Commonwealth model data protection provisions the newest international influencer
In this edition, Professor Graham Greenleaf, Asia-Pacific Editor, gives us, as far as we know, the first review of The Commonwealth’s Model Provisions on Data Protection (CMP)(1) which were adopted in November 2022 by Commonwealth Law Ministers meeting in Mauritius.
The Commonwealth is a voluntary association of 56 independent member countries across six regions including Africa, the Americas, Asia, the Caribbean, Europe and the Pacific.(2) The combined population of these countries is approximately one third of the world population. Of these member states, 41 have data protection laws and 15 do not.
The importance of the CMP is that it sets a high standard, as Greenleaf shows in his detailed comparison between the CMP and the EU Data Protection Directive 1995, the Council of Europe Convention, the African Union Convention and the EU GDPR.
A significant question is whether ministers in Commonwealth Member States currently considering or drafting new data protection laws will implement the provisions which they have approved. The following countries both have data privacy Bills and are Commonwealth members: Bangladesh, Brunei, India, Malawi, Pakistan and Tanzania. There is no compulsion, but the CMP could act as a template to influence new data privacy laws or a source of suggestions for revisions to current laws.
For example, Grenada’s new data protection law adopted in May this year does not include a mechanism for international transfers, which is a standard provision, as we see in Table 2. Whether this is a deliberate decision or not, the CMP provides both law makers and interest groups in each jurisdiction with a convenient and standard template, with options, for giving their comments when new or amended laws are being drafted.
CMP an aid for intra-regional trade and governance
The CMP could also be valuable for encouraging regional cohesion, if members of a regional group, such as the Caribbean Community (CARICOM),(3) would take a decision to adopt a common approach to data protection laws in their region. The Bahamas, Barbados, Grenada, Jamaica, Trinidad and Tobago and several smaller islands are Member States of CARICOM but have few resources to consider the advantages and disadvantages of different policy decisions when drafting or revising their data protection laws. So the CMP now provides a template for them.
CARICOM celebrated its 50th Anniversary in July this year and its founding treaty was revised in 2002 to allow for the eventual establishment of a single market and a single economy. CARICOM’s core values include “coordination/harmonization of legislative and policy environment to enable equitable access to the benefits of regional integration.”(4) It is easy to see that a common framework of data protection law would facilitate intra-CARICOM trade.
The CMP is a practical template grounded in the real world of modern economies. An increasing number of countries, such as Singapore, a Commonwealth Member State, are pursuing policies of national digital transformation for reasons of economic development, and Singapore’s data protection law is designed and implemented accordingly. The United Kingdom is developing its “bridge” policy as a carefully calibrated alternative to the EU’s “adequacy” programme to encourage data sharing and innovation. The EU is aware of this trend and closely watches the UK’s initiatives. The EU’s new laws, intended to build on the GDPR, recognise both the development of new services and innovation, and at the same time respect “the choices we have made as a society in the EU.”
The EU GDPR remains the human rights-based data privacy law “gold standard.” Many existing EU “adequate” countries, such as Argentina, are working to upgrade their laws to reach this standard. However, it is clear that other options are available and now the CMP is the new one to join the club.
Privacy law developments in the Caribbean Community
15 October 2023, Bermuda
PL&B is organising this introductory session at the 45th Global Privacy Assembly, Bermuda, 15-20 October this year. The objectives are to raise awareness and discuss current national privacy law issues in the Caribbean region, as well as the differences between the jurisdictions, and exchange experience on any compliance challenges companies face. The Caribbean region now has 24 out of 32 jurisdictions with general purpose privacy laws. That is 3 out of 4 countries compared with only half in early 2019.(5)
The speakers at this GPA Caribbean session are:
- Dr Patrick Anglin, DPO, The University of the West Indies, Jamaica
- Lisa Greaves, Data Protection Commissioner, Barbados
- Bartlett Morgan, Director, Chancery Advocates, Barbados
- Laura Schwartz Henderson, Advocacy and Research Advisor, Internews, US
- Dr. Marisa Stones, Cabinet Office, Government of Bermuda
- Michael Wright, Data Protection Commissioner, The Bahamas
Laura Linkomies, Editor, and I are pleased to be organising this panel and will act as moderators in this session.
Sponsorship is available and it is planned that the open sessions, such as this one, will be live streamed.
While the Commonwealth CMP initiative may at first sight seem ambitious, the rapid development of data privacy laws across the world in the last 12 years (PL&B International Report February 2023), meticulously researched and compiled by Professor Graham Greenleaf, shows this global trend is a reality, not a mirage.
We will unveil more in-person and online events in the coming months and look forward to building on the success of Who’s Watching Me? PL&B’s 36th International Conference in Cambridge in July by keeping you well-informed on data privacy law developments around the world.
Publisher, Privacy Laws & Business