Data protection legislations in many jurisdictions are seen as toothless dogs – the bark is much stronger than the bite. On paper, these legislations purport to do so much to protect the best interests of the data subjects while holding those who compromise their rights accountable. The challenge though is that many regulators are woefully under resourced and lack the capacity to enforce the law effectively. Those impacted i.e. everyday citizens are therefore left to pursue recourse though the courts, relying on the provisions of respective legislations in the event they feel their rights have been breached. These people use the law as a sword to go after violators in the pursuit of justice. The framers of these legislations do not intend for these laws to be one-sided though and so similarly, alleged violators are able to use the same laws as a shield to justify actions that have been perceived by individuals as a violation of their rights.
As Jamaica approaches the one-year anniversary of the implementation of the Data Protection Act, 2020 (DPA), an important judgement was handed down in relation to a matter brought before the court by an individual who believed that her privacy rights were violated. This is significant because it is one of the first cases adjudicated in relation to this piece of legislation and therefore forms the anchor for related case law. According to the publicly available court documents, the claimant’s employment was terminated by Elephant Group Ltd in June of 2020 and the termination was contested which eventually led to proceedings before the Industrial Dispute Tribunal (IDT). The issues to be determined by the IDT also included the matter of compensation due to the claimant for the period of July 2020 to December 25, 2023.
In her filing, the claimant did not provide her employment history. To prepare its defence, Elephant Group Ltd contracted the services of a private investigations company to help ascertain whether the claimant was in fact out of employment for the stated period as purported. The investigation report revealed that the claimant had been employed by another company, AVC Communications Ltd (AVC) since July of 2020. Elephant Group Ltd therefore wrote to AVC requesting the employment history of the claimant citing legitimate interest and legal proceedings as basis for the request. AVC responded with the requested information which confirmed that the claimant was in fact employed by them from July 2020 until May of 2024.
The claimant brought a case against all three entities alleging that their disclosure and dissemination of her personal data was unlawful and in breach of the DPA. She therefore sought an interim injunction barring them from processing her personal data until the conclusion of the matter which was before the IDT. This action by the claimant emphasises the importance of agency: a data privacy legislation is only as effective as an individual’s ability to rely on its provisions as a sword to wield to prevent or remedy violation of their privacy rights. Under section 11 of the Jamaica DPA, a data subject has the right to object to the processing of their personal data and it was this that was relied upon in the court submission.
Herein lies the perceived challenge. Many entities seem to be of the view that data privacy legislations are unfairly skewed towards the data subject. This is not necessarily true. While data privacy legislations are designed to protect individuals from having their personal data misused, they are not intended to make it difficult for organisations to conduct their affairs. They do however provide a framework and a set of standards that must be observed and respected when the processing of personal data takes place. When these standards are met, data controllers can rely on data privacy legislations as a shield against allegations of a violation. To that end, data controllers often rely on the legitimate interest provisions as a way of ensuring that they do not fall foul of the law.
In this particular instance, the counsel for Elephant Group argued that it would have been unreasonable to expect their client to mount a thorough defence without accessing the information that was required. Given that that information was not made available by the claimant, Elephant Group Ltd argued that it had no other option available but to use other lawful and proportionate means to come by the information that it sought. The data protection laws allow for the processing of personal data in so far as it is necessary for the administration of justice.
That point is also tenuously connected to the argument of legitimate interest. The defendant had a legitimate interest in defending the claim brought before it at the IDT and in order to do so, three conditions needed to have been met:
- Purpose test – this determines whether there is a legitimate interest behind the processing.
- Necessity test - this determines whether the processing is necessary for the stated purpose.
- Balancing test - this determines whether the legitimate interest is overridden by the individual’s rights or freedoms.
What does all of this mean for organisations? It is important that organisations identify processes that require a Legitimate Interest Assessments (LIA) and complete these assessments ahead of time. When completing a Record of Processing Activities (RoPA), Securys helps organisations identify the lawful basis under which personal data is being processed and once it is established that the processing falls under legitimate interest, the next step becomes the application of the balancing test. This can be a tedious and delicate process which is why external data privacy subject matter expertise is often required. When this activity is done well, entities are able to reduce the risk of exposure that is often the result of unlawful data processing.
After careful consideration of the arguments advanced by the parties, the court refused the application that was made by the claimant. Ruling notwithstanding, the case was an important demonstration of the practical application of a data privacy law both from the perspective of a data subject who wishes to use it as a sword, and from the perspective of a data controller or processor who wishes to use it as a shield. This ultimately helps to give teeth to the legislation and remind organisations that the law is not intended to be unfair or one-sided. In fact, a good understanding of data privacy legislation coupled with a robust data privacy and protection programme often serve to protect the interests of the data controller in ways that help that to reduce their risk exposure and prevent reputational damage.