Some people are wondering what the sudden brouhaha about data protection is about. They argue that we have long been accustomed to sharing some of our personal data with certain service providers (government institutions, insurers, bankers, lawyers, doctors) without legislative input or protection. While that is indeed true, our increasing online footprint means that we are sharing our personal information with many persons, agencies and businesses that can easily keep and/or disseminate this information without our knowledge or consent.
For the past decade, most entities and online companies have adopted a self-regulation regime anchored on procuring your consent to their retention and use of your information. Web users are familiar with the ubiquitous prompts requiring consent to the use of cookies, text files which may contain such personal data as the name and address you have given to the site. Though a good first step, the consensus is that corporate and web-based self-regulation and self-policing do not constitute sufficient data protection.
Data protection is perhaps most helpfully defined as a mix of practices, safeguards and binding rules to ensure a person’s personal information is not accessed, disseminated, retained or modified except in accordance with such practices, safeguards and rules. Personal data is information that identifies or pinpoints a natural person.
The European Union, with its General Data Protection Regulation (GDPR), which took effect in May 2018, has led the way with the most comprehensive data privacy regulation to date. With Barbados’ Data Protection Bill (2018) (the “Bill”) making its rounds for passage, no Caribbean regulation is to date as comprehensive in scope as the GDPR. As is the case for the rest of the world, Barbados will be impacted or caught by the GDPR whenever data processors in the island process the personal information of EU citizens. Key tenets or principles of data protection established by the GDPR have made their appearance in the Bill, such as the rights to data access, data quality, privacy by design and restrictions on data transfer to territories without adequate data protections. Still, there are some provisions and some omissions in the Bill which present challenges and opportunities for the fintech and blockchain sector.
Under the GDPR the data subject has a right to require erasure of their personal data if there is no legitimate reason for its continued processing. This principle poses a challenge for blockchains: data can be superseded by a later entry but not erased from the chain. In what may be a coup for fintech and blockchain service providers processing data in Barbados, the right to erasure under the Bill is tied to the data subject establishing that the data is inaccurate. In short, blockchains will not need to irreversibly encrypt data (irreversible encryption has been recognized as a valid form of erasure by some data protection authorities) provided the data is accurate. The Bill requires that data controllers, the entities charged with ensuring that personal data is processed in accordance with the protection principles set out in the Bill, be registered.
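The “irreversible encryption as erasure” approach mentioned above is usually implemented as crypto-shredding: personal data is written to the chain only in encrypted form under a per-subject key kept off-chain, and erasure means destroying that key, which leaves the immutable chain intact and verifiable. The following is an added illustration, not code from the article or from any Barbadian project; the `Ledger`, `KeyVault`, subject identifiers and the HMAC-SHA256 counter-mode cipher (a standard-library stand-in for AES) are all constructed for the example.

```python
import hashlib
import hmac
import secrets

def _keystream(key, nonce, length):
    # Counter-mode keystream from HMAC-SHA256: a stdlib stand-in for AES-CTR.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key, plaintext):
    nonce = secrets.token_bytes(16)
    return nonce + bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))

def decrypt(key, blob):
    nonce, ct = blob[:16], blob[16:]
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class Ledger:
    """Append-only hash chain: records can be added but never removed or edited."""
    def __init__(self):
        self.blocks = []
    def append(self, subject_id, ct):
        prev = self.blocks[-1]["hash"] if self.blocks else b"\x00" * 32
        h = hashlib.sha256(prev + subject_id.encode() + ct).digest()
        self.blocks.append({"prev": prev, "subject": subject_id, "ct": ct, "hash": h})
    def verify(self):
        prev = b"\x00" * 32
        for b in self.blocks:
            if b["prev"] != prev or b["hash"] != hashlib.sha256(prev + b["subject"].encode() + b["ct"]).digest():
                return False
            prev = b["hash"]
        return True

class KeyVault:
    """Off-chain per-subject keys; deleting a key is the erasure action."""
    def __init__(self):
        self.keys = {}
    def record(self, ledger, subject_id, personal_data):
        key = self.keys.setdefault(subject_id, secrets.token_bytes(32))
        ledger.append(subject_id, encrypt(key, personal_data))
    def read(self, ledger, subject_id):
        key = self.keys.get(subject_id)
        if key is None:
            return None  # key shredded: the ciphertext still on chain is unrecoverable
        return [decrypt(key, b["ct"]) for b in ledger.blocks if b["subject"] == subject_id]
    def erase(self, subject_id):
        self.keys.pop(subject_id, None)
```

After `erase`, the chain still has the same number of blocks and still verifies, so audit integrity is preserved while the personal data itself is no longer readable.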
However, identifying the data controller in decentralized public blockchains may be problematic, as arguably any member of the public could add data to the chain and be the ‘controller’ for the data added. This issue may be moot, as most blockchains employed by enterprises are permissioned or private. Players in a permissioned blockchain are restricted, and arguably the enterprise could designate a party as controller for registration purposes. The integration of traditional players such as banks and/or credit agencies with fintech providers necessarily entails the sharing of customer data with third-party players. These players may be located in territories without similar protections in respect of data protection.
The Bill prohibits the transfer of data to countries without adequate data protections. It is safe to assume that data transfer to a country in the EU, or to a state that has adopted GDPR-type provisions in its regulations or laws, will be deemed compliant. In every other case a bank or fintech operator in Barbados will have to be mindful of its third-party data sharing unless its contractual arrangements for protection of the data shared are approved by the Data Protection Commissioner. All in all, there appear to be interesting times ahead for the fintech and blockchain sector in Barbados as it grapples with ensuring data protection compliance.