Data protection legislation put off until fall

Cayman Islands lawmakers will try for a fourth time to enact data protection legislation – aimed at protecting the privacy of personal information – with an amendment bill scheduled to be brought before parliament in September.

Acting Information Commissioner Jan Liebaers
Acting Information Commissioner Jan Liebaers

The legislation is part of a package of legal changes the Progressives-led administration is contemplating in order to fall in line with European directives related to privacy protection and tax information exchange, the government said Wednesday in a statement issued from London.

The Data Protection Bill was expected to come before the Legislative Assembly for a vote during a meeting that ended last week, but lawmakers were called away for Thursday’s Anti-Corruption Summit hosted by U.K. Prime Minister David Cameron.

Premier Alden McLaughlin said the data protection proposal put into effect in the European Union in recent weeks had raised some concerns with the local financial services industry, which was still in the process of reviewing the bill during the recent assembly meeting.

“Acknowledging privacy as a basic human right, in September new data protection legislation will … be introduced that is on par with what is in place in the European Union,” the government statement Wednesday read.

Acting Information Commissioner Jan Liebaers, who has assisted in drafting the data protection plan since its inception in Cayman some seven years ago, said Tuesday that he was uncertain what concerns the financial services industry may have expressed about the bill in its current form. However, Mr. Liebaers said it appears the legislation will comply will all EU requirements.

One area of concern for Mr. Liebaers has been the position of the information commissioner’s office as overseer and enforcer of data protection requirements. In order to obtain EU “adequacy status” for such legislation, the information commissioner said that office must be seen by EU officials as “completely independent.”

The Progressives-led government has proposed placing the information commissioner’s office under a “super-ombudsman” with oversight of several other government watchdog posts.
“In the EU … you’re only allowed to export personal data to a country that provides adequate protection [of that data],” Mr. Liebaers said.

Without obtaining that adequacy status, multinational companies that wish to do business with European entities – which in financial services terms, generally involves customers’ sensitive financial and personal details – must either create legally binding corporate rules or potentially be shut out of that business.

The issue has ramifications for Cayman’s financial services industry, which has been seeking inroads to European markets for a number of years.

If the Data Protection Bill is passed during the September legislative session, a group of EU regulators known as the “Article 29 working group” would have to come to Cayman and review its data protection processes, write a report to the European Commission and essentially state whether the territory has adequate privacy protections.

Mr. Liebaers said the adequacy status requirement has been the subject of some legal battles between the U.S. and Europe in recent years, and that many countries outside the EU do not maintain that status, including America, China and India.

“There is still a lot of uncertainty about international data flows,” Mr. Liebaers said.

All three British Crown dependencies, Guernsey, Jersey and the Isle of Man, have achieved EU adequacy status with regard to privacy protection. None of the overseas territories has enacted similar legislation, though Mr. Liebaers said Cayman and Bermuda have gone “far down the road” with the issue.