The Tribune

By Neil Hartnell

Tribune Business Editor

nhartnell@tribunemedia.net

The Opposition’s finance spokesman believes the new Data Protection Act lacks sufficient enforcement powers to hold international operators accountable for misconduct and wrongdoing that occurs in The Bahamas.

Kwasi Thompson, the east Grand Bahama MP, told Tribune Business that the legislation which passed the House of Assembly’s committee stage on Wednesday “does not go far enough” in dealing with digital providers - such as Facebook/Meta and Google - whose headquarters and assets are domiciled overseas.

He suggested that the Bills should have mandated that their Bahamas-based “representative”, whether a corporate entity or individual, have sufficient assets domiciled in this nation to cover any penalties or fines imposed against them.

Otherwise, Mr Thompson warned they could simply appoint “a shell company” with no local assets to look after their interests in The Bahamas. Requiring them to have a more substantive presence here, he added, would also encourage such corporations to do real business in this nation, thus boosting employment and the country’s long-standing technology hub ambitions.

“They have introduced a definition of ‘representative’ in the Bill, but I don’t believe that goes far enough,” Mr Thompson told this newspaper, “because even if you have a representative in The Bahamas - if that representative does not have any money here, does not have any assets in The Bahamas; it’s a shell company - how can you be assured that any international company that may be guilty of wrongdoing can be assessed a fine or penalty.

“I don’t believe the Bill addressed this issue satisfactorily. The whole issue is you want to ensure you can hold the wrongdoer accountable. Even if they have a representative in The Bahamas, I don’t believe that goes far enough to be able to enforce the law. I think the Bill has to go further in ensuring enforcement.

“You have to do it by ensuring that the representative is a senior enough person or a company that has assets in The Bahamas, and sufficient assets to cover the cost of any fine or issues that they have here in The Bahamas,” Mr Thompson added.

“That does a number of things. That ensures there is adequate enforcement but also ensures that company has a presence in The Bahamas, which feeds into employment and building a technology industry as well. The law could have been amended to introduce these tougher provisions.”

The Organisation for Responsible Governance (ORG), in a statement issued yesterday, said the numerous changes made by the Government to the Bill’s final version bring it more into line with international standards, including the Commonwealth Model Provisions (CMP) on Data Protection; the Organisation for Economic Co-Operation and Development (OECD) privacy guidelines, and the European Union General Data Protection Regulation (GDPR).

Noting that it “incorporates revisions made in response to public feedback gathered in recent week”, ORG added that it backed these efforts “as evidence that public consultation can influence the development of modern and responsive governance frameworks, particularly those that protect citizens’ rights in the digital age”.

“Key improvements include expanded definitions and clarified terminology; strengthened individual rights, granting citizens the ability to access, correct, erase and object to the processing of their personal information; new accountability obligations for data controllers and processors, such as maintaining processing records, conducting risk assessments, and notifying authorities of data breaches; and defined penalties and enforcement measures that help ensure compliance and provide a basis for redress,” ORG said.

“ORG particularly notes Section seven, Clauses (five) and (six), which empower the minister - after consultation with the data protection commissioner - to make regulations exempting certain categories of data controllers from specific requirements under the Act, when such exemptions are ‘necessary and proportionate to reduce administrative burdens’. This provision offers positive potential by allowing flexibility for small businesses and non-profit entities, reducing compliance barriers and promoting ease of doing business in contexts where the scale and nature of data processing may be minimal.”

However, ORG added: “The current drafting provides limited criteria for these exemptions and lacks an independent review or appeals process. Without clear safeguards or transparent oversight, such discretion could be vulnerable to abuse or political influence, undermining both public trust and consistency in enforcement.

“In keeping with the Commonwealth model provisions, ORG recommends that any exemption framework include defined criteria, transparency in decision-making, and a right to review or appeal to the commissioner or an independent body to ensure fairness and accountability…

“ORG also highlights that while the amendments appear to incorporate public feedback, the amended Bill was not publicly circulated for review prior to its presentation in Parliament. Providing citizens with time and access to evaluate these changes can strengthen confidence in the process and further embody the principles of transparency and participatory governance,” the group continued.

“Ensuring that legislation and any subsequent amendments are shared openly and in advance enables citizens, businesses and civil society to better understand the rationale behind the revisions, anticipate their real-world implications and contribute meaningfully to implementation.”