
Is Amazon subject to our Data Protection Act?

Chukwuemeka Cameron

Wednesday, December 11, 2019

Coming out of the first round of consultations initiated by the joint select committee appointed by Parliament to review the Data Protection Bill, @Digicel and the @JamaicaComputerSociety raised issues about the limited application of the Bill to local data controllers found in our section 3. The Bill, as it then read, stated that the Act will only apply to organisations (data controllers) established in Jamaica and processing personal data in Jamaica or, though not established in Jamaica, using equipment in Jamaica for processing the data. The ministry, in considering the issues raised by the stakeholders, recommended that the joint select committee adopt wording similar to the General Data Protection Regulation (GDPR) — the European version of our Data Protection Bill. The relevant section of the GDPR states:

“This regulation applies to the processing of personal data of data subjects who are in the union by a controller or processor not established in the union, where the processing activities are related to:

“a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the union; or

“b) the monitoring of their behaviour as far as their behaviour takes place within the union.”

In the last sitting of the joint select committee, held on December 6, 2019, Senator Mark Golding put what otherwise was an esoteric concept into a practical example of what an application of the Act could look like. He asked if a Jamaican were to buy goods from Amazon, would that make Amazon subject to our Data Protection Bill? The unequivocal answer was yes. The reason posited for that was that Amazon would be processing the data of Jamaican data subjects and as such Amazon would be a data controller in possession of personal data of Jamaican citizens.

If Parliament were to take that approach based upon that single criterion they would be — in futility I must add — bestowing upon themselves extraterritorial jurisdiction greater than that which the European Union bestowed upon themselves. The effect of that would be that every e-commerce platform that Jamaicans purchase online products or services from, regardless of where they are domiciled, will without more be subject to our Data Protection Act.

If the ministry is indeed looking to adopt language similar to that of the GDPR it will be well served to look at the Guidelines 3/2018 on the territorial scope of the GDPR that was adopted by the European Data Protection Board (EDPB) on November 12, 2019. That board is responsible for issuing guidelines on the interpretation of core concepts of the GDPR to ensure the GDPR is interpreted and applied in a uniform manner across Europe. Prior to the issuance of this guidance note the basic understanding of privacy practitioners was that it was only in instances where an organisation, like an Amazon, specifically targets data subjects from third party countries that the organisation would be considered a data controller that would be subject to the local data protection laws. In other words, if an e-commerce website, in addition to being in English, would, for example, also have its website translated into the language of the country that it is targeting and quote prices in the currency of the third party country, one can conclude that it is intentionally targeting data subjects of that country.

Side note, given the fact that Amazon has recently put special arrangements in place to collect payments from Jamaican data subjects, they may well be considered as targeting Jamaican data subjects and as such ought properly be subject to our Data Protection Act.

It is important to note that the basis for the side note that Amazon may be subject to our DPA is not because they process Jamaican data subjects' personal data, but because they intentionally target Jamaican data subjects. This interpretation has important consequences for local entrepreneurs who establish websites that anyone across the world, in particular people from Europe, can access. The question I have been faced with is: If a European citizen purchases goods from my Jamaican website, would that make my Jamaican business operating the website subject to the GDPR? The answer is, without more, no. Unless one can establish that the website intentionally markets to and targets European data subjects the local data controller would not be subject to the GDPR. Furthermore, it is the process that is subject to the GDPR and not the entity. Our tourist industry, however, that specifically targets European data subjects, would be subject to the GDPR.

The guidance note states that Article 3 of the GDPR defines the territorial scope of the regulation on the basis of two main criteria — the “establishment” criterion, as per Article 3(1), and the “targeting” criterion as per Article 3(2). For the purpose of this discussion we are concerned with the targeting criterion. The EDPB suggests that the determining element to the territorial application of the GDPR as per Article 3(2) lies in the consideration of the processing activities in question; that is, whether processing relates to the offering of goods or services or to the monitoring of data subjects' behaviour in the union.

The EDPB, in their guidance note, underlined that the fact of processing personal data of an individual in the union alone is not sufficient to trigger the application of the GDPR to processing activities of a controller or processor not established in the union. The element of “targeting” individuals in the EU, either by offering goods or services to them or by monitoring their behaviour, must always be present. This approach is consistent with the approach previously taken by privacy practitioners.

The EDPB, in seeking to provide clarity on what intentional targeting is, outlined a number of factors one could take into consideration, possibly in combination with one another:

* the EU or at least one member state is designated by name with reference to the good or service offered;

* the data controller or processor pays a search engine operator for an Internet referencing service in order to facilitate access to its site by consumers in the union, or the controller or processor has launched marketing and advertisement campaigns directed at an EU country audience;

* the international nature of the activity at issue, such as certain tourist activities;

* the mention of dedicated addresses or phone numbers to be reached from an EU country;

* the use of a top-level domain name other than that of the third country in which the controller or processor is established, for example “.de”, or the use of neutral top-level domain names such as “.eu”;

* the description of travel instructions from one or more other EU member states to the place where the service is provided;

* the mention of an international clientele composed of customers domiciled in various EU member states, in particular by presentation of accounts written by such customers;

* the use of a language or a currency other than that generally used in the trader's country, especially a language or currency of one or more EU member states; and

* the data controller offers the delivery of goods in EU member states.

 

One only has to substitute Jamaica for the EU and EU member state to get a better understanding as to how we should be interpreting our section 3 that was adopted from the GDPR.

The other question that was raised was if there was a data breach how should it be enforced? I was only able to find one such case where the UK's data protection regulator, the Information Commissioner's Office, has issued an enforcement notice on a Canadian company that was not in any way established in the UK, Aggregate IQ. What we found is that the approach being taken as it relates to enforcement is that there is the development of mutual cooperation between supervisory authorities, where enforcement proceedings will be taken by supervisory authorities on behalf of other supervisory authorities. To date there does not seem to be any established framework to facilitate this and it is still a work in progress.

While the application of the Data Protection Act is going to fall to the appropriate commission that is to be established, Parliament should still be aware of how specific sections are being interpreted and applied in the jurisdictions where they adopt the specific section in the Act from. Failing to do so may have a chilling effect on Jamaican businesses which want to make their goods and services available on the Internet.

Is Amazon or other similar e-commerce platforms subject to our Data Protection Act? It depends. The mere fact that Amazon processes Jamaicans' personal data, if Parliament were to adopt the interpretation proposed by the EDPB, would not make them subject to our Data Protection Act.

 

Chukwuemeka Cameron is an attorney and founder of Design Privacy, a consulting firm that helps you comply with privacy laws and build trust with your customers. Send comments to the Observer or ccameron@designprivacy.io.