After a rigorous two year assessment programme, Jersey has recently achieved a positive assessment for adequacy of its data protection regime from the European Commission.
The Data Protection (Jersey) Law 2005 ("DP Law") was adopted by the States of Jersey on 30 June 2004. The DP Law was modelled on the UK data protection legislation and was aimed specifically to satisfy the requirements of the EU Directive 94/46/EC on the protection of individuals with regard to the processing of personal data and the free movement of such data.
As a result most provisions of the DP Law would be very familiar to UK and European practitioners. It basically embodies the eight data protection principles, inter alia, permitting only fair and lawful processing of personal data which is adequate, relevant, not excessive and accurate, up-to-date and timely, for specified lawful purposes only and imposing upon data controllers security obligations and restrictions on transferring personal data outside the European Economic Area and countries assessed as adequate (the "eight data protection principle").
Accordingly the DP law grants similar rights to data subjects including access rights, rights to stop processing which causes distress/damage or for direct marketing and provides rights in relation to automated decision-making. It also grants remedies to the data subject including compensation. The DP Law imposes a similar structure of notification requirements and other obligations on data controllers. However, the DP Law and subordinate legislation issued under it have been modified in Jersey to take into account the special nature of the Island and its highly successful finance industry.
Data Protection and the Disclosure of Trust Documents
For instance, trustees naturally often find themselves under pressure from beneficiaries to account for their actions. One aspect of this is the frequent call from beneficiaries for the disclosure of trust documentation, including accounts and letters of wishes. On a few occasions the Royal Court of Jersey has provided useful clarification of trustees' obligations (as set out in the Trusts (Jersey) Law 1984 and the customary law of Jersey generally) to disclose documents, particularly in cases such as Re Rabaiotti's Settlements ( JLR 173) and In the Matter of the M Trust ( JRC 002A).
Generally, beneficiaries of trusts are entitled to inspect trust documents (which would usually catch the trust instrument, any subsidiary documents, and the accounts of the trust) and to require disclosure of such documents by trustees. However, this right does not extend to documents which would or might disclose the reasons behind the exercise of a trustee's discretion. Therefore, documents such as agendas and minutes of trustees' meetings, correspondence between trustees and individual beneficiaries and any other documents disclosing the deliberations of trustees as to the manner in which they should exercise a discretionary power or disclosing the reasons for an individual decision or material upon which such reasons were or might have been based can be withheld from beneficiaries. There are proposals to amend trust legislation to provide further clarification of the beneficiaries rights in this regards.
The interrelationship between the rights of trustees to refuse disclosure under the general rules and the rights of beneficiaries as individuals to access personal data under data protection law is potentially problematical. Specifically, without a suitable data protection exemption, the trustees' rights to withhold certain information from beneficiaries as expounded by both trust case law and statute and the beneficiaries' rights of access to information about themselves held by the trustees would be diametrically opposed.
A beneficiary on a "fishing exercise" before embarking on action against trustees would probably welcome the ability to request trustees to provide to him or her all information relating to the beneficiary including sensitive information as to the reasons for the exercise of a particular discretion which might include expressions of opinion as to the beneficiary's character. That would have caused great difficulties for trustees in exercising their discretion and to settlors in expressing their wishes.
Therefore the Data Protection (Subject Access Exemptions) (Jersey) Regulations 2005 provide an exemption from the subject access rights for information the withholding of which is authorised by the Trust (Jersey) Law 1984 or the disclosure of which would be contrary to a prohibition or restriction under any rule of law of Jersey. Similar exemptions are provided for foreign law trusts.
This means that generally beneficiaries will not be entitled to be informed by trustees that any such personal data is being 'processed' by the trustees nor will trustees have to give to beneficiaries a description of such data being held or processed by the trustees, the purposes for which it is processed and the persons to whom it may be disclosed by the trustees. Similarly beneficiaries will not be entitled to have access to such information itself. However, personal data not falling into this or another relevant exemption may be caught by the subject access rights.
Guernsey and Isle of Man
Balancing the specific needs of Jersey's finance industry with the implementation of the DP Law in the Island has been undertaken successfully, leading to the positive assessment by the European Commission. Jersey now joins the other Crown Dependencies of Guernsey and Isle of Man in achieving that status. They too have data protection legislation similar to that of the United Kingdom. However, the position is very different in other offshore jurisdictions.
Bermuda has not implemented any specific data protection legislation, although the Island has been considering and undertaking consultation exercises on developing a data protection regime for some time.
However under the Electronic Transactions Act 1999 (the "ETA"), the Minister of Telecommunications & E-Commerce may make regulations prescribing the standards for the processing of "personal data". This is defined to cover any information relating to an identified or identifiable natural person. The ETA recognises an "identifiable natural person" to be an individual who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physiological, mental, economic, cultural or social identity.
To date no regulations have been made. The ETA states the areas in which the Minister may make regulations. Essentially the ETA tries to balance the approaches of the EU and the USA, postponing the precise method of data protection until the major jurisdictions agree a "safe harbour" compromise permitting the transfer of personal data out of their jurisdictions, but allowing the Minister to issue suitable regulations and to partially deal with the issue in the Ministry of Telecommunications & E-commerce Standard for Electronic Transactions (the "Standard").
The Standard is an advisory paper (although compliance with it is mandatory). The Standard applies to intermediaries (which means a person who, on behalf of another person, sends, receives or stores an electronic record or provides other services with respect to that electronic record) and E-commerce service providers who carry on trade or business or are conducting commercial transactions or services in or from Bermuda, whose transactions or services either themselves take place electronically or which assist others to do so, or which relate to business carried out electronically.
The Standard is similar to the US model of the data "Safe Harbour" and provides that best principles regarding data protection when dealing with personal data be followed with regard to respect, privacy, accuracy and security. The Standard seeks to ensure confidentiality of personal information and that information gathered is used for the purpose for which it is intended.
Nevertheless Bermuda has not been assessed as adequate by the European Commission for data protection purposes and so European data controllers wishing to transfer personal data to the island must ensure compliance with their obligations under the eighth data protection principle, for example, by coming to their own conclusions as to adequacy in the particular circumstances pertaining, by using EC standard contracts or by ensuring that data subjects have consented to the transfer and use of their personal data.
British Virgin Islands
There are no specific data protection laws in the BVI so unsurprisingly it has not been assessed as adequate by the European Commission. Accordingly, European data controllers transferring personal data to BVI must again be conscious of their obligations under the eighth data protection principle.
Similarly there are no specific data protection laws in Cayman. Notably it has two parallel and complementary regimes for the protection of confidential information. The Confidential Relationships (Preservation) Law (1995 Revision) imposes criminal sanctions for the disclosure of particular types of confidential information in certain circumstances whereas the rules of common law and equity provide civil remedies for wrongful disclosures. So once more data controllers transferring personal data to Cayman will need to consider the eighth data protection principle.
While some jurisdictions such as Mauritius and Hong Kong have sophisticated data protection legislation, most others do not. So the eight data protection principle will be relevant to the transfer of most personal data offshore.