The Cayman Islands Data Protection Law, 2017 ("DPL"), which was expected to come into force in January 2019, will not come into force until September 2019. The Office of the Ombudsman has issued a Guide for Data Controllers which aims to explain how the Ombudsman will interpret certain provisions of the DPL. Businesses are therefore well-positioned to prepare.
Overview of the DPL
International financial sector businesses will find many similarities between the data protection law of the Cayman Islands and of other jurisdictions where they are active. The DPL requires a data controller to comply with eight data protection principles when processing personal data and to ensure that those principles are complied with in relation to personal data processed on the data controller's behalf. The DPL deals also with data security, data breaches and the rights of individual data subjects.
The DPL applies to personal data processed by "data controllers" and "data processors". Financial sector entities established in the Cayman Islands will generally be "data controllers", "data processors" or both. The DPL applies to processing carried out by data controllers established within the Cayman Islands. In certain cases, it applies to data controllers outside the Cayman Islands that process personal data within the Cayman Islands.
A "data controller" is the person which determines the purposes, conditions and manner in which any personal data are, or are to be, processed.
A "data processor" is any person which processes personal data on behalf of a data controller but does not include an employee of the data controller.
The term "personal data" means data relating to an identifiable living individual - referred to as a "data subject". The data subject does not need to be in the Cayman Islands.
The term "processing", in relation to data, means obtaining, recording or holding data, or carrying out any operation or set of operations on personal data.
Even those financial services businesses whose clients and counterparties are all entities will nevertheless process personal data. For example, an investment fund with an entity investor will typically process personal data of that investor's individual representatives, directors and beneficial owners.
Data controllers and data processors in practice
It is possible for the same entity to be a data controller for some purposes but a data processor for others. For example, in the context of providing typical services to clients, a service provider will often not be regarded as a "data controller" because the client entity, rather than the service provider, determines the purposes, conditions and means of the processing of personal data. However, the same service provider may be regarded as a data controller in other contexts, for example in its capacity as an employer or in complying with its own obligations.
A data controller which engages a data processor must ensure that the engagement is based on a written contract under which the data processor agrees to act only on instructions from the data controller, subject to certain exceptions, and to take appropriate measures to ensure the security of processing. In practice, data controllers will invariably wish to include a number of other important requirements to ensure that the data controller is in a position to comply with its own obligations.
Data controllers remain ultimately responsible when processing personal data. However, data processors which breach their contractual obligations may be liable for damages to the data controller.
The eight data protection principles
A data controller must comply with the following eight data protection principles, which are set out below and further expanded on in the DPL.
- Lawfulness, fairness and transparency - Personal data shall be processed fairly. In addition, personal data may be processed only if at least one of a number of conditions, discussed below, for lawful processing is met. Data subjects also have the right to be informed, as also discussed below.
- Purpose limitation - Personal data shall be obtained only for one or more specified lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Data minimisation - Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are collected or processed.
- Accuracy - Personal data shall be accurate and, where necessary, kept up to date.
- Storage limitation - Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose.
- Data subject rights - Personal data shall be processed in accordance with the rights of data subjects under the DPL.
- Integrity, confidentiality and security - Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Cross-border transfer - Personal data shall not be transferred to a country unless that country ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Conditions for lawful processing of personal data
Personal data cannot be processed unless at least one of these conditions is met.
- Consent - The data subject has given consent to the processing. In order to be valid, consent needs to meet a number of tests. Moreover, it can be withdrawn at any time, which could be problematic as a financial sector business is unlikely to be able to cease processing instantly. Often a financial sector business will be dealing with an entity client or counterparty and will not be in a position to obtain direct consent from the underlying individuals.
- Contract - The processing is necessary for the performance of a contract to which the individual data subject is a party; or the taking of steps at the request of the data subject with a view to entering into a contract. This condition does not apply to the processing of the details of an individual who is not a party to the contract.
- Legal obligation - The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract. The Ombudsman regards a "legal obligation" to refer to an obligation applicable under Cayman Islands law.
- Vital interests - The processing is necessary in order to protect the vital interests (generally understood to mean matters of life and death) of the data subject.
- Public functions - The processing is necessary for the exercise of public functions, namely the administration of justice; any functions conferred on any person by or under any enactment; any functions of the Crown or any public authority; or of any other functions of a public nature exercised in the public interest by any person.
- Legitimate interests - The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except if the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.
Pursuant to the eighth data protection principle, personal data shall not be transferred to a country unless that country ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. Financial sector businesses typically need to process personal data outside the Cayman Islands and therefore need to consider whether the other country in which data is processed ensures an adequate level of protection.
Countries regarded as ensuring an adequate level of protection
Member states of the EU (namely Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the United Kingdom) and the European Economic Area (meaning the EU member states plus Liechtenstein, Norway and Iceland), where the EU General Data Protection Regulation ("GDPR") is implemented, are regarded as ensuring an adequate level of protection.
Also, any European Commission finding that a country outside the EU does, or does not, have "adequate protection" will be determinative for the Cayman Islands. At the time of writing, the European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (limited to the Privacy Shield framework) as providing adequate protection. By implementing the DPL, the Cayman Islands is beginning the process towards achieving a positive determination.
Other countries may be assessed as ensuring an adequate level of protection
A data controller may consider other countries to have an adequate level of protection. The DPL specifies a number of criteria ("Country Criteria") to which a data controller must have regard in determining whether the level of protection in a country is adequate including, but not limited to, the law in force in that country, the international obligations of that country and any security measures taken in respect of the data in that country. As the data controller will be held accountable for its decision, and in order to obtain certainty, the data controller may wish to request a specific authorisation for the transfer from the Ombudsman as discussed below.
Transfers to which the prohibition of cross-border transfer does not apply
The DPL sets out certain transfers to which the prohibition of cross-border transfer of personal data under the eighth data protection principle does not apply as set out below.
- Consent - The data subject has consented to the transfer. The comments in relation to consent as a possible lawful basis of processing apply equally to cross-border transfer.
- Contract performance - The transfer is necessary for the performance of a contract between the data subject and the data controller or the taking of steps at the request of the data subject with a view to the data subject's entering into a contract with the data controller.
- Contract conclusion - The transfer is necessary for the conclusion of a contract between the data controller and a person other than the data subject, being a contract that is entered into at the request of the data subject, or is in the interests of the data subject; or the performance of such a contract.
- Public interest - The transfer is necessary for reasons of substantial public interest.
- Legal claim - The transfer is necessary for the purpose of, or in connection with, any legal proceedings, for the purpose of obtaining legal advice; or is otherwise necessary for the purposes of establishing, exercising or defending legal rights.
- Vital interests - The transfer is necessary in order to protect the vital interests of the data subject.
- Public register - The transfer is part of the personal data on a public register and any conditions subject to which the register is open to inspection are complied with by a person to whom the data are or may be disclosed after the transfer.
- Approved terms - The transfer is made on terms of a kind approved by the Ombudsman as ensuring adequate safeguards for the rights and freedoms of data subjects.
- Authorised transfer - The transfer has been authorised by the Ombudsman as being made in such a manner as to ensure adequate safeguards for the rights and freedoms of data subjects.
- International cooperation arrangements - The transfer is required under international cooperation arrangements between intelligence agencies to combat organised crime, terrorism or drug trafficking.
The "Consent", "Contract performance" and "Contract conclusion" transfer scenarios above are subject to the same caveats as discussed above in relation to "Consent" and "Contract" for lawful processing of personal data.
The Ombudsman has approved the following "Approved terms" as ensuring adequate safeguards:
- agreements incorporating standard contractual clauses to be published by the Ombudsman; or
- agreements which replicate the rights and obligations contained in the EU "standard contractual clauses" pursuant to the GDPR (albeit appropriately amended to reflect that cross-references to provisions of EU data protection law need to be replaced with cross-references to corresponding provisions of the DPL).
For the purposes of "Authorised transfer", the Commissioner will take into account the Country Criteria.
Rights of data subjects
The DPL sets out a number of rights of individual data subjects which are, in brief summary, as follows.
- Individuals have the right to access their own personal data and receive information about its use. To do so, individuals must make a subject access request ("SAR") in writing. A data controller has thirty days to respond to a request and cannot impose a fee to deal with a request except in exceptional circumstances. There are some limited exemptions to this right to access. Generally, however, data controllers should be prepared for the possibility that data may need to be disclosed. We have experience of SARs being used by disgruntled clients in a financial services context in other jurisdictions.
- Individuals have a right to have inaccurate personal data rectified, blocked, erased or destroyed.
- The DPL introduces a right for individuals to demand that processing cease. However, this right is not absolute.
- The DPL introduces an absolute right for individuals to demand that direct marketing cease or not begin. Direct marketing is defined as the communication, by whatever means, of any advertising, marketing, promotional or similar material, that is directed to particular individuals.
- Where a decision is made solely by automated means (without human involvement), an individual has the right to require that it be reconsidered on a different basis.
- An individual has the right to complain to the Ombudsman about any perceived violation of the DPL, and to seek compensation for damages in the courts.
Data subjects also have the right to be informed, as discussed further below.
Data privacy notice
Personal data shall not be treated as processed fairly unless the data subject has, as soon as reasonably practicable, been provided with, at a minimum, the identity of the data controller and the purpose for which the data are to be processed. However, information on certain additional points should be provided in the privacy notice as a matter of good practice and may be required on grounds of fairness, as well as reducing the likelihood of SARs.
The Ombudsman's expectation is that privacy information will be provided in the form of a privacy notice. Privacy information must be provided to individuals "as soon as reasonably practicable", which in practice means at the time personal data is gathered. For example, an investment fund will typically include the privacy notice within its subscription agreement or equivalent.
Data security, integrity and confidentiality
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. Compliance with the DPL overlaps to a significant degree with businesses' cybersecurity measures. However, there are different aspects to this principle, including:
- organisational measures, such as staff training and policy development;
- technical measures, such as physical protection of data, pseudonymisation and encryption; and
- securing ongoing availability, integrity and accessibility, for example by ensuring backups.
In circumstances where a data processor is involved, the data controller will invariably wish to take certain steps and include certain provisions within the contract to ensure compliance.
Personal data breaches
A data controller must notify the Ombudsman and the affected data subject(s) of a personal data breach without undue delay (but no longer than five days after the data controller should, with the exercise of reasonable diligence, have been aware of that breach). The notification should include specified information including but not limited to a description of the nature and consequences of the breach, the measures proposed or taken by the data controller to address it and the measures recommended to mitigate the possible adverse effects of the breach.
A "personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
It is important to have a plan dealing with how a breach would be identified and handled in practice, and to have robust breach detection, investigation and internal reporting procedures in place. No business will wish to be considering these matters for the first time when a breach actually occurs.
Internal data protection policy
Although there is no specific requirement under the DPL for a data controller to have an internal data protection policy, the Ombudsman's view is that having documented policies and processes in place will be very helpful when a data subject exercises his or her rights, when a data breach occurs, or in the event of an investigation by the Ombudsman.
The DPL contains a number of partial exemptions in relation to the following, all of which are expanded on in the DPL and Guide:
- National security
- Crime prevention and prosecution
- Government fees and duties
- Health, education or social work
- Monitoring, inspection or regulatory function
- Journalism, literature or art
- Research, history or statistics
- Information available to public by or under enactments
- Disclosures required by law or made in connection with legal proceedings
- Personal, family or household affairs
- Corporate finance
- Legal professional privilege
- Exemptions by regulations
However, the exemptions are only very limited exemptions from the DPL. Thus, even if an exemption applies, personal data is exempt only from a narrow subset of the overall provisions. The majority of the requirements in the DPL continue to apply.
The DPL provides a detailed framework for complaints to the Ombudsman and the Ombudsman's power to investigate and make information orders, enforcement orders and monetary penalty orders. The DPL also provides for a number of offences and fines. Where an offence under the DPL has been committed by an entity, a director, member, secretary or similar officer of that entity may also be regarded as having committed that offence.
Cayman Islands entities may wish to consider the following steps:
- Consider whether, and in what circumstances, the business will be considered a data controller or data processor under the DPL and the extent of any exemptions that may apply.
- Conduct an analysis of how and when personal data is currently processed.
- Consider what lawful basis of processing can be used for the processing of personal data.
- Consider what "adequate safeguards" can be relied upon if data is processed outside the Cayman Islands.
- To the extent necessary, prepare, review and update documents (for example, client agreements, agreements with service providers, offering and transactional documents and employment contracts).
- Prepare a privacy notice.
- Prepare or update an internal data protection policy.
- Establish and maintain a plan to deal with a potential data breach.
- Ensure procedures are in place to allow staff to recognise and promptly respond to a subject access request and react to a data breach.
- Train relevant staff.
This advisory provides an overview of the DPL. In addition to the DPL itself, it is necessary to consider the potential extra-territorial effect of the EU General Data Protection Regulation. The application of data protection requirements will need to be considered on a case-by-case basis. Walkers' Regulatory & Risk Advisory practice group comprises a team of dedicated specialist lawyers who will be happy to advise on all aspects of data protection requirements, as well as reviewing and preparing privacy notices, data protection policies and agreements with processors.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.