KEY TAKEAWAYS:
- Welcome to the first Walkers Channel Islands' Regulatory Update
- This update will focus on data protection
- We will provide an overview of the recent (and notable) publications, findings and reports issued during the period January 2024 to July 2024
Welcome to the first Channel Islands' Regulatory Update. Every quarter the Walkers Channel Islands' Regulatory & Risk Advisory Team will reflect on some of the key regulatory developments in the Channel Islands.
Owing to the significant increase in activity in the data protection landscape over recent months, this update will focus on data protection, providing an overview of the recent (and notable) publications, findings and reports issued during the period January 2024 to July 2024, including in the UK and the European Union ("EU") where they are relevant to Guernsey and Jersey.
In this edition front and centre is the recent confirmation by the European Commission that Guernsey and Jersey continue to provide an adequate level of protection. This adequacy status enables personal data to move to and from Guernsey/Jersey and the EU without the need for controllers to implement additional safeguards (for example, contractual clauses).
In the UK, the Information Commissioner's Office ("the ICO") has issued new guidance on fining and on transfer risk assessments for organisations seeking to make restricted transfers of personal data to the United States. Elsewhere, the Court of Justice of the European Union has been busy and handed down two notable judgments concerning data breaches, accountability, and the processing of personal data.
Guernsey
The Office of the Data Protection Authority (the "ODPA") was particularly busy during January 2024, publishing a number of key new guidance notes. Among these guidance notes were:
- A simple guide to data sharing, for anyone who works with information about people and wants to share that information with others, when appropriate, and in a way that complies with the Data Protection (Bailiwick of Guernsey) Law, 2017 (the "DP Law"). It is important to remember here that data sharing can involve sharing personal data with a third party for joint purposes, for the third party's own purposes, or to enable the third party to handle, store or otherwise use certain personal data on the controller's behalf.
- A helpful note on the registration requirements for sole traders and small businesses.
- Detailed guidance on the application of section 16 of the DP Law. This is directed at anyone who needs to respond to an individual's data subject access request ("DSAR") in the specific circumstances where the information the individual is requesting includes information about other people. Whenever faced with a DSAR of this nature, it is important that the controller balances the rights of everyone involved, allowing it to come to a well-reasoned decision over whether to disclose or withhold the other people's information.
- Guidance on what the ODPA has described as "one of the most misunderstood aspects of data protection law", namely consent. This guidance is for anyone who works with information about people and wants to understand how to use the 'lawful processing condition' known as "consent" properly. For the purposes of the DP Law, consent given by a data subject means any specific, informed, and unambiguous indication of the data subject's wishes by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to the data subject.
- Guidance on Data Collection which is intended to help individuals who collect personal data to do so in a way that complies with the DP Law. The collection of personal data is a means of processing and must be done in accordance with the DP Law and, in particular, the data protection principles. One of the principles is that personal data should not be collected except for a specific, explicit and legitimate reason. Controllers must also be able to demonstrate that they were transparent about their collection practices.
- Helpful guidance on "Information sharing in health emergencies at work". This guidance is designed to help employers understand how to share information about an employee experiencing a health emergency in a way that complies with the principles of the DP Law.
- Guidance to help comply with the DP Law when controllers / processors are using third parties to do certain tasks using people's data.
In February 2024, the ODPA also successfully took six companies to court for the non-payment of registration fees. The ODPA was awarded judgment in full, along with costs, in all cases. Related to this, the ODPA announced on 5 June 2024 that the Committee for Home Affairs has approved an increase in the registration fees payable to the ODPA. The new fees are expected to take effect in January 2025.
The ODPA has also released its latest breach statistics. These confirmed that during Q2 of 2024 there had been 39 personal data breaches, which affected 14,019 people. In Q2, 13 breaches involved "special category data", specifically information relating to people's health, sex life, trade union membership, racial/ethnic background, and religious/philosophical views, and 12 out of the 39 breaches met the risk criteria under which the organisation was required to tell those people whose data had been affected.
The ODPA has also published its Annual Report for 2023, which details the ODPA's activities under the DP Law. Some of the key highlights in the 2023 report include (i) the publication by the ODPA of 12 new guidance notes to help organisations understand and comply with the DP Law; (ii) the ODPA receiving 56 new data protection complaints; (iii) the ODPA opening 16 new investigations and 7 inquiries; (iv) 151 breaches being reported; and (v) 9 sanctions being imposed by the ODPA under section 73 of the DP Law.
The ODPA has also been very busy with enforcement cases:
- Issuing two public statements: in the first, the ODPA confirmed that the Policy & Resources Committee was ordered to release an employment reference; in the second, the ODPA confirmed that it had opened an inquiry into a data breach at the Revenue Service which is alleged to involve a significant volume of personal information;
- Issuing a reprimand to the Committee for Health and Social Care ("HSC") for delayed breach notification. It was found that the HSC failed to notify the ODPA and affected individuals of a personal data breach within the period required by the DP Law. HSC failed to notify these individuals until, in one case, 50 days and, in the other two cases, 62 days after becoming aware of the breach.
Finally, the ODPA has moved to new premises in the heart of St Peter Port in Guernsey. The ODPA believes this will allow it to consolidate resources in a more convenient location, while also making efficiency savings which can be put toward better serving the Guernsey community.
Jersey
In January 2024, following a review by the European Commission, Jersey successfully retained its adequacy status. As Jersey is considered a 'third country', this decision is of huge importance as it demonstrates that Jersey has a robust data protection regime, and it means that personal data can continue to flow freely between Jersey and Europe.
In February 2024, the Jersey Office of the Information Commissioner (the "JOIC") issued a statement in support of ICO enforcement action in respect of a Jersey company which undertook processing activity outside of Jersey (the "Statement"). The company (and related entities) were issued enforcement notices ordering them to stop using facial recognition technology and fingerprint scanning to monitor employee attendance. The Statement highlighted that both the JOIC and the ICO take the matter of employee surveillance extremely seriously, and that the processing of biometric data, which is special category data, needs to be very carefully considered in terms of genuine requirements, security, alternative options, and data sharing/transfers. All Jersey-based employers utilising employee biometric data and/or employee surveillance mechanisms should have particular regard to the Statement, which also highlights that "lessons must be learned in that the processing of personal information must be appropriate, fair and proportionate. Especially the use of biometric data and employee surveillance mechanisms".
The JOIC participated in the annual Global Privacy Enforcement Network ("GPEN") Sweep, in which 26 data protection authorities around the world examined more than 1,000 websites and mobile applications (apps) and published a report finding that nearly all of them used one or more deceptive design patterns that made it difficult for users to make privacy-protective decisions, citing issues such as complex language, repeatedly asking users to reconsider their account deletion, and obstacles in accessing privacy information.
Following on from the GPEN's findings, the JOIC noted that when designing platforms, a "data protection by design and by default" approach should be considered at the design stage, and that "good design" includes default settings that best protect privacy; an emphasis on privacy options; neutral language and design to present privacy choices in a fair and transparent manner; fewer clicks to find privacy information, log out, or delete an account; and 'just-in-time' contextually relevant consent options. The JOIC has also previously published guidance on data protection by design and by default, available on its website.
The JOIC published its Annual Report for 2023. Some of the key highlights in the 2023 report include:
- there are 7,366 registered organisations in Jersey;
- the JOIC received 119 general queries, 81 data protection complaints and inquiries, and 215 self-reported breaches, noting that over 50% of the reported breaches were unlikely to 'result in a risk to the rights and freedoms of natural persons' but encouraged organisations to continue reporting as it helped the JOIC understand the breach landscape in Jersey and shape its guidance;
- the JOIC being recognised internationally with highlights including, in addition to the European Commission's finding of adequacy, chairing the Global Privacy Assembly working group on data sharing for the public good, and being represented on working groups on ethics in data protection and artificial intelligence, as well as being selected to host the Global Privacy Assembly Annual Conference in October 2024; and
- areas of focus for the remainder of 2024 include emerging technologies of artificial intelligence and facial recognition technology.
United Kingdom
In the UK, the ICO seems to have been equally busy, issuing new guidance of its own in relation to:
- Transfer risk assessments. This guidance is relevant to controllers / processors if they are making a restricted transfer of personal data and who use one of the transfer mechanisms, such as the IDTA, the Addendum or BCRs.
- Fining. This guidance sets out the circumstances in which the Commissioner would consider it appropriate to exercise administrative discretion to issue a penalty notice. The Commissioner will have regard to this guidance when deciding whether to issue a penalty notice and when setting the amount of any fine.
Aside from issuing generally applicable data protection guidance, the ICO has published new guidance for employers in relation to information sharing in mental health emergencies at work. The intention of the guidance is to provide employers with some certainty around sharing personal information about their staff in the event of a mental health emergency, and it provides advice on when and how it is appropriate to share staff information in such an emergency. A key message the guidance imparts is that data protection does not function as a barrier to necessary and appropriate information sharing where a mental health emergency occurs. It furthermore outlines that the primary focus should be protecting the mental and physical health of the person involved and of any others who may be impacted.
On 5 March 2024, the ICO closed its consultation on draft employment practices and data protection guidance relating to recruitment and selection. A draft of the guidance on recruitment and selection is available here. This guidance is aimed at employers and organisations which conduct recruitment on behalf of employers, such as recruitment agencies, head-hunters, or consultancies. It covers recruitment in the context of all potential employment relationships, including employees, contractors, volunteers or gig and platform workers.
Whilst ICO guidance isn't applicable in Guernsey and Jersey, it is important for Channel Islands' entities to periodically familiarise themselves with this guidance as:
- entities may find it a useful resource, particularly in circumstances where they operate from multiple jurisdictions; and
- whilst the Channel Islands' regimes will not always adopt the ICO's stance on areas, the ICO's guidance may nonetheless be helpful from a horizon scanning perspective on the guidance that may be issued by the ODPA and JOIC in the future.
On 7 June 2024, the High Court (King's Bench Division) handed down an important decision in relation to Data Subject Access Requests ("DSARs") and the grounds upon which a controller can rely when refusing to comply with a request. In Harrison v Cameron and another [2024] EWHC 1377 (KB) the Court stated that, when refusing a DSAR for the identities of the people to whom data in scope of the request has been disclosed, a controller can rely on the "rights of others" exemption due to a significant risk of those individuals facing intimidation from the requester.
European Union
Further abroad, the Court of Justice of the European Union ("CJEU") published a significant judgment relating to data breaches, accountability and non-material damages. This judgment concerned the Bulgarian National Revenue Agency and a request that had been made in proceedings between a natural person and the National Revenue Agency, Bulgaria (the "NAP") concerning compensation for non-material damage that that person claimed to have suffered as a result of an alleged failure by that authority to fulfil its legal obligations as a controller of personal data. In its judgment, the CJEU made several key findings including that:
- The fear experienced by a data subject with regard to a possible misuse of his or her personal data by third parties as a result of an infringement of that regulation is capable, in itself, of constituting 'non-material damage';
- The principle of accountability of the controller must be interpreted as meaning that, in an action for damages under Article 82 of that regulation, the controller in question bears the burden of proving that the security measures implemented by it are appropriate;
- The appropriateness of the technical and organisational measures implemented by the controller must be assessed by the national courts in a concrete manner, by considering the risks associated with the processing concerned and by assessing whether the nature, content and implementation of those measures are appropriate to those risks;
- The principle of effectiveness of EU law must be interpreted as meaning that, to assess the appropriateness of the security measures implemented by the controller under that article, an expert's report cannot constitute a systematically necessary and sufficient means of proof; and
- The controller cannot be exempt from its obligation to pay compensation for the damage suffered by a data subject solely because that damage is a result of unauthorised disclosure of, or access to, personal data by a 'third party', in which case that controller must then prove that it is in no way responsible for the event that gave rise to the damage concerned.
Although this is a decision of the CJEU, it is likely that should a similar dispute arise in Guernsey or Jersey then the ODPA and JOIC respectively will consider the findings above persuasive. At the very least, this judgment provides insight into the criteria for appropriate security measures.
In another significant decision, OQ v Land Hessen, SCHUFA Holding AG (Case C-634/21), the CJEU confirmed that the automated establishment, by a credit information agency, of a probability value based on personal data relating to a person and concerning his or her ability to meet payment commitments in the future constitutes "automated individual decision-making", where a third party to which that probability value is transmitted draws strongly on that probability value to establish, implement or terminate a contractual relationship with that person.
Further, on 7 March 2024, the CJEU confirmed in a decision that the concept of processing has a broad scope and can therefore cover the oral disclosure of personal data.
Moving away from CJEU decisions, data protection authorities elsewhere in Europe have also been active, with the CNIL (the French data protection authority) publishing, on 16 February 2024, its 2023 assessment of its enforcement action. In the assessment the CNIL confirmed that it had imposed forty-two fines totalling nearly €90 million, 168 formal notices and 33 reminders of legal obligations. The assessment states that the number of sanctions is increasing, due to the combined effect of the implementation of the so-called "simplified sanctions" procedure, an increase in complaints, and European cooperation.
The European Commission has also been in the spotlight following the European Data Protection Supervisor's ("EDPS") announcement on 11 March 2024 that the European Commission's ("EC") use of Microsoft 365 infringed data protection law for EU institutions and bodies. Following an extensive investigation, the EDPS found that the EC had infringed several key data protection rules when using Microsoft 365. In particular, the EC failed to provide appropriate safeguards to ensure that personal data transferred outside the EU/EEA are afforded a level of protection equivalent to that guaranteed in the EU/EEA. In its decision, the EDPS imposes corrective measures on the Commission.
On 25 July 2024, the European Commission reported that it had published its second report on the application of the GDPR (the "Report"). According to the Report, the GDPR "continues to deliver effectively for individuals and businesses, ensuring strong protection for data subjects and risk-based obligations for controllers and processors". The Report also identified some key areas to improve the application of the GDPR, including swift adoption of the Commission's proposal for a GDPR Procedural Regulation to ensure robust enforcement with quick remedies.
Walkers Channel Islands' Regulatory & Risk Advisory Team
Walkers' Channel Islands' Regulatory & Risk Advisory Team can advise on all aspects of Guernsey and Jersey data protection, including data protection policies, procedures, privacy notices, data subject access requests and data protection audits.
We have a dedicated team of regulatory experts spanning all practice areas who regularly advise on all aspects of Guernsey and Jersey regulation, including financial services, AML, sanctions, data protection, consumer protection, competition, tax, economic substance, FATCA and the CRS. Our team can also provide training to staff on a broad range of topics.
On 30 January 2024 the Economic Secretary to HM Treasury issued a statement to MPs on the long-awaited first equivalence assessment under the Overseas Fund Regime ("OFR"). Following a 'detailed assessment', European Economic Area ("EEA") states have been deemed to be equivalent under the OFR.
The OFR, introduced under the Financial Services Act 2021, provides for the offering of non-UK funds to UK retail investors post-Brexit. This decision applies to UCITS domiciled in the EEA, including European Union member states, and provides welcome clarity for fund managers.
Funds will not be required to comply with any additional UK requirements as part of the equivalence determination at this time. The statement notes that this decision will be monitored in light of UK and EEA regulatory developments.
Notably the temporary marketing arrangements, which were due to expire at the end of 2025, will be extended until the end of 2026 to enable a smooth transition to the OFR.
This decision does not cover Money Market Funds due to ongoing regulatory development in this area. The statement also refers to sustainable disclosure requirements, noting that the UK Government will consult on whether to broaden its scope to include funds that are recognised under the OFR.
The FCA consultation on the OFR Framework is due to close on 12 February 2024. Walkers will issue an update once the final policy statement and final Handbook rules are published.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.