The General Data Protection Regulation (GDPR) is a European Union (EU) based law that is applicable to all Member States of the Union. It became effective on the 25th May 2018. The GDPR generated much concern and activity worldwide in recent days. Mail boxes are flooded with requests for persons to re-consent to direct marketing and information emails or updated privacy policies. The major concern is focussed on compliance with the GDPR’s provisions with eyes firmly fixed on the hefty fines of €20,000,000.00 or 4% of the businesses’ global income for the prior year whichever is higher.
Non-EU businesses assume that the GDPR automatically applies to their activities due to the extra-territorial application of the Regulation. The Regulation fuels this assumption. Article 3(1) states that the Regulation is applicable to the processing of EU data subjects’ personal data whether the processing takes place in the EU or not. It further specifies that it applies where non-EU businesses offer goods or services in the EU irrespective of whether payment is made or where there is monitoring of EU data subject’s behaviour. It may also apply if Member State Law applies by virtue of public international law.
Notwithstanding the extra-territorial effect of the GDPR however, it does not automatically apply to non-EU businesses. The usual or likely circumstance in which such businesses would fall within the GDPR net is where they have an online presence, have email details or other contact information for EU data subjects. However, the existence of these factors are not conclusive. The fact that a Jamaican or non-EU business is accessible in the EU or by EU data subjects is not enough to bring it within the scope of the regulation. The non-EU business must demonstrate an intention to attract or target EU data subjects as customers. Instead of assuming that the GDPR applies therefore, a Jamaican business engaged in the selling of goods or services must assess whether their actions or activities target EU customers or whether there is an intention to do so. A number of factors are relevant to this assessment.
These include but are not limited to the following:
a. Does the Jamaican business enable access by EU data subjects in their language or currency?
b. Are EU data subjects able to access good or services in their language?
c. Whether the Jamaican business refer to EU customers by name or by reference to a Member State when advertising goods or services?
Monitoring activities that trigger the application of the GDPR includes the tracking of individuals on the internet and using the information to:
a. profile a natural personal so that decisions can be made about the data subject;
b. assess the data subject’s personal preferences such as purchasing or browsing behaviour.
Profiling, occurs when the automated processing of personal data is used to “analyse or predict a person’s behaviour.” 5 The information is then used to evaluate the data subject’s personal preferences for several purposes including direct marketing or purchasing habits or location. In considering the requirements for compliance, Jamaican businesses must determine whether they collect data for EU data subjects and how it is collected or used.
The more common activities which explains some of the emails that are flooding mail boxes are:
a. web analytics;
b. tracking;
c. cookie identifiers;
d. radio frequency identification tags;
e. geo-location tracking
This determination requires an assessment of the business. If after an assessment it is determined that the GDPR applies, the Jamaican business must determine the nature of the personal data that it processes for EU subjects and put in place mechanisms such as systems to manage the data as well as data protection policies to assure compliance. Perhaps more fundamentally, the business must appoint an EU representative who is located in a Member State and more so where the EU data subjects are located. The representative’s appointment should be in writing. The relevant information commissions or authorities should be advised to address the representative instead of the Jamaican controller or processor. In the event of failure to comply the representative is the likely person or entity to be the subject of enforcement proceedings.
This does not affect the right of the authorities or data subject to bring judicial proceedings directly against the Jamaican data controller or processor. The word out there is that EU representatives are not in large supply for non-EU businesses due to the risk of enforcement proceedings against them directly. It is more likely that such representatives may extract stringent terms including indemnity and insurance as a condition to representing non-EU businesses.
For Jamaican businesses whose primary contact may be in Britain, the appointment of a representative, if necessary, should be given some thought in light of Brexit which means that shortly it will be a non-EU Member State, that is a third country. This is not to say that as between Jamaica and Britain the GDPR or GDPR type regulation will not be in effect. GDPR apart, there is a new Data Protection Act, 20187 in the UK which substantially mirrors the GDPR.
Notwithstanding the foregoing Jamaican businesses should be mindful of the indirect application of the GDPR. This is because there are restrictions on EU personal data transfers from the EU to third countries (non-EU Member States) or from those states to other third countries. The restrictions are imposed because the EU is keen to ensure that the GDPR remains as an effective measure for the protection of the EU data subject’s personal data. In this context, an “adequacy decision” would be required for Jamaica or one or more specified sectors in Jamaica which affirm that adequate levels of protection are in place to preserve the objectives of the regulation. On the other hand, there may be an exemption from the requirement for an “adequacy decision” if the EU controller or processor has provided adequate safeguards as required by Article 46. This exemption is available on condition that “enforceable data subject rights and effective legal remedies are available.” One such measure is for “associations and other bodies representing categories of controllers and processors” 8 adopt codes of conduct that acknowledge the application of the GDPR.
Finally, the requirement for persons to consent or re-consent to direct marketing or information emails is not yet a part of the GDPR. It is being done pursuant to the e-Privacy Directive, 2002/58/EC which regulates marketing via electronic communications. Jamaican businesses should commence with an assessment of their EU contact, the nature, content and subject matter of that contact before implementing the GDPR regime or as part of that implementation. It is the dawn of a new era and a long new road for Jamaican businesses.