The man who is to be largely responsible for the implementation of Cayman’s data protection legislation, if and when it is approved by lawmakers, has warned that the bill may not pass muster with the European Union if government moves to a combined “ombudsman” office, as is currently planned.
Acting Information Commissioner Jan Liebaers said Tuesday in an interview with the Cayman Compass that the proposed merger of his office with the complaints commissioner’s office and several other independent functions – including data protection – may cause EU regulators to balk at the arrangement and fail to award Cayman a coveted “adequacy status” for personal data protection.
According to European regulations, the entity that is supposed to handle data protection must be completely independent, and Mr. Liebaers suggests the current proposal to merge the independent offices would not provide that independence.
The Data Protection Bill, 2016, is due to come before the Legislative Assembly later this month. It’s the third time government has attempted to put in place legislation regulating specific protections of personal privacy rights and instructing private sector businesses and government entities on how they must handle personal records. The previous two attempts to pass such legislation failed to make it to the Legislative Assembly floor.
At the heart of Cayman’s continued efforts since 2009 to formulate some sort of personal data protection regime is a push by the territory’s financial services sector to obtain the “adequacy status” – as determined by the European Commission – for personal records.
“In the EU … you’re only allowed to export personal data to a country that provides adequate protection [of that data],” Information Commissioner Jan Liebaers said.
Without obtaining that adequacy status, multinational companies that wish to do business with European entities – which, in financial services terms, generally involves customers’ sensitive financial and personal details – must either create legally binding corporate rules or potentially be shut out of that business.
The issue has obvious ramifications for the future of the financial services industry here, which has been seeking inroads to European markets for a number of years.
If the Data Protection Bill is passed during the next legislative session, a group of EU regulators known as the “Article 29 working group” would have to come to Cayman and review its data protection processes, write a report to the European Commission and essentially state whether the territory has adequate privacy protections.
Mr. Liebaers said the adequacy status requirement has been the subject of some legal battles between the U.S. and Europe in recent years and that many countries outside the EU do not maintain that status, including America, China and India.
“There is still a lot of uncertainty about international data flows,” Mr. Liebaers said.
All three British Crown dependencies, Guernsey, Jersey and the Isle of Man, have achieved EU adequacy status with regard to privacy protection. None of the overseas territories have enacted similar legislation, although Mr. Liebaers said both Cayman and Bermuda have gone “far down the road” with the issue.
The Data Protection Bill, 2016, is similar to legislation approved by the European Union and the United Kingdom in the 1990s, which has been updated just recently by the EU.
It generally seeks to regulate the processing of personal data to ensure records are maintained fairly, accurately and kept from those with no right to see them. The proposal also has major implications for the territory’s Freedom of Information Law and how journalists, writers and artists can make use of personal information.
The Data Protection Bill applies to everyone in the Cayman Islands, public and private sector alike, as well as entities outside the islands that have certain data processing functions here.
Mr. Liebaers said several key changes to the proposal have been made since its last iteration, most notably that a requirement for government to maintain a register of all “data controllers” – those who handle personal information – has been dropped.
In addition, certain protections have been put in place for companies or public entities that mishandle personal data, to allow them to make representations in their own defense to the information commissioner/data protection commissioner. Violations of the data protection requirements can cost up to $250,000 in fines, according to the bill.
If the legislation is approved, its timeline for implementation is somewhat unclear. Mr. Liebaers said certain sectors of Cayman’s business community are “ready to go” with requirements contained in the legislation while others, typically smaller “mom-and-pop” operations, may find the data protection requirements to be “new to them.”
Also, the Information Commissioner’s Office will likely need additional funding and staff to put in place training and education programs prior to the onset of the law.
In all, it has been estimated the legislation could take up to two years to put into force.