The issue of personal data protection took center stage in Washington D.C. this week as Facebook founder Mark Zuckerberg tried to explain to Congress how information belonging to 87 million social media users was improperly shared with a company now accused of attempting to influence U.S. elections via the use of some of that data.
Meanwhile, in Cayman, the same general privacy protection matters appear to be receiving little public attention following last year’s hastily passed Data Protection Law and the accompanying regulations, which are now out for public comment through the end of this month.
The Cayman Islands Data Protection Law is due to come into force in early 2019, applying to both local and internationally operating firms as well as the government itself.
The substance of the data protection issue was summarized during Tuesday’s question-and-answer session with Mr. Zuckerberg on Capitol Hill.
Senator Richard Durbin of Illinois asked: “Mr. Zuckerberg, would you be comfortable sharing with us the name of the hotel you stayed in last night?”
“No,” Mr. Zuckerberg answered.
“If you messaged anybody this week, would you share with us the names of the people you’ve messaged?” Senator Durbin asked.
“I would probably not choose to do that publicly, here,” Mr. Zuckerberg replied.
“That may be what this is all about: your right to privacy,” Senator Durbin said. “The limits of your right to privacy and how much you give away … in the name of, quote, ‘connecting people around the world.’ What information [is] Facebook collecting, who they’re sending it to and whether they ever asked me, in advance, my permission to do that.”
The Cayman Islands Cabinet has proposed a start date of January 2019 for strict privacy protection rules that will affect every private and public sector entity involved in processing someone’s personal information. It will be Cayman’s first attempt at a law to protect personal data.
A “working group” consisting of both private sector leaders and government employees is reviewing the legislation to help draw up plans to implement the paradigm shift in local privacy protection. The group, chaired by Deputy Ombudsman Jan Liebaers, includes local attorneys Peter Broadhurst, Tim Dawson and Peter Colegate, as well as Cabinet Office staffers Nadira Lord and Garfield Ellison, and Paul Morgan of OfReg, Cayman’s utilities and commodities regulator.
The group has produced draft regulations to accompany the law that further set out how individuals can access and monitor their own personal information held by public agencies, as well as data held by private sector vendors and other companies who require the information for business purposes. Access to a person’s data should be provided, free of charge, to that person if they request it, except in cases of repetitive or fraudulent requests.
Under the regulations, certain personal data, such as details which could cause “mental or physical harm” to the person, personal educational records and some personal health records, can be withheld from the person to whom they belong in certain circumstances.
The Data Protection Law itself sets out certain circumstances where a person’s data, held by a government agency, could not be accessed. For instance, if a police investigation is ongoing against a person, that person could not then request police to release data pertinent to that case before it goes to court.
Once the Data Protection Law takes effect, enforcement and monitoring will be the responsibility of the newly created Office of the Ombudsman.
The legislation and accompanying regulations have major implications for local businesses and international firms in Cayman, as well as for any outside entities that have data processing functions here. The law’s enactment is seen as vital to the financial services industry, which is keen to access European markets – most of which have been operating under data protection laws since the mid-1990s.
Mr. Liebaers has said that Cayman businesses should start preparing for the advent of data protection, but noted that many of the larger financial firms and law firms will already be familiar with the concept and already adhere to international best practices. However, many smaller, locally operating companies may be unfamiliar with or unaware of what is required.
Several key changes to the law were made from previous versions of the bill, most notably the exclusion of a requirement for government to maintain a register of all “data controllers” – those workers or business entities whose job it is to handle personal information.
The data controllers are given the responsibility of using an individual’s records “fairly,” processing that information only for the legal purpose for which it was provided. For instance, a bank teller giving out details of a person’s accounts to a third party, or an accounts receivable clerk leaving records containing personal information out in a space where they can be viewed by other individuals, could land their employer – the “data controller” – in trouble under the new law.
Cybersecurity is vital when conducting business online, and becomes even more critical with initiatives such as e-government that Cayman is now moving toward.
Compliance with the law can be particularly important during instances where data breaches occur.
“The law requires that a data controller has appropriate organizational and technical safeguards to ensure that there is no unauthorized use of personal data, or loss, damage or destruction of personal data,” Maples attorney Martin Livingston said, discussing the issue with the Cayman Compass last year. “Therefore, [a company] will have a duty to implement such safeguards.
“Any liability for a hacking would therefore presumably depend on the extent to which the company has complied with such a duty and is able to demonstrate steps taken for the purposes of such compliance. It should also be noted that there is a duty to report any personal data breaches and what steps have been taken to mitigate against the adverse effects of the same.”