By Jedidiah Bracy, CIPP
The government of the Cayman Islands is currently reviewing draft legislation that, if passed, would institute a robust data protection framework. The draft legislation comes four years after the Cayman Islands enacted the Freedom of Information (FOI) Law and will soon be available for public comment.
Sponsored by Cayman Island Attorney General Samuel Bulgin, the Cayman Island Data Protection Law (DPL) proposal has been drafted by the Data Protection Working Group (DPWG)—a group of public- and private-sector representatives—and submitted to the Cayman Islands Cabinet for review.
The DPL “is modeled after the EU Data Protection Directive (95/46/EC) and on the UK’s Data Protection Act 1998,” says Deputy Information Commissioner Jan Liebaers. “It is structured more concisely than its predecessors, with consecutive parts dealing with principles, rights of data subjects, notification responsibilities of data controllers, exemptions, functions of the information commissioner and enforcement.”
The draft contains many of the same components that make up the European framework, yet, Liebaers also points out that because changes to the EU Data Protection Directive are imminent and the European Commission has voiced criticism of the UK Data Protection Act for non-compliance, “it was necessary to progressively modify the source legislation in significant ways after a careful analysis of the available literature on the subject.”
According to Liebaers, the analysis “has resulted in what we consider significant improvements” in several areas. The proposal has more “robust basic definitions” for concepts like personal data, sensitive personal data and consent. It would also extend “basic rights” to data subjects; implement data breach notification requirements for data controllers; create “clearer and more extended enforcement powers” for the information commissioner, and provide “generally, a more concise and logical structure.”
Additionally, the proposal would place the DPL under the “auspices of the existing freedom of information commissioner. “As deputy information commissioner,” notes Liebaers, “I will likely play a central role in the planning and implementation of the new law and in the enforcement once it comes into effect.”
Liebaers says the driving force behind the draft bill is to gain adequacy status from the European Commission. Attaining adequacy, he says, would not only allow more fluid data flows, but also “strengthen links between businesses in the Caymans and the EU as well as multinationals which do business in the Cayman Islands.” Fluid, strengthened links would make it “easier for EU businesses to outsource certain operations involving personal data to the Cayman Islands.”
As a major financial center, the Cayman Islands has become a destination for multinationals over the years. Liebaers did not say if there are any special financial provisions in the draft bill.
“At an earlier stage of this project,” he says, “we did a mini-consultation with various business and financial associations to seek their input. However, at that time, the response was somewhat muted.”
Liebaers is hopeful that once the draft is presented for public consultation, “all the parties concerned, including the financial industry, will take another look and formulate any concerns or observations they may have.”
Since Liebaers played a similar role in the planning and implementation of the FOI Law in 2007, he says he is interested to see the similarities and differences with the new proposed data protection legislation.
“Although the DPL will encompass both the public and private sectors, and budgets are a lot tighter these days,” says Liebaers, “in contrast to 2007 when the Information Commissioner’s Office did not yet exist, we should now be in a better position to embark on this new venture.”