• Personal data is constantly collected (social media,

businesses, governments).
• Need to balance privacy, security, and innovation.

• How do we protect privacy while allowing

technological progress?
• What are our rights and responsibilities?
 •
•
•
• Informational Privacy (data protection laws, GDPR)
• Bodily Privacy (biometric data)
• Communication Privacy (email, calls, messaging)
• Territorial Privacy (home, workplace surveillance)
• Decisional Privacy (personal choices, healthcare)

• Section 11- Right to privacy

• Section 17- Protection from unlawful searches and
seizures
• Barbados Data Protection Act (2019): Aligns with
GDPR.
Types of Personal Data:
• Names, addresses, phone numbers
• Biometric data, browsing history, financial/medical records
Why it matters:
• Prevents misuse, theft, and unauthorized sharing.
1. Lawfulness, Fairness & Transparency (Users
must be informed).
2.Purpose Limitation (Data used only for its
intended purpose).
3.Data Minimization (Collect only necessary data).
4.Accuracy (Keep data up to date).
5.Storage Limitation (Don’t store data indefinitely).
6.Integrity & Confidentiality (Protect data from
breaches).
7.Accountability (Organizations must follow best
practices).
• Data Controllers: Decide how and why data
is processed (e.g., Facebook, banks).
• Data Processors: Process data on behalf of
others (e.g., cloud storage providers).

• Right to Access
• Right to Rectification
• Right to Erasure (“Right to be Forgotten”)
• Right to Object
• Data flows across borders, but laws are
national.
• Examples of Global Issues:
• GDPR applies worldwide but is hard to
enforce.
• U.S. and China have weaker privacy laws.
• Tech giants store data in multiple
countries (jurisdictional conflicts).
• Possible Solutions:
• Stronger international agreements.
• Increased cooperation among Data
Protection Authorities.
1. Conflicts Between Privacy & Security
• National Security
• Law Enforcement
• Public Health

2. Privacy & Data Protection Shape Our Daily

Lives
• Stronger Enforcement
• Global Cooperation
• Public Awareness
• Before the digital age, personal and business records were stored manually
(paper-based).
• Digital transformation has improved accessibility but increased risks such
as hacking, breaches, and cyberattacks.
• Data protection laws help safeguard personal information, prevent abuse,
and ensure privacy rights.
COMPARING DATA PROTECTION LAWS
 • Early Laws: England’s Data Protection Act 1984 – First
framework for data privacy.
• Commonwealth Caribbean Adoptions: Early laws (Bahamas
2003, St. Lucia) modeled after UK laws.
• Modern Approach: Shift towards EU General Data Protection
Regulation (GDPR)-style laws with stronger security
measures.
While early acts lacked explicit provisions for hacking and
breach notifications, recent laws, particularly those modelled
after the GDPR, impose stricter security requirements and
higher penalties for non-compliance. These developments
demonstrate a growing recognition of data privacy as a
fundamental right and the need for stronger legal safeguards in
the digital age.
DATA ROTECTION PRINCIPLES
Some principles include that personal data
should be processed fairly, accurately and
lawfully, be collected for specific purposes and
not for another purpose, the data should be
relevant and not excessive, accurate and up to
date and not be kept longer than is necessary.

RESPONSIBILITIES OF ORGANIZATIONS
the responsibility to protect personal
data effectively and to exercise
intellectual property rights properly.
 01 Personal data should only be collected
for specific purposes and it should not
then be processed for another purpose
or use

RIGHT TO HAVE Macgregor v Procurator Fiscal of Kilarnock

PERSONAL DATA 02 (1993), unreported, 23 June.

The court found that his actions did not
COLLECTED FOR equate to policing purposes and the
SPECIFIC PURPOSES information was used for another purpose.

03 This principle promotes data subjects

being able to trust the integrity of an
organisation to whom they give their
information to.
01
the purpose of the legislation is to
protect the rights of the individual; and
second, that the standard required is
one of objective fairness.

Bell v Alfred Franks & Bartlett Co Ltd [1980]

02 1 All ER 356
Shaw LJ- consent required a positive
affirmative action, that a data subject’s
information can be processed. Thus, opt-in
boxes rather than opt-out boxes are used by
organisations when asking for consent for their
data to be processed.
01 HAOCHEN SUN
Haochen Sun opinioned that because
intellectual property is important to economic
development and social justice organisations
should be required to license patent rights in a
way that is fair, reasonable and non-
discriminatory

02 FEDERAL TRADE COMMISSION V QUALCOMM

organisations can protect their intellectual

property but not to the extent that it
affects data subjects and other
competitors.
Technological innovations, such as AI, blockchain, and 5G, are
reshaping data transfers, but they also introduce new privacy
risks

•Movement of personal or sensitive data across borders for

processing, storage, or service delivery.
•

•
•

•
•

•
 •Jamaica’s BPO & GDPR:
01 Firms handling EU data 02
(e.g., Sutherland Global
Services) comply with
GDPR.
•Barbados Financial
03 Services & FATCA: Banks 04
transfer customer data to
the U.S.
•CARICOM IMPACS &
Regional Security: Data
sharing for crime-
fighting.
Cloud Hosting of
Government Data:
Barbados’ AWS migration
and adherence to data
transfer laws.
 BEST PRACTICES TO
SECURE DATA
TRANSFERS

1. USE STANDARD 2. IMPLEMENT 3. CONDUCT DATA TRANSFER

CONTRACTUAL STRONG IMPACT ASSESSMENTS
CLAUSES (SCCS) FOR ENCRYPTION & (DTIAS) BEFORE HANDLING
LEGAL COMPLIANCE. CYBERSECURITY DATA INTERNATIONALLY.
MEASURES.
• Google obtained a wide variety of information relating to
users ranging from general browsing habits to more
sensitive information
• Issue Could this browser-generated information (BGI) be
construed as personal data?
• COA concluded that ‘identification for the purposes of data
protection is about data that “individuates” the individual, in
the sense that they are singled out and distinguished from all
others.

WHAT IS NPD
online background check and
fraud prevention service
experienced a significant data
breach which exposed up to
2.9 billion records with highly
sensitive personal data of up to
170M people in the US, UK, and
Canada.
DATA CONTAINED:
• Full names RISKS
RISKS
• Social Security • increase the patrons
• increase the patrons
likelihood of becoming
Numbers likelihood of becoming
subject to identity theft,
• Mailing addresses subject to identity theft,
harrassment, increased
harrassment, increased
• Email addresses phishing attacks and even
phishing attacks and even
• Phone numbers​​ physical threats
physical threats
 1. EUROPEAN UNION
• Article 33: Breach
notification within 72
hours
• Article 34: Notify
individuals if high risk to
their rights/freedoms
2. BARBADOS DATA PROTECTION ACT 3.
• Section 63: Mandatory
breach reporting to the
Commissioner
• Section 64: Notify
individuals within 72
hours if high risk
IDAHO DATA BREACH LAW
• Immediate notification if
misuse is likely
• Fines: $25,000 per breach
for companies, $2,000
fine/imprisonment for
government employees
1. WHAT IS BIG DATA AND WHAT ARE THE CONCERNS
SURROUNDING IT?

Large-scale analysis of data for trends and patterns

Concerns:
• Increased surveillance & reduced privacy
• Data has market value; privacy doesn’t
• Investment in data collection vs. privacy protection

2. PCAST VIEW ON BIG DATA (US)

• Claims positive benefits outweigh risks

• Traditional data protection rules hinder innovation
• "Notice and consent" seen as outdated
1. SCHREMS CASE (EU)
• The court found that there was not adequate protection for the
personal data on transfer to the US. It is clear from the judgment
though that a third country must maintain a high standard of
protection for personal data if it is to be deemed adequate
• The term ‘adequate level of protection’ must be understood as
requiring the third country to ensure,a level of protection of
fundamental rights and freedoms that is essentially equivalent to that
guaranteed within the European Union

2. CHINA
• Lax privacy laws enable AI surveillance (e.g., gait recognition)
• What is Gait Recognition? artificial intelligence is used to identify
persons from over 160 feet away even if their face is covered or their
back is turned to the camera. It assists the police in identifying
fugitives and even jawalkers.
• Prioritization of security over individual privacy
Key Caribbean privacy laws:
• Barbados Data Protection Act (2019)
• Jamaica Data Protection Act (2020)
• Trinidad & Tobago Data Protection Act (2011)
Challenges:
• Weak enforcement and lack of awareness.
• Limited regulatory oversight.

Recommendations:
• Strengthen data protection authorities.
• Harmonize CARICOM-wide regulations.
• Customer transaction details were leaked online.
• Impact:
• Eroded customer trust.
• Highlighted weak security practices.
• Lessons learned:
• Need for stronger cybersecurity in financial institutions.
• Importance of compliance with Jamaica’s Data Protection Act.
1. REAL-TIME MONITORING & 2. BAHAMAS POLICE 3. STRENGTHENING CYBERSECURITY
FRAUD PREVENTION DATABASE HACK (2021) IN THE CARIBBEAN
Why is real-time monitoring
important? • Hackers accessed and Key cybersecurity weaknesses:
• Detects suspicious activity early. leaked police reports. • Outdated IT infrastructure.
• Prevents fraudulent transactions • Impact: • Low awareness
and data breaches. • Exposed witness • Weak government
regulations.
information and crime scene
Common threats: Solutions:
details.
• Phishing – Fake emails stealing • Enforce Multi-Factor
Lessons learned:
credentials. Authentication
• Need for encryption and
• Ransomware . • Develop National
access controls. Cybersecurity Centers.
• Insider Threats.
• Governments must prioritize • Secure Data Encryption
• Card Fraud
real-time monitoring. • Invest in Cyber Incident
Best Practices: Response Teams (CIRTs).
• AI-powered threat detection.
• Automated fraud alerts.
• Continuous network monitoring.
 • Ransomware attack disrupted
government services.

Impact:
• Delayed operations and increased
costs.

Lessons learned:
• Need for better data backups and
response plans.
• Stronger cybersecurity measures
needed in government agencies.
 • Amazon was fined for violating data
privacy rules in targeted advertising.

Why does this matter?

• Shows that even large corporations
must comply.
• Caribbean regulators can learn from
GDPR enforcement models.
 • Privacy protects personal freedom, while data protection
regulates information use.
• Laws have evolved to strengthen security, but
enforcement gaps remain.
• Caribbean nations face challenges with cybersecurity and
data transfers.
• Stronger regulations, business security measures, and
public awareness are needed.
• By working together, we can protect privacy while
embracing technology safely.

Protecting data means protecting people. The future

depends on it.