Privacy Laws in Cayman Islands

From HORSE - Holistic Operational Readiness Security Evaluation.
Jump to navigation Jump to search

Law in Cayman Islands

The Cayman Islands has not implemented a legislative framework that specifically addresses issues of data protection. There are, however, proposals to introduce a data protection regime in the Cayman Islands, potentially during the course of 2014, but the precise details and scope of any such regime are still to be finalized.

Notwithstanding the lack of specific data protection legislation, the Cayman Islands does recognize a duty of confidentiality in certain circumstances, under both the common law, and the provisions the Confidential Relationships Preservation Law (as revised) of the Cayman Islands (the “CRPL”). The CRPL provides a statutory framework which regulates disclosures of confidential information by professional persons, providing among other things for criminal sanctions for certain breaches of confidentiality obligations, in parallel to the civil remedies available at common law.

Definitions

Definition of Personal Data

There is no statutory definition of “personal data”.

At common law, information is generally to be regarded as “confidential” if it has a necessary quality of confidentiality and has been communicated or has become known in such circumstances as give rise to a reasonable expectation of confidence; for example if obtained in connection with certain professional relationships, if obtained by improper means, or if received from another party who themselves is subject to a duty of confidentiality.

The CRPL does not provide an exhaustive statutory definition of confidential information, but specifies that it will include information concerning any right, interest or property, which a recipient is not, otherwise than in the normal course of business, authorised by the principal to divulge.

Definition of Sensitive Personal Data

There is no statutory definition of “sensitive personal data”.

National Data Protection Authority

There is currently no “Data Protection Authority” in the Cayman Islands.

However, it is likely that the Cayman Islands Information Commissioner (which at present primarily addresses freedom of information issues) would be tasked with such a role.

Registration

N/A (see National Data Protection Authority section).

Data Protection Officers

There is currently no requirement to appoint a data protection officer.

Collection & Processing

There are no statutory provisions that specifically address the collection and processing of personal information.

At common law, however, it is generally a breach of confidence to misuse or threaten to misuse confidential information. The concept of “misuse” is a broad one, but will often include any unauthorised disclosure, examination, copying or taking of confidential information. The precise scope of the term however will depend largely on the specific circumstances, including the relevant relationship and the nature of the information.

In the context of confidential information received by a professional person in the context of a professional relationship with a principal, the CRPL provides that a person is guilty of a criminal offence where he or she “clandestinely, or without the consent of the principal, makes use of” any confidential information for his or her benefit or the benefit of another.

Transfer

Absent a breach of an obligation of confidentiality at common law or pursuant to the provisions of the CRPL, there is no specific regulation of the transfer of information from or within the Cayman Islands.

Notably, the CRPL is intended to have an extraterritorial effect in that it is stated to apply to confidential information that is “brought into the [Cayman] Islands and to all persons coming into possession of such information at any time thereafter whether they be within the jurisdiction or thereout.”

Security

There are no statutory provisions mandating that specific measures be taken to protect against or prevent disclosure or other unlawful use of confidential information. However, a person who misuses or divulged confidential information (deliberately or otherwise) may be liable at common law or under the CRPL.

Breach Notification

There are no general requirements to notify any authority or any other person of a breach of confidentiality.

Enforcement

A breach of the common law duty of confidentiality may give rise to a claim for, among other things, damages and/or an injunction. These remedies are to be sought through, and enforced by, the courts of the Cayman Islands.

Any person in breach of a duty of confidentiality under the CRPL is guilty of a criminal offence, and is liable, on conviction, to a fine and/or imprisonment for up to four years (depending on the circumstances).

Electronic Marketing

There are no specific restrictions addressing the use of confidential information in electronic marketing beyond those generally applicable to the use of confidential information.

Online Privacy

There are no specific restrictions addressing online privacy.