The post-Brexit regulatory landscape continues to throw up challenges and jurisdictional arbitrage, but there are some areas where consistency and stability are welcome. The recent confirmation from the European Commission that 11 jurisdictions had retained their “adequacy” status from a data protection perspective has left many breathing a (long anticipated) sigh of relief. All three of the Crown Dependencies (Guernsey, Jersey and the Isle of Man) have retained the coveted status.
First published in Privacy Laws & Business, March 2024
International data transfers remain a source of concern, as risk assessments are often required, plus there has been uncertainty as to the efficacy of certain safeguards used previously. The “adequacy” status provides a good degree of comfort, as data flows to those jurisdictions can continue as they have done for years, without additional requirements.
The term “adequate” always seems slightly underwhelming, given the variety of superlative terms available to describe success – it feels akin to “could do better”. However, in the data protection world, “adequate” or more specifically “adequacy” is a much sought-after status afforded to a small, but growing number of jurisdictions.
The news that Guernsey had its “adequacy” status confirmed[1] by virtue of the European Commission (Commission) report of 15 January 2024 (including the Commission Staff Working Document) (Report) on the functioning of the existing “adequacy” decisions adopted under Directive 95/46/EC was therefore welcomed and celebrated in equal measure. Alongside our fellow Crown Dependencies of Jersey and the Isle of Man, the Report means that the flows of personal data required to facilitate business in today’s digital economy can continue as they have done for many years, without additional requirements. It also follows the UK government’s decision of 7 July 2023 confirming Guernsey’s “adequacy” status for law enforcement data transfer purposes[2], the first of its kind issued by the UK government.
WHY ADEQUACY IS VITAL FOR GUERNSEY
Guernsey has a long history as an offshore international financial centre, known for its stability, robust approach to compliance and good governance. The financial services industry contributes significantly to the island’s GDP and is the major employing industry outside of the public sector. Guernsey’s ability to service a global client base in an increasingly digital marketplace is vital to maintaining its success, alongside facilitating the flow of capital across the globe. As such, there is no sense of underachievement, rather that this is a validation of the high standards being implemented and recognition that “trust” plays a vital part in today’s remote economy.
Importantly, it is also recognition of the hard work carried out by the States of Guernsey’s team (led by the Head of Data Protection, Callie Loveridge) and the collaborative approach adopted through liaison with industry working groups to develop and finalise evolutionary legislation in a challenging timeframe.
Since the final text of the EU General Data Protection Regulation (GDPR) was adopted in 2016, Guernsey’s authorities worked quickly and efficiently to develop and debate policy and create the framework for legislation “essentially equivalent” to GDPR. This led to the Data Protection (Bailiwick of Guernsey) Law, 2017 (Law) coming into force on the same day GDPR began to be enforced, 25 May 2018. Guernsey’s previous legislation dated back to 2001 and as such required supplementing to meet the GDPR standards, albeit the fundamental principles remained the same. The new enforcement powers of the local regulator in particular provided “teeth” to the requirements under the Law.
As a piece of legislation touching all aspects of island life, one might anticipate that support for it (in light of the GDPR and our close relationship with the EU and the UK) would be immediate and overwhelming. As one of the islands occupied by the Nazi army during the Second World War, memories of the misuse of personal data to identify groups of individuals for deportation provide a stark reminder to many of the importance of safeguarding such data. In that context, it was perhaps not surprising that the Law did not face any substantive opposition.
The “human” factor highlighted by the Report as a condition for stable and competitive data flows has been something that our former Data Protection Commissioner, Emma Martins, (through the team at the Office of the Data Protection Authority (ODPA)) consistently promoted as the core underlying driver, bringing with it trust and an associated growth in business. Having recently finished her term of office, Emma leaves a strong legacy for the new incumbent, Brent Homan, to progress. Homan brings with him a wealth of experience from Canada, such that the future of the regime and focus on the “human factor” are in good hands.
The “business case” for achieving equivalence was also clear and obvious – the close ties to the UK and other European countries are vital not only for our own economic prosperity, but for maintaining flows of capital and investment to the UK (£57 billion according to a recent report by Frontier Economics) and the wider global community. As the Report acknowledges, convergence between privacy systems encourages economic and cultural growth.
As an offshore jurisdiction with our own government and legislative process (and being outside the EU/EEA), questions were thus focused more around how to adapt and supplement the provisions of GDPR to suit the local environment. Whilst GDPR is an “umbrella” piece of legislation, its precise application in any given circumstance is often open to a wide range of interpretation, evidenced by the continuous stream of cases seeking clarification through the Court of Justice of the European Union (CJEU) and in the courts or tribunals of individual jurisdictions. Local variations are not only necessary, but expressly recognised.
Our somewhat unique constitutional and geographic situation meant that additional provisions were required to meet the wider GDPR standards, whilst ensuring that the practical application of data protection law to trusts, foundations and investment and insurance structures was effective. Whilst the rules governing international transfers of data continue to evolve across the globe, by way of example we implemented an Addendum to the EU Standard Contractual Clauses (SCCs) in order to better reflect the legal status of our island.
The review process leading to the Report was signposted by Article 97 of GDPR. The process was anticipated to be undertaken on a four-year cycle; however, the CJEU judgment in the Schrems II case[3] impacted the process as a consequence of it clarifying certain elements of the “adequacy” standard. With the current iteration for 11 jurisdictions including Guernsey, Jersey and the Isle of Man having only recently been adopted in January 2024, and with other countries interested in consideration for “adequacy” status, it is unclear what the timetable for any further review might be. However, the Report does note that “adequacy” decisions are “living instruments” and as such, it will in any case be important to maintain and adapt existing standards to meet changing global conditions.
REPORT METHODOLOGY
The Report builds on the “adequacy” decisions adopted previously, considering subsequent developments in the data protection frameworks of those jurisdictions and overlaying the requirements of GDPR, whilst also taking into account CJEU case law and the guidance of the European Data Protection Board (EDPB)[4].
It is important to remember that the key wording is “essentially equivalent” – the local framework does not have to be identical to that of the EU, rather the means of achieving an adequate level of protection can vary, provided they are effective. This is similar to the growth of more risk-based, outcomes-focused regulation that we have seen in the past decade. It is particularly important in jurisdictions such as Guernsey, where the size of the population, resourcing, legal history and nature of the economy means that a nuanced approach is required in order to make such legislation effective.
Given the issues highlighted in case law and the CJEU’s decisions in invalidating the Safe Harbor and Privacy Shield mechanisms, the Report also looks at the protections in place surrounding access by public authorities and law enforcement, particularly in relation to access/processing for national security purposes. Clear rules around access, safeguards and effective redress mechanisms are all key requirements.
The Commission undertook a lengthy and intensive process of information gathering from local government, law enforcement, regulatory authorities, publicly available materials and local experts to identify and understand the development of the regimes and their operation in practice. Consultation with relevant EU institutions and bodies was also undertaken, with affected jurisdictions being afforded the opportunity to validate the factual accuracy of the information provided. As such, whilst the process has been time and resource intensive, the outcome is robust.
REPORT FINDINGS
The introduction of the Law is recognised as a significant and welcome development, modernising the pre-existing framework and bringing greater convergence with the European position. At its core, the risk-based approach is followed, dovetailing with the “essential equivalence” requirements, as there is flexibility to achieve a workable outcome.
The definitions adopted largely mirror those under GDPR, with some limited local modifications. The definition of “special category data” was expanded to include biometric and genetic data. Core areas such as the data protection principles (already present in Guernsey’s 2001 legislation) remain as foundations. The Law is very much evolutionary, rather than revolutionary.
Individuals’ rights are at the heart of the legislation; additional rights (such as the right not to be subject to automated decision making) were introduced, recognising the advance of technology. In an age where interest in AI is at frenzy level, and with the EU’s AI Act being approved, this is an important future-proofing provision. Further, exercising those rights is facilitated: for example, whereas previously an individual had to apply to Court to exercise their right to rectification/erasure, the request is now directed to the controller. In line with existing European law, such rights are not without limits. The exemptions set out in the Law are reflective of those under GDPR, with some additional provisions arising from local law (such as that limiting access to data held in the context of trusts), but they are similarly narrowly construed in order to be human rights compliant.
The territorial scope provisions were modified to follow those under Article 3 GDPR; whilst there continues to be debate as to the “reach” of such provisions, it is nevertheless helpful to be able to consider CJEU case law in that context, particularly in an e-commerce context.
Given that data security (whether cyber-related or otherwise) is one of the core areas of concern for individuals and businesses alike, the introduction of a formal “breach reporting” regime on the same lines as the GDPR was an important development. The process and requirements are very similar to those under the GDPR; aside from the (likely) additional obligation to notify the ODPA, that harmonisation makes what is undoubtedly a stressful process smoother for those seeking to understand their obligations across a number of jurisdictions.
THE ODPA’S INDEPENDENCE
The ODPA is praised for its outreach and development of guidance, though it is perhaps its degree of independence that is most notable. Aside from a formal process for the appointment of its members and the Commissioner, the funding model has moved to one based on fee income, a move away from government funding and thus from any perceived lack of independence. The introduction of a formal enforcement framework provides the ODPA with the tools to sanction where required, but also provides for forms of redress for individuals (via complaints, court proceedings, or judicial review of decisions of the ODPA).
International transfers are another area where the Guernsey position is expressly aligned, recognising as it does the EU SCCs and other mechanisms such as Binding Corporate Rules (BCRs), whilst also noting that for transfers authorised by the ODPA, consideration should be given to EDPB Opinions and Guidance, demonstrating further alignment.
One of the key “hurdles” in international terms has been the extent of different jurisdictions’ approach to government/law enforcement access to data and/or surveillance. The Report details the various mechanisms by which local government/law enforcement can obtain access, all of which have evolved from or developed in line with, international obligations such as the European Convention on Human Rights, Convention 108, or anti-money laundering and combating the financing of terrorism (AML/CFT) obligations developed by organisations such as the Financial Action Task Force (FATF) and the OECD.
The European Convention on Human Rights was extended to Guernsey in 1953, and obligations similar to those arising under the EU’s Law Enforcement Directive apply in Guernsey. Restrictions on individuals’ ability to exercise their rights are limited. The relevant authority has to demonstrate prejudice to the statutory purpose it is seeking to achieve in order to rely on any exemptions. For example, providing personal data included within a Suspicious Transaction Report might “tip off” a suspected money launderer that the authorities were investigating their affairs. Actions taken in pursuit of such purposes have to be “necessary and proportionate in a democratic society” (a phrase which will be familiar to many) and due consideration evidenced.
Whilst the various aspects of government/law enforcement access are governed separately (by the Police Powers and Criminal Evidence (Bailiwick of Guernsey) Law, 2003, the Regulation of Investigatory Powers (Bailiwick of Guernsey) Law, 2003 and the various pieces of AML legislation), the fundamental principles are the same. Access for law enforcement, for surveillance and/or access to communications, or to investigate encrypted data are all subject to oversight either by procedural safeguards, statutory office holders’ approval or consideration by the judiciary. In all cases, there are checks and balances around the proportionality and necessity of the relevant steps and redress mechanisms provided for affected individuals. In addition, the Regulatory Powers Commissioner is required to publish an annual report, highlighting any issues, in line with transparency and accountability principles. The majority of such matters are locally focused and involve assisting local law enforcement to investigate border, drug and financial crime issues. As such, there are procedural safeguards against potential abuse.
CONCLUSION
Whilst the above does not address all of the Report in detail, the theme is one of alignment and convergence. This is perhaps unsurprising, given the strategic objective of achieving “essential equivalence” and the societal and economic imperatives of meeting international standards.
It was vital that Guernsey’s position was endorsed, and the outcome is welcomed. The regulatory regime will continue to evolve, in line with international standards and to ensure that the island’s position in the marketplace is safeguarded, both from the perspective of institutions wanting to do business here and for individuals knowing that this is a trusted jurisdiction. Such endorsement is equally important for Guernsey in its relations internationally, having the comfort that other jurisdictions are meeting similar standards.
Discussions are already taking place around the impact of AI and ESG reporting, so watch this space.
For further information, please contact:
Richard Field, Partner, Appleby
rfield@applebyglobal.com
[1] See Commission Decision 2003/821/EC of 21 November 2003 on the adequate protection of personal data in Guernsey, OJ L 208, 25.11.2003, p. 27.
[2] Recognising the equivalence of the Data Protection (Law Enforcement and Related Matters) (Bailiwick of Guernsey) Ordinance, 2018 (Law Enforcement Ordinance).
[3] Judgment of the ECJ of 16 July 2020 in Case C-311/18, Data Protection Commissioner v Facebook Ireland Ltd. and Maximilian Schrems (Schrems II), ECLI:EU:C:2020:559.
[4] See Adequacy Referential, WP 254 rev.01, 6 February 2018.