Data protection ‘removes’ right to trial

Few people understand legislation proposed to protect privacy rights in Cayman, and the Data Protection Bill (2014), if passed in its current form, may end up violating other human rights, including the right to a fair trial, according to the Cayman Islands Human Rights Commission.

Commission members spent time studying the proposed legislation, which could come before the Legislative Assembly for a vote within the year, and identified a number of areas they believe could be improved or removed.

“It is envisaged that the broader community will have great difficulty in understanding, and therefore fulfilling their duties, under the revised bill should it become law,” the Human Rights Commission noted in its letter to the Cabinet office on Tuesday.

The Progressives-led administration has indicated its intention to pass a data bill during the current government fiscal year to come into line with European directives regarding protection of personal information.

According to a signed statement submitted to the Cabinet office by Human Rights Commission Acting Chairman James Austin-Smith, the commission agrees the government has an obligation “to ensure that the laws provide adequate protection against the unjustified disclosure of personal information.” However, Mr. Austin-Smith warned lawmakers against approving the bill in its current form.

He noted that the initial European [Union] Directive of 1995 on data protection and the English and Welsh Data Protection Act of 1998, upon which the Cayman Islands data protection proposal is largely based, have serious legal issues.

First, the European directive is now 20 years old and was made during the “infancy” of the Internet, at which time cloud computing and most social media websites did not exist. The EU has drafted new directives regarding data protection legislation that are anticipated to come into force sometime in 2015.

“The impact of this will be that compliance with the 1995 [EU] directive will become meaningless when the new European law takes effect,” Mr. Austin-Smith wrote. “It is clear that the revised [Data Protection] Bill will need to be redrafted once the new European law takes effect if Cayman wishes to comply with it.”

The Human Rights Commission also noted that the England-Wales version of the data protection act has been harshly criticized in the courts of those jurisdictions as “inelegant” and “cumbersome.”

“It is convoluted and complex legislation, even for lawyers,” Mr. Austin-Smith said.

Both draft Data Protection Bills in Cayman, the former 2011 version and the current revised legislation, appear to have similar characteristics.

Understanding the proposed legislation is key, particularly for those designated in the bill as “data controllers” – those responsible for handling private, personal information.

Several sections of the Data Protection Bill [2014] provide prison sentences, in some cases up to five years, for breaches of its requirements.

“Whilst this is a draconian penalty, it is not, of itself, a human rights concern, until one considers the way in which the rest of the revised bill’s provisions are drafted,” Mr. Austin-Smith writes.

Under the legislation, the Cayman Islands Information Commissioner – who is not a judge – is given the power to rule on whether a breach of data protection requirements has occurred. A person found in breach of the legislation who wishes to challenge the commissioner’s decision must go to the Grand Court by way of a judicial review application. This means engaging in the expensive and time-consuming process of court hearings and hiring lawyers.

“It also, effectively, introduces a reverse burden of proof requiring the aggrieved applicant to demonstrate that the [information] commissioner has acted contrary to the principles of lawful administrative action,” Mr. Austin-Smith said.

When anyone fails to comply with an enforcement order of the information commissioner regarding data protection, the legislation allows the commissioner to write to the Summary Court about the failure, at which time that person shall be deemed to have committed an offense.

“This is a quite extraordinary provision,” the commission’s letter states. “It effectively allows the [information] commissioner, acting as prosecutor, to certify guilt and send a person for sentencing – removing the right to a trial. This provision is fundamentally contrary to all accepted international human rights norms, various international treaties and Cayman’s own Constitution.”

The Human Rights Commission urged lawmakers to remove that last provision, under section 53 of the bill, and advocated for far more public education about the requirements of data protection prior to the law being enacted.

“The Data Protection Bill will impact community at large and, as such, it is imperative that persons understand this highly significant legislation,” Mr. Austin-Smith states.


  1. I do not hope to again open Pandora Box, but I continue to truly voice my thoughts that The Government should always protect and stand by its citizens with Laws that will provide adequate protection against disclosures of personal information. Furthermore they should not allow any outside body to force, threaten them in their rightful decisions.. It should not matter whether you are home grown or imported. Once you have Cayman status and Permanent resident that person should shelter under the same umbrella of rights.

  2. Most people forget about 2 key factors in Data Protection, Scope and Accuracy.

    We are asked for our personal data on a daily basis and it has become second nature to give such information without hesitation. What we should be protected from is companies who gather ‘extra’ data outside the scope of what they NEED to complete a transaction, often in such a manner that the consumer is not aware that the data is being gathered for ‘marketing’ purposes. The law should require companies to be explicit when information is required and when it is optional.

    For example a Bank NEEDS your address and income information but SHOULD NOT be asking about Shoe size, hobbies, music preferences and where you are thinking about taking a holiday.

    Accuracy is also often overlooked – when did you last check that a company held correct and up to date information on you – Yet that can manifest itself in subtle ways. In the US, a significant number of people are overpaying for Mortgages because data used to compile their ‘credit score’ is faulty, incomplete or out of date. The law needs provision to allow the customer to check, change or challenge the data a company holds. Much of the time paper forms are used and data can be mis-keyed when the record is stored – even those paper forms need to be disposed off carefully – putting them in the trash is not acceptable.

    Yes we should be worried that our data is not ‘stolen’ but in many cases companies sell your data – this must not happen without your consent, it should be assumed that you opt out Unless you have specifically given your permission.

Comments are closed.