BRIDGETOWN, Barbados--Governments are now asking for more personal data than ever before and doing so openly, as a matter of routine policy rather than targeted investigation. The recent US proposal requiring visa-waiver travellers to disclose years of social media history, email addresses, and phone numbers is a clear example. It has prompted understandable concern, but it also reflects a longer trajectory. Governments have always balanced security duties against privacy rights. What has changed is the scale, the visibility, and the assumption that digital identity is fair game.
Privacy is not a new or optional right. It is a long-standing human right that predates the Internet, recognised in international agreements long before social media, cloud services, or automated screening systems existed. Modern privacy laws are built on the idea that personal information is part of private life, family life, and personal communication. The real question facing societies today is not whether governments should protect people and borders, but how far that protection can go before it begins to undermine trust and the very rights it claims to defend.
The new normal in
border surveillance
Under the Trump administration’s proposal, visitors from visa-waiver countries would have to disclose several years of social media activity, along with past email addresses, phone numbers, and other identifying details. This information would not be collected secretly or only when someone is under investigation. It would be required from everyone as part of routine travel approval.
What makes this moment significant is not just the volume of data being requested, but what it represents. By embedding these requirements into border policy, governments signal a move away from investigating specific threats toward assessing people in advance based on their digital footprint. Identity is no longer judged only by who someone is, but by what they have posted, shared, or interacted with online over time. Social media has crossed a line from a personal communication space into a routine tool of government surveillance, where international travel depends on handing over a significant portion of one’s digital history.
This trend extends far beyond immigration. Around the world, digital identity is increasingly treated as a security asset rather than a private part of personal life. That raises serious questions about fairness, necessity, and proportionality.
The CLOUD Act and
cross-border data access
While border policies determine what information governments ask for directly, another legal framework determines what data they can later demand from private companies. In the United States, that framework is the CLOUD Act and its reach extends well beyond American shores.
The CLOUD Act allows US authorities to require US-based technology companies to hand over data they control, even if that data is stored outside the United States. In practical terms, where the data is stored matters less than who owns or controls the service. This is especially important in a world where emails, file storage, messaging apps, and business systems are often run by US-based companies. Data belonging to non-US citizens can fall under US legal authority, even when it is hosted in another country.
The law also allows the United States to enter agreements with other countries so their law enforcement agencies can request data directly from US technology companies for serious criminal cases. This avoids slower legal processes that normally exist between governments. While some safeguards remain, the overall effect is that data can be accessed across borders more easily than before. Control over digital infrastructure now brings legal consequences that reach far beyond national boundaries.
What this means for
Caribbean businesses
For Caribbean countries and businesses, these developments create serious operational challenges. Consider a company in Barbados that fully complies with local data protection laws and stores its data in the region. That company may still find that customer information can be accessed through a foreign legal order if its service provider falls under US jurisdiction.
This risk is heightened by the Caribbean’s telecommunications structure. The region relies heavily on just two major providers, FLOW and Digicel, both of which have ownership structures that place them within reach of the US CLOUD Act. For businesses, this creates a fundamental tension: local regulators may require transparency, strict limits on data use, and protections against unauthorised access, while foreign laws may require data to be handed over without notifying the affected individuals or even the business itself.
The implications extend to everyday business decisions. When selecting cloud providers, Caribbean organisations must now consider not just price and performance, but jurisdictional exposure. Contractual obligations to clients around data confidentiality may be impossible to guarantee if underlying infrastructure falls under foreign legal authority. Due diligence on vendors must include questions about corporate ownership and data routing that would have seemed exotic a decade ago. For regulated industries financial services, healthcare, legal services, these considerations are not merely prudent but essential to compliance.
Surveillance tech
in the Caribbean
At the same time, Caribbean governments are increasingly adopting advanced surveillance technologies from foreign suppliers. These include facial recognition systems, biometric databases, and data-driven policing tools. They are often introduced to improve security or reduce crime, but frequently with limited public debate or independent oversight.
Jamaica’s deployment of Chinese-manufactured surveillance cameras across Kingston, Trinidad and Tobago’s expansion of CCTV networks with facial recognition capabilities, and Barbados’ growing use of biometric data collection at ports of entry all reflect this pattern. These systems generate vast amounts of personal data, yet the frameworks governing their use, retention, and potential sharing with foreign entities remain underdeveloped in most Caribbean jurisdictions.
The concern is not that Caribbean and US surveillance systems are equivalent; they operate at different scales and under different legal frameworks. Rather, they reflect a wider pattern: governments around the world are collecting more data, keeping it longer, and linking digital behaviour to identity, inching ever closer to something resembling a social credit model, not by design, perhaps, but by accumulation. What differs is how openly these systems are discussed and how strong the rules are that govern them.
The normalisation of
extensive data collection
Taken together, expanded data collection, cross-border legal reach, and growing surveillance capabilities point to a quiet but meaningful escalation. This escalation is not driven primarily by secrecy, but by normalisation. When extensive data collection becomes routine and administrative, the question shifts from what governments can do to what societies are prepared to accept as ordinary.
For Caribbean businesses and policymakers, this moment calls for deliberate attention. Strengthening regional data protection frameworks, building independent oversight capacity, and making informed choices about technology procurement are not luxuries; they are preconditions for maintaining meaningful control over how citizens’ data is collected, stored, and accessed. The alternative is to accept, by default, a world in which digital privacy is whatever distant legal systems and foreign technology providers choose to allow. ~Barbados Today~
