Lennox Paton logo

Lennox Paton

lennoxpaton.com
Show options

News and developments

A Regional Perspective on Privacy: Caribbean Data Protection Laws and the Case for Reform in The Bahamas

By: Takeio Frazer

Published: July 2025

Introduction

In an age where data is currency, safeguarding personal information is no longer optional  it is a national imperative. The Caribbean has seen a wave of modern privacy legislation, with countries like Barbados and Jamaica taking bold steps to implement comprehensive data protection laws. In contrast, The Bahamas, once a pioneer in this area with the Data Protection (Privacy of Personal Information) Act, 2003 (“DPA”), now lags behind.

  • The Bahamas: A Pioneering but Outdated Framework

    • The Bahamian DPA came into force on April 2nd, 2007, and was one of the first regional laws addressing personal data privacy. It applies broadly to both public and private sector entities, establishing a regulatory framework under the Data Protection Commissioner. It outlines several key features:

  • Section 2 Definition of Personal Data: Covers identifiable data and “sensitive personal data” including health, religious beliefs, and criminal records.

  • Section 8 Data Subject Rights: Individuals have the right to access personal data held about them.

  • Section 6 Data Controller Obligations: Controllers must collect data lawfully, keep it accurate, retain it only as needed, and ensure adequate security.

  • Oversight: The Commissioner monitors compliance and maintains a public register of data controllers.

    • While progressive at the time, the DPA lacks critical modern features. It contains no right to erasure or data portability, no breach notification requirements, and does not mandate Data Protection Officers (DPOs). Enforcement has also been hampered by under-resourcing and limited regulatory powers.

  • Barbados: Comprehensive and GDPR-Aligned

    • Barbados enacted the Data Protection Act, 2019, which came into effect in March of 2021. It is explicitly modeled on the European Union’s General Data Protection Regulation (GDPR), arguably the gold standard in privacy law.

    Key features include:

  • Section 12: Right to Erasure: Data subjects can request deletion of personal data where it's no longer necessary or consent is withdrawn.

  • Section 15: Data Portability: Individuals may receive their data in machine-readable format and transmit it to another controller.

  • Section 18: Automated Processing Oversight: Individuals can object to decisions made solely by algorithms.

  • Sections 22 and 23: Cross-Border Transfers: Transfers to third countries require “adequate” protection or contractual safeguards.

    • This legislative architecture positions Barbados as a regional leader, ensuring strong individual rights and signaling to international partners a commitment to responsible data stewardship.

  • Jamaica: Balancing Privacy and Innovation

    • Jamaica’s Data Protection Act, 2020, in force since the 1st of December 2023, represents a balanced approach. Like the GDPR, it includes extra-territorial reach and robust individual rights. The law is administered by an independent Information Commissioner, with clear enforcement powers.

    Key features include:

  • Section 13: Right to Rectification and Processing Objection: Individuals can correct data or object to its use.

  • Section 21: Mandatory Breach Notification: Breaches must be reported within 72 hours.

  • International Scope: Applies to foreign processors handling Jamaican data.

    • Jamaica’s law aims to encourage innovation while protecting data subjects, recognizing privacy as a core feature of a digital society.

  • The Case for Reform in The Bahamas

    • The Bahamian framework, while historically significant, is now outdated. With limited enforcement powers, narrow rights, and no alignment with current international standards, the DPA is ill-suited for a modern data economy.

    Suggested Reforms:

  • Modern Rights: Add erasure, portability, and breach notification provisions.

  • Enforcement: Expand the powers and resources of the Data Protection Commissioner.

  • AI Regulation: Address algorithmic decision-making and require human oversight.

  • International Compatibility: Ensure cross-border adequacy for trade and digital services.

    •  

  • Conclusion

    • Data protection is no longer a niche regulatory issue it is a core component of national digital governance. While The Bahamas was a Caribbean pioneer in 2003, the time is ripe for a legislative overhaul. By looking to neighbors like Barbados and Jamaica, The Bahamas can craft a modern, resilient data privacy law that serves its citizens and supports a thriving digital economy. A revised legal framework should incorporate GDPR-style protections, robust enforcement mechanisms, and technological neutrality to ensure The Bahamas remains competitive in a data driven world

    For further information please contact Takeio Frazer at Lennox Paton by telephone at 242-502-5000 or by email at [email protected] .

    References 

  • The General Data Protection Regulation (“GDPR”).

  • The Data Protection (Privacy of Personal Information) Act, 2003

  • The Data Protection Act, 2019 (Barbados)

  • The Data Protection Act, 2020 (Jamaica)

    • Content supplied by Lennox Paton