In today’s world the use of technology is synonymous with everyday life – from supermarket shopping, food delivery, filing prescriptions, medical treatment and employment data – unparalleled volumes of personal data is transmitted and shared through mobile apps, social media, telecommunication networks, the internet, online publications, online platforms and cyberspace. This trend is set to increase.
As the global market for goods and services expands beyond national borders, laws which are meant to protect an individual’s personal information are constantly under threat. The speed of technology moves quickly, literally at the click of a mouse, making it challenging to protect data on the global front, in all spheres.
Data Protection in the local context
In Trinidad & Tobago, at present personal data and data privacy protected by the Data Protection Act 2011 (the ‘DPA’), including online transmission of personal information. At present, only the establishment of an Information Commissioner and the general data privacy principles which provide guidance for handling, storing and processing of a person’s personal information are in force. The operative parts of the DPA which govern how that information is collected, protected and disclosed as well as sanctions for breach of the Act are not yet proclaimed.
An individual’s personal information can be extensive and can include information in any recordable format, such as information relating to the race, nationality or ethnic origin, religion, age or marital status of the individual, education or the medical, criminal or employment history of the individual or information relating to the financial transactions, any identifying number, symbol or other particular that can identify an individual, an individual’s name, address telephone contact number and more detailed information such as fingerprints, DNA, blood type or the biometric characteristics. It can also include confidential correspondence sent by an individual, views and opinions of a third party about the individual.
The general data privacy principles act to ensure that the handling, storage or processing of a person’s personal information is done in a manner that affords some measure of protection both by public and private entities. These guidelines or principles include that:
- an organization shall be responsible for the personal information under its control.
- before or at the time when information is collected, the reason for collection should be made clear.
- an individual’s information should only be collected, used or disclosed with his/her full knowledge and consent, and should be as accurate and complete as is needed for purpose of collection.
- collection of an individual’s personal information must be a legal undertaking and limited to what is necessary and in keeping with the reason or purpose for collection.
- unless there is an exemption in law, an individual is entitled to request and obtain full disclosure of any documentation containing personal information about him, and to challenge the accuracy and completeness of that information and the extent to which the holder of that information has complied with these data privacy principles.
- an individual’s personal information has to be protected depending on the sensitivity of the information.
- except where an exemption exists, sensitive personal information is protected from being processed
Cross-border Protection in the digital space
Given the ease with which personal information is transmitted to and by third parties through advancing technology, the danger and vulnerability faced by individuals where there are ineffective online security measures in place to protect them poses a real concern. Where personal information is not protected, individuals face real threats such as breaches of security of online payments, cybercrime, online fraud, identity theft and misuse of personal data.
As it relates to cross border transmission of personal information, the DPA requires that personal information that is to be disclosed outside of the jurisdiction ought to be regulated and appropriate safeguards put in place to allow for monitoring of those jurisdictions where the personal information is received. There are still limitations, as these safeguards are not yet in place. In one sense, it falls to individuals to do more to protect their personal information.
While the current DPA presents restrictions for the protection of personal information in this jurisdiction, other countries are far more developed in the strides made to protect personal information including information transferred across borders. One example is the United Kingdom’s General Data Protection Regulations which sets out the rules that oversee protection of individuals as it relates to the processing of information and free movement of personal information and use of online information.
The recent UK appellate case of Soriano v Forensic News LLC and others  EWCA Civ 1952 is a good example of the strides being made. The case involved a claim brought by a naturalized British citizen with Israeli nationality, domiciled in the UK who found himself the subject of a series of publications by a US online newspaper that included publications via a website, social media and podcasts. The Claimant filed a number of claims in the UK court, one of which was in respect of breach of data protection laws against the US based Defendants.
The case affirmed two issues. Firstly that location or what constitutes a legitimate place where personal information is processed or collated can be simple. It can be somewhere where there is minimal activity taking place, such as an online service provider with a few staff members. What is important is the nature of the activity taking place. Secondly, it recognizes that the jurisdiction for data protection operates across borders inclusive of monitoring how organisations who collect data behave or treat with that information.
Though not available under local data protection laws now, hopefully in the near future, there will be protection for personal information here that is in step with technology. Even so, there may be little substitute for the actions of an individual actively seeking redress for misuse of their personal information across jurisdictions, particularly where that information is of a sensitive nature, for example, race, political affiliations, sexual orientation or criminal records.
As improvements for the security and protection of personal information continue to develop though at its own pace, it continues to be a work in progress to see whether laws and safeguards can match the speed at which technology is able to churn through information. Complete comfort with how your personal data is used and accessed online, whether nationally or across borders is some ways off.