Cayman Islands: Data Protection in the Financial Sector
1. Governing Texts
The Data Protection Act (2021 Revision) ('the Act') was passed in March 2017 and came into force on 30 September 2019. The Office of the Ombudsman ('the Ombudsman') is responsible for enforcing the Act.
The Act was drafted with a view towards achieving EU adequacy status in order to enable personal data to move freely between EU Member States and the Cayman Islands. Its provisions include a set of EU-style data protection principles which data controllers must adhere to, including that data must be collected in a fair and transparent manner and only be used and disclosed for purposes properly consented to by data subjects. Any personal data collected must be adequate, kept up-to-date, and should not be retained for longer than is necessary to fulfil the collection purpose.
The Act adopts similar definitions to those found in most EU data protection laws.
Personal data: Drafted widely to include any data relating to a data subject, and defined in the Act as data relating to a living individual who can be identified, including data such as:
- the living individual's location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of the living individual;
- an expression of opinion about the living individual; or
- any indication of the intentions of the data controller or any other person in respect of the living individual.
Data controller: The person who, alone or jointly with others, determines the purposes, conditions, and means of the processing of personal data. If you are not established in the Cayman Islands but you nevertheless process personal data in the Cayman Islands (for other than transit purposes) you must nominate a local representative.
Data subject: An identified living individual, or a living individual who can be identified directly or indirectly by means reasonably likely to be used by the data controller or by any other person.
Data processor: Any person who processes personal data on behalf of a data controller, excluding the data controller's employees.
Sensitive personal data: Includes data regarding the data subject's racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, medical data, sex life, commission or alleged commission of an offence, or any proceedings for any offence committed or alleged to have been committed.
Biometric data: Information relating to an individual's physical, physiological, or behavioural characteristics is not separately protected under the Act, but recommended best practice would be to treat such information as sensitive personal data.
1.2. Supervisory authorities
The supervisory authority responsible for enforcing the Act is the Ombudsman.
2. Personal and Financial Data Management
2.1. Legal basis for processing
'Processing' in relation to personal data includes obtaining, recording, holding, organising, adapting, or altering data; disclosing the data by transmission, dissemination, or otherwise making it available; and blocking, erasing, or destroying data.
Broadly, personal data can only be processed by a data controller for the purposes notified to the data subject on or before the collection of the data. Data controllers must process personal data in a secure manner.
Prior to the processing of sensitive personal data, the data controller must satisfy additional conditions, including obtaining separate consent and only using the data if it is necessary for the performance of an employment contract, protecting a data subject's vital interests, or for any legal proceedings.
Where the processing of personal data is carried out by a third-party data processor on behalf of a data controller, the Act requires that a contract be put in place between the two under which the data processor is to act only on the data controller's instructions and comply with obligations equivalent to those imposed on a data controller.
Whether the data is being processed by or on behalf of the data controller, when collecting personal data, data controllers must provide the data subject with a description of:
- the types of personal data being collected;
- the purposes for which the personal data is to be processed by or on behalf of the data controller;
- the recipients or classes of recipients to whom the personal data may be disclosed;
- any countries or territories outside the Cayman Islands to which the data controller transfers (or intends to transfer) the data; and
- the general technical and security measures in place to keep that data secure.
This information should be provided within a separate privacy notice at each point of data capture so that the data subject can make a clear and informed decision as to whether to proceed.
No separate cybersecurity legislation has been enacted in the Cayman Islands. However, in 2016 the Cayman Islands Monetary Authority ('CIMA') sent each of its licensees a notice making it clear that, going forward, the CIMA would be reviewing each licensee's approach to cybersecurity.
The Act requires that 'appropriate' technical and organisational measures be taken against unauthorised or unlawful processing of, accidental loss or destruction of, or damage to, personal data. The technical safeguards need to be appropriate to the types of personal data being processed.
Under the Act, data controllers and processors must ensure the personal data that they hold is accurate and is not kept for longer than necessary to fulfil the original collection purpose. Prescribed data retention periods are not specified in the Act, but an analysis should be undertaken to determine how long data should be kept for. Similarly, it will be important for both data controllers and data processors to evaluate how personal data can be securely purged once the purposes for holding it have been fulfilled by the organisation.
International standards of anti-money laundering and counter terrorist financing ('AML/CFT') are set by the Financial Action Task Force ('FATF'). As a member of the Caribbean FATF, the Cayman Islands implements recommendations promulgated by the FATF. All Cayman Islands-incorporated entities are subject to the Proceeds of Crime Law (2020 Revision) which sets out the principal money laundering offences. Certain 'relevant' businesses (which would include, for instance, entities caught within Cayman Islands financial services regulations and other entities thought to be at a higher risk of money laundering) are further caught within the Anti-Money Laundering Regulations (2020 Revision) which prescribe certain identification, record keeping, and internal control procedures for such businesses.
No consent is required for the processing of personal data in connection with:
- safeguarding national security;
- the prevention, detection, or investigation of a crime;
- the assessment or collection of any fees or duty in the Cayman Islands;
- monitoring, inspection, or regulatory functions connected with public safety;
- the prevention, investigation, detection, or prosecution of criminal offences or breaches of ethics for regulated professions;
- an important economic or financial interest of the Cayman Islands; or
- disclosures required by law or made in connection with legal proceedings.
There are also exemptions under the Act to allow personal data to be processed without consent for the purposes of journalism, literature, and art. There is also a general exemption for corporate finance transactions which include:
- underwriting in respect of issues of or the placing of issues of, any instrument; and
- advice to undertakings on capital structure, industrial strategy and related matters, and advice and service relating to mergers and the purchase of undertakings.
The Confidential Information Disclosure Law, 2016 (Law 23 of 2016) ('CIDL') came into effect in 2016 and was enacted to dispel the misconception that the Cayman Islands is a secrecy jurisdiction. The CIDL better reflects the principles of transparency and cooperation, which the Cayman Islands has committed to for well over a decade, including for tax information exchange and mutual legal assistance.
The CIDL sets out the different ways that confidential information can be disclosed, including:
- the codification of some of the common law exceptions to the duty of confidence;
- by compulsion under specific Cayman Islands laws; and
- seeking the court's direction for disclosure in proceedings.
Exceptions to the duty of confidence include disclosure of confidential information in the normal course of business, with the implied or express consent of the principal, where such disclosure is compelled under law to a specific authority, and upon direction of the court pursuant to an application under the CIDL.
Any breach of the common law duty of confidence gives rise to a right of remedy, including a claim for damages or an injunction.
The CIDL defines 'confidential information' as information, arising in or brought into the Cayman Islands, concerning any property of a principal to whom a duty of confidence is owed by the recipient of the information. The term duty of confidence is not defined, but will be interpreted in accordance with the common law at the time. To the extent that any confidential information also contains personal data, the use and onward disclosure of any personal data will be governed by the Act.
To the extent that any collection or processing involves personal data, the provisions of the Act will apply.
The Cayman Islands has not yet achieved adequacy status from the EU.
Transfers outside the Cayman Islands are permitted, but personal data must not be transferred to a country or territory that does not ensure an adequate protection level for processing personal data.
Where the recipient country or territory cannot demonstrate an adequate level of protection, contracts or Binding Corporate Rules can be put in place to control data transfers with third-party processors, or between members of the same group of companies. The Act also sets out a number of exemptions from the transfer restrictions, for example where the data subject's consent to the transfer has been obtained, the transfer is in the public interest, or the Ombudsman has authorised the transfer.
In the event of a personal data breach, the data controller must, without undue delay and no more than five days after the data controller becomes aware of the breach, notify the Ombudsman and any affected data subjects, describing the:
- nature of the breach;
- consequences of the breach;
- measures proposed or taken by the data controller to address the breach; and
- measures the data subject may take to mitigate possible adverse effects caused by the breach, as recommended by the data controller.
A data controller who fails to notify a breach is deemed to have committed an offence and is liable on conviction to a KYD 100,000 (approx. €106,770) fine.
In November 2020, the CIMA introduced a new cybersecurity requirement for all entities regulated by the CIMA, including, among others, those entities under the Banks and Trust Companies Law (2018 Revision), the Insurance Law (Law 32 of 2010), the Mutual Funds Law (2019 Revision), the Securities Investment Business Law (2019 Revision), and the Building Societies Law (2014 Revision).
Regulated entities must demonstrate that data protection is part of their strategy and that their cybersecurity framework takes into consideration the provisions of the Act. A regulated entity's cybersecurity policies and procedures are expected to be documented and subjected to internal audit or assessment. An accompanying statement provides guidance on risk identification and assessment, risk monitoring and reporting, incident response, containment and recovery, use of the internet, employee training and awareness, outsourcing arrangements, and data protection.
Also in 2020, the Cayman Islands introduced the Virtual Assets (Service Providers) Act 2020 ('the VASP Act'). The VASP Act derives its provisions from recommendations made by the FATF and provides for the regulation of virtual asset businesses and for the registration and licensing of persons who are providing 'virtual asset services'.
Virtual asset services are defined as the issuance of virtual assets or the business of providing one or more of the following services or operations for or on behalf of a natural or legal person or legal arrangement:
- exchange between virtual assets and fiat currencies;
- exchange between one or more other forms of convertible virtual assets;
- transfer of virtual assets;
- virtual asset custody service; or
- participation in, and provision of, financial services related to a virtual asset issuance or the sale of a virtual asset.
The regulatory framework for the VASP Act is now being implemented in two phases. Phase one focuses on AML/CFT compliance, supervision, and enforcement, and other key areas of risk including data protection and cybersecurity. Under phase one, entities already providing VASP services in the Cayman Islands or looking to provide VASP services after 1 February 2021 were required to register with the CIMA by 31 January 2021. Details on the implementation of phase two of the VASP Act are still awaited.
The Ombudsman is responsible for overseeing the Act and can issue guidance as to compliance requirements, investigate complaints of breaches of the Act, and initiate its own investigations. Enforcement under the Act is generally administrative and consultative in nature, but criminal sanctions are also available.
Data controllers are not required to register with the Ombudsman or any other authorities and while it is considered best practice to appoint a separate data protection officer, this is not a mandatory requirement.
Refusal or failure to comply with an order issued by the Ombudsman is an offence.
The data controller is liable on conviction to a fine of KYD 100,000 (approx. €106,770), or imprisonment for up to five years, or both.
The Ombudsman may also issue a monetary penalty order of up to KYD 250,000 (approx. €266,960), payable by the data controller.
Importantly, the Ombudsman also has the right to 'name and shame' data controllers found in breach of the Act.
Where an offence has been committed by a body corporate, a director, company secretary, or similar officer, these individuals could be held liable.
Any breach of the common law duty of confidence will give rise to a right of remedy, including a claim for damages or an injunction.
11. Additional Areas of Interest
Data subjects are entitled to request that any inaccurate data is corrected and to access their personal data and any information available regarding the source of that personal data. The data access request must be made in writing to the data controller, who is entitled to charge a reasonable fee for responding. Following receipt of the written request and fee, the data controller is required to respond within 30 days. The data controller can request a further period of time to respond to the request, provided that this request is notified to the data subject within the initial 30-day period.
While there is no requirement under the Act to disclose the document which holds the personal data, the requested information needs to be provided to the data subject in an intelligible form.
The Act recognises a number of exemptions from the right to access, including:
- data to which legal professional privilege applies; and
- data relating to any structure or arrangement that is an 'ordinary trust'.
Under the Act, direct marketing means the communication, by whatever means, of any advertising, marketing, promotional, or similar material, that is directed to particular individuals. Prior express consent is not required, but data subjects have the right to unsubscribe from receiving direct marketing materials at any time.
Peter Colegate, Partner
Appleby, Grand Cayman