
Jersey: A comparison between the GDPR and the Jersey Data Protection Law

Richard Field, Partner at Appleby, discusses key aspects of Jersey's recently enacted data protection legislation in comparison to GDPR, including definitions, registration requirements, international data transfers, and enforcement measures. While aligning with GDPR principles, the laws exhibit unique nuances, emphasizing the need for specialized local guidance to navigate these regulations effectively.


Introduction

In 2018, significant changes occurred within the data protection landscape. Supervisory Authorities began enforcing GDPR, and jurisdictions across the world developed or adopted legislation of varying degrees of equivalence. Jersey introduced two new laws, the Data Protection (Jersey) Law, 2018 (the Law), and the Data Protection Authority (Jersey) Law 2018 (the Authority Law) (collectively the Jersey Laws). The Jersey Laws were built on the foundations of the existing legislation.

Jersey had received an adequacy decision from the European Commission dating back to 2008. Recognizing the importance of GDPR and the free flow of data, Jersey enacted the Jersey Laws with the intention of maintaining that 'adequacy.' While the Jersey Laws are similar to the GDPR and founded on the same principles, there are nuances in their application and some variations to consider.

While a Crown Dependency, Jersey is separate from the United Kingdom and is not a member of the EU. This introduces certain additional considerations when dealing, in particular, with matters such as e-commerce and international transfers of personal data.

As Jersey is an international finance centre, keeping abreast of technological developments is vital. The Jersey Laws contain sufficient flexibility to accommodate their application to both current and future technologies.

This Insight Article gives a broad overview of a few pertinent areas that we see arising regularly. It is not intended to serve as a complete guide to the law, nor does it cover all variations from the GDPR; rather, it focuses on some of the more common areas of difference.

Core definitions

The Jersey Laws apply to the processing of personal data, whether entirely or partially automated, that is integrated into a filing system. The processing must take place in the context of a controller or processor established in Jersey or relate to the processing of the personal data of Jersey residents elsewhere, usually in relation to the offering of goods or services to those residents or monitoring their behavior. The underlying data protection principles, including lawfulness, fairness and transparency, purpose limitation, minimization, etc. are the same as those under the GDPR. Consequently, individuals familiar with the GDPR will find the legislation's broad scope and underlying objectives very familiar.

Defined terms such as 'personal data,' 'data controller,' 'filing system,' 'processing,' 'profiling,' and 'personal data breach' follow the GDPR, with certain additional clarifications in specific instances. For example, an employee of a controller is expressly defined as not being a 'processor' simply by virtue of their employment by the controller.

There is necessarily a different approach in relation to the definition of 'main establishment' and 'representative,' given Jersey's geographical and legal status. Unlike the EU, where the concept of 'main establishment' holds significance for business operations across multiple Member States, the Jersey laws do not provide a specific definition for 'main establishment' since they apply to a single jurisdiction.

However, 'establishment' is nevertheless defined with reference to the "effective and real exercise of activity through arrangements that are stable" and which do not need to take a particular legal form. It includes entities incorporated or formed under the Jersey laws, offices, branches or agencies, regular practices, and partnerships, for example. The wording will be familiar to those with experience of the GDPR and the European Data Protection Board's (EDPB) guidance notes. In most cases, determining whether an entity is 'established' in Jersey is a straightforward factual assessment, though in the digital age, e-commerce businesses or administered entities might need to look more carefully at their operations to check their position.

A 'representative' is only required under the Jersey laws in the instance where a controller or processor is not established in Jersey, but uses equipment in Jersey for processing, excluding transit through Jersey. Whilst this is a more complex analysis in some cases, it is again likely that in most cases, it will be clear whether the appointment of a representative in Jersey is required. It may also be the case that if an EU Representative is required, then they should be appointed in addition to any required Jersey representative.

In broad terms, the definitions and their scope closely mirror those of the GDPR and are designed to be equivalent to those used in the GDPR.

Registration

Controllers and processors established in Jersey, as defined earlier in relation to the establishment test, are required to register with the Jersey Office of the Information Commissioner (JOIC) prior to processing personal data. The process is undertaken by completing an online form and paying the relevant fee, which varies depending on the size and risk profile of the controller/processor concerned. Registration is renewed annually and it is a criminal offence for someone who ought to be registered to process personal data without completing the registration process.

It is important to note that registration is not required under the GDPR, so this is an additional requirement to be aware of and underlines the importance of local advice in this area, particularly around the establishment test.

International transfers of personal data

Jersey's status as an 'adequate' jurisdiction means that international transfers to Jersey are permitted, relying on the adequacy decision. Transfers from Jersey to third countries (non-adequate, non-EEA jurisdictions or territories) are only permitted to the extent that contracts or other similar recognized mechanisms are put in place to safeguard the data and ensure an adequate and equivalent level of protection.

These contracts can be implemented to manage data transfers with third-party processors or between members of the same group of companies. The Jersey laws also set out several exemptions from the transfer restriction, for example where the data subject's consent has been obtained, if the transfer is in the public interest, or if JOIC has authorized the transfer.

It is common for businesses to use the EU's standard contractual clauses (SCCs), data transfer agreements, the EU-US Data Privacy Framework (for US transfers), or BCRs for this purpose. It should be noted that for transfers from Jersey involving the use of SCCs, the JOIC has mandated the Jersey Addendum. This Addendum, designed to make the SCCs relevant to Jersey, must be appended to the SCCs and completed in the usual manner.

The Jersey Addendum was introduced because certain provisions of the SCCs were not relevant and not workable from a Jersey perspective, for example the choice of applicable law, which originally referred to the law of an EU Member State. Given that the SCCs are modular, it is important to consider the Jersey Addendum at the same time and align the provisions of the two sets of clauses.

Right of access

While the right itself is framed in similar terms, it is important to note that the response period under the Jersey Laws is four weeks (as opposed to one month under the GDPR) and any extension of that period can only be effected up to eight weeks (and not two months as under the GDPR). In practice, this can sometimes mean that deadlines need to be met sooner than expected.

GDPR provides for a number of exemptions which might mean that certain personal data is not disclosed to a data subject in response to a data subject access request (DSAR). While some are similar, others are understandably jurisdiction-specific. For example, Jersey's legislation concerning Anti-Money Laundering and Countering the Financing of Terrorism means that any disclosure of the fact or content of a Suspicious Activity Report (SAR) made to a police officer might mean that a 'tipping off' offense is committed. There is also an exemption for data relating to Jersey law trusts, to the extent that such information would not otherwise be available under the Jersey trusts legislation.

Personal data breaches

Reporting breaches to the JOIC is mandatory within 72 hours of becoming aware of the breach. The definition of a 'personal data breach' aligns with that established in the GDPR.

There is an online breach reporting system available, and the JOIC has issued guidance on breach reporting. The Jersey laws specify the nature and information required to be covered in a breach notification, which is aligned with that required under GDPR.

In practice, the JOIC recognizes that breach incidents are fast-moving scenarios and understands that information as to the nature and extent of an incident often evolves, and that it is often very difficult to identify the full extent of an issue in the early days. As such, while the initial notification timescale remains, the JOIC is content to be provided with regular updates as the situation unfolds.

There is no obligation to notify affected individuals unless there is a high risk to their rights and freedoms. It is commonplace for a strategy to be developed in order to manage the notification and response to maintain customer trust, notwithstanding the lack of a direct obligation to notify in some cases.

Enforcement

The JOIC, as a regulator, has a range of investigatory powers similar to those of EU regulators. Nevertheless, the fines regime varies in that the maximum fines available are £5,000,000 or £10,000,000, with a maximum of £300,000 or 10% of global annual turnover, whichever is higher. The GDPR equivalents are €10 million and €20 million, or up to 4% of global annual turnover, whichever is higher. To date, there have been no substantive fines issued.

It is worth noting that as Jersey is not a member of the EU, it is not part of the one-stop-shop structure envisaged by the GDPR and as such, there is no formal mechanism for other regulators to have input into an enforcement decision of the JOIC. Nonetheless, the JOIC has established good working relationships with overseas regulators, such that cooperation would be forthcoming to the extent applicable to the situation.

Finally, while the GDPR does not provide for criminal offenses (this being a matter of sovereignty for individual Member States), the Jersey Laws provide for a number of criminal offenses, including the unlawful obtaining, use, concealment, or destruction of data; failure to register; and altering, destroying, or concealing information to prevent disclosure to the JOIC. This is in addition to other potentially relevant offenses under legislation such as the Computer Misuse legislation.

Conclusion

The Jersey Laws were introduced to revamp the data protection framework, aligning it with GDPR standards. This step aimed to uphold Jersey's standing in the global marketplace and ensure equivalent protections for its citizens. As such, much of the terminology and approach will be recognizable to those familiar with the GDPR, although, as set out above, the local nuances are important, and specialist local advice is recommended.

Richard Field, Partner
[email protected]
Appleby, Guernsey