The following laws and/or regulations govern data protection and privacy in Jamaica:

• Tthe Data Protection Act, 2020 (DPA);
• the Data Protection Regulations, 2024 (the “Regulations”); and
• the Data Protection (Data Controller Registration) Regulations, 2024 (the “Registration Regulations”).

In Jamaica, these laws are the only set which govern data protection and privacy. Our laws do not distinguish between federal and state, nor do we have laws that distinguish between the national and subnational, the supranational and domestic, or the general and sectoral.

The DPA is extraterritorial in scope in that it applies to individualsand/or entities that are not resident or established in Jamaica but:

• use equipment in Jamaica for the processing of personal data other than for the purpose of transit through Jamaica; or
• process personal data of data subjects in Jamaica, and the processing activities relate to:
1. the offering of products or services to data subjects in Jamaica, irrespective of whether a payment is required; or
2. the monitoring of the behaviour of data subjects to the extent that their behaviour takes place within Jamaica.

Interplay Between the DPA and Other Laws

Cybercrimes Act

The Cybercrimes Act, 2015 supports the DPA’s security goals by criminalising unauthorised access and interference with systems and data.

A data breach under the DPA may also constitute an offence under the Cybercrimes Act, for example, unauthorised access, which has the potential to create dual civil and criminal liability.

The Cybercrimes Act applies to all data and is not limited to personal data. This means that it covers criminal misuse of non-personal data such as corporate data held on IT systems.

General Principles

All data controllers are required to comply with the eight data protection standards set out under the DPA. These data protection standards are as follows:

• Fairness and lawfulness: Personal data must be processed fairly and lawfully and must not be obtained by deception or any misleading information.
• Purpose limitation: Personal data must only be obtained for a specific and lawful purpose and must not be processed in any manner incompatible with those purposes.
• Data minimisation: Personal data must be adequate, relevant, and limited to the purpose for which it is being processed.
• Accuracy: Personal data must be accurate and, where necessary, kept up to date.
• Storage limitation: Personal data must not be kept for longer than is necessary and must be disposed of in accordance with any regulations (once passed) under the DPA.
• Rights of data subject: Personal data must be processed in accordance with the rights of the data subject;
• Implementation of technical and organisational measures: Personal data must be protected using appropriate technical and organisational measures so as to prevent unauthorised or unlawful processing of the data as well as any accidental loss or destruction of, or damage to, the data.
• Cross-border transfers: Personal data must not be transferred to a State or territory outside of Jamaica unless that State or territory ensures an adequate level of protection for the rights and freedoms of the data subjects in relation to the processing of personal data.

Conditions for Processing Personal Data

The DPA stipulates that personal data must not be processed unless at least one of the following conditions has been met:

• the data subject has consented to the processing and has not withdrawn that consent;
• the processing is necessary (i) for the performance of a contract to which the data subject is a party; or (ii) for the taking of steps at the request of the data subject with a view to entering into a contract;
• the processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract;
• the processing is necessary in order to protect the vital interests of the data subject;
• the processing is necessary (i) for the administration of justice; (ii) for the exercise of any functions conferred by or under any enactment; or (iii) for the exercise of any other functions of a public nature exercised in the public interest;
• the processing is necessary for the purposes of legitimate interests pursued by the data controller or by any third party to whom the personal data is disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject; or
• the data subject has published the personal data concerned.

Data Subject Rights

Right to be informed/right to access

A data subject has the right to be informed of whether his/her personal data is being processed by or on behalf of the data controller, and if so, he/she has the right to be provided with:

• a description of the personal data;
• the purposes for which the data is being processed; and
• the recipients to whom the disclosure is made.

Right to rectification

A data subject has the right to request that the data controller rectify any inaccuracy in his/her personal data which is in the data controller’s possession or control. For the purposes of the DPA, the term “rectify” means to amend, block, erase or destroy and the term “inaccuracy” includes any error or omission.

The right to prevent processing

A data subject has the right to prevent the processing of his/her personal data in specified circumstances such as:

• where the processingis likely to cause substantial damage or substantial distress to the data subject or to another person and where the damage or distress caused or likely to be caused (as the case may be) is unwarranted;
• where the processing of the data is incomplete or irrelevant;
• where the processing of the data is prohibited by law; or
• where the data has been retained by the data controller for a period longer than required by law.

The right to prevent processing for direct marketing purposes

A data subject has the right to prevent the processing of his/her personal data for the purposes of direct marketing unless the data subject gives his/her consent or is a customer of the data controller.

Right not to be subject to automated decision-making

A data subject has the right to request that a data controller does not make any decision which would significantly affect him/her solely on the basis of the results of automated processing. These decisions include matters relating to the evaluation of the data subject’s work performance, creditworthiness, reliability or conduct.

Compliance Checklist

Below is a detailed checklist of the “to dos” for organisations under the DPA.

Registration and record-keeping

All data controllers are required to register with the Information Commissioner before processing personal data. Data controllers must pay the prescribed registration fee and annual maintenance fee to keep the registration active.

Data controllers are also required to provide and maintain detailed processing records, including:

• data controller’s name/contact details;
• description of personal data processed;
• categories of data subjects;
• purpose(s) of processing; and
• recipients of personal data (including transfers abroad).

Data protection impact assessment

Unless otherwise indicated by the Information Commissioner, data controllers are required to annually submit to the Information Commissioner a data protection impact assessment (DPIA) in respect of all personal data in the custody or control of the data controller.

Data Protection Officer (DPO)

Data controllers that fall within any of the following categories are required to appoint a DPO:

• data controllers that are public authorities;
• data controllers that process or intend to process sensitive personal data or data relating to criminal convictions;
• data controllers that process personal data on a large scale; and
• data controllers that are designated by the Information Commissioner as requiring a DPO.

Compliance with data protection standards

All data controllers must comply with the eight data protection standards as outlined in the DPA. These standards are discussed above.

Breach notification

All data controllers are required to report any security breach in respect of the data controller’s operations which affects or may affect personal data to the Information Commissioner within 72 hours after becoming aware of the breach.

Data controllers are also required to report any security breach to each data subject whose personal data has been affected by such breach within 72 hours after becoming aware of the breach.

Incident and breach management

Data controllers are required to maintain records of breaches and any remedial actions taken.

Conditions for Processing Sensitive Personal Data

The DPA stipulates that sensitive data must not be processed unless at least one of the following conditions has been met:

• the data subject has consented in writing to the processing of the personal data;
• the processing is necessary for the purposes of exercising or performing any right or obligation which is conferred, or imposed, by law on that data controller in connection with employment or social security benefits;
• the processing is necessary:
1. in order to protect the vital interests of the data subject or another individual, in any case where:
1. consent cannot be given by or on behalf of the data subject; or
2. the data controller cannot reasonably be expected to obtain the consent of the data subject, the data controller having exhausted all reasonable efforts to obtain that consent; or
2. in order to protect the vital interests of another individual, in any case where consent by or on behalf of the data subject has been unreasonably withheld;
• the processing:
1. is carried out in the course of legitimate actions by any body or association which:
1. is not established or conducted for profit; and
2. exists for political, philosophical, religious or trade-union purposes;
2. is carried out with appropriate safeguards for the rights and freedoms of data subjects;
3. relates only to individuals who either are members of the body or association or have regular contact with it in connection with its purposes; and
4. does not involve disclosure of personal data to a third party without the consent of the data subject;
• the information contained in the personal data has been made public as a result of steps deliberately taken by the data subject;
• the processing:
1. is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings);
2. is necessary for the purpose of obtaining legal advice; or
3. is otherwise necessary for the purposes of establishing, exercising or defending legal rights;
• the processing is necessary for:
1. the administration of justice; or
2. the exercise of any functions conferred on any person by or under any enactment;
• the processing is:
1. either:
1. the disclosure of sensitive personal data by a person as a member of an anti-fraud organisation or otherwise in accordance with any arrangements made by such organisation; or
2. any other processing by a person referred to in (i) above or another person of sensitive personal data so disclosed; and
2. necessary for the purpose of preventing fraud;
• the processing is necessary for medical purposes and is undertaken by:
1. a health professional; or
2. a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a health professional; or
• (a) the processing: (i) is of sensitive personal data consisting of information as to racial or ethnic origin; (ii) is necessary for the purpose of identifying or keeping under review the existence or absence of equality of opportunity or treatment between individuals of different racial or ethnic origins, with a view to enabling such equality to be promoted or maintained; and (iii) is carried out with appropriate safeguards for the rights and freedoms of data subjects; or (b) the sensitive personal data is processed in circumstances specified in an order made by the relevant Minister.

Children’s Data

The DPA states that where the personal data being processed belongs to a minor, the rights granted to a data subject under the DPA may be exercised by a parent or legal guardian of the minor, or by the minor in any case where the law recognises the capacity of the minor to act on his/her own behalf.

The DPA also stipulates that where consent is required for processing, in the case of a minor, the consent must be given by a parent or legal guardian of the minor, unless the law recognises the capacity of the minor to give consent on his/her own behalf.

The DPA is silent with respect to the anonymisation of patient data for the purposes of product development or scientific research.

Note, however, that where the personal data is anonymised so that no individual can be personally identifiable from the information, the DPA would not be applicable. In those circumstances, the data can be used for product development or scientific research purposes.

Additionally, the DPA stipulates that personal data can be processed for research purposes so long as the following conditions are met:

• the personal data must not be processed to support measures or decisions with respect to particular individuals; and
• the personal data must not be processed in such a way that substantial damage or substantial distress is, or is likely to be, caused to any data subject.

In Jamaica, we are not familiar with the European Health Data Space Regulation, nor do we have similar laws.

In Jamaica, we have not yet implemented specific requirements or guidance regarding the use of personal data in AI systems or models. Likewise, Jamaica does not yet have a comprehensive AI regulatory regime.

A data controller is required to report any security breach in respect of the data controller’s operations that affects or may affect personal data to the Information Commissioner within 72 hours of becoming aware of the breach. The notice must include:

• the facts surrounding the security breach;
• a description of the nature of the security breach, including the categories, the number of data subjects concerned, and the type and amount of personal data concerned;
• the measures taken or proposed to be taken to mitigate or address the possible adverse effects of the breach;
• the consequences of the breach; and
• the name, address and other relevant contact information of the data controller’s DPO.

The notice must be submitted via the Information Commissioner’s online portal.

A data controller is also required to report any security breach to each data subject whose personal data has been affected by such breach within 72 hours of becoming aware of the breach. The notice must include:

• the nature of the security breach;
• the measures taken or proposed to be taken to mitigate or address the possible adverse effects of the breach; and
• the name, address and other relevant contact information of the data controller’s DPO.

Please note that as the DPA was only recently implemented, the investigative arm of the Information Commissioner has not yet been fully established. Additionally, the provisions under the DPA which give the Information Commissioner certain enforcement powers are not yet in effect.

In Jamaica, mass data privacy litigation is not common.

The Information Commissioner is the regulatory body which is designated to enforce the DPA and handle complaints, investigations, penalties and compliance.

The main powers, duties and responsibilities of the Information Commissioner include:

• monitoring compliance with the DPA and any regulations made thereunder;
• providing advice to the relevant Minister on any matter relating to the operation of the DPA or otherwise for the protection of personal data;
• promoting the observance of the requirements under the DPA and the following of good practice by data controllers;
• disseminating information to the public about the operation of the DPA and about good practice, and advising persons about any of those matters;
• preparing and disseminating guidelines under the DPA; and
• intervening as a party in any proceedings before a court, in respect of any matter concerning the processing of personal data or the enforcement of any provision of the DPA, other than proceedings for the prosecution of an offence.

Where the Information Commissioner is satisfied that a data controller has contravened, or is contravening, any of the provisions under the DPA, the Information Commissioner may commence proceedings against the data controller. Proceedings may also be triggered where a data subject has filed a complaint with the Information Commissioner against a data controller.

Guidelines issued by the Information Commissioner pursuant to the DPA would be binding in practice.

How an Enforcement Action or Investigation is Initiated

Any person who believes his/her rights under the DPA have been violated can lodge a complaint with the Information Commissioner, which would then trigger an investigation by the Information Commissioner.

The Information Commissioner may commence an investigation on its own initiative in circumstances where there is reason to suspect non-compliance by a data controller (for example, a serious breach, public interest concerns, or patterns of misconduct).

Investigations may also be triggered through referrals or media reports.

Enforcement Notices

If the Information Commissioner has reasonable grounds for believing that a data controller is non-compliant with the DPA, the Information Commissioner has the power to issue an enforcement notice to such data controller. This enforcement notice may require the data controller to cease processing, correct practices, or take specific steps to comply with the DPA. The enforcement notice typically sets a compliance deadline by which the data controller must act.

Information and Assessment Notices

The Information Commissioner has the power to issue information notices which would require data controllers to produce certain documents or evidence related to compliance. This would also give the Information Commissioner the power to inspect the data controllers’ premises, books, etc.

A request may also be made to the Information Commissioner by or on behalf of any individual who is, or believes himself/herself to be, directly affected by any processing of personal data for an assessment as to whether it is likely or unlikely that the processing has been, or is being, carried out in compliance with the DPA.

Notice of Investigation

When an investigation begins, the Information Commissioner will typically provide formal notice to the data controller that an inquiry has been opened.

The notice should explain the scope of the investigation, the alleged non-compliance and any documentation required.

Response Timelines

The DPA generally requires data controllers to respond to the Information Commissioner requests within specified timeframes.

For example, data controllers are required to respond to data subject access requests within 30 days from the date of the request.

Available Sanctions and Remedies

Where a body corporate commits an offence under the DPA, the body corporate may be liable to a fine not exceeding 4% of its annual gross worldwide turnover of that body corporate for the preceding year of assessment in accordance with the Income Tax Act, 1955 (as amended).

Individuals who commit an offence under the DPA may also be subject to severe fines up to a maximum of JMD5 million (approx. USD31,100) and/or imprisonment up to a maximum of ten years.

In calculating the amount of monetary penalties, the courts will take into account:

• the estimated economic cost to consumers, users of the services concerned and any other persons, of the contravention giving rise to the offence;
• the estimated economic benefit derived by the body corporate from the commission of the offence;
• the period for which the contravention continued;
• the number and severity of any other offences under the DPA committed by the body corporate; and
• any other factors which the court considers relevant.

An individual who suffers damage by reason of any contravention by a data controller of any of the requirements under the DPA is entitled to compensation from the data controller for that damage. Additionally, an individual who suffers distress by reason of any contravention by a data controller of any of the requirements under the DPA is entitled to compensation, from the data controller, for that distress if:

• the individual also suffers damage by reason of the contravention; or
• the contravention relates to the processing of personal data for the special purposes.

Appeal Process

Any person aggrieved by a decision of the Information Commissioner, other than a decision in respect of an enforcement notice, assessment notice or information notice, may appeal to the Appeal Tribunal in accordance with such procedure as may be prescribed under the DPA. The appeal process has not yet been prescribed by the relevant Minister.

The most significant privacy trend in the last 24 months was the public campaign which was launched by the Information Commissioner requiring the registration of data controllers with the Information Commissioner. The Information Commissioner embarked on a major campaign over the past two years encouraging data controllers to register and advising of the potential risks for failure to do so. Note, however, that to date, the Information Commissioner has not taken any enforcement action against a data controller for failure to register.

The practical takeaway for organisations is that failure to register with the Information Commissioner would constitute an offence under the DPA which could result in severe fines and penalties. Consequently, organisations must cease any further processing of personal data unless and until they have registered with the Information Commissioner.

In Jamaica, as the DPA was only recently enacted, privacy litigation is in its infancy.

As mentioned in 1.8 Enforcement Proceedings and Fines, a claimant can bring a claim before the courts if he/she can prove that he/she has suffered some sort of damage due to any contravention by a data controller of any of the requirements under the DPA. The remedies available would be:

• compensation (damages);
• injunctions (including interim injunctions restraining further processing); and
• declaratory relief.

Additionally, an individual who suffers distress (ie, non-material damages) by reason of any contravention by a data controller of any of the requirements under the DPA can bring a claim before the courts for that distress if:

• the individual also suffers damage by reason of the contravention; or
• the contravention relates to the processing of personal data for so-called “special purposes” (such as journalism, art or literature).

Distress alone is not generally compensable and is recoverable only if:

• the claimant also suffered material “damage”; or
• the contravention relates to the “special purposes” (such as journalism, art or literature).

Morrison v Elephant Group Ltd (t/a Centerfield Jamaica) & others is one of the first reported Supreme Court decisions on the DPA regarding injunctive reliefand the lawful bases for processing in an employment context.

In this decision, the claimant alleged that her employer’s disclosure and dissemination of her personal data to a third-party company for the purposes of conducting background checks was unlawful and in breach of the DPA. The Supreme Court ruled that the employer’s processing of personal data for background checks was permissible under the DPA. The decision pointed out that the DPA allows for the processing of personal data in certain circumstances, which include confidential background checks related to prospective employment.

Note that privacy litigation is not yet common in Jamaica.

The DPA is silent with respect to collective redress. We do not have legislation in Jamaica which specifically governs collective redress.

We do not have laws and/or regulations in Jamaica relating to the protection and processing of non-personal data. We are not aware of any plans by the government to enact laws similar to the EU Data Act in the near future.

Not applicable in this jurisdiction.

Not applicable in this jurisdiction.

Not applicable in this jurisdiction.

Jamaica does not have a specific statute which governs cookies, SDKs and other device identifiers. Such identifiers would be governed indirectly by the DPA once they can be used to personally identify an individual.

In practice, the following are usually treated as personal data:

• IP addresses;
• mobile advertising IDs;
• persistent cookies and SDK identifiers;
• device fingerprints; and
• analytics or ad IDs tied to accounts, profiles or behavioural patterns.

In Jamaica, online tracking is legal only insofar as it complies with general data protection principles. Note, however, that unfair or excessive tracking would be unlawful, and consent is effectively required for most advertising and cross-platform tracking technologies.

Under the DPA, a data subject has the right to prevent processing of his/her personal data for direct marketing purposes unless the data subject gives his/her consent and/or is an existing customer of the data controller. This rule would also apply to sensitive or children’s data.

Where consent is relied on, it must be:

• freely given;
• specific;
• informed; and
• unambiguous.

Where sensitive data is involved (eg, health, biometrics), consent must also be explicit and in writing.

In Jamaica, the privacy rights of employees are governed by the DPA along with general privacy principles and existing employment law. While the DPA does not include employment-specific provisions, its standards and individual rights apply broadly to employee-related data processing, including recruitment, monitoring, remote work arrangements, IT/BYOD policies, background checks and the ongoing processing of personnel information.

When processing employee data, employers must ensure that the data is processed in accordance with the eight data protection principles as outlined under the DPA. These principles are as follows:

• Fairness and lawfulness: Employers may monitor employee activities (time tracking, system use, security monitoring) only in circumstances where it is necessary and justified, and employees must be informed of this monitoring. Monitoring must not be excessive, continuous or intrusive.
• Purpose limitation: Processing of employees’ data must be limited to employment-related purposes.
• Data minimisation: Employers may collect personal data from prospective applicants but only what is necessary for recruiting or assessing suitability (eg, CV details, contact info, background checks).
• Accuracy: Employers should collect only data necessary for HR, payroll, benefits and legal compliance, and keep it accurate and up to date.

• Storage limitation: Employees’ data must not be held for longer than needed, and employers are encouraged to implement retention policies which are to be shared with employee.

• Rights of data subject: Personal data must be processed in accordance with the rights of the employees.
• Implementation of technical and organisational measures: Employers should implement BYOD policies, IT policies and remote work arrangements which should be incorporated in the workplace.
• Cross-border transfers: Personal data of employees must not be transferred to a State or territory outside of Jamaica unless that State or territory ensures an adequate level of protection for the rights and freedoms of the data subjects in relation to the processing of employees.

The DPA does not have specific provisions which govern M&A and asset deals in Jamaica. The general privacy principles as set out under the DPA would be applicable.

Due Diligence

With respect to due diligence, the acquiring entity should ensure that the target company is compliant with its legal obligations under the DPA such as registration with the Information Commissioner and appointment of a DPO. The acquiring entity should ensure that the target company has implemented certain policies to ensure compliance with the DPA, which include but are not limited to privacy policy, incident response policy, retention policy and BYOD policy. Lastly, the acquiring entity should ensure that the target company has implemented certain technical and organisational measures to prevent unauthorised access and/or disclosure of personal data such as access controls, VPNs, anti-virus software and security cameras.

Change of Control

The DPA requires data controllers to register with and notify the Information Commissioner of their processing activities. This includes providing organisational details and notifying it of changes such as a change of control of the data controller.

Notifications

Under the DPA, data controllers are required to be transparent about processing and provide privacy notices to data subjects. In the event that the acquiring entity intends to process personal data for new purposes beyond those originally disclosed by the target company, updated notices may need to be issued and fresh consent obtained where consent was the original basis.

Post-Closing Integration

After closing, the acquiring entity typically must:

• update privacy notices and public disclosures to reflect the new data controller’s identity and purposes;

• align data inventories and processing records across the combined organisation; and
• ensure ongoing compliance with the DPA.

The DPA stipulates that personal data must not be transferred to a State or territory outside of Jamaica unless that State or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. The DPA further stipulates that with respect to cross-border transfers, the data controller must take into account the following:

• the nature of the personal data;
• the State or territory of origin of the information contained in the personal data;
• the State or territory of final destination of that information;
• the purposes for which and the period during which the personal data is intended to be processed;
• the law in force in the State or territory in question;
• the international obligations of that State or territory;
• any relevant codes of conduct or other rules which are enforceable in that State or territory (whether generally or by arrangement in particular cases); and
• any security measures taken in respect of the personal data in that State or territory.

The restrictions on cross-border transfers do not apply in the following circumstances:

• the data subject consents to the transfer;
• the transfer is necessary:
1. for the performance of a contract between the data subject and the data controller; or
2. for the taking of steps at the request of the data subject with a view to the data subject entering into a contract with the data controller;
• the transfer is necessary for the conclusion or performance of a contract, between the data controller and a person other than the data subject, which:
1. is entered into at the request of the data subject;
2. is in the interests of the data subject;
• the transfer is necessary for reasons of substantial public interest;
• the transfer;
1. is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings);
2. is necessary for the purpose of obtaining legal advice; or
3. is otherwise necessary for the purpose of establishing, exercising or defending legal rights;
• the transfer is necessary in order to protect the vital interests of the data subject;
• the transfer is part of the personal data on a public register and any conditions subject to which the register is open to inspection are complied with by any person to whom the personal data is or may be disclosed after the transfer;
• the transfer is made on terms (which may include contractual terms) that are of a kind approved by the Information Commissioner as ensuring adequate safeguards for the rights and freedoms of data subjects;
• the transfer has been authorised by the Information Commissioner as being made in such a manner as to ensure adequate safeguards for the rights and freedoms of data subjects; or
• the transfer is necessary for the purposes of national security or the prevention, detection or investigation of crime.

There are no registrations, filings or approvals from authorities required for international transfers.

There are no data localisation or residency obligations by sector or data category.

No blocking or foreign-judgment control rules restrict foreign discovery, sanctions compliance or cross-border disclosures.

There have not been any recent developments in the regulation of the international transfer of personal data.