“Privacy Doesn’t Stop at the Border,” CBP BES Symposium Calls for Kingdom-Wide Action on Data Protection

Strengthening privacy protection and digital resilience across the Kingdom of the Netherlands was the central focus of the symposium “Borderless digital data and privacy,” organized by the Commission for the Supervision of Personal Data Protection Bonaire, St. Eustatius and Saba (CBP BES) on January 28, 2026, International Privacy Day. Participants underscored that data protection in the Caribbean Netherlands, Curaçao, Aruba and St. Maarten has become an urgent governance and rule-of-law issue, with delays carrying direct consequences for oversight, data exchange, and trust within the Kingdom.

As more public services become digital across the Caribbean Netherlands, from identity documents and civil affairs to voting and social services, organizers noted that accessibility and efficiency can improve, but so do privacy and data security risks. Glenn Thodé, Chairman of CBP BES and former Island Governor of Bonaire, emphasized the sensitivity of privacy in small island communities, stating that because people often know one another, individuals can be traced more easily, making careful handling of personal data essential to public trust in government. Thodé linked privacy protection and cybersecurity as inseparable, stressing their relevance to effective public administration.

CBP BES Director-Secretary Roëlla Pourier warned that personal data is increasingly valuable and frequently shared in “chains” or with external parties, increasing vulnerabilities. She described privacy as an administrative precondition for a functioning digital government, arguing that privacy and cyber resilience are not obstacles to digitization, but the basis for citizen and business confidence in government services. Pourier added that careless protection does not only increase the risk of breaches, it can also undermine legitimacy and trust.

Pourier stressed that privacy is a fundamental right, and that data protection is the set of rules and measures that safeguard that right. She pointed to fragmented rules in the Caribbean part of the Kingdom as a core weakness, and said secure cross-border data exchange requires alignment with frameworks such as Convention 108+, the General Data Protection Regulation (GDPR), and Directive (EU) 2016/680.

Thodé said the challenge is often seen in real-world decision-making, where leaders may have good intentions but face pressure when rules conflict with demands for personal information. He called for administrative discipline, including avoiding unnecessary requests for personal data and avoiding the use of names in public meetings and debates unless strictly necessary for decision-making. Both speakers emphasized that compliance depends not only on systems and knowledge, but also on leadership attitude and organizational culture.

CBP BES also highlighted the importance of “privacy by design,” integrating privacy considerations from the start rather than treating them as a last-minute check. Pourier said privacy law is too often seen as limiting, while in practice it provides direction for careful digitization. She pointed to a recurring issue where organizations store data by default without asking whether it is truly necessary, and noted that even something as routine as a photo on an identity document can reveal sensitive characteristics. CBP BES said it translates these principles into practice through workshops and targeted guidance.

Reflecting on 12 years of CBP BES, Pourier said early work focused largely on awareness because “enforcement without basic knowledge is not fair.” She noted that over time, citizens and organizations have become more familiar with the regulator and increasingly engage with it. She described supervision as shifting from control to an “action perspective,” helping organizations understand what is possible within the law.

CBP BES said cooperation is also increasing, including voluntary steps taken by organizations. Pourier cited discussions with the press as one example, noting that local media now anonymize personal data by default when reporting incidents. Where needed, CBP BES also uses enforcement tools, including orders subject to a penalty, to drive compliance. With digitization accelerating, the regulator said demand for its interactive workshops remains high and often fills quickly.

Both speakers stressed that privacy and data security should not be treated as a standalone ICT project, but as a management responsibility that affects the entire organization. Pourier said leaders set priorities, shape culture, and make decisions that determine whether privacy and cyber resilience become routine parts of professional public service.

Thodé described the Caribbean Netherlands as small-scale and geopolitically vulnerable, requiring a deliberate balance between self-reliance and support across the Kingdom. He argued that where local capacity is insufficient, solidarity and structural support are needed. Pourier echoed the symposium’s core message: privacy and data security do not stop at national borders, and cooperation within the Kingdom is indispensable to make digitization future-proof.

‍