Your address will show here +12 34 56 78


With the Data Protection Act (2020) taking full effect on December 1, 2023, the #1 question you, as a business owner, should be asking yourself is: am I ready/ am I compliant? Spoiler alert: if you haven’t thought about this question yet, the answer is probably no. Anyone who collects any personally identifiable information (PII) like names, addresses, contact information, etc. from persons in Jamaica will be regulated by the Data Protection Act as of December 1, 2023. Of course, medical practitioners, attorneys, pharmacies, schools, financial institutions and others who collect sensitive personal information will have higher compliance requirements, but the way the Act is written, even if you are an artist or a boutique shop and you collect email addresses for your mailing list, you are required to register with the Information Commissioner. Failure to do so could result in civil and/or criminal liability.
Your readiness and compliance will be dependent on a few factors. As we briefly explore the Act, you will get a better sense of who you are, as a business owner, in relation to the Act. This is not a comprehensive breakdown of the Act, but rather an introduction to the concepts of the Act. We recommend that our clients and prospective clients seek legal advice as it pertains to their business and their state of readiness.


  • Personal Data as defined in the Act is, “information (however stored) relating to a living individual or an individual who has been deceased for less than thirty years, who can be identified from that information alone or from that information and other information in the possession of, or likely to come into the possession of, the data controller; and includes any expression of opinion about that individual and any indication of the intentions of the data controller or any other persons in respect of that individual” This would include, for example, Names, Addresses (both mailing, email, IP), Telephone/ Fax numbers, Social Security numbers, Tax Registration Number (TRN), NIS number, Passport number, drivers licence number, credit card information/numbers, bank account number/information etc.
  • Sensitive Personal Data defined in the Act is, “Personal data consisting of any of the following information in respect of a data subject, [that being ] genetic data or biometric data; filiation, or racial or ethnic origin; political opinions, philosophical beliefs, religious beliefs or other beliefs of a similar nature; membership in any trade union; physical or mental health or condition; sex life; the alleged commission of any offence by the data subject or any proceedings for any offence alleged to have been committed by the data subject” This would include, for example, fingerprints, facial recognition, eye/iris scans and voiceprints, mouth/tongue swabs, ‘DNA’, ancestry, health records etc.
  • Data Subject defined in the Act is, “a named or otherwise identifiable individual who is the subject of personal data, and in determining whether an individual is identifiable account shall be taken of all means used or reasonably likely to be used by the data controller or any other person, to identify the individual, such as reference to an identification number or other identifying characteristics (whether physical, social or otherwise) which are reasonably likely to lead to the identification of the individual.” In other words, if you give your Personal Data to someone else, you are a Data Subject.
  • Process defined in the Act is, “in relation to information or personal data means obtaining, recording or storing the information or personal data, or carrying out any operation or set of operations (whether or not by automated means) on the information or data, including organisation, adaption or alteration of the information or data; retrieving, consulting or using the information or data; disclosing the information or data by transmitting, disseminating or otherwise making it available; or aligning, combing, blocking, erasing or destroying the information or data, or rendering the data anonymous”. If you collect Personal Data, and store it (like on a mailing list), you are processing Personal Data under the Act.
  • Data Controller defined in the Act is, “any person or public authority, who, either alone or jointly or in common with other persons determines the purposes for which and the manner in which any personal data are, or are to be, processed, and where personal data are processed only for purposes for which they are required under any enactment to be processed, the person on whom the obligation to process the personal data is imposed by or under that enactment is for the purposes of this Act a Data Controller.”
  • Data Processor defined in the Act is, “in relation to personal data, means any person, other than an employee of the data controller, who processes the data on behalf of the data controller.”

Having looked at these key definitions, you should be closer to having an idea of who you are in relation to the Act, and how it might apply to you. If you are a business owner, you are mostly going to be either a Data Controller or a Data Processor, and in some cases you will also be a Data Subject. The distinguishing feature between a controller and a processor is that the Controller determines the purpose and manner in which the personal data or sensitive personal data will be processed, as opposed to the Processor, who follows the instruction of the Controller as to the processing of the Personal Data.

The customers/clients/ patients/ persons that you, as a business owner, provide goods and/or services to, would be considered Data Subjects under the law because you have in your possession personal data and/or personal sensitive data that identifies who they are. It should also be noted that your employees are also Data Subjects because of the personal data that you have in your possession that identifies them (e.g., their HR/Personnel File).


Having identified who you are under the Act, it should be highlighted that there are many limbs to compliance, starting with the requirements of Data Controllers. If you are a Data Controller – in other words, if you collect or process information of a Data Subject whether living, or dead within the last thirty years, then you are required by the Act to register with the Information Commissioner, and pay the applicable fee. Many – if not most – businesses in Jamaica will fall into this category. In addition, if you are a Data Controller that collects or processes Sensitive Personal Data – like health information, biometric data like fingerprints (including for attendance – like sometimes used in time clocks or to access secure areas), information on criminal records or religious or political beliefs – or if you collect or process Personal Data on a large scale (this is not defined in the Act), you are required to appoint a Data Protection Officer. A Data Protection Officer is an “appropriately qualified person,” who independently monitors your compliance with the Act, and reports periodically to the
Information Commissioner

You will also need to have a plan in place, including appropriate security measures (technical and organisational) with respect to collecting and processing of Personal Data, as well as a plan for what to do when and if a breach occurs, not just to assess the damage, but also to report the breach to the Information Commissioner within 72 hours of the breach. This includes but is not limited to a Data Protection Impact Assessment, Privacy by design practices and Data Protection Breach Response Plan.
Data Controllers are required to adhere to certain standards governing the collection and maintenance of Personal Data.

For example:

  • You can only collect or process personal data for one or more specified and lawful purpose, where the Data Subject has consented (and in circumstances of Sensitive Personal Data, the consent should be in writing) and has not withdrawn their consent.
  • The Personal Data you collect or process should be adequate, relevant, and limited to what is necessary for the purposes for which they are processed – in other words, don’t collect more information than you need.
  • You should ensure that the Personal Data collected or processed is accurate, and kept up to date, and it should not be kept longer than is necessary.
  • You should ensure that you use appropriate technological and organizational measures (e.g., limit the number of people who have access to the data, and make sure they are trained on how to protect data – have you ever accidentally bcc’d ) to protect against unauthorized or unlawful processing or a security breach.
  • You must ensure that you don’t transfer Personal Data to a territory/state/country outside of Jamaica UNLESS that country/territory/state has adequate protection for the rights and freedoms of Data Subjects (this is particularly important when you store information in the cloud – make sure you know the physical location of the servers on which your data is stored!).
  • And last, but definitely not least, you must make sure that the collecting and processing of Personal Data is done in accordance with the rights of Data Subjects (and collecting or processing Personal Data for the purposes of direct marketing without the consent of the Data Subject is NOT considered to comply – it is a breach of the Act).


For most – if not all – businesses in Jamaica, your preparedness for December 1, 2023 will require an operational and administrative shift, if your business has not had Data Protection as a priority before now. A start however, would be to ask yourself the following questions:

  1. How would my business be classified under the Act?
  2. What information do we collect?
  3. What information do we NEED to collect?
  4. Where do we store the information, and who has access to it? Is it secure enough?
  5. Have we gotten explicit consent from persons to collect or process their data?
  6. Are we required by the Act to appoint a Data Protection Officer?

For more information, or to schedule a free 15 minute consultation about how the Data Protection Act might apply to you, please contact us at or (876) 855-6676 and mention code ROCKDPA.



Introduction: In a first-of-its-kind ruling, a Canadian court has recognized that a “thumbs up”
emoji can be a legally binding acceptance of a contract. Yes, you heard that right – emojis now
have a place in the world of legal contracts. Welcome to the South West Terminal Ltd. v Achter
Land, 2023 SKKB 116 (CanLII) case aka, the “Canadian Emoji Case,” where a simple thumbs-
up emoji played a crucial role in determining the acceptance of a contract.

The Case Unveiled: In Saskatchewan, a farmer, Chris Achter, received a text from a grain
buyer, Kent Mickleborough, offering a contract to purchase Mr. Achter’s flax. Mickleborough
sent a photo of the contract and asked Achter to “please confirm flax contract.” In response,
Achter replied with a thumbs-up emoji. Little did he know that this seemingly innocuous gesture
would become the focal point of a legal decision that would garner international attention.
Justice T. J. Keene awarded SWT $82,200 in damages, plus interests and court costs in a
summary judgment in Swift Current on June 8.

The Changing Landscape of Communication: As technology shapes our daily lives, the
different ways in which we communicate can affect the ways that we enter into contracts. Once
upon a time, a contract was a formal document which had to be printed and signed in ink; with
the advent of email and electronic signature services, it has become much easier to enter into
written contracts – so it has become increasingly important to communicate clearly and
deliberately to avoid misunderstandings. The recent ruling by the Canadian court acknowledges
the growing influence of emojis in modern communication methods. Emojis have become a
concise and expressive language, with the power to convey intent and acceptance in
contractual relationships. This new landscape requires us to adapt to the changing ways in
which agreements are formed.

Decoding the Elements of a Contract: To understand the court’s decision, we must examine
the essential components of a valid common law contract: offer, acceptance, and consideration.
In the “Canadian Emoji Case,” Mickleborough’s text message served as the offer for the flax
contract. Achter’s response, in the form of a thumbs-up emoji, was deemed an acceptance of
the contract’s terms. Consideration was evident in the agreed-upon price and the expectation of
flax delivery. These seemingly small symbols played a significant role in establishing a legally
binding agreement.

The Battle of Interpretation: The case sparked a battle of interpretation, with each party
offering their own perspective on the meaning behind the thumbs-up emoji. Mickleborough
argued that Achter’s response indicated his agreement to the contract’s terms, while Achter
claimed it was merely an acknowledgment of receipt. The court carefully analyzed the parties’
past interactions and concluded that Achter’s thumbs-up emoji constituted an acceptance of the

A Word of Caution: While emojis now have legal significance in contracts, caution is
necessary. Emojis can be open to interpretation and may carry different meanings for different
individuals. When engaging in business discussions via text, it is crucial to ensure clarity and
mutual understanding. Misinterpretation of emojis can lead to unexpected legal consequences.
Exercise prudence and seek clarity to avoid potential misunderstandings.

In Conclusion: Balancing Law and Modern Communication: With a common law ruling the
“Canadian Emoji Case” has thrust us into a world where a simple thumbs-up carries the weight
of acceptance of a complete contractual agreement. We must navigate this evolving landscape
carefully, particularly where corresponding by informal methods like iMessage, WhatsApp
has become the norm. Emojis have now become a part of our modern communication methods, and
it is essential to understand their legal implications. Pause before you respond, and make sure
that you are not inadvertently agreeing to something you didn’t mean to agree to. And, consult
with an experienced attorney about different procedures like email disclaimers that you can put
in place to avoid this kind of situation.

-Nathanael Amore and Sarah Hsia
Rockstone Legal

Case Citation: South West Terminal Ltd. v Achter Land, 2023 SKKB 116 (CanLII)

Disclaimer: The views expressed in this article are those of Rockstone Legal and do not
constitute legal advice.