7-day free trial Book a demo
The Tension between Data Protection and Whistleblowing

The Tension between Data Protection and Whistleblowing

Posted by david-hand | 03 May 2018

A contributing author to Justis, Mukta Balroop, a Chevening Scholar, explores the relationship between data protection and whistleblowing in the wake of the Cambridge Analytica revelations. His discussion is focussed on the Caribbean region, and the differences found in countries’ different data protection laws.

With the world becoming increasingly digital, data is now a major resource and commodity. Different countries and regions now have laws in place to protect the personal data of individuals. Indeed, on the 25th of May 2018, the European Union’s (EU) General Data Protection Regulations (GDPR) becomes effective and directly applicable to EU countries, replacing the Data Protection Directive, 1995. The law of privacy developed in Europe in two aspects: i) personal privacy (as a human right) and; ii) informational privacy, concerned with the processing of an individual’s personal data. Though there may be some overlap they are two distinct aspects,[1] as reflected in the EU’s Charter of Human Rights 2000 under Articles 7 and 8. This article discusses the second of these aspects, informational privacy, and considers its development through statutory laws in the English-speaking Caribbean and its relationship to the act of whistleblowing.

Whistleblowing procedures “provide safe channels for staff or other informants to report fraud, corruption or serious wrongdoings in organisations. In the course of such a procedure, the processing of personal data (also known as personal information) will be necessary; for example, information relating to those suspected of wrongdoing as well that of the informants and/or other third parties such as witnesses.”[2]

The recent revelations by whistleblower Christopher Wylie, regarding the use of personal data derived from Facebook by Cambridge Analytica and its affiliate companies, have ignited inquiries in the US and UK. Regionally, Trinidad & Tobago’s government has signaled its intention to investigate the alleged use of its citizens’ data by the former government, who are now in opposition. This investigation relates to a promotional brochure released by Wylie, showing subsidiaries of Cambridge Analytica allegedly using citizens’ data in Trinidad. The brochure also named other countries in the region like Antigua and St Vincent as being test countries for the data analytical operations.

For these reasons, in addition to increased trans-border commercial data flows, it is therefore necessary not only to ensure countries have sufficient data protection laws in place, but to see that such laws do not impinge on whistleblowers’ work.

Trinidad and Tobago has partially enacted its Data Protection Act (DPA) since 2011; its remaining provisions remain highly contested, and as a result the current law is not serving its intended purpose.[3] The government has announced plans to review the current DPA soon[4] and make amendments as needed, in light of the main complaint that its currently the “journalism’s death knell.”[5]

There is a public perception that whistleblowers in Trinidad and Tobago suffer from prejudice or mal-consequences upon their involvement being known. Section 99 of the DPA offers specific protection for such acts, but this section is one of those that is not currently passed as law. In fact the entire DPA, although some provisions have been passed, is currently unenforced since the Office of the Information Commissioner, the statutory body charged with ensuring compliance of the Act by entities, has not been established. Yet, under the current version of the DPA, journalists were concerned with the extent of the powers of the Office of the Information Commissioner arguing that it would impinge on their ability to collect data for reporting purposes, so that the section 99 safeguard on its own is insufficient. Notably, there is a draft Whistleblower Bill[6] before parliament which would be useful to protect whistleblowers’ and journalistic interests and to ensure unhindered revelations of misconduct. Even so, Trinidad and Tobago’s DPA seems to conflate personal privacy and informational privacy, since it is an Act “to ensure that protection is afforded to an individual’s right to privacy and the right to maintain sensitive personal information as private and personal.”[7]

This is contrary to other countries which maintain informational privacy as the aim of the Act, for example, Antigua and Barbuda’s 2013 Data Protection Act.[8] An interesting example from outside of the Caribbean region can be found in Israel, which has a privacy law established in the 1980s (the Protection of Privacy Law, 5741 of 1981), which though providing for a tort of privacy, also protects the integrity of information in databases. In other words, the Israeli law protects both aspects within the same Act, but at least in distinct chapters. Trinidad and Tobago’s DPA appears to fuse both forms which may not augur well for the development of its jurisprudence. Nevertheless, in its current state, it appears whistleblowers are afforded little protection under statutory laws of Trinidad and Tobago.

Jamaica in 2011, by way of amendment to its constitution, recognised the right to respect for, and protection of, private and family life and communication. In 2017, they introduced the Data Protection Act to protect the privacy of certain data and related matters. Some may argue that the constitutional right to privacy may apply horizontally as between private citizens and companies in addition to between citizens and the government of Jamaica.[9] However, this remains to be determined for certain; in any event, the constitutional aspect appears to focus on privacy as a personal human right, as opposed to the informational privacy that the Data Protection Act is concerned with. In keeping with recent trends around the world, Jamaica’s attempts are well placed but the Data Protection Act is currently opposed by members of the Media Association. Similar to Trinidad and Tobago’s media personnel, they argue that the law would infringe on their work and as such requires certain exceptions. However, “[a]s Jamaica seeks to position itself as an attractive destination for data centers and business processing services, the Data Protection Act has been welcomed as a step in the right direction, particularly for potential investors from Europe and North America that promote high standards for data protection.”[10]

With calls in Barbados underway for relevant legislation to be enacted,[11] the Data Protection (Privacy of Personal Information) Act 2003 of Bahamas appears to be the most operational informational privacy law in the English-speaking Caribbean. The Act provides protection for the privacy of individuals’ information and regulates the processing and use of that information. In 2007, Bahamas established its Data Protection Commissioner’s Office to oversee compliance with its Data Protection law. While that law lacks specific exceptions for whistleblowers and journalistic activities, an exception is found in section 50 of the subsequently enacted Freedom of Information Act, 2012. As a measure to promote “openness”, section 50 provides protection for any person who reveals wrongdoing, despite having breached any legal or employment related obligation, provided that the person acted in “good faith and in the reasonable belief that the information was substantially true and disclosed evidence of wrong doing…”.[12]

Thus, this exception is in tandem with the need for informational privacy under the Bahamas Data Protection law. Still, the Information Commissioner Sharmie Farrington-Austin has expressed concern, between the tension of data protection and access to information generally, under the Freedom of Information Act.[13]

Certainly, no solution would be perfect and each is subject to being challenged. Nevertheless, this Bahamian approach perhaps represents a form which could be imitated by other Caribbean countries, to resolve as far as practicable the tension between data protection and whistleblowing, and to facilitate transparency whilst ensuring informational privacy, as regional societies become more technologically centred.

About the author

Mukta Balroop is a contributing author for Justis Publishing, specialising in Caribbean interests. Mukta graduated with an LL.B. (Hons) from the University of West Indies in 2012, where he went on to gain experience as an In-house counsel member at Tharuna Limited, and then joined the Judicial Research Counsel in the Court of Appeal for the Judiciary of Trinidad & Tobago. Recently Mukta received the prestigious Chevening Scholarship – the UK government’s global scholarship programme, funded by the Foreign and Commonwealth Office (FCO) and partner organisations – to study for an LL.M. at Queen Mary, University of London, majoring in Media Law.

Mukta has also worked for the Judicial Education Institute of Trinidad & Tobago and Hobsons Notaries Public and Trademark & Patent Agents, Attorneys-at-Law. Mukta was the overall winner at the Price Media Law Moot Court Competition Americas regional round in New York, also winning the prize for Best Oralist of the Finals. He progressed to the quarter finals at the international round of the same competition, at University of Oxford, and was distinguished as the Best Oralist Runner Up overall. Mukta has also won the Justice Jessel Hannays Memorial Prize for the highest score in Law of Remedies at the Hugh Wooding Law School.

 

References

[1] https://edps.europa.eu/node/3110#processing_pd

[2] https://edps.europa.eu/data-protection/data-protection/reference-library/whistleblowing_en

[3] http://www.guardian.co.tt/lifestyle/2016-10-25/challenges-data-protection-bill

[4] http://www.guardian.co.tt/news/2016-10-24/govt-review-data-protection-act

[5] http://archives.newsday.co.tt/2016/10/23/journalisms-death-knell/

[6] http://www.ttparliament.org/publications.php?mid=28&id=792

[7] http://www.ttparliament.org/legislations/a2011-13.pdf section 4

[8] https://dataprivacyfoundation.org/wp-content/uploads/2017/07/Antigua-and-Barbuda.pdf

[9] http://www.myersfletcher.com/resources/item/the-data-protection-act-a-step-in-the-right-direction.html

[10] https://www.lexology.com/library/detail.aspx?g=6e84b449-a66d-48d7-9e95-66e81606c509

[11] http://businessbarbados.com/legal/privacy-protection-legislation/

[12] http://laws.bahamas.gov.bs/cms3/images/LEGISLATION/PRINCIPAL/2012/2012-0010/FreedomofInformationAct2012_1.pdf

[13] http://www.tribune242.com/news/2015/may/15/commissioner-concerned-over-clash-between-data-pro/

Related Blogs

Posted by david-hand | 24th September 2019
To enable you to search the Irish Reports & Digests in greater detail, it is now possible to search across their headnotes in JustisOne. The Advanced Search form for cases...
Posted by david-hand | 12th September 2019
This is a notable entry from the Justis International Law & Technology Writing Competition 2019 in the category of The Future of Legal Technology, by Haitham Salman of City Law...
Posted by david-hand | 28th August 2019
Are you looking to secure a career in law, or perhaps you’re interested in technology and how this is changing within the legal field?  Do you want to stand out...