How can we strengthen privacy and digital resilience within the Kingdom in a sustainable manner? That question was central to the symposium ‘Borderless digital data and privacy’. The meeting was organized by the Personal Data Protection Supervisory Committee for Bonaire, Sint Eustatius, and Saba (CBP BES) on January 28, 2026—International Privacy Day. It became clear that data protection in the Caribbean Netherlands, Curaçao, Aruba, and Sint Maarten is an urgent administrative and constitutional issue. Delay has direct consequences for supervision, data exchange, and trust within the Kingdom.
From identity documents and civil affairs to voting and social services: more and more public tasks in the Caribbean Netherlands are being digitized and are dependent on data. This makes services more accessible and efficient, but also increases vulnerability in terms of privacy and data security. Glenn Thodé, chairman of CBP BES and former governor of Bonaire, points out the sensitivity of this in a small-scale island context: "Because everyone knows each other, people in the Caribbean Netherlands are more easily traceable. That makes careful handling of personal data crucial for trust in the government." According to him, privacy protection and cybersecurity are therefore inextricably linked and administratively relevant.
Personal data is becoming increasingly valuable and is often shared in chains or with external parties on the islands. This increases vulnerability. Roëlla Pourier, director-secretary of CBP BES, says: "Data is the new gold. Careless protection not only leads to data leaks, but above all undermines trust and legitimacy." She therefore also sees privacy as an administrative prerequisite. "Privacy and cyber resilience are not obstacles to digitization; they form the basis for the trust of citizens and entrepreneurs in a digitizing government."
"Privacy is a fundamental right," says Pourier. "Data protection is about the rules and measures that guarantee that right. In the Caribbean, fragmented rules mean that this fundamental right is not adequately protected. Treaty 108+, the GDPR, and Directive 2016/680 are necessary for secure data exchange." Thodé sees where the problem lies in practice: "Administrators often have good intentions, but these come under pressure as soon as rules conflict with the need for personal information. That is precisely when administrative discipline is needed: no requesting personal data or mentioning names in public meetings and debates, unless this is strictly necessary for a decision." According to him, it is not just about knowledge of rules and systems, but above all about attitude and behavior. "By handling personal data with care, administrators create a culture in which privacy is a natural part of professional and reliable service provision."
According to Pourier, privacy legislation is still too often seen as a restriction. "That's a shame, because the law is not a barrier, but rather provides guidance for careful digitization." In practice, CBP BES sees that organizations reflexively store everything without asking themselves whether it is really necessary. That's where "privacy by design" comes in: thinking from the outset about how to embed privacy in your organization. CBP BES makes this concrete in workshops, for example with identity documents: "A photo can also reveal sensitive characteristics. Not everything that is possible is necessary. That realization is the basis of true data security."
In the early years of CBP BES, the focus was mainly on raising awareness, and privacy was hardly a topic of discussion. "Enforcement without basic knowledge is not fair," says Pourier. Now, 12 years later, citizens and organizations are more aware of the supervisory authority. "Good supervision is shifting from control to a perspective of action: showing what is possible within the law," emphasizes Pourier. "That is an important milestone."
This increases shared responsibility for privacy: public and private organizations now cooperate voluntarily. Pourier: "After discussions with the press, local media now anonymize personal data as standard in the event of incidents." Where necessary, CBP BES also uses instruments such as penalty payments, which increases compliance. Due to increasing digitization, support remains necessary. That is why CBP BES organizes targeted, interactive workshops, which are often quickly booked up.
According to Pourier, privacy and data security are not separate IT projects but an administrative responsibility that affects the entire organization. "Managers set priorities, make choices, and shape the organizational culture," says Pourier. "Technology is developing rapidly, and risks are shifting. Those who structurally incorporate privacy and cyber resilience into their decision-making are investing in professional and reliable services and, with that, in trust."
The small scale and geopolitically vulnerable position of the Caribbean Netherlands requires a conscious balance between self-reliance and cooperation within the Kingdom, Thodé points out. "Not everything has to be solved locally. Where self-reliance is possible, there must be room for it; where capacity is lacking, solidarity is needed." By this he means structural support within the Kingdom. Pourier: “Privacy and data security do not stop at national borders. Cooperation within the Kingdom is indispensable for shaping digitization in a future-proof way.”
