Significant developments this year, both in legislation and business practice, demonstrate the evolving nature of confidentiality regimes and considerations in the Cayman Islands, write Simon Dickson and Rhiannon Williams.

The repeal of the Confidential Relationships (Preservation) Law (2015 Revision) and the publication of the Data Protection Bill, 2016, plus enhanced awareness of the importance of cyber security, all play a role in the framework balancing transparency with adequate and internationally recognised safeguards to protect the confidential information of both individuals and businesses.

CONFIDENTIAL INFORMATION DISCLOSURE LAW, 2016: A WELCOME REFORM

On 22 July 2016 the Cayman Islands Government published the Confidential Information Disclosure Law, 2016 (the CID Law) which repeals the Confidential Relationships (Preservation) Law (2015 Revision) (the CRP Law) and establishes a new statutory regime in the Cayman Islands for the disclosure of confidential information.

The CRP Law dates back to 1976 and was enacted with a view to maintaining the confidentiality of commercial activities which take place in, or in connection with, the Cayman Islands. The CRP Law applied to certain categories of individual and set out what constituted confidential information, certain gateways through which information could be lawfully disclosed and prescribed penalties for unlawful disclosure of confidential information.

Penalties for breaching provisions of the CRP Law were severe and included fines, imprisonment and the disgorgement of profits. However, given that there have been no prosecutions in the almost 40-year period since the CRP Law was introduced, it could be argued that these strict penalties were practically ineffectual.

The CID Law appears to be more of an enabling piece of legislation compared to the punitive approach adopted by the CRP Law. The key differences can be summarised as follows:

  • the abolition of the criminal offence of disclosure;
  • it must be established that the information imparted was subject to a duty of confidence before any breach can be established (instead of the automatic protection of information imparted to a person carrying on business of a professional nature); and
  • an additional "whistleblowing" gateway through which information can be lawfully disclosed in certain circumstances if it is in relation to "a serious threat to the life, health, safety of a person or in relation to a serious threat to the environment."

The decriminalisation of disclosure is welcome, not least because it was an ineffective deterrent. However, notwithstanding such decriminalisation, businesses should remain vigilant to their on-going obligation to maintain confidentiality. The CID Law does not contain any specific penalties for contravening its provisions, and so the court will apply common law and rules of equity in the event of any breach. The publication of the CID Law and the amendments to the statutory framework which it enacts play a key role in balancing the Cayman Islands' obligations to be financially transparent with its duty to protect the confidentiality of lawful business activities.

THE DATA PROTECTION BILL: A WORLDWIDE CONCERN

The Data Protection Bill, 2016 (the DPB) was published by the Cayman Islands Government on 1 April 2016. This draft legislation aims to balance the rights of individuals to expect that their personal data will be kept safe, and the legitimate requirements of businesses and public authorities to collect and use such data.

The need for data protection legislation has become increasingly urgent over recent years. Exponential increases in technical innovations and applications have meant that more public and private entities are collecting and maintaining personal data, and the ease with which this data can be transferred across national boundaries has significantly improved. The negative consequences of such personal data being used illegitimately, both to the individual concerned personally and to the reputation of the disclosing entity, are a worldwide concern and have led to data protection legislation being implemented in most developed countries.

The DPB is modelled on the UK's Data Protection Act 1998, with some simplification and enhancements customised to the Cayman Islands. The UK legislation is itself based on the EU's Data Protection Directive, which is generally considered to be the most rigorous data protection standard globally. The key purpose of aligning the DPB with the EU legislation is that it is hoped that the EU Commission will consider the DPB to be an "adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data" in the Cayman Islands, as required by Principle 8 below; the effect of such a decision is that personal data can flow from EU member states and other countries which have adequately adopted these principles to the Cayman Islands without any further safeguards being required. If and when this legislation comes into force, businesses operating here will also need to ensure that they comply with each of the Principles at all times, and Principle 8 in particular when dealing with their overseas clients and colleagues.

THE PRINCIPLES

The DPB is centred around eight Data Protection Principles (the Principles):

  1. Personal data shall be processed fairly and only if specific conditions are met (for example, consent has been given). Additional conditions apply to sensitive personal data.
  2. Personal data shall be only obtained and processed for specified lawful purposes.
  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose(s) for which they are collected or processed.
  4. Personal data shall be accurate and, where necessary, kept up-to-date.
  5. Personal data shall not be kept for longer than is necessary.
  6. Personal data shall be processed in accordance with the rights of individuals as specified under this Data Protection Law.
  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss, destruction of, or damage to, personal data.
  8. Personal data shall not be transferred to a country or territory unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Although each of the Principles is important, the last two are interconnected and of particular interest. Principle 8 is relevant due to the importance for the Cayman Islands of operating internationally, as discussed above.

The obligations imposed by Principle 7 play a vital role in enabling private and public entities to adhere to the obligations imposed by Principle 8 (and the other Principles).

All such public and private entities should take note that any failure to adhere to Principle 7 (and indeed all of the Principles) is a breach which could give rise to enforcement action by the Information Commissioner, which includes monetary penalties and criminal prosecutions; given the necessity for increasingly complex information security systems as discussed further below, it is clear that maintaining "appropriate technical and organisational measures" will be both expensive and an evolving process.

CYBER SECURITY: AN OVERRIDING CONSIDERATION

In addition and complementary to any legal obligations, recently there has been tremendous commercial focus on the importance of maintaining appropriate information security systems in light of well-publicised breaches of, and unauthorised disclosure of data by, professional firms and government entities, causing severe financial and reputational loss. The Cayman Islands, on account of its role as an international finance centre, is particularly vulnerable to cyber attack. Due to the increasing threat of such attacks, on 25 May 2016 the Cayman Islands Monetary Authority (CIMA) issued guidance to its licensees to raise awareness generally and remind licensees to remain focussed on their organisations' data security.

CIMA's guidance notes that as well as reviewing and strengthening its own security strategy, CIMA strongly encourages its licensees to assess their cyber security risks and strategies and to test their information security systems for vulnerabilities. In future, CIMA plans to review its licensees' approaches to data security risk management by examining the technical controls, incident response and/or staff training a licensee has in place, as appropriate to its business and risk profile.

CAYMAN: TRANSPARENCY, CONFIDENTIALITY, SECURITY

These legislative and commercial developments are part of the evolution of confidentiality regimes in the Cayman Islands which are important in maintaining its reputation and position as an international finance centre.

They also demonstrate the balance which needs to be struck between operating in a transparent manner whilst protecting the confidentiality of lawful business activities, and also between the protection of individuals' data and the legitimate requirements of business and public authorities to use such data.

Awareness of and adherence to good information security practices is of the utmost importance, both to enable compliance with the legislation and in response to the escalating risk of cyber attacks on the Cayman Islands generally.

About the Authors

Simon is a Partner in the Litigation and Insolvency Department in the Mourant Ozannes Cayman Islands office. Prior to this, he was a barrister in chambers in London. Simon has extensive experience in insolvency and restructuring, fraud and asset tracing and regulatory matters. Simon graduated from Durham University in 1996. He was called to the Bar of England and Wales in 1998 (currently non-practising) as a Harmsworth Scholar and the Cayman Islands Bar in 2002. He is a member of the Honourable Society of the Middle Temple.

Rhiannon specialises in all areas of corporate, finance and commercial work, with a particular focus on investment funds. Rhiannon advises on joint venture arrangements, mergers and acquisitions, corporate finance, corporate governance and regulatory issues, as well as the establishment, management and restructuring of Cayman investment funds. Rhiannon is an Attorney of the Grand Court of the Cayman Islands and a Solicitor of the Senior Courts of England and Wales (currently non-practising). Rhiannon studied Economics at Churchill College, Cambridge and studied law at the BPP Law School in London.
