Another oft-debated and much-maligned proposal – the Data Protection Bill – suddenly appeared before Cayman Islands lawmakers Wednesday, in the midst of their ongoing debate over the controversial Legal Practitioners Bill.
The data legislation, which seeks to regulate specific protections of personal privacy rights and which instructs private sector businesses and government agencies on how they must handle personal records, was put before the Legislative Assembly last April and later withdrawn.
Two previous attempts to pass data protection legislation failed to make it to the House floor, largely because of an uproar from the Cayman business community after its members eyed the cost of implementing such a plan for their operations.
Moreover, Acting Information Commissioner Jan Liebaers said last spring that the current draft of the Data Protection Bill would likely fail any European Union “adequacy test” it was measured against. This, Mr. Liebaers said, is due to a lack of independence for the government official charged with implementing and enforcing data protection.
Under the current legislation, the information commissioner would be responsible for that implementation and enforcement, but that office is proposed to be placed under the direction of a “super ombudsman” post – a person not yet appointed. The proposals creating that ombudsman position are also due to come before the Legislative Assembly in the current meeting.
Lawmakers have only eight more regular business days to conclude all proposals before the Legislative Assembly is dissolved ahead of the next general election.
On Wednesday, the Data Protection Bill was read and set down for debate later in the meeting.
East End MLA Arden McLean questioned how the measure, which had been objected to during previous public reviews, had changed since it was brought before the assembly nearly a year ago.
Attorney General Sam Bulgin said the bill had not been amended. However, Mr. Bulgin said, it was the government’s intention to propose a number of amendments in legislative committee in response to the concerns received.
Those amendments have not been made public.
A similar process is ongoing with the Legal Practitioners Bill, which was brought before the assembly in October and which reappeared during the current meeting. Close to 200 amendments were proposed for that bill.
Mr. Bulgin did not indicate how many changes were being considered for the data protection legislation.
At the heart of Cayman’s continued efforts since 2009 to formulate some sort of personal data protection regime is a push by the territory’s financial services sector to obtain “adequacy status” – as determined by the European Commission – for personal records.
“In the EU … you’re only allowed to export personal data to a country that provides adequate protection [of that data],” Mr. Liebaers said during an interview last year.
Without obtaining that adequacy status, multinational companies that wish to do business with European entities – which in financial services terms, generally involves customers’ sensitive financial and personal details – must either create legally binding corporate rules or potentially be shut out of that business.
The issue has obvious ramifications for the future of the financial services industry here, which has been seeking inroads to European markets for a number of years.
If the Data Protection Bill is approved by local lawmakers, a group of EU regulators known as the “Article 29 working group” would have to come to Cayman and review its data protection processes, write a report to the European Commission and essentially state whether the territory has adequate privacy protections.
Mr. Liebaers said the adequacy status requirement has been the subject of some legal battles between the U.S. and Europe in recent years and that many countries outside the EU do not maintain that status, including the U.S., China and India.
All three British Crown dependencies, Guernsey, Jersey and the Isle of Man have achieved EU adequacy status with regard to privacy protection. None of the British overseas territories have enacted similar legislation, although Mr. Liebaers said both Cayman and Bermuda have gone “far down the road” with the issue.
The Data Protection Bill applies to everyone in the Cayman Islands, public and private sector alike, as well as entities outside the islands that have certain data processing functions here.
Mr. Liebaers said several key changes to the proposal have been made since its last iteration in the bill presented to lawmakers in April 2016, most notably that a requirement for government to maintain a register of all “data controllers” – those who handle personal information – has been dropped.
In addition, certain protections have been put in place for companies or public entities that mishandle personal data, to allow them to make representations in their own defense to the information commissioner/data protection commissioner. Violations of the data protection requirements can cost up to $250,000 in fines, according to the bill.
If the legislation is approved, its timeline for implementation is somewhat unclear. Mr. Liebaers said certain sectors of Cayman’s business community are “ready to go” with requirements contained in the legislation while others, typically smaller “mom-and-pop” operations, may find the data protection requirements to be “new to them.”
Also, the Information Commissioner’s Office will likely need additional funding and staff to put in place training and education programs before the onset of the law.