JAMAICA Broilers Group (JBG) has ignited a storm of criticism after refusing to allow its external auditors to conduct forensic searches of internal e-mails — a move one attorney has labelled “a strategic over-application of privacy law that creates a dangerous shield for financial transparency”, essentially accusing the company of using privacy rules too aggressively to block scrutiny.

Chukwuemeka Cameron, attorney-at-law and founder of Design Privacy — a company specialising in data protection — says JBG’s stance represents more than a procedural disagreement. It is, he argues, “a warning shot for every investor, regulator, and stakeholder in Jamaica’s capital markets” because “if privacy can be invoked to shut down a forensic review, then transparency, accountability, and market integrity are all at risk”.

The controversy stems from the company’s audited financial statements for the year ended May 3, 2025, which were released on Friday. The external auditors issued a qualified opinion, a serious designation (less severe than an ‘adverse’ opinion but more significant than an ‘emphasis of matter’) indicating they could not obtain all the evidence needed for a clean report. The specific hurdle was an internal investigation into accounting irregularities within the company’s US operations. The auditors stated that this investigation “did not include certain forensic electronic communication searches ordinarily expected” and, as a result, they were “unable to obtain sufficient appropriate evidence regarding the completeness of the full extent of the accounting irregularities”.

In its statement Jamaica Broilers defended its position, revealing that it had asked the auditors to include a note explaining that, following legal consultation, it “could not agree to the review of the e-mail communications as it would represent a breach of Jamaica’s Data Protection Act and multi-jurisdictional data privacy acts in the United States”. The auditors rejected this request.

“This is a classic case of weaponising compliance,” Cameron contends in a LinkedIn post Sunday. “The company is leveraging legitimate privacy concerns as a legalistic cudgel to avoid a more penetrating investigation,” he added, arguing that “while data protection is critical, it should not be used as a blanket justification to obscure potential financial malfeasance. The outcome is an audit that, by the auditors’ own admission, is incomplete — and that should unsettle everyone.”

Cameron argues further in an interview with Jamaica Observer that JBG’s justification reflects a fundamental misunderstanding of the purpose and structure of the Data Protection Act (DPA). He emphasised that the Act is designed to enable the lawful sharing of personal data, not restrict the disclosure of information relevant to corporate accountability.

“The purpose of the Data Protection Act is to enable the sharing of personal data,” he told Business Observer. “The premise of the Act is to allow for the free flow of information. The DPA is the law that allows companies to process personal data once they meet the conditions.”

He explained that those conditions include ensuring there is a lawful basis for processing, limiting the data to what is necessary, and applying safeguards such as redaction and minimisation — requirements designed to protect individuals while still allowing legitimate investigations and regulatory oversight to proceed.

He added that invoking the Act in general terms is insufficient. “What they should have said is, ‘because of section A and section B, we cannot share’. Instead, they said: ‘Because of the Data Protection Act, we can’t share.’ That is fundamentally wrong.”

Cameron noted that the Act includes provisions permitting disclosure “in furtherance of an investigation”, which would typically encompass a forensic review linked to suspected accounting irregularities. And even if personal data is present in e-mails, he said the standard practice is to apply safeguards, not deny access outright.

“Even if there was personal data, the auditors don’t necessarily need to see the names of individuals. You redact the information. If it is necessary for them to complete their job, you share it with appropriate safeguards. If it cannot be redacted and there is potential harm, then you withhold it. But you must be guided by necessity and proportionality, not by a blanket refusal.”

Asked how companies should approach situations involving sensitive data and audit requests, Cameron said the process is straightforward if organisations maintain proper governance.

“The first thing companies should do is ensure their senior management are trained on data protection and they hire or engage a data protection officer,” he said. Boards and executives must understand their obligations to navigate the interface between privacy and transparency responsibly.

Cameron said companies should assess whether the auditors’ request is necessary, ask the auditors to clarify their lawful basis for processing personal data, and apply redaction where appropriate. “Worst-case scenario, ask the information commissioner for advice. The Act is designed to support accountability, not obstruct it.”

Separately, in a notice to shareholders, the company said its recently completed asset revaluation would yield a “significant positive change” to shareholder equity, to be reflected in December’s publication of updated figures. This promised boost comes as the company seeks to reassure stakeholders amid the transparency crisis and a reported negative equity position of $10.03 billion.

Despite these assurances, Cameron warns that JBG’s handling of the forensic review could set a precedent that threatens transparency across the capital market.

“The big danger is I’m a shareholder and I don’t know where the problem was or who the problem was,” he said. “I don’t know whether the board must fire the CEO or whether I must sell my shares. I don’t know if I can still have confidence in the leadership because I don’t have enough information.”

Cameron said he would not prescribe regulatory action given his role with the Jamaica Stock Exchange but insisted that shareholders have the power to act. “The problem identified was non-disclosure. It is disingenuous to perpetuate the non-disclosure by using this legislation that is only meant for transparency.”

CAMERON…If privacy can be invoked to shut down an audit, then transparency, accountability, and market integrity are all at risk.