Under its Constitution and through various statutes, The Bahamas has developed a legal framework through which the collection, use, handling, privacy and storage of personal data are regulated and protected.

Constitution

Subject to the public interest and the rights and freedoms of others, Article 15 of the Constitution of the Commonwealth of The Bahamas provides citizens a right to protection of the privacy of one’s home and "other property", in addition to protection from deprivation of property without compensation. Similarly, Article 21 of the Constitution addresses the privacy of "other property" and further provides that no person should be subjected to a search of their person or property without their consent, unless such search is reasonably justifiable or executed to protect the rights and freedoms of other persons. These constitutional provisions confer protection in respect of unlawfully obtained personal information and data by way of a data breach, at least where the offending party is the state or a person exercising public powers or functions. Obtaining personal data from an individual’s computer, phone or other electronic device could very well constitute a breach of a fundamental constitutional right unless it can be justified by reference to one of the prescribed exceptions under the Constitution.

Data Protection (Privacy of Personal Information) Act, 2003 (DPA)

DPA is the principal law governing the collection, processing, retention, use and disclosure of personal data, and is broadly based on the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980). DPA focuses on the core principles of data collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation and data controller accountability. Its key definitions, concepts and principles are described in some detail below.

Data controller, data processor and data subject

Under DPA, a "data controller" is defined as a person that determines the purpose and manner in which personal data is to be processed (whether alone or in conjunction with others). This role is to be contrasted with that of a "data processor", who processes personal data on the data controller’s behalf. Notably, a "data subject" is defined as a (living) individual who is the subject of personal data.

Personal data and sensitive personal data

DPA makes a clear distinction between "personal data" and "sensitive personal data". Personal data refers to data relating to a living individual who can be identified from the data alone or from the data when considered together with other information that is in the possession of the data controller.

"Sensitive personal data" under DPA refers to personal data as it relates to the following:

• racial origin;
• political opinions;
• religious or other beliefs;
• physical or mental health (subject to certain exceptions);
• trade union involvement or activities;
• sexual life;
• criminal convictions;
• the commission (or alleged commission) of any offence; and
• any proceedings for any offence committed, and the disposal of such proceedings or any sentence made by any court during the course of such proceedings.

Sensitive personal data is given a lengthy definition in the "Interpretation" section of DPA, but it is seldom mentioned in the statute. Section 30(1)(a) of DPA gives the Minister responsible (currently the Minister of Finance) the authority to make regulations providing for additional safeguards relating to sensitive personal data. However, no such regulations have yet been promulgated. Consequently, sensitive personal data does not possess greater legal weight, nor require any safeguards over and above those that apply to regular personal data. Notably, genetic data, biometric data and sexual orientation data (not to be confused with sexual life data) are excluded from the classification of personal data under DPA.

Data subject consent

The notion of data subject consent plays an important role under DPA. For example, a data subject (or someone acting on their behalf) is able to waive any restriction or exception to the disclosure of personal data via their request or consent (Section 13(h) of DPA). Similarly, the transfer of personal data outside The Bahamas may be made upon the express or implied consent of a data subject (Section 17(8) of DPA). It follows that where a data subject has made a request pursuant to their right of access under DPA that would involve disclosing personal data relating to another data subject, the data controller is not obliged to disclose such data unless the other data subject has consented to the same as well (Section 8(5) of DPA).

Territorial scope

Unlike the extraterritorial nature of the EU’s General Data Protection Regulation (GDPR) or Brazil’s recently enacted Lei Geral de Proteção de Dados, DPA in The Bahamas has only limited extraterritorial effect (as it concerns data controllers). Under Section 4(1), DPA only applies to:

• data controllers established in The Bahamas (where the data is processed in the context of the local establishment); and
• data controllers established outside The Bahamas that use equipment in The Bahamas for processing data (other than for transit through The Bahamas).

In the above context, an "established" data controller can be any of the following (in accordance with Section 4(3) of DPA):

• an individual ordinarily resident in The Bahamas;
• a body incorporated or registered under Bahamian law;
• a partnership or other unincorporated association formed under Bahamian law; and
• any person that does not fall into any of the foregoing categories but maintains an office, branch or agency in The Bahamas through which they carry on a business activity or regular practice.

It can be seen, therefore, that a nexus to The Bahamas of the kind described above must be established in order for DPA to apply outside the jurisdiction.

Core data controller obligations

Data controllers owe a statutory duty of care to data subjects in relation to the collection of personal data (or information intended for inclusion in such data or in dealing with such data), pursuant to Section 12 of DPA.

The core duties imposed on data controllers in connection with any personal data kept by them and in accordance with DPA are as follows:

• to collect data using means that are lawful and fair in the circumstances of the case;
• to ensure the collected data is accurate (and kept up to date where necessary);
• to only keep data for one or more specified and lawful purposes;
• not to disclose or use data in a manner that is incompatible with the aforementioned purpose(s);
• to ensure data collected is adequate, relevant and not excessive in relation to the aforementioned purpose(s);
• not to keep data for a period longer than necessary for the aforementioned purpose(s) (except where the data is kept for historical, statistical or research purposes); and
• to take appropriate security measures to prevent unauthorised access to data and to prevent the alteration, disclosure or destruction of data, and to guard against the accidental loss or destruction of data.

Data breach notifications

It should also be noted that DPA places no positive duty on data controllers or data processors to notify data subjects of a data breach incident affecting their personal data. Thus, where such a data breach occurs, data controllers are faced with the option to either not inform the data subject of the breach, or, in the spirit of good corporate governance, transparency and “best practices”, to disclose to the data subject that a breach has occurred and/or seek guidance from the Data Protection Commissioner (DPC).

Enforcement and penalties

The enforcement of DPA is the statutory responsibility of the DPC. In accordance with Part III and Part IV of DPA, the DPC has the authority to, inter alia:

• investigate (or cause to be investigated) claims involving suspected violations of DPA;
• issue an enforcement notice to a data controller or processor requiring a data controller to rectify or erase data subject to an investigation;
• issue an enforcement notice requiring the production of evidence or compliance as it relates to an investigation;
• issue a prohibition notice (as it relates to international data transfers) prohibiting such transfer absolutely or until a specified step is taken with a view to protecting the interests of the data subject(s) concerned;
• issue an information notice requiring a person to furnish information in connection with a matter specified therein;
• request an authorised officer to inspect, examine, operate and/or test any data equipment located on the premises of a data controller or data processor after having given evidence on oath to a Magistrate to request that such a search be carried out in furtherance of an investigation; and
• institute summary proceedings for an offence committed under DPA.

Penalties for persons found guilty of offences under DPA are prescribed as follows:

• on summary conviction (before a magistrate): a fine not exceeding BSD2,000; or
• on conviction on information (in the Bahamas Supreme Court): a fine not exceeding BSD100,000.

Upon the conviction of an offence under DPA, the court may also order that any data associated with the commission of the relevant offence be forfeited, destroyed or erased (as per Section 29(2) of DPA).

Other Relevant Laws and Regulations

Outside of sector-specific regulations, the following enactments are particularly noteworthy.

The Electronic Communications and Transactions Act 2003 (ECTA) brought about the legal recognition of electronic communications, electronic contracts, electronic signatures and electronic information as they relate to commercial and other business transactions. ECTA also provides a definition of "electronic authentication" in connection with the verification of the originator of electronic communications and for the purpose of ensuring that nothing has been altered during transmission.

Of similar importance is Section 11 of ECTA, which addresses the retention of electronic communications. Where electronic documents are required to be retained by law, it is critical that they remain:

• accessible;
• usable for subsequent reference;
• in the same or similar format in which they were generated, sent or received; and
• retained in a way that enables identification of their origin and destination, including information showing the date and time they were sent.

The Computer Misuse Act 2003 (CMA) provides for the protection and securing of computer material(s) against unauthorised access or modification, as well as providing definitions of frequently used terms such as "decryption information" and "encrypted data". Part II of CMA deems the following to be an offence:

• unauthorised access to computer material;
• access to computer material with intent to commit or facilitate the commission of an offence;
• unauthorised modification of computer material;
• unauthorised use or interception of a computer service;
• unauthorised obstruction of use of a computer; and
• unauthorised disclosure of an access code (password).

Notably, CMA has extraterritorial effect pursuant to Section 11 where it is provided that, in relation to any person, despite their nationality or citizenship and regardless of whether they are currently physically located in or outside the jurisdiction of The Bahamas, the provisions of CMA nonetheless have effect so long as:

• the accused is alleged to have committed the offence while physically located in The Bahamas at the material time; or
• the relevant computer, program or data was in The Bahamas at the material time.

Furthermore, Section 11(3) of CMA provides that even where an offence under CMA has been committed in a place outside The Bahamas, it may be dealt with as if the offence had been committed within the jurisdiction of The Bahamas, provided, of course, that the other predicates for the offence are established as well.

As noted in 1.1 Laws, the DPC – through the Office of the Data Protection Commissioner (ODPC) (a corporation sole) – is responsible for the day-to-day enforcement of the provisions of DPA. However, the ultimate, overarching regulator is whichever Minister of the government is assigned data protection as part of their ministerial portfolio – currently the Minister of Finance. Section 30 of DPA gives the Minister the authority to make regulations for a number of purposes, including:

• providing for additional safeguards in relation to sensitive personal data;
• prescribing additional circumstances in which a prohibition, restriction or authorisation should be made for the further protection of the interests of data subjects;
• prescribing fees in connection with matters arising under DPA; and
• prescribing further offences and penalties for non-compliance.

Initiation of Investigations

The DPC may launch an investigation into whether a data controller or data processor has contravened any provision of DPA either via a complaint in writing by a data subject or based on its own considered opinion (pursuant to Section 15 of DPA). Once a complaint is received by the DPC, a determination will be made as to whether the complaint is frivolous or vexatious before notifying the individual who lodged the complaint whether the investigation will be carried out.

Where the DPC is of the opinion that a data controller or data processor has breached or is breaching a provision of DPA, it has the authority to serve an enforcement notice on the data controller or data processor, requiring them to take a specified step (as detailed in the notice) within a specified time. An enforcement notice may also require the data controller or data processor to rectify or erase any data concerned or to supplement the data, as the case may be, in accordance with Section 15 of DPA.

The DPC is tasked with investigating complaints and enforcing the provisions of DPA. There are a number of offences laid down in DPA, pursuant to Section 29 of which persons found guilty of any offence referred to therein will be subject to a penalty (see 1.1 Laws, "Enforcement and Penalties").

Investigation and Imposition of Penalties

ODPC has made a Policy Statement and Guidance on Complaint Handling (2012) (the DPC Complaints Handling Policy) available on its official website, which is non-binding from a legal standpoint but is certainly persuasive in terms of guidance as to best practices. In accordance with Part II of the DPC Complaints Handling Policy, it is first suggested that a data subject should lodge a complaint with the data controller (preferably to senior management of the relevant company) in an effort to resolve the matter amicably as early as possible (though they can, if they prefer, make a direct complaint to ODPC instead). Where the data controller has not complied with the request (or ignored it) or the data subject is not satisfied with the way in which the request or complaint was handled, it is then suggested that the data subject contacts the DPC for further assistance.

Essentially, data subjects may make complaints via a written request, called a Data Protection (Privacy) Complaint Form (Complaint Form), to the DPC. Complaints may also be made verbally via telephone where the data subject making the complaint is unable to submit the Complaint Form. The form is available for use on the ODPC website and should be accompanied by written documentation as evidence to support any claim or allegation made as it relates to the data subject’s concern or complaint. A Complaint Form may be completed through a representative or agent if the data subject does not wish to complete the form themselves. The Complaint Form asks the data subject or their agent whether any of the following has occurred:

• an institution has inappropriately collected, disclosed, deployed or disposed of personal information pertaining to the data subject; or
• "other" (this category is provided in case a complaint does not fit neatly into any of the foregoing categories).

The Complaint Form also asks the data subject for details of the complaint and a description of how they would like the privacy complaint to be resolved. Once submitted, ODPC should acknowledge receipt of the Complaint Form within three working days (provided it is a valid complaint) and, after being notified of the nature of the complaint, the alleged offending data controller or processor will have 21 days to respond to the DPC. It should be noted that complaints are treated with strict confidence, though there may be instances where the DPC will need to disclose the contents of the complaint to the relevant institution (with the data subject’s consent). Consent to disclose details of the complaint to the relevant institution is also asked for in the Complaint Form.

The DPC will make its best efforts to contact the relevant institution with a view to meeting with them (mainly to establish facts) and finding the best solution given the circumstances. In any event, the DPC will review the response of the institution and feed back the results of the investigation to the data subject. Any action that should be taken or that is proposed would also be communicated to the data subject at this time (as per Section 5.4 of the DPC Complaints Handling Policy).

Respondent’s Due Process and Appeals Rights

As described in 1.1 Laws, after the completion of an investigation, the DPC has the ability to issue an enforcement notice, information notice or prohibition notice, depending on the context. Dissatisfied institutions have a right to appeal. Section 24 of DPA states that appeals may be made to – and determined by – the court, in respect of a requirement imposed under an enforcement or information notice or a prohibition outlined in a prohibition notice. The appeal must be brought within 21 days of the date of service of the relevant notice.

See 1.6 System Characteristics.

There are no major privacy or data protection NGOs or industry self-regulatory organisations (SROs) connected specifically to data protection. Over the years, there have been various civil rights and accountability/transparency groups that have spoken out – and in some instances litigated on a “judicial review” basis – concerning a few select data privacy and data protection issues (which shall be explored later in this guide), but only insofar as they concern the general governance of the country and/or the (lack of) freedom of information surrounding various government policies, new legislation or the grant of licences or governmental approvals for controversial development projects.

There are some perceived similarities between Bahamian data protection law and that of other jurisdictions. As was explained in 1.1 Laws, DPA dates back to 2003 and is modelled on the OECD Privacy Guidelines of 1980. Consequently, it does not cover many of the contemporary privacy issues covered in the more recent comprehensive legislation and regulation coming out of jurisdictions like the EU, Brazil or some states within the United States.

The Bahamian data protection framework is not aggressively enforced, as is the case in many other jurisdictions in the “developed world”. ODPC remains relatively quiet on privacy issues of national concern and does not regularly update its website; in fact, it has not posted any additional guidance for the public or data controllers on its website since 2013. Furthermore, although no regulations or codes of practice have been developed thereunder since its enactment, DPA does cover the most fundamental protections for data subjects adumbrated in the OECD Privacy Guidelines.

As alluded to in 1.1 Laws, DPA and the GDPR share similar definitions for personal data, sensitive personal data, data controller and data processor, although the GDPR expands on the classification of certain types of data to include such identifiers as biometric data, sexual orientation, genetic data, location data and philosophical beliefs. Like the GDPR, DPA covers core data privacy principles such as lawfulness, fairness, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality.

However, steps taken to ensure that data controllers are abiding by these principles and the associated accountability standards are much more detailed under the GDPR. One example of this is the lack of a data breach notification requirement under DPA, whereas under the GDPR data controllers are obliged to inform data subjects of such a breach within 72 hours. Another example is the requirement under the GDPR for data controllers to appoint a Data Protection Officer (DPO) to act as the contact point for data subjects and the data protection authority; this is not a requirement under DPA. It has been suggested, however, through non-legally binding guidance from ODPC that there should be a contact person within an organisation to handle data subject access requests (DSARs).

One key development of the last 24 months has been the enactment of the Property (Execution of Deeds and Documents) Act 2020, Section 3 of which now allows electronic signatures to be electronically attached to deeds. Deeds may take the form of an electronic communication as per Section 2 of ECTA, and an electronic signature (in accordance with Section 9 of ECTA) used as a method of execution on the deed will be considered valid unless a contrary intention is proved. Prior to this, deeds were not permitted to be executed electronically, although a wide range of other documents were capable of electronic execution under earlier iterations of the legislation.

Also, legislation in the last two years has imposed new data disclosure requirements on companies and other entities (and their owners or controllers) with a view to bringing The Bahamas into greater conformity with the EU, OECD and/or FATF reporting regimes concerning AML and KYC. The legislation dealing with registers of beneficial ownership and commercial entities' reporting is emblematic of this particular trend, adherence to which is vital to avoid EU blacklisting.

Expected Updates to Legislation

There are some changes expected in relation to privacy legislation. In 2021, the then-government of The Bahamas (in partnership with the International Telecommunications Union and the Inter-American Development Bank) announced their intention to launch a National Cybersecurity Project with a view to implementing a national security strategy and establishing a Computer Security Incident Response Team. This was seen as an effort to increase cybersecurity in general within the jurisdiction (particularly in relation to government agencies) and to boost The Bahamas’ ranking on the UN Global Cybersecurity Index as the government presses forward with its goal of digitally transforming e-government services. Since the change in government as a result of the general election of September 2021, it remains to be seen, as at the time of publication, whether the trio of cyberlaws enacted in 2003 (DPA, CMA and ECTA) will finally see updates in furtherance of this objective.

Cyber-attacks

Since the onset of the COVID-19 pandemic, there has been an observed spike in cyber-attacks in both the public and private sectors. There have been reports of cyber-incidents involving schools as they have tried to navigate the transition to virtual learning on various online platforms. Similarly, there was a particularly notable (and controversial) cyber-incident involving a public hospital where confidential patient records were leaked on social media, including the names and addresses of patients who were receiving HIV/AIDS treatment.

he digital database of the Registrar General’s Department was also hacked, resulting in a leak of Companies Registry information that, although not confidential, normally requires a fee to view.

Data Protection Officers

DPA does not require the appointment of a DPO. The (non-binding) Guide for Data Controllers (GDC) provided by ODPC recommends that staff of institutions that are deemed data controllers under DPA should receive appropriate training, and that an internal data protection policy should be put in place to ensure compliance with the law (in accordance with Section 8 of DPA where necessary measures should be put in place to facilitate a DSAR). Elsewhere, the DPC Complaints Handling Policy states that a "contact person" should be appointed to handle complaints, though again this is not required by statute. Some local institutions have appointed DPOs as a matter of best practice.

Authorisation of Data Collection, Use and Other Processing

Interestingly, DPA does not state (in a singular section) the grounds upon which the collection, use and processing of personal data may be authorised. However, Section 1 of GDC, which is non-binding, provides that processing personal data must be necessary for (generally), inter alia:

• preventing injury or damage to the health of the data subject;
• preventing serious loss or damage to the property of the data subject;
• protecting the vital interests of the data subject if seeking consent is likely to damage those interests;
• the administration of justice;
• the performance of a function conferred on a person by or under an enactment; and
• the purpose of legitimate interests pursued by a data controller (except where processing is unwarranted).

Privacy by Design

DPA does not expressly require software or app developers to integrate a privacy by design framework, approach or strategy in the implementation of IT systems or the creation of software, apps or electronic services. Some core principles of privacy by design, including transparency, preventative measures, visibility and security, are addressed in Section 13(1) of the Payment Instruments (Oversight) Regulations 2017 (PIOR), which states that payment service providers should implement measures to address consumer protection, education and privacy. Section 13(2) of PIOR further states that payment service providers should adopt policies on, inter alia, safe operations, privacy of customer information and transparency of products and services.

Privacy Impact Assessment

There is no requirement to conduct a Privacy, Fairness or Legitimate Impact Assessment (or Analysis) under DPA. It should be noted, however, that under the Bahamian financial services legislative framework there are instances where risk assessments must be carried out – typically to prevent and mitigate risks associated with money laundering and the financing of terrorism and terrorist organisations. For example, the recently enacted Digital Assets and Registered Exchanges Act 2020 (DARE) necessitates a risk assessment to be carried out, as well as the implementation and maintenance of policies and procedures to ensure compliance with the Proceeds of Crime Act 2018 (POCA), the Anti-Terrorism Act 2018 (ATA) and the Financial Transactions Reporting Act 2018 (FTRA), in connection with digital asset business service providers. Any guidelines or policies published by the Securities Commission of The Bahamas (SCB) as they relate to risk management must also be followed (as per Section 26 of DARE).

Adoption of Internal or External Privacy Policies

DPA does not require data controllers to have internal and external privacy policies in place, although this is encouraged by DPC under GDC and the non-binding DPC Checklist for Handling Personal Information (DPC Checklist). The DPC Checklist, which was adopted from the Privacy Commission of Canada, states that such policies and procedures will help staff know how to handle DSARs or requests for personal information from government bodies, non-governmental organisations, individuals or the media. Section 7 of GDC further provides that a minimum standard of security includes taking reasonable measures to ensure staff are made aware of the organisation’s security measures in furtherance of the data controller’s core duty under Section 6 of DPA to have appropriate security measures in place to prevent unauthorised access to data. It is implied that privacy policies would fulfil this criterion (but this is not legally mandated).

Data Subject Rights

Under DPA, data subjects are entitled to a right of access (subject to some exceptions) to their data, a right of rectification or erasure of their personal data, and a right to prohibit the use of their data for purposes of direct marketing.

A data subject may make a (written) DSAR to the relevant data controller with respect to accessing their data. Where the request is valid and does not contravene the provisions of DPA, the data controller will have 40 days to provide a response and either:

• inform the data subject of the data kept by them – inclusive of any personal data;
• supply the data subject with a copy of the information associated with the data; or
• provide an explanation of the data where said data may be unintelligible or otherwise expressed in terms that are not easily understood by the data subject (as per Section 8(1) of DPA).

Under Sections 10 and 11 of DPA, data subjects may also make a written request to a data controller pursuant to their right of rectification or erasure of data and their right to prohibit the processing of their data for the purposes of direct marketing where one of the core data controller obligations has been contravened under Section 6 of DPA.

Where a data controller refuses a DSAR in accordance with DPA, they should do so in writing, explaining why the request is being refused (for example, the request is vexatious or the data is confidential or otherwise cannot be provided as it falls under an exception provided under DPA) and indicate to the data subject that a complaint can be made to the DPC thereafter in connection with the refusal.

DPA does not specifically address data portability. Data subjects that object to the collection, use or transfer of their data on the ground that their data has been collected, used or transferred in contravention of a DPA provision should write to the relevant data controller in the first instance in connection with the complaint and then to the DPC (either individually or through an agent) if they are not satisfied with the response; see 1.3 Administration and Enforcement Process, "Investigation and Imposition of Penalties" for more details on this process.

Anonymisation, De-identification and Pseudonymisation

Data that has been anonymised or de-identified would not be caught under the definition of personal data under DPA. Under DPA, personal data relates only to living individuals that can be identified from data directly, or from data in conjunction with other information possessed by the data controller.

Profiling, Microtargeting, Automated Decision-Making, Online Monitoring, Big Data Analysis, Artificial Intelligence and Algorithms

There are no specific restrictions, allowances, regulations or guidelines relating to microtargeting (outside of what is already provided under the provisions of DPA), “big data” analysis, artificial intelligence (AI), algorithms or online monitoring under Bahamian law.

ODPC has released (non-binding) guidance notes with respect to data protection and political parties (DPC Political Campaign Guidance), which briefly address profiling and automated-decision making. Profiling is not expressly forbidden under DPA, although obtaining data for the purposes of direct marketing through deceptive or unlawful means may be considered a contravention of DPA. The DPC Political Campaign Guidance reiterates the "absolute" right for a data subject to prohibit the processing of personal data for the purpose of direct marketing, while reaffirming (per Section 4) that political parties should be careful when conducting market research communications with citizens. Recording attitudes based on responses to such research communications in a way that does not personally identify the individual is of supreme importance. It is thus implied that, where personally identifiable information does need to be recorded and the individual is consequently profiled (with a view to predicting voting behaviour based on responses to surveys and tailored communications or promotional materials based upon attitudes to various social issues, for example), then any future communication should be prefaced by stating that their information is being collected for the purposes of marketing, and respondents have the right to opt out of proceeding any further. In such cases, automated-decision making, profiling and direct marketing are inextricably linked.

Lastly, under (non-binding) GDC, the DPC suggests that data subjects are entitled to know the logic involved in automated decisions, subject to exceptions. Note that this is not explicitly referred to in the corresponding section in DPA (Section 8). Under GDC, however, data controllers are told that such information is encompassed under the criteria of information that should be provided to a data subject pursuant to a data subject’s right of access (unless they are exempted under DPA).

"Injury" and "Harm" in the Context of Bahamian Data Protection Law

Under DPA, any restrictions or exceptions to the disclosure of personal data will not apply where such disclosure is urgently required in order to prevent injury or other damage to the health of a person or serious loss of or damage to property (Section 13(d) of DPA). Similarly, the DPC may prohibit an international transfer of data where such a transfer would likely cause damage or distress to any person (Section 17(2) of DPA). It is not made clear as to whether the "health of a person" (in the context of disclosure) also extends to a data subject’s mental health, but it is submitted that the better view is that it does.

Financial Data

Interestingly, banking and financial data is not considered sensitive personal data under DPA. This may partly be due to the fact that The Bahamas has an extensive, highly developed and heavily regulated financial services legislative framework that addresses the handling, use, retention and confidentiality of banking information, particularly in the Banks and Trust Companies Regulations Act 2020. Nevertheless, any personally identifiable information collected by a banking institution would still be subject to the provisions of DPA, unless otherwise exempted.

Health Data

Health data (including as it relates to "physical" and "mental" health) is considered sensitive personal data under DPA. By extension, this may also include "sexual life", which should also be treated as sensitive personal data. It does not include data kept by an institution (data controllers) in relation to the physical or mental health of its employees in the ordinary course of personnel administration (as per Section 2(1) of DPA). Furthermore, medical practitioners have a statutory obligation not to act in a way that is contrary to medical ethics, including any wilful or reckless betrayal of professional confidence under the Medical Act 2014.

Communications, Voice Telephony, Text Messaging and Electronic Communications Data

Communications data (inclusive of voice telephony, text messaging and electronic communications) is not categorised as sensitive personal data under DPA per se. A communication will be distinguished as sensitive personal data where it can be related or traced back to an identified living individual and the contents of that communication refer to an individual’s race, political opinions, religious or "other" beliefs, physical or mental health, trade union involvement or activity, sexual life or criminal past (or allegations).

"Communications data" is defined under the Interception of Communications Act 2018 (ICA) as, inter alia, any traffic data comprised in or attached to a communication (for the purposes of any postal service or communications network) via a "transmitted communication". It is important to note that communications data does not include the actual contents of a communication. A "communication" under ICA includes anything comprising speech, music, sounds, visual images, or data of any description (which, in most circumstances, can lead to the identity of an individual being discovered).

Children’s or Student Data

Children and students do not enjoy special privileges under DPA as the Act does not distinguish between children and adults. Privacy as it relates to student records would fall under personal data under DPA, although data collected in connection with any of the subcategories of sensitive personal data will be deemed sensitive for the purposes of DPA.

Employment Data

Employment data is not specifically mentioned under DPA and therefore is not categorised as sensitive personal data insofar as that data does not include – or is not inextricably linked to – some statutory sensitive personal data category.

Union Membership, Sexual Orientation, Political or Philosophical Beliefs

See 1.1 Laws.

Internet, Streaming and Video Issues

Browsing data, viewing data, cookies, beacons, location data, tracking technology, etc

Browsing data, viewing data, cookies, beacons and location data (other than tracking technologies that have been authorised to be used through surveillance legislation) are not regulated under the provisions of DPA and would only be classified as sensitive personal data where such data can be used to identify an individual. Pursuant to guidance provided by the DPC, internal and external privacy policies are encouraged in order to explain to the end user what kind of data is being collected from them during the browsing experience. It is also best practice to have a cookies policy in place with a view to being transparent about how any collected data will be used.

Social media, search engines, large online platforms, intermediary liability for user generated content

Where such online platforms meet the criteria for DPA to apply, they will be treated as businesses or online intermediaries under ECTA (and therefore ultimately as data controllers – though in some instances with fewer liability risks) and be subject to Bahamian data protection and e-commerce law. There is no specific privacy or data protection policy relating to the regulation of social media, search engines and large online platforms.

In the context of electronic communications, an intermediary is defined in Section 2 of ECTA as “a person including a host who on behalf of another person sends, receives or stores either temporary or permanently that electronic communication or provides related services with respect to that electronic communication.” Section 20(4) of ECTA provides that intermediaries “will not be held liable in contract, tort, under statute or pursuant to any other right, to any person, including any person on whose behalf the intermediary provides services in respect of information in an electronic communication, for any action the intermediary takes in good faith…” It should also be noted that, pursuant to Section 19(2) of ECTA, intermediaries are not required to monitor information contained in electronic communications in respect of which the intermediary provides services or access solely to establish whether information contained in such communications gives rise to civil or criminal liability.

Addressing hate speech, disinformation, etc

Hate speech and disinformation campaigns became a hot-button issue at the onset of the COVID-19 pandemic in The Bahamas, with many fake news items being shared on social media. This led to the government briefly imposing an emergency law banning the publication of "fake news" calculated to incite public panic, fear or hatred. This provision quickly fell away. Under the Penal Code, the offence of criminal libel is also available as an avenue of recourse for victims of online abuse; the remedy of civil action for defamation is available as well.

It should be further noted that DPA does not recognise any “right to be forgotten”, right to data portability or rights to object to the sale of data as is afforded under the GDPR and in other jurisdictions.

Child abuse in the context of online publications is dealt with in Section 16A of the Sexual Offences Act, which makes producing (for the purpose of publication or not) any child pornography an offence that would render the perpetrator liable to imprisonment for life. Similarly, Section 16A (2) provides that any person receiving, disseminating, possessing or intentionally causing or inciting a person under the age of 18 to be involved in pornography is guilty of an offence and liable to imprisonment for a term of 20 years.

Though deepfakes are not widely seen in The Bahamas, the publication of thereof (particularly if there is a defamatory element) would likely fall within the scope of an "unlawful publication" under Section 318 of the Penal Code, which provides that “a person publishes a libel if he causes the print, writing, painting, effigy or other means by which the defamatory matter is conveyed, to be so dealt with, either by exhibition, reading, recitation, description, delivery or otherwise as that the defamatory meaning thereof becomes known or is likely to become known to either the person defamed or any other person.” "Effigy or other means" in this context would likely cover cyber or digitally manipulated effigies that characterise deepfakes intended to cause damage to the reputation of an individual.

Unsolicited Commercial or Marketing Communications

Data subjects have the right to prohibit processing for purposes of direct marketing under DPA, and may opt out of such via a written request. Internet or online marketing is not heavily regulated in the jurisdiction outside of DPA (unlike broadcasting networks, as explained below).

As it relates to telemarketing calls and texts, Section 47 of the Communications Act 2009 (CA 2009) provides that the Utilities Regulation & Competition Authority (URCA) may prohibit the use of a network or carriage service to provide unsolicited communications in order to reduce or eliminate annoyance, inconvenience or anxiety.

The non-binding guidance provided by the DPC in connection with data protection during political campaigns is instructive (see 2.1 Omnibus Laws and General Requirements).

Workplace privacy or surveillance is not directly addressed under the Employment Act, although it is an offence under CMA to access someone’s computer (or other device) without their knowledge or consent. Employers may ask their employees to waive privacy rights as they relate to company property or software (eg, computers, smartphones, etc) via an employment contract with a view to monitoring, for example, online behaviour while using company property, although consent is not legally required in the context of insider threat detection and prevention programmes. Consent to participate in the same is not required under DPA insofar as any relevant information obtained is not subsequently disclosed to unauthorised third parties and the data is not collected in a deceiving, misleading or potentially damaging or distressing way. Employers should also avoid collecting excessive data that would fall outside the scope of the specific purpose of the programme.

From an enforcement and litigation standpoint, the case law in The Bahamas as it relates to data protection violations is scant. There is nothing precluding a data subject from filing a lawsuit against a data controller for an alleged contravention of DPA where there is an alleged breach of the statutory duty of care owed to data subjects and the obligation to utilise appropriate safeguards to protect personal data from unauthorised access. Class action suits are permissible in the jurisdiction but they are seldom used.

There have been no major reported cases centring around the provisions of DPA.

There are laws and standards that apply to law enforcement agencies regarding the accessing of data for serious crimes.

Section 88 of CA 2009 provides that, as a matter of national interest, licensees under the Act must ensure that their networks enable the ability to hear, listen and record private conversations in accordance with and pursuant to authorisation granted under the Listening Devices Act (now repealed and replaced by ICA). Note that DPA does not apply to personal data kept with a view to safeguarding the security of The Bahamas in the opinion of the Minister or the Minister of National Security, nor will any restriction or exception to the disclosure of personal data apply where such disclosure is required for the investigation of an offence or by any enactment or court order.

Pursuant to ICA (an Act that was met with some public controversy), communications can be intercepted in accordance with an interception warrant, which can be granted by a judge upon application (Section 5 of ICA). Obtaining information under these provisions must be shown to be necessary in order to prevent or detect a specified offence where there are reasonable grounds to believe such has been committed or is about to be committed, or where the information is required under a mutual legal assistance agreement between the government of The Bahamas and some foreign government. Such an application is made by the Attorney General.

See 3.1 Laws and Standards for Access to Data for Serious Crimes.

See 4.6 Limitations and Considerations.

As far as is known, The Bahamas does not participate in a Cloud Act agreement with the United States.

See 1.8 Significant Pending Changes, Hot Topics and Issues.

Generally, there are only limited restrictions on international data transfers of personal information. Section 12(2) of DPA provides that a data controller must use contractual or other legal means to provide a comparable level of protection from any third party to which it discloses information for the purposes of data processing. A third party in that instance is often a cloud service provider. Furthermore, under Section 17 of DPA, the DPC has the ability to prohibit the transfer of personal data outside The Bahamas (via a prohibition notice) where there is a failure to provide protection either by contract or by other methods provided under DPA. The potential damage and distress to any person as a result of an international data transfer, as well as the desirability of facilitating the transfer, will be taken into consideration by the DPC in reaching its decision on whether to permit the transfer. A prohibition notice in accordance with Section 17 of DPA may require the person to take specified steps to protect the interests of the data subject.

A data subject may waive any restriction on international data transfer through their express or implied consent.

There are no specific mechanisms that apply to international data transfers from The Bahamas. Under GDC, which is non-binding, it is stated that, subject to the prevailing laws of the Commonwealth of The Bahamas, there are special conditions that must be met before transferring personal data outside the European Economic Arena (EEA) when the importing country does not have data protection laws that are equivalent to those of the EU (as DPA is generally based on privacy principles established by the OECD, UN, EU and Council of Europe). The conditions to consider include the following:

• whether consent was given by the data subject;
• whether the transfer is required under any enactment or by any convention or other instrument imposing an international obligation on The Bahamas (Section 17(8) of DPA), pursuant to the performance of a contract between the data controller and a third party and/or data subject; and
• whether the transfer is being made with a view to obtaining legal advice.

No government notifications or approvals are required to transfer personal data internationally, unless a prohibition notice has been issued with respect to the data by the DPC in accordance with its powers under DPA.

There are no data localisation requirements under DPA.

See 2.2 Sectoral and Special Issues regarding the data retention requirements relating to financial data.

Under the provisions of the Industrial Property Act 1970, an application to the Industrial Property Office (now the Intellectual Properties Section of the Registrar’s Office) to register a patent must be accompanied by a specification of the invention, describing it and the methods by which it is to be informed. It is not specifically stated that software code and algorithms would need to be shared in the description of the invention, although it is implied. If the application is granted, the patent will be recorded in the Register of Patents.

There is no specific provision under DPA aimed at limiting or prohibiting organisations from collecting or transferring personal data in connection with foreign government data requests, though there are restrictions relating to disclosure pursuant to a foreign government data request. Depending on the jurisdiction and the nature of the investigation, consideration should be given to the Mutual Legal Assistance (Criminal Matters) Act 1990, which provides for the implementation of treaties for mutual legal assistance in criminal matters. The Bahamas currently has mutual legal assistance treaties with the USA, the United Kingdom and Canada. The Act lays down the process through which foreign courts should make a request (applicable) to the (Bahamian) Competent Authority with a view to obtaining evidence in the jurisdiction to be used in foreign proceedings.

Blocking statutes are not a feature of the Bahamian legislative framework, although the Central Bank of The Bahamas does have the power to block transactions with certain countries in order to meet the international obligations of The Bahamas under various UN and other multilateral sanctions.

The following emerging technologies (and aspects thereof) are not currently specifically addressed under Bahamian law:

• big data analytics;
• automated decision-making (outside of what has already been discussed in this article);
• profiling or microtargeting (outside of what has already been discussed in this article);
• AI;
• geolocation (outside of what has already been discussed in this article);
• dark patterns or online manipulation (outside of what has already been discussed in this article);
• fiduciary duties as they relate to data protection (outside of what would ordinarily be required as a data controller under DPA – where applicable – or under Section 77 of the Banks and Trust Companies Regulation Act 2020 and Section 83 of the Trustee Act 1998); and
• the internet of things (IoT) or ubiquitous sensors.

Biometric Data and Facial Recognition

From a legal standpoint, biometric data has only been defined and referred to in legislation within the context of immigration law and biometric cards issued under the Immigration (Amendment) Act 2019, Section 2 of which refers to "biometric data and features" as including digitised fingerprints, machine-readable facial images, machine-readable biographical data and digital signatures.

Drones

Drones (or "unmanned aircraft" or "remotely piloted aircraft") require a permit from the Bahamas Civil Aviation Authority (BCAA), which is a department of the Bahamian government that has safety oversight of matters pertaining to aviation in The Bahamas. Once an application has been granted, drones are subject to strict altitude restrictions and safety regulations, as provided for under Schedule 27 Unmanned and Remotely Piloted Aircraft, the Civil Aviation Act 2016, and Civil Aviation (General) Regulations, 2017.

Disinformation, Deepfakes or Other Online Harms

See 2.2 Sectoral and Special Issues.

There are no known organisations in The Bahamas that establish protocols for digital governance, nor fair data practice review boards or committees that address the risks of merging or disruptive digital technologies outside of URCA, which acts as the electronic communications and telecommunications sector regulator. URCA publishes an Electronic Communications Sector Policy every three years and part of its policy imperatives is to "embrace" emerging technologies. Draft legislation was produced in 2020 with a view to establishing a body corporate called the Virtual Innovation Authority, which would be tasked with, inter alia:

• safeguarding data protection rights;
• developing policies to encourage fair competition;
• assisting vulnerable people through policy;
• promoting fair competition; and
• developing policies in connection with technology risk frameworks and emergent technologies.

This draft legislation, along with the Emergent Technologies Bill, has not progressed any further to date.

See 1.2 Regulators and 1.3 Administration and Enforcement Process.

There has been no significant private litigation involving privacy or data protection in the last year. It is important to note that class action suits are permissible under Bahamian law but are still largely alien to the litigation culture of The Bahamas, except in the areas of employment law and environmental protection law.

When conducting due diligence in corporate transactions, it is imperative to consider any AML, CTF and KYC regulations and guidelines that may apply or are required to be observed, as provided under the relevant legislation. Consideration should also be taken of any data subject rights afforded to individuals (if applicable) under DPA and any conflict of laws as it pertains to, inter alia, the acceptance of digital signatures for corporate transactions.

As far as is known, there are no non-privacy or data protection-specific laws or regulations that mandate the public disclosure of an organisation’s cybersecurity risk profile or experience.

There are no further significant issues.