Protect us (please) from government’s Data Protection Bill

“It is convoluted and complex legislation, even for lawyers,” declared James Austin-Smith, who is an attorney and head of the Cayman Islands Human Rights Commission.

Say no more: Whatever “it” is, we’re against it.

The complexity of the proposed Data Protection Bill, as examined by Mr. Austin-Smith’s commission, constitutes only one reason for our opposition to the legislation. In addition to being inscrutable, it is burdensome to businesses, likely impossible to enforce and, if that weren’t enough, potentially threatening to civil liberties such as freedom of speech.

The current draft of the bill is so complicated that it is beyond the ready comprehension of most ordinary folks expected to comply with it. Those who do wish to understand it, particularly Cayman business owners, will purchase that knowledge through fees for lawyers, costs of changing internal office practices, increased risks of prosecution for inadvertent errors and, for many, higher payroll expenses associated with the new mandated position of data controller. (If you think the National Conservation Law is bad, at least it doesn’t force every company to employ a conservation officer.)

The less scrupulous members of the business community, who either do not care about or will not pay for complying with this opaque law, will simply add “data protection” to their lists of things to ignore, alongside pensions, healthcare and licensing requirements — their unchecked disregard of onerous regulations giving them a practical competitive edge over their law-abiding competitors.

The soundest rationale we’ve heard for instituting data protection legislation in Cayman is to comply with European directives and international standards, in order to make our financial services industry more attractive. By itself, however, that is not sound enough to warrant passage of this bill (or any law, for that matter) that has such a disproportionately negative impact on the country as a whole, for the sake of one specific sector, in the absence of significant, obvious and demonstrable need — accompanied by a detailed cost-benefit analysis that quantifies, and justifies, the associated expenses.

Summarizing some of the complaints about the data protection legislation (and its predecessor) that have been made by the Human Rights Commission and others, including the Chamber of Commerce, passing the bill into law would result in the following:

Increased compliance costs for all businesses
in Cayman
Potentially lead to government’s determination of who is, and who isn’t, an “official” journalist or artist
Place a heavy evidentiary and financial burden on those merely accused by the Information Commissioner of breaking the law

Create an entirely new layer of government bureaucracy at a time when our focus should be on reducing the size and expense of the public sector.

But because Cayman’s draft bill is based on European and U.K. legislation that dates back to the 1990s (the relative Stone Age of the Internet), passing it into law will likely not put Cayman into compliance with the relevant European and international standards at all, anyway.

Rather than following their plan of shoehorning this bad bill through the Legislative Assembly within the year, the Progressives-led government would be wise to wait to proceed until the EU begins to enforce its new, updated directives on data protection legislation, perhaps sometime in 2015.

They might be wiser still to drop the whole scheme altogether.

Support local journalism. Subscribe to the all-access pass for the Cayman Compass.

Subscribe now


  1. I’ve worked extensively with the UK’s DPA and these are the basics of it –

    1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless

    (a) at least one of the conditions in Schedule 2 is met, and

    (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

    2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

    3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

    4. Personal data shall be accurate and, where necessary, kept up to date.

    5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

    6. Personal data shall be processed in accordance with the rights of data subjects under this Act.

    7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

    8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

    The most important aspect of it is that the law gives individuals access to a wide range of records containing personal information that were secret before DPA came into force.

    As a few examples – you can now access your credit history and your workplace personnel files. You can also access material relating to things like job applications (including references supplied by previous employers and even notes made during interviews) and your health records.

    In addition DPA restricts the transfer of personal data without your knowledge and/or consent and protects you from the unlicensed and/or unauthorised collection and retention of personal data.

    As a very simple example of the first point above, if you bulk send emails to a group of unconnected people you must use Bcc to protect the email addresses of other recipients. CCing the emails so that all recipients can see all the email addresses is a breach of DPA.

    As the saying goes – It’s not rocket science – so I don’t really understand why this is being made so complicated.

  2. Any ones that signs any bills shall understand and agree to every lines of the bill in question. If not perform this way on every bill, then please delete all mentions of the word honorable in politics. Honorable persons goes to great lengths and sacrifices in protecting and representing all of us. Those persons can sign for me.

  3. Well said David.

    The problem is not with the concept of the Bill – It is with the excess legal and government input – a lot will be the result of the government adding clauses and exemptions so that government departments can work to a lower standard.

    What is needed is something small and simple which lets people know what they should do. Think of the way the ‘highway code’ works with the traffic regulations.