Richard Field discusses key aspects of Jersey’s recently enacted data protection legislation in comparison to GDPR, including definitions, registration requirements, international data transfers, and enforcement measures.
INTRODUCTION
2018 saw significant changes across the data protection landscape. Supervisory Authorities began enforcing GDPR and jurisdictions across the world developed or adopted legislation of varying degrees of equivalence. Jersey introduced two new laws, the Data Protection (Jersey) Law, 2018 and the Data Protection Authority (Jersey) Law, 2018 (the DP Law and the Authority Law respectively, collectively the Jersey Laws), both of which built on the foundations of the existing legislation.
Jersey has held an adequacy decision from the European Commission since 2008. Recognising the importance of GDPR and of the free flow of data, Jersey enacted the Jersey Laws with a view to maintaining that “adequacy”. Whilst the Jersey Laws are similar to GDPR and founded on the same principles, there are nuances around their application and some variations to consider.
Jersey is a Crown Dependency: it is separate from the United Kingdom, and it is not a Member State of the European Union. This brings additional considerations, in particular when dealing with matters such as e-commerce and international transfers of personal data.
As an international finance centre, keeping abreast of technological developments is vital. The Jersey Laws contain sufficient flexibility to allow for their application to current and future technologies.
This piece gives a broad overview of a few pertinent areas which we see arising regularly. It is not a complete guide to the law, nor does it cover all variations from GDPR, rather it focuses on some of the more common areas of difference.
CORE DEFINITIONS
The Jersey Laws apply to the processing of personal data which is undertaken wholly or partly by automated means, or which otherwise forms part of a filing system. The processing must take place in the context of a “controller” or “processor” established in Jersey, or relate to the processing of Jersey residents’ personal data elsewhere (usually in relation to the offering of goods or services to those residents, or the monitoring of their behaviour). The underlying data protection principles (lawfulness, fairness and transparency, purpose limitation, data minimisation, etc.) are the same as those under GDPR, so the broad scope of the legislation and its underlying aims will be very familiar to those with knowledge of GDPR.
Defined terms such as “personal data”, “data controller”, “filing system”, “processing”, “profiling”, “personal data breach” follow GDPR, with some clarificatory additions in places (for example, an employee of a controller is expressly defined as not being a “processor” simply by virtue of their employment by the controller).
There is necessarily a different approach to the definitions of “main establishment” and “representative”, given Jersey’s geographical and legal status. There is no definition of “main establishment” in the Jersey Laws (only one jurisdiction is addressed, as opposed to the position in the EU, where assessing whether a business is established in a particular Member State may have various consequences). “Establishment” is nevertheless defined by reference to the “effective and real exercise of activity through arrangements that are stable”, which do not need to take a particular legal form. It includes, for example, entities incorporated or formed under Jersey law, offices, branches or agencies, regular practices and partnerships. The wording will be familiar to those with experience of GDPR and the European Data Protection Board’s (EDPB) guidance notes. In most cases, determining whether an entity is “established” in Jersey is a straightforward factual assessment, though in the digital age e-commerce businesses or administered entities may need to look more carefully at their operations to check their position.
A “representative” is only required under the Jersey Laws where a controller or processor is not “established in Jersey” but uses equipment in Jersey for processing (otherwise than for transit through Jersey). Whilst this is a more complex analysis in some cases, in the vast majority of cases it will be clear whether the appointment of a representative in Jersey is required. Note that where an EU representative is required, that representative must be appointed in addition to any Jersey representative, not instead of one.
In broad terms, the definitions and their scope follow GDPR and are designed to be equivalent to those used in the GDPR.
REGISTRATION
Controllers and processors established in Jersey (see above for reference to the “establishment” test) are required to register with the Jersey Office of the Information Commissioner (JOIC) prior to processing personal data. The process is undertaken via completion of an online form and payment of the relevant fee, which varies depending on the size and risk profile of the controller/processor concerned. Registration is renewed annually and it is a criminal offence for someone who ought to be registered to process personal data without being registered.
Registration is not required under GDPR, so this is an additional requirement to be aware of and underlines the importance of local advice in this area, particularly around the “establishment” test.
INTERNATIONAL TRANSFERS OF PERSONAL DATA
Jersey’s status as an “adequate” jurisdiction means that international transfers to Jersey are permitted via reliance on the “adequacy” decision. Transfers from Jersey to “third countries” (non-adequate, non-EEA jurisdictions or territories) are only permitted to the extent that contracts or other similar recognised mechanisms are put in place to safeguard the data and ensure an adequate (and equivalent) level of protection.
Contracts can be put in place to control data transfers with third party processors or between members of the same group of companies. The Jersey Laws also set out a number of exemptions from the transfer restriction, for example where the data subject’s consent has been obtained, if the transfer is in the public interest or if JOIC has authorised the transfer.
It is common for businesses to use the EU’s standard contractual clauses (SCCs), data transfer agreements, the EU-US Data Privacy Framework (for US transfers) or binding corporate rules (BCRs) for this purpose. Please note that for transfers from Jersey relying on the SCCs, the JOIC has mandated that the Jersey Addendum (released to make the SCCs more relevant to Jersey) is appended to the SCCs and completed in the usual fashion.
The Jersey Addendum was introduced as certain provisions of the SCCs were not relevant and/or not workable from a Jersey perspective (for example, the choice of applicable law as being that of an EU Member State). Given that the SCCs are modular, it is important to consider the Jersey Addendum at the same time and align the provisions of the two sets of clauses.
RIGHT OF ACCESS
Whilst the right itself is couched in similar terms, it is important to note that the response period under the Jersey Laws is four weeks (as opposed to one month) and any extension of that period can only be effected up to eight weeks (and not two months as under GDPR). In practice, this can sometimes mean that deadlines need to be met sooner than expected!
Like GDPR, the Jersey Laws provide for a number of exemptions which might mean that certain personal data is not disclosed to a data subject in response to a data subject access request (DSAR). Whilst some are similar to the GDPR exemptions, others are understandably jurisdiction-specific. For example, Jersey’s AML/CFT legislation means that any disclosure of the fact of (or content of) a Suspicious Activity Report (SAR) made to a police officer might mean that a “tipping off” offence is committed. There is also an exemption for data relating to Jersey law trusts, to the extent that such information would not otherwise be available under the Jersey trusts legislation.
PERSONAL DATA BREACHES
Notification of a personal data breach to the JOIC is mandatory, and must be made within 72 hours of becoming aware of the breach. The definition of “personal data breach” follows that under GDPR.
There is an online breach reporting facility and the JOIC has issued guidance on breach reporting. The Jersey Laws specify the information required to be covered in a breach notification, which is aligned with that required under GDPR.
In practice, JOIC recognises that breach incidents are fast-moving scenarios and as such, understands that it is often the case that information as to the nature and extent of the incident evolves and that it is often very difficult to identify the full extent of an issue in the early days. As such, whilst the initial notification timescale remains, JOIC is content to be provided with regular updates as the situation unfolds.
There is no obligation to notify affected individuals, unless there is a “high risk” to their rights and freedoms. It is commonplace for a strategy to be developed in order to manage the notification and response to maintain customer trust, notwithstanding the lack of a direct obligation to notify in some cases.
ENFORCEMENT
The JOIC as regulator has a range of investigatory powers similar to those of EU regulators. The fines regime differs: the maximum fines available are £5,000,000 or £10,000,000 depending on the contravention, subject to an overall cap of £300,000 or 10% of global annual turnover, whichever is higher. The GDPR equivalents are €10m or 2% of global annual turnover and €20m or 4% of global annual turnover, in each case whichever is higher. To date, no substantive fines have been issued.
It is worth noting that as Jersey is not a member of the EU, it is not part of the “one stop shop” structure envisaged by GDPR and as such, there is no formal mechanism for other regulators to have input into an enforcement decision of the JOIC. That said, JOIC has established good working relationships with overseas regulators, such that cooperation would be forthcoming to the extent applicable to the situation.
Finally, whilst GDPR does not provide for criminal offences (this being a matter of sovereignty for individual Member States), the Jersey Laws provide for a number of criminal offences, including unlawful obtaining, use, concealment or destruction of data; failure to register; altering, destroying or concealing information to prevent disclosure to JOIC. This is in addition to other potentially relevant offences under legislation such as the Computer Misuse legislation.
CONCLUSION
The Jersey Laws were brought in to overhaul the data protection regime to mirror GDPR, to maintain Jersey’s position in the global marketplace and to ensure equivalent protections for its citizens. As such, much of the terminology and approach will be recognisable to those familiar with GDPR, although, as set out above, the local nuances are important and specialist local advice is recommended.
First published on OneTrust DataGuidance, an industry-leading privacy and data protection research platform, September 2023
For further information, please contact:
Richard Field, Partner, Appleby
rfield@applebyglobal.com