At an unspecified date in 2019, the Cayman Islands will introduce far stricter privacy protection rules affecting every business that processes customers’ or clients’ personal information.
The Data Protection Law was approved in the 11th hour of the previous government administration. The legislation and accompanying regulations will have major implications for local businesses and international firms in Cayman. The law is seen as a boon to the financial services industry, which is keen to access European markets – most of which have been operating under data protection laws since the mid-1990s.
Acting Information Commissioner Jan Liebaers, who is responsible for the training program leading up to the law’s implementation and for enforcement of the law once it goes into effect, said all of the specifics of the data protection regulations have not been worked out yet. That will be the main task of the data protection working group, which Liebaers leads, for the next 18 months.
The Data Protection Law applies to everyone in the Cayman Islands, public and private sector alike. It also applies to a number of entities outside the Cayman Islands that have certain data processing functions in the jurisdiction.
“No country wants to export information to another country if it … doesn’t know what the rules are [for data processing] in that country,” Liebaers said. “[The legislation] has an impact on so many different levels and contexts … an impact on education, health, finance, tourism, churches, strata, sports organizations … any of those are very likely to be ‘data controllers’ under the Data Protection Law.”
Those data controllers are given the responsibility of using an individual’s records “fairly,” processing that information only for the legal purpose for which it was provided. For instance, a bank teller giving out details of a person’s accounts to a third party, or an accounts receivable clerk leaving records of personal information out in a space where they can be viewed by other individuals, could land their employer – the “data controller” – in trouble under the new law.
Cybersecurity is vital to anyone receiving or processing a customer’s information online and becomes even more critical with initiatives such as e-government that Cayman is now moving toward, Liebaers said. He said a number of entities would probably have to look at basic encryption methods for data kept on computers and flash drives.
Compliance with the law can be particularly important in instances of data breaches that are largely beyond the control of the company or entity involved, according to Maples attorney Martin Livingston.
“The law requires that a data controller has appropriate organizational and technical safeguards to ensure that there is no unauthorized use of personal data, or loss, damage or destruction of personal data,” Mr. Livingston said. “Therefore, [a company] will have a duty to implement such safeguards.
“Any liability for a hacking would therefore presumably depend on the extent to which the company has complied with such a duty and is able to demonstrate steps taken for the purposes of such compliance. It should also be noted that there is a duty to report any personal data breaches and what steps have been taken to mitigate against the adverse effects of the same.”
The law sets punitive measures for those who mishandle data, but protections have also been inserted for companies or public entities to allow them to make representations in their own defense to the information commissioner/data protection commissioner. Violations of the data protection requirements can draw up to $250,000 in fines, according to the law.
The legislation raises concerns, not only in the protection of business or public sector data, but in the publication of those records if they are disclosed.
One example where data protection laws could have been invoked – if they existed at the time – involves the April 2016 leak of thousands of documents held by Panamanian law firm Mossack Fonseca, excerpts of which were published in various news media around the world. Panama does not have data protection legislation.
Liebaers said the “leak” of those records would likely be punishable under the Cayman Islands version of the law, if it happened here, but he declined to speculate about whether the journalists who reported the data would be taken to task.
The Cayman legislation creates, for the first time, a formal complaints process that can be used against news organizations, as well as against other public and private entities that process personal information. Complaints of data misuses or violations would first go to the newly created ombudsman’s office and, on appeal, to the Grand Court.
However, the law also sets out a number of exemptions from its application, including national security, police and court matters and certain functions of the Crown. Included among those is a “special purpose” exemption for the sake of journalism, literature or art. That means certain requirements under the Data Protection Law, such as turning over someone’s personal records kept by the organization or person that holds them, would not apply to journalists or artists.
There are some caveats to that exception. The person or organization processing the personal data must ensure that task is “undertaken with a view to the publication by a person of any journalistic, literary or artistic material.”
Also, the person or organization processing the information must “reasonably believe” that publication of the matter would be in the public interest and that compliance with data protection legislation is “incompatible” with the special purpose exemption.
A working group consisting of both private sector leaders and government employees will review the law to help draw up plans to implement the paradigm shift in local privacy protection.
The seven-member working group, chaired by Liebaers, will include local attorneys Peter Broadhurst, Tim Dawson and Peter Colegate, as well as Cabinet Office staffers Nadira Lord and Garfield Ellison, and Paul Morgan of OfReg, Cayman’s utilities and commodities regulator.
“In the course of drafting the regulations, the working group will likely consult with a wide variety of stakeholders, and we are also anticipating a general public consultation, subject to approval by the Cabinet,” Liebaers said. “This is an important initiative that will protect the privacy rights of individuals and bring Cayman in line with its international business competitors.”
Liebaers said Cayman businesses should start preparing now for the advent of data protection, but noted that many of the larger financial firms and law firms are already quite familiar with the concept and adhere to international best practices. However, many smaller, locally operating companies may be unfamiliar with or entirely unaware of what is required.
Mr. Liebaers said he hopes the legal changes will generally be viewed as positive.
“We’re at a point where … either individuals, by means of good laws and regulations, are going to retain some control over their personal information, or that control is going to be entirely lost and be entirely in the hands of private business and big government,” he said.
Driving the data protection project has been a behind-the-scenes push by the territory’s financial services sector to obtain “adequacy status” – as determined by the European Commission – for personal records.
In the EU, businesses or government are allowed to export personal data only to a country that provides adequate protection of that data. Without obtaining adequacy status, multinational companies that want to do business with European entities – which in financial services terms generally involves customers’ sensitive financial and personal details – must either create legally binding corporate rules or potentially be shut out.
The issue has obvious ramifications for the future of the financial services industry here, which has been seeking inroads to European markets for a number of years. Once data protection is implemented, a group of EU regulators known as the “Article 29 working group” would have to come to Cayman and review its data protection processes, write a report to the European Commission and state whether the territory has adequate privacy protections.
The adequacy status requirement has been the subject of some legal battles between the U.S. and Europe in recent years, and many countries outside the EU do not maintain that status, including the U.S., China and India.
All three British Crown dependencies, Guernsey, Jersey and the Isle of Man, have EU adequacy status with regard to privacy protection. None of the British overseas territories has enacted similar legislation, although both Cayman and Bermuda are expected to implement their own versions of the legislation before the decade ends.