Within the next two years, the Cayman Islands will introduce far stricter privacy protection rules affecting every business that processes customers’ or clients’ personal information.
The Data Protection Law was approved in a heavily amended form during the waning hours of the last Legislative Assembly meeting held before the May 24 general election. Acting Information Commissioner Jan Liebaers, who is responsible for both the training program leading up to the law’s implementation and the enforcement of the law once it takes effect, said all of the specifics of the data protection regulations have not been worked out yet.
However, Mr. Liebaers said during an interview with the Cayman Compass Tuesday that local businesses should be taking steps now to prepare themselves for the law’s implementation.
The legislation and accompanying regulations have major implications for local businesses and international firms in Cayman. It is seen as a boon to the financial services industry here, which is keen to access European markets – most of which have been operating under data protection laws since the mid-1990s.
“No country wants to export information to another country if it … doesn’t know what the rules are [for data processing] in that country,” Mr. Liebaers said.
He said many larger financial services firms, law firms, accountancy firms and banks are very familiar with data protection requirements, but a number of other local companies likely are not. He said he hopes the legal changes will be viewed as generally positive by the Cayman business community.
“We’re at a point where … either individuals, by means of good laws and regulations, are going to retain some control over their personal information, or that control is going to be entirely lost and be entirely in the hands of private business and big government,” he said.
The Data Protection Law applies to both public and private sectors in the Cayman Islands, as well as to entities outside the islands that have certain data processing functions here.
The government has been trying to pass the legislation in one form or another since 2009.
Mr. Liebaers said several key changes to the law were made from previous versions of the bill, most notably the exclusion of a requirement for government to maintain a register of all “data controllers” – those workers or business entities whose job it is to handle personal information.
“It has an impact on so many different levels and contexts … an impact on education, health, finance, tourism, churches, strata, sports organizations … any of those are very likely to be ‘data controllers’ under the Data Protection Law,” he said.
Those data controllers are given the responsibility of using an individual’s records “fairly,” processing that information only for the legal purpose for which it was provided. For instance, a bank teller giving out details of a person’s accounts to a third party, or an accounts receivable clerk leaving records of personal information out in a space where they can be viewed by other individuals, could land their employer – the “data controller” – in trouble under the new law.
Cybersecurity is absolutely vital when conducting business online, and becomes even more critical with initiatives such as e-government that Cayman is now moving toward, Mr. Liebaers said. He said a number of entities would probably have to look at basic encryption methods for data kept on computers and flash drives.
“Those are just common sense things that I hope most businesses already apply, but now there is a legal standard for businesses to comply with,” he said. “It needs to be done up front; you can’t wait until the law is in force. That may look like a very daunting task, but we do hope to assist and have some tools available to help make that as easy as possible.”
The law sets punitive measures for those who mishandle data, but protections have also been inserted for companies or public entities to allow them to make representations in their own defense to the information commissioner/data protection commissioner. Violations of the data protection requirements can draw up to $250,000 in fines, according to the law.
Driving the data protection project has been a behind-the-scenes push by the territory’s financial services sector to obtain “adequacy status” – as determined by the European Commission – for personal records.
In the EU, businesses or government are allowed to export personal data only to a country that provides adequate protection of that data. Without obtaining adequacy status, multinational companies that want to do business with European entities – which, in financial services terms, generally involves customers’ sensitive financial and personal details – must either create legally binding corporate rules or potentially be shut out.
The issue has obvious ramifications for the future of the financial services industry here, which has been seeking inroads to European markets for a number of years. Once data protection is implemented, a group of EU regulators known as the “Article 29 working group” would have to come to Cayman and review its data protection processes, write a report to the European Commission and essentially state whether the territory has adequate privacy protections.
The adequacy status requirement has been the subject of some legal battles between the U.S. and Europe in recent years, and many countries outside the EU do not maintain that status, including the U.S., China and India.
All three British Crown dependencies, Guernsey, Jersey and the Isle of Man, have achieved EU adequacy status with regard to privacy protection. None of the British overseas territories has enacted similar legislation, although both Cayman and Bermuda are expected to implement their own versions of the legislation before the decade ends.