Global Data Privacy Guide
Cayman Islands (Latin America/Caribbean)
Firm: Walkers
Contributors: Lucy Frew
What is the key legislation?
The key legislation in the Cayman Islands is:
- the Confidential Information Disclosure Act 2016 ("CIDA")
- the Data Protection Act (2021 Revision) ("DPA").
Note: CIDA governs the broad duty on persons not to disclose confidential information while the DPA governs the processing of personal data and associated requirements.
Generally, CIDA is considered to codify the common law position which recognized a general equitable duty of confidentiality applicable to persons coming into possession of information in circumstances where it would be unconscionable to disclose it.
The CIDA operates on a model based on civil remedies for any breach of the duty of confidence owed by one party to another.
The DPA came into force on September 30, 2019.
The DPA requires a data controller to comply with eight data protection principles when processing personal data and to ensure, by means of a written contract, that those principles are complied with in relation to personal data processed on the data controller’s behalf. The DPA also deals with data security, data breaches and the rights of individual data subjects.
What data is protected?
"Confidential information" is protected.
Note: The definition of confidential information is as follows:
"information, arising in or brought into the Islands, concerning any property of a principal, to whom a duty of confidence is owed by the recipient".
Within that definition:
"Principal" means a person to whom a duty of confidence is owed; and
"Property" includes every present, contingent and future interest or claim, direct or indirect, legal or equitable, positive or negative, in any money, money's worth, realty or personalty, movable or immovable, rights and securities thereover and all documents and things evidencing or relating thereto.
Scope of data protected under the DPA: personal data is protected. Personal data is defined as:
"data relating to a living individual who can be identified and includes data such as:
- the living individual’s location data, online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the living individual;
- an expression of opinion about the living individual; or
- any indication of the intentions of the data controller or any other person in respect of the living individual."
Who is subject to privacy obligations?
Application of CIDA:
The CIDA applies to any person in receipt of confidential information as defined above.
Application of DPA:
The DPA applies to "data controllers", being the person who, alone or jointly with others, determines the purposes, conditions and manner in which any personal data are, or are to be, processed, and includes a local representative.
The term “processing”, in relation to data, means obtaining, recording or holding data, or carrying out any operation or set of operations on personal data.
The DPA only applies to data controllers in respect of personal data if:
- the data controller is established in the Cayman Islands and the personal data are processed in the context of that establishment; or
- the data controller is not established in the Cayman Islands but the personal data are processed in the Cayman Islands otherwise than for the purposes of the transit of the data through the Cayman Islands.
There are also obligations that data controllers must apply to data processors through contract. "Data processor" means any person who processes personal data on behalf of a data controller but, for the avoidance of doubt, does not include an employee of the data controller.
What are the principles applicable to personal data processing?
The collection of personal data is regulated under the DPA. In particular, a data controller must comply with the following eight data protection principles, which are set out below and further expanded on in the DPA:
- Lawfulness, fairness and transparency - Personal data shall be processed fairly. In addition, personal data may be processed only if at least one of a number of conditions, discussed below, for lawful processing is met. Data subjects also have the right to be informed, as also discussed below.
- Purpose limitation - Personal data shall be obtained only for one or more specified lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Data minimization - Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are collected or processed.
- Accuracy - Personal data shall be accurate and, where necessary, kept up to date.
- Storage limitation - Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose.
- Data subject rights - Personal data shall be processed in accordance with the rights of data subjects under the DPA.
- Integrity, confidentiality and security - Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Cross-border transfer - Personal data shall not be transferred to a country unless that country ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
How is the processing of personal data regulated?
Use and disclosure under the CIDA:
The CIDA lists a number of categories under which the duty to keep the information confidential can be overridden. Disclosure of confidential information does not give rise to a civil action when made:
- in compliance with evidential directions of a court;
- in the normal course of business or with the consent (express or implied) of a principal;
- to constables of the rank of Inspector or above investigating offenses alleged to have been committed within the Cayman Islands;
- in compliance with orders or search warrants;
- in compliance with orders made pursuant to the Mutual Legal Assistance (United States of America) Law (2015 Revision);
- in compliance with an order for evidence made by the Grand Court;
- to the Cayman Islands Monetary Authority ("CIMA") where the disclosure is made pursuant to the duty under the Monetary Authority Act (2020 Revision) or other local regulatory laws;
- to the Financial Reporting Authority pursuant to a duty imposed by the Proceeds of Crime Act (2020 Revision) or Terrorism Act (2018 Revision);
- to the Anti-Corruption Commission pursuant to a duty imposed by the Anti-Corruption Act (2019 Revision); and
- in accordance with or pursuant to a right or duty created by any other local law or regulation.
Adding further background to the two most common methods of disclosure:
Ordinary course of business
Disclosures made in "the ordinary and necessary routine involved in the efficient carrying out of the instructions of a principal" will not be actionable. This exception is designed to ensure that service providers (and similar) are not prevented or delayed in carrying out routine operations by the need to deal with confidentiality issues or to seek specific consent.
Consent
Disclosure may always be made with the consent of the principal. The confidentiality that exists in the information belongs to the principal, and as such is theirs to waive.
Consent from a principal is specific and individual. For example, there is no authority to disclose confidential information relating to an entire class of persons on the basis that consent has been obtained from the majority.
Additionally, there is a statutory defense in the CIDA to claims for breach of confidence in cases where there is a serious threat to the life, health or safety of a person or where there is a serious threat to the environment. The party seeking to rely on the defense must have acted in good faith and reasonably believed that the information was true and disclosed such a serious threat.
Use and disclosure under the DPA:
Personal data cannot be processed unless a relevant condition under the DPA is satisfied, that is, unless at least one of the following conditions is met:
- Consent - The data subject has given consent to the processing. In order to be valid, consent needs to meet a number of tests. Moreover, it can be withdrawn at any time;
- Contract - The processing is necessary for the performance of a contract to which the individual data subject is a party or the taking of steps at the request of the data subject with a view to entering into a contract;
- Legal obligation - The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract;
- Vital interests - The processing is necessary in order to protect the vital interests (generally understood to mean matters of life and death) of the data subject;
- Public functions - The processing is necessary for the exercise of public functions, namely the administration of justice; any functions conferred on any person by or under any enactment; any functions of the Crown or any public authority; or of any other functions of a public nature exercised in the public interest by any person; or
- Legitimate interests - The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except if the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.
How are storage, security and retention of personal data regulated?
The DPA requires that appropriate technical and organizational measures are taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. There are different aspects to this principle, including:
- organizational measures, such as staff training and policy development;
- technical measures, such as physical protection of data, pseudonymization and encryption; and
- securing ongoing availability, integrity and accessibility, for example by ensuring backups.
What are the data subjects' rights?
There are rights of access to the records of public authorities. In addition, the DPA provides individuals with a right to access their own personal data and receive information about its use.
Note: The Freedom of Information Act (2021 Revision) provides rights of access to the records of public authorities but not personal data.
Under the DPA, individuals must make a subject access request ("SAR") in writing. A data controller has thirty days to respond to a request and cannot impose a fee to deal with a request except in exceptional circumstances. There are some limited exemptions to this right to access.
Are there restrictions on cross-border data transfers?
There are no provisions regarding the extra-territorial effect under the CIDA.
The eighth data protection principle of the DPA ("DPP8") provides that personal data must not be transferred to a country unless that country ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Note:
CIDA
The likely practical effect of the CIDA is limited to information that is either held within the Cayman Islands or held overseas by entities that maintain a physical presence within the Cayman Islands.
Once confidential information is passed to a third party located outside of the Cayman Islands, it is likely the CIDA will cease to apply to that third party and the information will then be held subject to the confidentiality laws applicable in the recipient country.
DPA
There are a number of bases on which cross-border transfers may be considered to provide an adequate level of protection under the DPA. These include:
- member states of the EU and European Economic Area where the EU General Data Protection Regulation ("GDPR") is implemented are regarded as ensuring an adequate level of protection;
- any European Commission finding that a country outside the EU does, or does not, have “adequate protection” will be determinative for the Cayman Islands; and
- a data controller may consider other countries to have an adequate level of protection under criteria specified under the DPA.
There are also specified circumstances where the cross-border transfer restrictions under DPP8 will not apply. These are:
- Consent - The data subject has consented to the transfer.
- Contract performance - The transfer is necessary for the performance of a contract between the data subject and the data controller or the taking of steps at the request of the data subject with a view to the data subject’s entering into a contract with the data controller.
- Contract conclusion - The transfer is necessary for the conclusion of a contract between the data controller and a person other than the data subject, being a contract that is entered into at the request of the data subject, or is in the interests of the data subject; or the performance of such a contract.
- Public interest - The transfer is necessary for reasons of substantial public interest.
- Legal claim - The transfer is necessary for the purpose of, or in connection with, any legal proceedings, for the purpose of obtaining legal advice; or is otherwise necessary for the purposes of establishing, exercising or defending legal rights.
- Vital interests - The transfer is necessary in order to protect the vital interests of the data subject.
- Public register - The transfer is part of the personal data on a public register and any conditions subject to which the register is open to inspection are complied with by a person to whom the data are or may be disclosed after the transfer.
- Approved terms - The transfer is made in terms of a kind approved by the Ombudsman as ensuring adequate safeguards for the rights and freedoms of data subjects.
- Authorized transfer - The transfer has been authorized by the Ombudsman as being made in such a manner as to ensure adequate safeguards for the rights and freedoms of data subjects.
- International cooperation arrangements - The transfer is required under international cooperation arrangements between intelligence agencies to combat organized crime, terrorism or drug trafficking.
Are there any notification requirements for data breaches?
Entities licensed by CIMA should consider making a disclosure to CIMA.
All CIMA licensees are under a general duty to "conduct [their] affairs with [CIMA] in a transparent, open and honest manner always sufficiently disclosing to [CIMA] anything that [CIMA] would reasonably expect notice of."
In addition, the DPA requires that a data controller must notify the Ombudsman and the affected data subject(s) of a personal data breach without undue delay (but no longer than five days after the data controller should, with the exercise of reasonable diligence, have been aware of that breach). The notification should include specified information including but not limited to a description of the nature and consequences of the breach, the measures proposed or taken by the data controller to address it and the measures recommended to mitigate the possible adverse effects of the breach.
A “personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Who is the privacy regulator?
In respect of obligations under the DPA, the Ombudsman is the Cayman Islands regulator. The courts resolve civil disputes.
Note: The DPA provides a detailed framework for complaints to the Ombudsman and the Ombudsman’s power to investigate and make information orders, enforcement orders and monetary penalty orders. The DPA also provides for a number of offenses and fines. Where an offense under the DPA has been committed by an entity, a director, member, secretary or similar officer of that entity may also be regarded as having committed that offense.
What are the consequences of a privacy breach?
The CIDA operates on a model based on civil remedies for any breach of the duty of confidence owed by one party to another. There are no criminal penalties for breach of confidence.
The DPA provides that if the personal data breach processes are not adhered to, this is an offense liable on conviction to a fine of CI $100,000.
How is electronic marketing regulated?
Entities licensed by CIMA are subject to regulation regarding the use of the internet (including electronic marketing).
The DPA introduces an absolute right for individuals to demand that direct marketing cease or not begin. Direct marketing is defined as the communication, by whatever means, of any advertising, marketing, promotional or similar material, that is directed to particular individuals.
Note: The relevant confidentiality requirement under the CIDA is as follows:
- "Licensees should take appropriate measures to preserve the confidentiality of key information gathered over the Internet.
- Measures taken to preserve confidentiality should be commensurate with the sensitivity of the information being transmitted and/or stored in databases."
Are there any recent developments or expected reforms?
The DPA and related Data Protection Regulations, 2018 are in effect as of September 30, 2019. The Office of the Ombudsman has issued a Guide for Data Controllers which aims to explain how the Ombudsman interprets certain provisions of the DPA.