The Cybercrime Bill 2024 in Barbados has raised deep concerns across society, leading to the formation of a Joint Select Committee (JSC) by the government to evaluate whether the Bill, as currently written, could infringe on citizens' freedoms, particularly freedom of expression and privacy. The Committee reviewed both oral and written submissions from a range of stakeholders, including civil society organizations, legal experts, and the Barbados Bar Association. The overwhelming feedback highlighted issues with the Bill’s vague definitions, broad enforcement powers, and severe penalties.

Main Concerns Raised by Stakeholders

Vague Language and Broad Definitions
A critical concern is the Bill’s use of broad and subjective terms, which many argue opens the door to arbitrary enforcement. Despite the JSC’s revision to remove some terms, such as “embarrassment,” the Bill still includes provisions that allow penalties based on causing “humiliation,” “intimidation,” “anxiety,” or “substantial emotional distress.” This subjective language creates ambiguity around what might constitute a criminal offense, potentially criminalizing a wide range of expressions online.

The continued inclusion of criminal defamation in the Bill is particularly contentious. The submissions to the JSC by the Office of the Director of Public Prosecutions (DPP) and the Barbados Bar Association expressed serious concerns about this provision, arguing that it is outdated and poses a risk to freedom of expression. Criminal defamation laws have been criticized globally for suppressing free speech and are often misused against journalists, bloggers, and other public commentators. The United Nations and the European Court of Human Rights have condemned such laws as unjust and a violation of human rights, suggesting that defamation cases be handled as civil matters rather than criminal offenses.

Increased Penalties and Potential Intimidation
The Committee’s response to concerns about the penalties was unexpected: rather than lowering fines and prison terms, it increased the maximum fine from $70,000 to $100,000 and extended possible prison terms from 7 to 10 years. These penalties are seen as disproportionately harsh for a range of online offenses that may be subjective in nature, potentially creating an atmosphere of fear around online expression. Critics argue that the severe fines and prison terms could have the effect of deterring citizens from exercising their right to free speech for fear of legal repercussions.

Broad Enforcement Powers for Law Enforcement
The Bill grants sweeping powers to law enforcement agencies, raising concerns about the protection of citizens’ digital privacy and the potential for abuse. Key sections, such as Part III, 23 (1-6) on Search and Seizure, enable authorities to seize devices and access data, including sensitive personal information, under vague conditions. Additionally, Part III, 28 (1-3) on Data Preservation requires individuals to assist law enforcement in data collection for criminal proceedings, which may infringe on personal privacy rights and lacks adequate oversight.

Critics argue that these provisions could lead to excessive surveillance and potential abuse if law enforcement does not have clear and stringent guidelines. The Bill does not include robust safeguards to prevent misuse, such as requiring judicial oversight or transparent reporting on how data is accessed, retained, or shared. This concern is amplified by a history of data breaches in government agencies, which has eroded public trust in the state’s ability to securely handle personal information.

Issues Specific to Malicious Communications and Cyberbullying Provisions
The Malicious Communications (Part II, 19(3)) and Cyberbullying (Part II, 20(1)) sections have drawn significant criticism for their broad language and high penalties. Malicious Communications criminalizes the distribution of any content that is false and causes or is likely to cause “humiliation” or “injury.” This provision could be used to punish individuals for online commentary that might be critical but not necessarily harmful or defamatory. Legal experts warn that such broad definitions are vulnerable to misuse, potentially silencing voices critical of government or influential individuals.

Similarly, the Cyberbullying section includes language that could criminalize a wide range of online activities that cause “humiliation,” “intimidation,” “anxiety,” or “substantial emotional distress.” Critics argue that these terms lack clear definitions, making it difficult to distinguish between harmful cyberbullying and general online interactions. In contrast, international cyberbullying laws tend to focus primarily on specific, objectively harmful behaviors such as direct threats, hate speech, or harassment. The inclusion of vague emotional terms raises concerns about subjective enforcement, which may lead to inconsistent or unfair penalties.

The Cybercrime Bill’s Disregard for Restorative Justice for Youth
The Bill’s provisions on cyberbullying are particularly worrisome in relation to youth offenders. Adolescents are among the highest users of social media, and their online behaviors are often characterized by risk-taking and impulsivity. The Bill’s strict penalties—up to $100,000 in fines and 10 years of imprisonment—are deemed excessive for young individuals who may lack full awareness of the consequences of their actions. Critics argue that instead of punitive measures, the Bill should prioritize restorative justice approaches, which focus on educating young offenders, helping them understand the impact of their actions, and providing opportunities for rehabilitation.

Lack of Provisions for Identity Theft and Child Protection
The Bill has been criticized for its lack of specific provisions to address identity theft and child protection. While it focuses on asset protection, it does not directly address the personal impact of identity theft, such as financial or emotional harm. The absence of cross-references to the new Child Protection Act also leaves gaps in safeguarding minors from cyber-related abuse.

International Scrutiny and Recommendations
The Loyal Opposition, a collection of concerned citizens and civil society organizations, applied for a hearing before the Inter-American Commission on Human Rights (IACHR), emphasizing the Bill’s potential to infringe on basic human rights. During the November 11, 2024 hearing, IACHR President Edgar Stuardo Ralón Orellana underscored the need for the Barbados government to balance national security with the protection of individual freedoms, such as freedom of expression and thought. He also urged the government to clarify ambiguous language within the Bill and to ensure the legislative process reflects democratic principles. The IACHR’s willingness to assist in refining the Bill highlights the international significance of these concerns, placing pressure on the Barbados government to consider human rights standards.

Overreach in Criminalization of Actions and Lack of Cybersecurity Expertise
The Bill’s Part II, 5 (1-3) on Unauthorized Access and Modification of Data criminalizes actions that may involve modern uses of software or data processing, potentially penalizing cybersecurity professionals, researchers, or activists who work in the public interest. The broad language of the Illegal Access section may inadvertently criminalize beneficial activities, such as security testing, if law enforcement lacks the expertise to discern between legal and illegal actions.

This lack of expertise is further concerning given the historical failures of government agencies to protect public data, demonstrated by several high-profile data breaches in recent years:

Electoral Office Data Leak (2021): Personal data of over 264,000 Barbadians was exposed online, creating risks of financial fraud and identity theft.
Queen Elizabeth Hospital Breach (2022): A cybersecurity breach disrupted critical healthcare services.
IDB Pre-Test Controversy (2023): A school-administered test gathered intrusive personal information from students without parental consent, sparking ethical concerns.
Barbados Revenue Authority Breach (2024): Sensitive personal and corporate data was stolen and offered for sale online.
These incidents reveal a lack of technical capacity within government agencies to safeguard data, raising doubts about their ability to implement and enforce the Cybercrime Bill responsibly.

Conclusion and Calls for Action
The Cybercrime Bill 2024 has been widely criticized for its lack of clarity, excessive penalties, and broad enforcement powers. The Barbados Bar Association, civil society, and the IACHR have called for significant revisions to the Bill to better align it with democratic values, human rights, and international standards. The primary recommendations include:

Clarify Definitions: Remove ambiguous language to ensure offenses are clearly defined.
Safeguard Free Expression: Avoid criminalizing expressions that fall within the realm of free speech.
Implement Proportionate Penalties: Reduce excessive fines and prison terms.
Introduce Oversight and Transparency: Establish mechanisms to monitor and report on law enforcement’s use of powers.
Focus on Restorative Justice for Youth: Offer educational and rehabilitative measures rather than punitive penalties for young offenders.

By addressing these areas, the government can create a balanced approach to cybersecurity that protects both national security and individual freedoms. However, if the Bill is passed without substantial revisions, it may face serious challenges, both legally within Barbados and in terms of international scrutiny, for failing to uphold human rights principles.