent priority for the government.
Recent statistics show that there are over 4 billion Internet users in the world.. According to Internet Live Stats, 77,431GB of Internet data is used every second globally so far this year. The Caribbean is a noteworthy consumer of digital technologies and an active participant in this evolving digital marketplace, continuously engaging in this accumulation and surveillance as a result of the high rates of Internet and mobile penetration.
History of government regulation in Jamaica and the Caribbean
Jamaica’s path to regulating digital technologies has been long, beginning since colonisation and continuing as the country transitioned from British colony to independent state, while weathering transformations in the development of information and communication technologies (ICT) globally. For decades, successive governments have always attempted to regulate communication via telegraphy, electronic radio, broadcast, satellite and cable television through the introduction of ICT policies. Throughout Jamaica’s evolutionary regulatory attempts, the ICT sector has been monitored by several key legal frameworks, namely: the Post Office Act (1941), Broadcasting and Radio Re-Diffusion Act (1944), Radio and Telegraph Control Act (1973), Fair Competition Act (1993), Office of Utilities Regulation Act (1995), Telecommunications Act (2000), Consumer Protection Act (2005) and the Electronics Transactions Act (2006) and (2011).
While charting the historical imperial foundations of Caribbean media, Dunn (2014) noted that during the 19th and early 20th century, pre-independence Jamaica’s communication technologies were developed and regulated by Britain. In the early 19th century, the telegram emerged as a means of communication and was used to establish and reinforce British technological imperialism and power in its colonies, while wireless technologies emerged in the early 20th century and were seen as a means to facilitate communication, but also teach, the largely Black population in the colonies, a ‘culture of Britishness’ (Dunn, 2014).
As a result, early communication technologies during this period were monitored and regulated by Britain and were used mainly to facilitate the transfer of information between its colonies and dominions. The main users of these technologies, therefore, were commercial and government interests - that is, political, military and business elites. Post-independence, regionally- owned telecommunication services emerged that were primarily regulated by governments, such as the Caribbean News Agency (CANA) in Barbados, and Radio Jamaica Rediffusion in Jamaica in the 1970s. Also, the creation of the Caribbean Telecommunications Union (CTU) by regional governments in the late 1980s, was intended to regulate telecommunications in the region (Brown, 1995).
Since that time, Jamaica’s telecommunications history has evolved significantly. However, it was not until the early 2000s, with the liberalisation of the local telecommunications market, that Jamaicans became even more connected to the global space. As a result, government regulation of mobile telephony began to emerge as telecoms companies had increasing access to customers’ data, amid concerns about how they were sharing mobile numbers and information. With the emergence of broadband technology, there were concerns in the mid 2000s about the implications for the volume of data that can be communicated (Dunn, 2010); but there was seemingly little consideration about how to prevent the direct exploitation of that data.
In the mid 2000s as “citizen media” such as blogging and social networking emerged, there were concerns that traditional regulatory approaches could not be appropriately applied to these media, especially as it relates to the quality of the content being shared, but importantly, as it relates to “privacy, cybersecurity and intellectual property” (Dunn, 2010). The Telecommunications Act was introduced in 2000 and liberalised the industry, legislating competition as it relates to voice and data service provision. The Act’s objective was to regulate telegraphy, telephony and other communication means, promote fair and open service provision, as well as promote universal access to telecommunications and protect the interest of citizens (2000).
Current data and privacy regulation
With the current proliferation of data related to online usage, it introduces to the stakeholders involved the issue of data privacy for users, as well as the protection of that data by both public and private entities. Governments worldwide have responded to this spate of online sharing by regulating data and how it can be utilised within and outside of its borders. Twenty- eight years after the public was granted access to the Internet, 58 per cent of countries on the planet have legislation that address data protection and privacy in one form or the other (Data Protection and Privacy Legislation Worldwide, 2019).
Despite the majority of countries globally having some legislation, there are 21 per cent of countries with no legislation, 12 per cent with no data about legislation and 10 per cent with draft legislation ( Data Protection and Privacy Legislation Worldwide, 2019). Jamaica falls within the list of countries with draft legislation. In this regard regionally, Jamaica is not out of step with it’s fellow full members of the Caribbean Community (Caricom), with only 40 per cent of the Caribbean nations in the body having data privacy or protection laws.
Mirroring the growth of the world’s Internet population, over half of Jamaica’s 2.9 million population has access to the Internet, with 1,581,100 Internet users as at December 2018 (The Caribbean Internet Usage Stats by Country, 2019). The presence of draft legislation is a positive step with regard to the protection of the data of Jamaican citizens and residents, creating a framework that will guide how companies operate, thus growing the industry. The draft legislation, the Data Protection Act, 2017 was introduced on October 10, 2017 and is currently before a special committee of the Jamaican parliament. The government is aiming to pass the law by the end of the year (Scott, 2019).
While the bill has not yet been voted on by the Jamaican parliament and there are no certainties that the final version will look like what currently exists, The Data Protection Act, 2017 offers several levels of protection and mechanisms that are found in other similar legislations around the world. Indeed, in 2013, the International Telecommunications Union based in Geneva, Switzerland, released a document called Privacy and Data Protection: Model Policy Guidelines & Legislative Texts, which focused on the harmonisation of ICT policies, legislation and regulatory procedures in the Caribbean. This document grew out of two workshops in the Caribbean in 2010, which included participation from both the public and private sectors of several Caricom member countries (2013). Jamaica’s draft Act has some of the recommendations from this document in relation to data protection, a legal framework, as well as rules for the role of the data controller.
The 114-page draft Act is comprehensive in outlining how the personal data of any resident of Jamaica should be collected, accessed, stored, processed and disposed of. It also includes requirements that both private and public sector players in the industry have to abide by in the processing of said data. The Act defines several players in the provision, control and oversight of data in Jamaica. The roles defined are data controller (a company/entity that provides services), data protection officer (established by the data controller to monitor complaints. Even if the company is based outside the shores of Jamaica, it has to establish one), the data subject (a resident or entity who produces data by using these services), and an Information Commissioner, who is an independent monitor who oversees compliance and regulation.The Act is only applicable if the data controller is established in Jamaica or is in any place where Jamaican law applies by virtue of international public law.
Similar to other major data protection laws such as the EU General Data Protection Regulation (GDPR), which came into effect May 25, 2018 and is regarded as one of the strongest data protection laws in the world, the draft of Jamaica’s data protection Act has strong safeguards for individuals, as well as establishing guidelines for how companies can use data.
For example, the draft of the Act stipulates that individuals have the right to request, free of charge, access to the data that a data controller has collected on them and the data controller has to respond within 30 days. The bill also requires data controllers to give individuals consent to have their information used. The Act established eight standards for data controllers in how they are to process the data of data subjects. They include that the data be processed lawfully, should not be used for any other purpose other than what it was collected for, be kept up- to- date, not be used for a period longer than it should be used, and be protected with the appropriate technical tools, among others.
If passed, the Act will require data controllers to do annual audits of their data processing systems, report data breaches to the Information Commissioner, and compensate data subjects if there is a violation of the Act in relation to their data. The Data controllers are also subject to various fines ranging from “$500,000 JMD to 10% of annual gross corporate income, and imprisonment ranging from 2 to 10 years, for offenses including failure to comply with an enforcement notice and unlawfully obtaining or disclosing personal data” (Forbes, McNicholas, Paster, & Remy, 2018).
There are some exemptions for data processing included in the proposed law with regard to national security and the publication of journalistic, literary or artistic material.
Conclusion and recommendations
Big data is big business and Jamaica’s recognition of the importance of regulating and protecting consumer data is laudable, and points to the country’s responsiveness to changes in the global digital and technological space. The introduction of the draft Data Protection Act, 2017 is undoubtedly a step in the right direction. From as early as the mid to late 2000s, Jamaica has been setting the stage for the introduction of regulatory legislation that will position the country to be on par with its regional counterparts and more developed countries around the world.
The draft Act has the potential to safeguard user data and protect citizens’ privacy from capitalist exploitation. To achieve this goal, there are some key considerations:
There is the need for public education about the law to ensure that citizens are aware of expectations under the law. The public should also be sensitised about the value of their data in today’s society and the implications of unrestricted access to their personal information and what their rights are under the impending law.
The GDPR law that is applicable in Europe, has a provision where data subjects have the right to have their information forgotten. While there is a provision for when the data controller should dispose of a data subject’s information in Jamaica’s draft Act, there is no specific provision that allows data subjects to force the data controller to erase their information. This takes away autonomy from the data subject over their own information, and should be a serious consideration for inclusion in the Act.
The latest draft of the Act states that in the area of national security, certain provisions would be suspended or not apply. While all governments include these exemptions when making bills, this should not be an excuse for the government to abuse the private data of its citizens and residents, especially in an age of widespread government surveillance.
Brown, A. (1995). Towards regionalization of new communication services in the CARICOM: A technological free-for-all. Canadian Journal of Communication, 20(3). Retrieved from https://cjc-online.ca/index.php/journal/article/view/879/785
Data Protection and Privacy Legislation Worldwide (2019). Retrieved from https://unctad.org/en/Pages/DTL/STI_and_ICTs/ICT4D-Legislation/eCom-Data-Protection-Laws.aspx
Dunn, H. (2010). Embracing 21st century media regulation. Retrieved from http://www.broadcom.org/resources/speeches-presentations?start=80
Dunn, H. (2014). Imperial foundations of 20th-century media systems in the Caribbean, Critical Arts, 28:6, 938-957, DOI: 10.1080/02560046.2014.990644
Forbes, D., McNicholas, E., Paster, N., & Remy, J.. (2018). Jamaica’s new privacy Protection bill. Retrieved from https://datamatters.sidley.com/jamaicas-new-privacy-protection-bill/#page=1
Internet Live Stats (2019). Retrieved from https://www.internetlivestats.com/one- second/#google-band
Ministry of Justice (2013). The Telecommunications Act. Retrieved from https://moj.gov.jm/sites/default/files/laws/The%20Telecommunications%20Act.pdf
Parliament of Jamaica. The Data Protection Act, 2017. Retrieved from https://www.japarliament.gov.jm/attachments/article/339/The%20Data%20Protection%20Act,%202017.pdf
Parliament of Jamaica (2011). Information and Communications Technology (ICT) Policy. Retrieved from http://www.japarliament.gov.jm/attachments/596_Information%20and%20Communications%20Technology%20(ICT)%20Policy.pdf
Privacy and Data Protection: Model Policy Guidelines & Legislative Texts (2013). Privacy and Data Protection: Model Policy Guidelines & Legislative Texts. HIPCAR Project. Retrieved from https://caricom.org/documents/16583-privacy_and_data_protection_mpg.pdf
Scott, S. (2019). Gov’t looks to complete Data Protection Bill, ICT Act this year. Retrieved from http://www.loopjamaica.com/content/govt-looks-complete-data-protection-bill-ict-act-year
The Caribbean Internet Usage Stats by Country (2019). Retrieved from https://www.internetworldstats.com/carib.htm#jm
World Internet Users Statistics and 2019 World Population Stats. Retrieved from https://www.internetworldstats.com/stats.htm.
Zuboff, S. (2015). Big other: Surveillance capitalism and the prospects of an information civilization. Journal of Information Technology, 30. Retrieved from https://cryptome.org/2015/07/big-other.pdf
Zuboff, S. (2019). The age of surveillance capitalism: the fight for the future at the new frontier of power. London: Profile Books.
Keresa Arnold is a Jamaican living in Ontario, Canada where she engages in HIV research among Black communities.
Mark Beckford is an assistant professor at Howard University’s Department of Media. He grew up in Jamaica and worked as a reporter and Online Content Editor for the Gleaner Company before migrating to the United States of America.