Harmonising Data Protection Legislation across the Commonwealth Caribbean
The question of whether data privacy can be harmonised throughout the Commonwealth, based on the Commonwealth Model Provisions on Data Protection (“CMP”) is predicated on two presumptions:
- that the passing of a comprehensive data protection law will lead to its implementation; and
- that such implementation will produce the harmonization and consequently protected data flows throughout the Commonwealth.
While the CMP is sufficiently comprehensive and has detailed guidance on the comparisons with international instruments on data protection, such as General Data Protection Regulation in the European Union (“GDPR”), Organisation for Economic Co-operation and Development (“OECD”) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, Asia -Pacific Economic Cooperation (“APEC”) Privacy Framework and Association of Southeast Asian Nations (“ASEAN”) Framework on Personal Data Protection, it is not sufficient to harmonise the collection and retention of personal data throughout the Commonwealth. The CMP is relatively current and has successfully provided a comprehensive model law which can be replicated. However, the alignment of national law to the CMP will not necessarily lead to harmonisation. Many Commonwealth Caribbean states, for example, have passed data protection laws, yet few states have fully implemented the data protection laws, and introduced enforcement actions to sufficiently deter data controllers from breaching the data protection laws.
The main challenges affecting the harmonization of data protection laws in the Commonwealth Caribbean are:
1. Uneven Implementation and Enforcement: While many Commonwealth Caribbean states have passed data protection laws, few have fully implemented these laws or introduced enforcement actions to sufficiently deter data controllers from breaching them. The Bahamas is the only jurisdiction which has fully implemented their law and established a regulator, yet has very little enforcement. Other states, Jamaica, Antigua and Barbuda, and Barbados have implemented some provisions and appointed a regulator. Others, like Belize, Grenada and Guyana have not brought the law fully into effect as yet. Dominica has not passed any data protection law. Trinidad and Tobago, one of the earliest adopters of data protection laws in 2011, has yet to bring their legislation fully in force and has no regulator. However, the oldest data protection legislation in the Caribbean, St Vincent and the Grenadines, was passed in 2003 and has yet to be brought into force or have a regulator appointed.
2. Operationalization of Laws: There are persistent challenges in operationalizing the data protection laws that align with international standards such as the GDPR, OECD Guidelines, APEC Privacy Framework, and ASEAN Framework on Personal Data Protection. Several of these jurisdictions face resource challenges, particularly where some provisions have not been brought into force. The Office of the Information Commissioner (“OIC”), the data protection regulator in Jamaica, reported at its Data Privacy Conference in February 2025 that it had collaborated with jurisdictions in the Eastern Caribbean through the World Bank to highlight and assist with capacity building in implementing their data protection laws, yet, all the provisions of the Jamaican Data Protection Act have not been brought info force. Jamaica has not brought into force the enforcement provisions, which remain critical to the effectiveness of data protection laws, five years after the law was passed and three years after it was brought into force.
These challenges highlight the complexities involved in achieving full harmonization of data protection laws across the Commonwealth Caribbean.
Recommendations for harmonisation of data protection across jurisdictions
Once Commonwealth Caribbean jurisdictions can strengthen their regulatory bodies, and simultaneously, attempt to enable adequacy decisions for safe cross-border transfers of personal data across the region, there may be greater likelihood of harmonization.
Key considerations for determining whether a country is deemed to have an adequate level of protection for data protection under the GDPR and the CMP are whether the country has respect for human rights and fundamental freedoms, its data protection rules and enforcement, as well as their rules for onward transfers of personal data. The implementation of trans-border data rules and enforcement are crucial to harmonising data protection norms across jurisdictions. If Commonwealth Caribbean data protection regulators are empowered to institute adequacy decisions in respect of their regional partners in the Caribbean Community (“Caricom”), this would be an important step in facilitating regional trade.
Furthermore, public awareness by regulators and stakeholders is critical in driving implementation.
By focusing on strengthening data protection regulators’ capacity, as well as focusing on cross border transfers and public awareness campaigns, these may be more conductive to attempts at harmonization, rather than a focus on alignment to the CMP. The CMP has a role in being an important international instrument and reference, however, alignment with the CMP, in the absence of Commonwealth Caribbean governments fully implementing their data protection laws, would not lead to this harmonization.
While the present geo-political climate may not lend itself to extensive discussions on increasing inter-connectedness, it is hoped that a focus on cross-border trade will encourage the harmonisation across jurisdictions sought to be achieved by the CMP.
Article provided by INPLP member: Justine Collins (Hart Muirhead Fatta, Jamaica)
Discover more about the INPLP and the INPLP-Members
Dr. Tobias Höllwarth (Managing Director INPLP)