Cayman caught in shadow of EU data regulation
(CNS): As repercussions from the Facebook personal data scandal continue to reverberate around the world, a new directive from the European Union could have a major impact on the bottom line for any Cayman Islands company that holds any personal data of EU citizens. The Cayman Data Protection Law, which comes into force next year, is intended to give Cayman a modern framework for protection against the misuse of individuals’ personal data. Although based on international best practice, like most laws it only legislates for the actions of people or companies within its borders.
However, the EU’s General Data Protection Regulation (GDPR), which comes into force next month to regulate the export of personal data outside the European Union, has extra-territorial effect, which means that, regardless of where it is located, any entity that holds or processes personal data on an EU subject must comply with the EU directive or face severe penalties.
So, if a company based in Cayman has any EU customers or engages in direct marketing activity there that could collect personal information, it would need to comply with the EU directive.
Demonstrating the strength of the EU’s desire to take back control of data privacy, the potential fines for being in breach of GDPR are immense at EUR 20 million or 4% of the company’s annual turnover, whichever is higher.
Under Cayman’s Data Protection Law, refusing to comply with an order would be an offence, with the data controller (the individual who determines what data is being processed and why) subject to a fine of CI$100,000 or five years in jail.
But establishing whether a company in Cayman will be subject to the provisions of GDPR is not as straightforward as simply performing an audit of clients to see if any are located in the EU.
The GDPR regulates all data being transferred out of the EU, and that could include any kind of monitoring behaviour or marketing activity, such as the collection of an email address, or even an IP address or a cookie, from a European individual who visited an international company’s website.
The EU legislation has raised some concerns in the investment fund industry, similar to Europe’s Alternative Investment Fund Managers Directive, which ushered in such a complex web of regulation for overseas managers targeting European investors that many US fund managers decided it wasn’t worth the trouble to offer services to them.
Now, US managers of Cayman funds are again examining whether they will be caught by the directive by having either a branch office or affiliate in the EU, in addition to a marketing presence. Another key issue for funds and their operators is to ensure that any processing of data delegated to their service providers, such as administrators or accountants, is being done in line with the updated requirements, both from Cayman’s lawmakers and, where relevant, the EU’s.
Where the EU directive could have a more significant impact in Cayman is in the Cayman Enterprise City Special Economic Zone, where companies have been established on special terms in sectors like technology, finance, media, biomedical and pharmaceutical, on a platform designed for global growth, which means clients, customers and targets located in the EU.
It may also be possible that companies in Cayman’s tourism industry have databases on customers from EU countries, while engaging in direct marketing activities to families in member states.
Both the EU data protection regulations and Cayman’s Data Protection Law give various rights to data subjects and a number of duties to companies processing data. One clear difference is that the EU rules go to greater length to ensure that explicit consent has been given by individuals for companies to obtain and hold their personal data.
Data security has become a huge issue, highlighted by the Ashley Madison hack and the security breaches at Yahoo and Sony, where extortion attempts nearly brought down the company. In Cayman, law firm Appleby suffered a major security breach, which it declared was theft of client data, and it is now seeking damages in the UK courts.
While the Cayman Data Protection Law calls for appropriate measures to be taken to prevent unauthorised access to data, whether that happens by cyber-attack or by accident, the GDPR requirement for data controllers to have an overall strategy for data security includes steps to mitigate the impact of a breach, restore systems following a breach and constantly evaluate security to prevent breaches taking place.
In the event of a breach, both the Cayman and EU laws require notifications to be made without undue delay: within 72 hours under the GDPR and no later than five days under Cayman’s Data Protection Law.
Appleby attorneys Peter Colgate and Kathryn Rowe said in a research note that compliance with the Cayman Data Protection Law, which is obligatory for all organisations handling personal data in the Cayman Islands, also puts you well on the way to compliance with the EU’s data regulations.
In addition to putting a plan in place for compliance with GDPR, lawyers advise undertaking a data mapping exercise to see exactly where the data that is held in an organisation comes from and ensure proper training takes place for all staff handling any personal data.
Category: Business
Anything that might lead to the abolition of ‘Facebook’ and ‘Twitter’ has to be a good thing.
This reads like it was written by someone with absolutely no experience of the way the UK’s DPA works, or more correctly doesn’t work. The fact is that both public and private sector in the UK have found so many ways to avoid releasing sensitive personal information they’re holding on you that the legislation has become almost worthless. If you want access to something fairly innocuous you’ll get it with no problems but if it’s info they shouldn’t be holding in the first place or that might prove embarrassing to them then forget it.
Cayxit
I know that it is really Cayman Finance and not our elected officials that run things in this area but it is time we did a cost benefit analysis on all of the jumping through EU hoops. Complying with EU data protection rules will cost hundreds of small Cayman businesses millions of dollars and will only benefit a few fund managers wanting to take on EU clients.
A simple solution is not to take any EU customers and if you already have some, get rid of them. Then again, that is a business decision you have to make.
The extraterritorial application of the EU Data Protection Directive is a non-tariff barrier to trade in services and is more about limiting competition from small jurisdictions than data protection. It is utter stupidity for Cayman to be forcing local small businesses to implement these EU rules for the sake of a few big finance people because as soon as we do they will come up with something else to try to keep us from competing with them.
Or maybe it’s to protect an individual’s personal information from incompetent business owners.
On the bright side, unlicensed beach chair vendors don’t require a copy of your identification to rent you a piece of the public beach so they should be protected under this new regime.
So what about when a security company was fingerprinting all the government employees in the glass house back in the 1990s? A higher up put a stop to it immediately?
EU, C.I. is compliant; go bark up the face of Facebook and others that don’t care about anything but their own interests.
Importantly, until the Brexit divorce is final, this includes all UK Citizens too.
The EU is about to find out how far its power reaches. There are many places such as China, India and the US which will have no intention of complying, and their companies will just ring fence their EU operations.
Govt going get sued left and right after it comes into effect… that is why the delay… everything in these islands revolves around the government?
Huh?