Personal data processing in the Dutch Caribbean: still a long way to go

Publication

16 June 2020

Privacy awareness is slowly increasing in the Dutch Caribbean. The first feat: the recently published report of the Commission Supervision Personal Data Protection BES about the processing of personal data on the BES islands. The coronavirus crisis did, indeed, result in some awareness in terms of the privacy legislation on Curacao and the other countries of the Dutch Caribbean, but this topic deserves more attention of social organizations and the government.

Every island of the Dutch Kingdom has its own personal data protection legislation and in Curacao there has been talk of a media code to safeguard privacy rights in the best way possible for a while now. Everybody knows that we are all entitled to privacy, but what it means exactly is unclear. We are all familiar with the phenomenon of direct marketing messages received on your personal mobile number. And, more recently during this coronavirus crisis: how difficult it was for the Minister of Health to explain to reporters that she cannot share the details of the first coronavirus patients with the press. A discussion also arose as to whether it is allowed to take body temperatures in stores and whether employers can inquire after the health condition of the employees.

Then what personal data do we try to protect?

Personal data are basically all data that are related directly to a person or that can be traced back to a specific person. This does not only include obvious data like name, address and date of birth but also, for instance, IP address, license plate, images, passport photos, staff number, bank account number, private and business (!) email address, login details, salaries, résumés, physical characteristics, online search history, and so on. Thanks to the worldwide developments and digitalization we become ever more aware of the importance and value of personal data that, on the one hand, provide access to all sorts of services but, simultaneously, end up on the street or are used in a way that we not consented to. Ever more often personal data are qualified as commodities, unless sufficient supervision and enforcement of rules take place.

European legislation

In 2016 the European Union already called for harmonization of legislation in the area of personal data protection of European countries. This resulted in the General Data Protection Regulation (the “GDPR”), which took effect in 2018. Although this is European legislation, the GDPR resulted in ample motion and development in the area of legislation and awareness in the whole world.

The privacy legislation of the islands of the Dutch Caribbean is largely based on the old Dutch Personal Data Protection Act that, although less strict, shows similarities with the methodology of the GDPR. In addition, it should be noted that the strict European GDPR can, in certain circumstances, also be applicable to personal data processing by an organization on one of the islands of the Kingdom, with all associated consequences.

Personal data protection on the islands is still to start

In this region, things are not that strict yet and supervision still needs to be stepped up. In Aruba, the law does not provide for specific supervision yet. On the other hand, the privacy legislation of Curacao and St. Maarten of 2010 provides for the incorporation of official authorities that must supervise compliance with the applicable rules, however they still need to be established. Having regard to the fast-changing and digitalizing world, it is time for this to take place shortly. For the BES islands this Commission has been in place since April 2014 and a number of remarkable issues come to the fore in its first report on compliance with data protection legislation. For instance, the BES supervisory authority underlined the excessive processing of personal data within an entity in one of the BES islands.

We can all remember one or more situations where each time  various copies are made of your identity document or long forms must be completed in three copies. It is not always clear whether all that information is truly relevant and necessary, how long the information will be retained of who all have access to the said information. Subsequently you are harassed with marketing messages or information is used against you for a different purpose. This practice is not without risks for the organizations that process these data because it is often in violation of the law. On the basis of the new GDPR extremely high fines, up to 4% of the worldwide annual revenue, have already been imposed on companies in Europe. Although our current legislation also provides for sanctions on non-compliance with the applicable laws, enforcement of these rules is yet to be seen on the islands, but it is only a matter of time.

How to move on?

Having regard to the accelerated digitalization and a growing offer of digital services (streaming, web stores, social media), we should also learn to handle personal data in a more conscious and more diligent manner on the islands. Of course this includes more knowledge of – and discussion about – legislation about the collection, storage, erasure and consultation of personal data. In our daily life, but also in less obvious instances, for instance in contact with financial institutions, in case of takeovers, employment relations, educational institutions, marketing, government, digital service providers and care institutions, we all have to deal with personal data processing. However, people do not realize the importance of the existing regulations.

Nobody has failed to realize that the coronavirus crisis resulted in much more digitalization of services and commercial transactions on the islands. This also implies that ever more personal data are processed via WhatsApp messages and online accounts. This development only increases the need for control and enforcement by a supervisory authority. In addition, this development ensures that people start wondering more often to what degree these organizations and businesses, but also the government, are aware of the applicable legislation and how diligently they handle the collected personal data.

The lack of supervision does, however, not imply that the rules in the area of personal data protection are not applicable and that they do not need to be observed. That is also why it is recommended that organizations handle these kinds of personal data diligently and take reasonable measures to protect them.  Below a few tips and tricks are already provided how to handle personal data:

  • Determine for what purpose(s) the data will be processed;
  • Determine what data are necessary for the realization of the said purpose(s);
  • List and define whether special data, e.g. medical data, are involved;
  • Check whether all data that are requested are also actually necessary for the realization of the said purpose(s); and
  • Take technical and organizational measures to secure the collected personal data.

Do you want more information about this, please contact Ruthnialys Mogen or Diek Fabius.