The Isle of Man Cabinet Office recently released a revised draft of the Isle of Man's GDPR legislation. We are pleased to note that some of our comments have been addressed but there are still some quirks to the Isle of Man's approach to implementing GDPR.
The Isle of Man is not a member of the European Union so the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) does not automatically apply to the Isle of Man. However, GDPR has extraterritorial effect and applies directly to any business that offers goods or services to, or monitors the behaviour of, individuals resident in the EU, regardless of whether that business is based in the EU. Many Manx businesses would therefore need to comply with the GDPR in any event, in order to continue to offer services to customers in the EU.
In light of this, and given the desire to retain the Isle of Man's current data protection adequacy status, the Isle of Man will be implementing GDPR into domestic law. We now know that this will be by way of the Data Protection Bill 2018 (GDPR Act), the Data Protection (Application of GDPR) Order 2018 (GDPR Order) the Data Protection (Application of LED) Order 2018 (LED Order) and GDPR and LED Implementing Regulations 2018 (GDPR Regulations and together with the GDPR Act, the GDPR Order and the LED Order the IOM GDPR Legislation).
The Isle of Man is playing catch up with the other Crown Dependencies, as the first draft of the IOM GDPR Legislation was only published towards the end of January, whilst Guernsey and Jersey both published draft legislation in November 2017. There is a feeling that this legislation has been rushed, and it was criticised in Tynwald (the Isle of Man's parliament) as being "lastminute.com".
Rather than closely following the UK's data protection bill, the Manx approach has been to implement a short framework Act to enable the implementation of GDPR and the Law Enforcement Directive (LED) through secondary legislation. We understand that the Manx government's original intention was for there to be no new primary legislation at all, but to use the European Communities Act 1973 to give effect to GDPR. However the initial feedback was negative, with many uncomfortable that there would be no data protection in primary legislation. Whilst that feedback has been addressed, the GDPR Act is just seven clauses long, most of which are interpretation etc. so there is no real substance. Unusually the GDPR Act made its way through the Tynwald whilst still out for consultation, so is currently just awaiting royal assent.
The GDPR Order applies GDPR to the Isle of Man virtually word for word, save for minor amendments such as including references to the Island wherever the term "Member State" is used. The LED Order will only be of relevance to those concerned with law enforcement.
The GDPR Order and GDPR Regulations have extra-territorial effect in the same way as GDPR, so any person providing services to Isle of Man customers will need to be aware of the Isle of Man regime.
The GDPR Regulations put the meat on the bone and set out specific Isle of Man provisions. For example, matters which will constitute "substantial public interest" grounds for processing special category data, which include processing health data of certain relatives of an applicant for life insurance which recognises the Island's successful life insurance sector. There is also a specific ground justifying the processing of information relating to criminal convictions (which is given special consideration in the GDPR) where it falls within the scope of screening obligations imposed under anti-money laundering and countering the financing of terrorism legislation.
We are however disappointed not to see any provisions to address the difficulties of trustees who hold personal data for beneficiaries. We would have welcomed exemptions relating to personal data in respect of a trust, particularly where responding to subject access requests, as Jersey and Guernsey have adopted.
The revised draft of the GDPR Regulations now clarify the Isle of Man's position on sanctions for noncompliance, with a maximum fine for breaches of the GDPR as applied to the Isle of Man set at just £1,000,000 in stark contrast to the position under GDPR itself which sets maximum fines of up to €20,000,000 or up to 4 % of total worldwide annual turnover for certain infringements. How the imposition of fines for multi-national corporate groups will work in practice is yet to be seen, but it may be that a lower fine regime could encourage some businesses to relocate to the Isle of Man.
We were pleased to see that our comments around transfers of personal data outside of the Isle of Man and EU to jurisdictions without adequacy findings have been addressed. The revised draft GDPR Regulations now clearly allow the use of EU model clauses whereas the initial draft indicated that the consent of the Information Commissioner would be required in all but a handful of circumstances.
It is also worth noting that the Isle of Man will retain a notification requirement. Data controllers and data processors who are subject to the GDPR Regulations must submit details including their name and address, country of incorporation, nature of business or trade, contact details of the data protection officer or other point of contact and a description of the measures to be taken to comply with the principle of integrity and confidentiality to the Information Commissioner annually.
Variance from the UK's proposed regime means that guidance released by the UK Information Commissioner's Office can no longer be relied upon, which could put a further strain on the resources of the Isle of Man Information Commissioner to produce local guidance in addition to his new powers and obligations under the IOM GDPR Legislation.
With a lack of guidance in the Isle of Man and across Europe there are still many questions to be answered but, with GDPR becoming enforceable on 25 May, sitting and waiting is no longer an option.
The argument in favour of setting out all of the vital rights about personal data and the serious obligations on data controllers and processors in secondary legislation is that the regulations can be easily amended. But does that really protect a data subject's rights? Does that diminish the level of scrutiny that will be given to any change? Why do other jurisdictions not consider it appropriate to set these out in secondary legislation so that it can be more easily amended?
The IOM GDPR Legislation appears to be an interim way of implementing GDPR and the LED, with the Council of Ministers advising that their legislative programme includes another data protection bill and that they will look at the issue again with two or three years' experience of how it is working, to see whether they can craft a perfect piece of legislation for the Manx context.
GDPR is then at least being implemented in the Isle of Man and there is a plan to 'see how things go', give businesses a 'bedding in' period to adjust to additional requirements and for the legislators to learn what needs to be changed from practical experience and produce a carefully crafted bespoke piece of legislation further down the line.
Where the Isle of Man has moved away from the GDPR itself, such as the reduced fines, this introduces uncertainty over the status of the Isle of Man's adequacy finding issued by the European Commission once it comes up for review. Any new data protection bill would need to consider guidance and case law coming from Europe. We will be watching with interest to see how other jurisdictions which have introduced their own bespoke laws fare when the European Commission come to review their adequacy status, and how the UK is assessed following Brexit.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.