The New Data Protection Law in the Cayman Islands

In recent years advances in technology and easy cross-border transfers of information have resulted in the increasing collection, processing and sharing of personal data. In today’s connected world, data breaches are reported almost on a daily basis. According to the World Economic Forum the annual cost of cybercrime to the global economy could rise to $500 billion.  Identity theft was the number one concern of internet users in 2017.   Failing to keep personal data safe could carry significant reputational risks and have a long-lasting impact on the success of businesses, organisations and government. Consequently, a robust standard for the use and misuse of personal information has become an absolute prerequisite, especially for large financial centres like the Cayman Islands.

In March 2017, the Data Protection Bill was tabled and passed by the legislative assembly of the Cayman Islands. The bill followed a legislative drafting exercise undertaken by a Data Protection Working Group appointed by the Cabinet, with broad representation from various industry groups and stakeholders including, amongst others, the Law Society, the Bar Association, the Chamber of Commerce, the Bankers Association, the Monetary Authority, the Information and Communications Technology Authority and the Information Commissioner’s Office/Office of the Ombudsman.

The need for a Data Protection Law (DPL) has been apparent in the Cayman Islands for a number of years. A number of the international agreements which Cayman has engaged in require a legal data protection regime. The new law embodies the call for the protection of family and private life in s.9 of the Cayman Islands Bill of Rights, which confirms the prominence of data privacy as a fundamental human right. The DPL complements the Freedom of Information Law, which was enacted in 2007, although its ambit is at the same time more specific (since the DPL applies to personal information only) and wider (since the DPL sets expectations for broadly defined processing rather than disclosure only, in both public and private sectors). Furthermore, a number of new technologies such as CCTV and radio-frequency identification (RFID) license plates were introduced locally without the benefit of a legislative framework for the protection of the personal data that are being collected and processed.

The DPL is modelled on the data protection legislation currently in effect in Jersey and the UK, based on the EU’s Data Protection Directive (95/46/EC), and updated by the more recent General Data Protection Regulation (EU/2016/679). The Cayman Islands DPL shares most principles and approaches with the EU legislation, including key definitions and basic rights of data subjects, as well as obligations of data controllers and processors. The European model is generally considered the most rigorous data privacy regime in the world. Cayman is joining other financial centres in adopting this model, and over 100 jurisdictions with data privacy legislation around the world.

The European Commission formally recognises jurisdictions with adequate protection in order to allow the free flow of personal data to and from the member states of the European Economic Area (EEA) and ‘adequacy’ countries. The Cayman Islands is expected to submit an application for ‘adequacy status’ to the Commission in order to join this network of trusted countries. A recent landmark case in the European Courts found that ‘adequate protection’ should be interpreted as offering essentially equivalent protection to that guaranteed within the EU.  ‘Adequacy’ is assessed on the basis of the rule of law, respect for human rights, applicable data protection legislation and rules, the existence and effectiveness of an enforcement body, and international commitments of the jurisdiction.

The DPL applies to all ‘data controllers’ i.e. businesses, organisations and public authorities in the Cayman Islands that control the processing of personal information in any medium. The Law returns control of the use and sharing of personal data to individuals, but also provides conditions and exemptions enabling businesses, organisations and government to continue to provide their services, for which many rely on the personal information of their clients, employees, members and others, the so-called ‘data subjects’.

At the centre of the Law are eight common-sense data protection principles, which require, among other things, that personal data must be processed fairly, for specified purposes, and subject to certain conditions. All processing must be accurate, up to date, adequate and relevant, but may not be excessive. Personal data must be protected by appropriate technical and organisational measures, and must not be kept for longer than necessary for the purpose(s) for which they were gathered. Personal data may not be transferred abroad, except to a jurisdiction with ‘adequate’ protection, as explained above.

The Law enshrines a number of important rights for data subjects, including the right to access their own personal information and be provided with certain key aspects of its source, use and distribution. This is known as a ‘subject access request’ (SAR). Where information is inaccurate, data subjects have a right to seek its rectification, blockage, erasure or destruction. Since the information belongs to the data subject in the first place, he or she has a right to demand that the processing cease, not, however, in cases where the processing results from a contractual agreement or is mandated by law. The Law also grants rights restricting direct marketing and automated decision making.

Data controllers are obliged to process data in accordance with the data protection principles, respond in a timely manner to SARs, and notify the data subject and the Ombudsman within five days after a personal data breach has occurred. Breach notification is important in the light of the heightened risks associated with undisclosed breaches for both individual customers and long-term reputational damage to the data controller.

Each of the above rights and obligations have limited exemptions relating to processing in specific circumstances, including for national security, law enforcement, health, social work, education, legal professional privilege, trusts and wills, negotiations and journalism, to name but a few.

The DPL grants significant enforcement powers to the Ombudsman, who receives and investigates complaints, and is authorised to enforce the Law in a variety of ways, including by issuing information orders, enforcement orders and monetary penalty orders, while the offences identified in the Law are tried in Court. The Office of the Ombudsman is also charged with promoting the requirements of the Law and the rights of data subjects, and to that end is developing general guidance with further practical examples.

In practical terms, when personal data is gathered the individual should be provided with a privacy notice explaining the purpose(s) for which the data is processed, and the data should not be used for any incompatible purposes. In most cases in a commercial context the first principle’s fairness conditions will be met where processing takes place in pursuance of a contract or with the freely-given, informed consent of the individuals whose data are being processed. Businesses gathering personal data will have to ask themselves if the data they collect is truly relevant to the intended purpose. For instance, would you really need to know the buyer’s date of birth to sell a pair of shoes? Depending on the risk represented by the nature of the personal data and the processing activities, various technical and organisational security measures may be appropriate, including access controls and encryption, as well as senior management engagement and staff training. The Law recognises a number of conditions and mechanisms for transferring data abroad, for instance where it is necessary for the performance of a contract between data subject and controller, or where appropriate contractual arrangements are in place between the data controller and a data processor abroad.

With the enactment of the Data Protection Law 2017, the Cayman Islands has taken an important step forward in aligning itself with the expectations of its international business partners, advancing its cybersecurity readiness, and enhancing the legal framework underpinning the digital economy.

The Cayman Islands’ Data Protection Regulations are currently being finalised and will be available for public consultation in the near future. The Data Protection Law is expected to come into effect in January 2019.

Jan Liebaers
Deputy Ombudsman (Information Rights)