Government of Jersey (gov.je)

Information and public services for the Island of Jersey

L'înformâtion et les sèrvices publyis pouor I'Île dé Jèrri


Data Protection Authority (Jersey) Law 201-: Lodging

A formal published “Ministerial Decision” is required as a record of the decision of a Minister (or an Assistant Minister where they have delegated authority) as they exercise their responsibilities and powers.

Ministers are elected by the States Assembly and have legal responsibilities and powers as “corporation sole” under the States of Jersey Law 2005 by virtue of their office and in their areas of responsibility, including entering into agreements, and under any legislation conferring on them powers.

An accurate record of “Ministerial Decisions” is vital to effective governance, including:

  • demonstrating that good governance, and clear lines of accountability and authority, are in place around decision-making – including the reasons and basis on which a decision is made, and the action required to implement a decision

  • providing a record of decisions and actions that will be available for examination by States Members, and Panels and Committees of the States Assembly; the public, organisations, and the media; and as a historical record and point of reference for the conduct of public affairs

Ministers are individually accountable to the States Assembly, including for the actions of the departments and agencies which discharge their responsibilities.

The Freedom of Information (Jersey) Law 2011 is used as a guide when determining what information is to be published. While there is a presumption toward publication in support of transparency and accountability, detailed information may not be published if, for example, it would constitute a breach of data protection, or disclosure would prejudice commercial interest.

A decision made on 30 November 2017:

Decision Reference: MD-C-2017-0147

Decision Summary Title: Data Protection Authority (Jersey) Law 201-

Date of Decision Summary: 30th November 2017

Decision Summary Author: Director of Digital and Telecoms Policy

Decision Summary: Public or Exempt? Public

Type of Report: Oral or Written? Written

Person Giving Oral Report: N/A

Written Report Title: Data Protection Authority (Jersey) Law 201-

Date of Written Report: 30th November 2017

Written Report Author: Director of Digital and Telecoms Policy

Written Report: Public or Exempt? Public

Subject:  Data Protection Authority (Jersey) Law 201-

Decision(s):  The Assistant Chief Minister, acting in accordance with indications of the Council of Ministers, and as the responsible Minister, approved the draft Data Protection Authority (Jersey) Law 201- and accompanying Report and asked that they be lodged au Greffe for debate by the States Assembly on 16th January 2018. The Assistant Chief Minister also signed the Statement of Compatibility confirming that the provisions of the Law were compatible with the European Convention on Human Rights.

Reason(s) for Decision:  The current data protection regime in Jersey received an ‘adequacy’ decision from the EU Commission in 2008, meaning that the Data Protection (Jersey) Law 2005 is judged to provide an essentially equivalent level of protection as the European Union’s (‘EU’), and that data may therefore flow freely to and from the Island and EU member states.

 

The Government of Jersey has committed to renewing the ‘adequacy’ decision under a new European data protection regime. It has undertaken to meet the requirements of the EU General Data Protection Regulation (‘the GDPR’) and EU Law Enforcement Directive on the protection of personal information processed for the purposes of policing and public protection (the ‘Directive’).

 

Following extensive consultation, the draft Data Protection Authority (Jersey) Law 201- is proposed. The draft Data Protection Authority (Jersey) Law 201- will create a new data protection authority that will be fit for purpose to regulate the new data protection regime. (In parallel, the draft Data Protection (Jersey) Law 201- has been lodged to ensure continued adequacy. It bolsters the rights of the individual in relation to their personal data in the same areas as the GDPR and the Directive).

 

This Ministerial Decision and accompanying report relate to the draft Data Protection Authority (Jersey) Law 201-.

Resource Implications:  

 

There are resource implications for the draft Data Protection Authority (Jersey) Law 201-.

The new Data Protection Authority (the ‘Authority’), constituted under the Data Protection Authority (Jersey) Law 201-, will have an expanded role to properly regulate the Data Protection (Jersey) Law 201-.

 

The Authority will be required to adopt a more proactive approach and to employ a wider and more robust range of regulatory powers and sanctions, with less emphasis placed on the role of courts to resolve disputes.  This will place a considerably greater burden on the Authority and it is essential to provide it with additional resources commensurate with that burden, to allow it to carry out its new duties.

 

A revenue model has been proposed that will both meet the requirements of the new legislation in respect of industry registration fees and provide increased revenue that will help enable the office to implement and enforce that legislation, and its increased function.

There will be a transitional period to the end of the MTFP during which time the Authority will roll out the operating and fees model and begin to levy increased revenue. Additional funding is required to support these implementation costs and to meet the Authority’s increased running costs during the transitional period.  

The annual cost of the current Office of the Information Commissioner will increase by an estimated £1.1 million to £1.65 million per annum. There will also be a need for an additional £350,000 to support one-off implementation work.

 

From 2020 the longer term costs will be offset by increased revenues from business which will allow the funding to return to close to current levels.

 

These are high-level maximum estimates and work will continue to be done in advance of the debate to create more accurate and cost-effective costings.

Action required: To ask the Greffier of the States to lodge the draft Law and Report ‘au Greffe’ for debate by the States Assembly on 16th January 2018.

Signature: Senator P.F. Routier M.B.E.

 

 

 

Position: Assistant Chief Minister

Date Signed:

 

Date of Decision:

Data Protection Authority (Jersey) Law 201-: Lodging

 

DATA PROTECTION AUTHORITY (JERSEY) LAW 201-

 

 

 

 

REPORT

 

 

Introduction

 

We live and work in a digitally connected society, where the Internet has become a feature of everyday life and where businesses and consumers rely on the ability to share and access personal information online, with confidence and clarity.

 

The protection of this personal data is essential for the protection of our human rights, particularly those accorded by Article 8 of the European Convention on Human Rights (i.e. the rights to private and family life, home and correspondence).

 

Personal data is the lifeblood of the financial services industry in particular, and as the digital economy develops and the use of online technology becomes ubiquitous, it is important that Jersey continues to provide a safe environment for processing data, with clear and robust data protection legislation that is monitored and enforced by an effective regulator.


Background and Policy

The Current Data Protection Regime in Jersey

 

Jersey currently has a well-established data protection regime. The Island enacted its first data protection legislation in 1987 and has therefore long considered the need to provide robust assurances for personal data.

 

The Office of the Information Commissioner implements, and ensures compliance with, the current legislation, the Data Protection (Jersey) Law 2005 (the “2005 Law”). This piece of legislation was aligned with the relevant UK and EU laws, and the EU Commission issued a decision that the Island provides ‘adequate’ protection for personal data.  This means that personal information can be shared freely between the EU and Jersey. This is important for all business sectors in Jersey. 

 

The European context

 

The outgoing EU data protection regime (based on Directive 95/46/EC – the “Directive”) was introduced at a time when the Internet was in its infancy, and prior to the widespread adoption of email and social media, or the rise of cloud computing or big data analytics. Further, in implementing the Directive, different EU member states have applied differing approaches, resulting in disparity between the various compliance regimes across Europe.

 

Given this disparity, the extent to which technologies have developed, and the ways in which people and businesses communicate and share information have changed, the EU has enacted two new pieces of legislation to modernise, standardise and increase the level of protection for personal data across the EU. The GDPR replaces the Directive for most purposes. In addition, the EU has enacted the ‘LED’, which is concerned with the protection of personal information processed for the purposes of policing and public protection.

 

To retain adequacy with the GDPR and assure adequacy with the LED, Jersey now has to introduce new data protection legislation that will provide ‘essentially equivalent’ protection to the GDPR and LED.

 

Engagement with the European Commission indicates that Jersey’s adequacy decision will be ‘grandfathered’ (i.e. it will continue in effect) until the jurisdiction is reassessed (probably in 2020). However, putting new legislation in place for May 2018 remains a matter of urgency as it reduces the risk of challenges to Jersey’s existing status.  Failure to secure continued adequacy with the EU would likely have detrimental economic consequences, particularly to the financial services sector, which relies heavily on the unrestricted flow of personal data to and from EU member states (and elsewhere relating to EU citizens).  Failure to update our data protection regime would also result in people in Jersey being afforded a lower standard of individual rights in respect of data than their European counterparts.

 

A summary of the most important changes introduced by the GDPR and LED

 

A brief summary of the most important requirements introduced by the GDPR is set out below.

 

In terms of new requirements, businesses and organisations processing personal data will be required to:

 

  1. provide better and more information about how they process personal data in a clearer and more accessible way;
  2. evidence that they design and build new services and products from the earliest stage of development in a way that protects ‘privacy by design’ and default;
  3. notify the local independent ‘supervisory authority’ of any data breach within 72 hours where that is feasible and notify the individuals concerned without undue further delay;
  4. appoint a Data Protection Officer who will be responsible for ensuring compliance with the requirements of the GDPR where they conduct ‘large scale’ processing operations or ‘systemic and regular monitoring’ as part of their ‘core activities’; and
  5. demonstrate that where individual consent is used as a basis for processing that consent was freely given, specific, informed and indicated by an affirmative action (e.g. the person must actively tick a box rather than untick one that has been pre-ticked).

 

The GDPR also confers additional rights on individuals including:

 

  1. an enhanced right of access to their personal data;
  2. the right to withdraw consent to the processing of their data in a particular way and the right to erasure (or right to be forgotten as it is often referred to in the press) providing there is no legitimate reason for it to be retained by the data controller; and
  3. a right to require the transfer of their personal data between service providers. This right to “portability”, which promotes competition and removes barriers to entry to markets, is consistent with the principles of Jersey’s Digital Policy Framework.

 

The GDPR provides for the following tougher enforcement mechanisms to protect individuals:

 

  1. the new European Data Protection Board will be responsible for ensuring consistency in enforcement of the GDPR across the EU;
  2. individual Member States will be required to continue to have their own Independent Supervisory Authority, and will need to ensure that it has robust enforcement powers; and
  3. substantial fines; failure to comply with the requirements of the GDPR will leave businesses and organisations liable to much more significant fines. Serious breaches of the GDPR may result in a maximum penalty which is the greater of 20 million Euros or 4% of global annual turnover, or in less serious cases a maximum penalty which is the greater of 10 million Euros or 2% of global annual turnover. (There is flexibility to go for lower fine schemes).

 

 

Why this legislation is essential
 

It is clear that new legislation is required if Jersey is to provide essentially equivalent protection for personal data to that set out in the GDPR and LED.

 

On the 20th February 2017, the Assistant Chief Minister made a Ministerial Decision approving instructions to the Law Draftsman to repeal the Data Protection (Jersey) Law 2005 and to prepare new legislation that will replace it and set out the new powers, functions and funding arrangements for the data protection regulator.

 

This draft Law and the draft Data Protection (Jersey) Law 201- (the “Data Protection Law”), which has been lodged at the same time, replace the 2005 Law. It places privacy obligations on data controllers and processors and rights on data subjects that are equivalent to those imposed by the GDPR and the LED.

 

This draft Law establishes and sets out the powers and functions of the new Data Protection Authority (the “Authority”), which will provide robust, effective and independent regulation of the requirements in the Law. The establishment of the Authority is essential to ensuring equivalent protection for personal data to that provided under EU law.  This Law reforms the governance and funding arrangements for the regulator to ensure that the Authority has sufficient guarantees of structural independence.  It also provides the Authority with powers to investigate breaches of the law and impose effective and dissuasive sanctions for breaches of this draft Law.

 

The primary policy objectives of both this draft Law and the Data Protection Law are to provide effective protection for personal data and maintain Jersey’s adequacy under the new European regime. Where there is doubt as to whether a particular approach to the drafting would provide equivalent protection to that provided in the EU, the draft legislation closely reflects the GDPR and the LED. However, where there is scope to be flexible with the approach of our legislation in a way that might benefit Jersey, the legislation seeks to do so.

 

Research and consultation

To inform policy development on data protection, the Chief Minister’s Department and Law Officers’ Department conducted considerable analysis.

 

There were two principal work-streams comprised in the research project: one considered what was required for Jersey’s data protection regime to continue to be deemed adequate by the EU Commission, the other assessed what the Island could do above and beyond to gain a competitive advantage. To inform this second work-stream, the Chief Minister’s Department commissioned specialist researchers to review what opportunities there might be in how the Island implemented new data protection legislation. The outcomes of this consultancy have informed the policy development and the law drafting instructions for both pieces of legislation.

 

In developing the policy and drafting the legislation, the government has engaged widely with stakeholders across Jersey and internationally.

 

 

International Engagement

 

With the assistance of the Channel Islands Brussels Office, the government has engaged with officials from the European Commission to begin the process of renewing the adequacy decision. A pan-Island delegation met with representatives from the Directorate-General for Justice in February 2017. This was well-received by the Commission, which was positive about Jersey’s data protection regime and approach to the new legislation and was supportive of the Island’s commitment to continued adequacy.

 

The Government of Jersey has also engaged with other third countries that are currently considered adequate by the European Commission and are updating their legislation to ensure continued adequacy.  There has been positive dialogue with New Zealand and Canada where officers have sought to share best practice.

 

Throughout the process the Government of Jersey has engaged closely with the UK. Whilst it is still a member of the EU, the UK will be implementing the GDPR as an EU Member State. The UK Government introduced a draft Data Protection Bill to the House of Lords in September 2017, to address aspects of the GDPR where it has scope to derogate and to implement the LED. The UK has indicated that it intends to maintain parity with EU data protection standards after Brexit and that it will be looking to ensure that data can continue to flow freely between the EU and UK after Brexit, which may be achieved through seeking an adequacy decision like Jersey’s.

Local Stakeholder Engagement

During the process there has been close engagement with stakeholders. Clear policy and drafting guidelines were set out in early conversations and have been adhered to. These guidelines were welcomed by industry.

The business community has been supportive of Jersey’s policy goals. It recognises the critical importance for businesses in Jersey of maintaining the ‘adequacy’ decision from the EU Commission as this enables the free flow of data to and from the Island from residents of EU member states.

A programme of industry engagement has been conducted, including a series of roundtables and workshops, news releases and industry updates. There have been regular updates to key stakeholder groups including the Jersey Financial Services Commission, Jersey Finance, Digital Jersey and Jersey Business.  

This draft Law and the draft Data Protection Law were reviewed by an expert stakeholder group with representatives from the financial services sector, legal services, the digital economy and public bodies in August and September 2017. There were eighteen written and two verbal submissions to this expert consultation. The information gained from these responses was complemented by feedback from around fifty participants at two stakeholder events in October 2017 and a submission from the Office of the Information Commissioner. The consultation feedback was constructive, often focussing on highly technical elements, and has helped improve the legislation.  A key theme of the feedback was to ensure data controllers and processors have clarity as to what is required. Another theme was that government should, where possible, avoid gold-plating the new EU regime by placing any additional burdens on business through our own legislation.

Also of critical importance was the protection of Jersey citizens and their personal and sensitive data. Through this legislation Jersey residents will be as well protected as EU citizens.

The Data Protection Authority (Jersey) Law 201-

 

The draft Law provides that the Authority will have robust governance structures, commensurate to its obligations and powers, which are expanded under this draft Law compared with the 2005 Law.  This is not only appropriate for the regulator but also a necessary step in ensuring continued adequacy with Europe.

 

Under this Law the Information Commissioner will be the Chief Executive Officer of the Authority. This is a change to how the Authority is structured under current data protection legislation, where the Commissioner herself is the independent statutory authority responsible for regulating.

 

In effect, this means that the Commissioner’s role becomes primarily operational, and that the Authority, governed by a Board, becomes the principal corporate body responsible for regulating compliance with the new Data Protection Law. The Board sits above the Commissioner and provides governance advice as well as setting policy and strategic direction. This structure effectively mirrors the structure of existing authorities in Jersey for financial services and other areas such as competition law.

 

The new legislation introduces greater enforcement powers, so it is appropriate to provide greater separation than there currently is between the Commissioner as an individual and the Authority as the entity responsible for regulating. It also provides more robust institutional independence including a fuller separation between government and regulation.

 

The draft Law provides that the decision on whether to apply the highest rates of fines and to authorise certain investigative powers will sit with the Board rather than the Commissioner. 

 

Article 3 sets out the constitution of the Authority which consists of the Chairman and no fewer than three and no more than eight other voting members.  The Chairman and other voting members are appointed by the Minister and must have the appropriate qualities including:

 

  • the qualifications, experience and skills necessary;
  • a strong sense of integrity; and
  • the ability to maintain confidentiality.

 

The Board is appointed for a term of up to five years and is eligible for reappointment up to a maximum period of nine years.

 

Article 5 provides for the appointment of the Commissioner who is in charge of the day-to-day operations of the Authority. The Commissioner holds office for a term of 5 years and is eligible for re-appointment.

 

Article 9 requires that the Authority must meet no fewer than four times a year. To future proof the legislation, and in light of the international nature of data protection, a meeting may take place by telephone or video conference.

 

Article 11 sets out the functions of the Authority that are necessary to ensure the fit and proper regulation of data processing in the Island.

 

Under Article 15, the Authority must take steps to develop international cooperation mechanisms. These are a key part of ensuring continued adequacy with Europe.

 

Part 3 – Registration and Charges

 

Part 3 of the draft Law deals with registration and charges.  Article 18 sets out that Regulations may require registered controllers, processors or both to pay a charge to the Authority in order to pay for the remuneration, salaries, fees, allowances and other emoluments, costs and expenses of the establishment of the Authority and the Authority’s operations.

 

Part 4 – Enforcement by the Authority

 

This Part, together with Schedule 1 to the draft Law, provides a range of investigatory and enforcement powers that can be exercised by the Authority to secure compliance with the draft Data Protection Law. There are limits on the administrative fines that can be issued by the Authority, depending on the severity of the breach.

 

Article 29 makes it clear that nothing in the Law authorises the Authority to investigate, inquire into or determine any matter, or exercise any of its other powers in relation to processing operations carried out by a court or tribunal acting in its judicial capacity.

 

Part 5 – Administrative Provisions

 

The administrative provisions are set out in this Part. These are to ensure the proper governance of the Authority and are similar to those for other regulatory bodies in Jersey.

 

Collective responsibility under Standing Order 21 (3A)

 

The Council of Ministers has a single policy position on this proposition, and as such, all Ministers, the Assistant Chief Minister acting as rapporteur and the Assistant Minister for eGov and Digital Jersey, are bound by the principle of collective responsibility to support the proposition, as outlined in the Code of Conduct and Practice for Ministers and Assistant Ministers (R.11/2015 refers).

Statement of financial implications

There are new financial implications arising from the draft Law.

The Authority, constituted under this draft Law, has an expanded role to properly regulate the new Data Protection Law. The Authority will be required to adopt a more proactive approach and to employ a wider and more robust range of regulatory powers and sanctions, with less emphasis placed on the role of courts to resolve disputes. The Authority has an improved governance structure. It is established as a body corporate, governed by a Board, and with a separation of the role of the Information Commissioner as an individual and the Authority as the entity responsible for regulating. The Authority will operate with greater independence from Government, which is an important consideration for an adequacy decision.

This will place a considerably greater burden on the Authority and it will be essential to provide it with additional resources commensurate with that burden, to allow it to carry out its new duties.    

A revenue model has been proposed that will both meet the requirements of the new legislation in respect of industry registration fees and provide revenue to enable the Authority to implement and enforce that legislation, and its increased function.  

The recommendation is a risk-based tiered administrative charge. With this option, organisations acting as data processors or controllers would be assessed and classified according to the risk of their processing activities, then allocated to a tiered band defined by their perceived risk. A flat annual fee for this tier would then be levied against the organisation.

Under the current data protection regime there is a pan-Island regulator, with costs split between Jersey and Guernsey. The original financial and operational models for the new Authority were calculated for a continuation of this approach, with the anticipation that the Authority would become self-funded by the end of the current MTFP. The States of Guernsey has decided that it no longer wishes to continue with a joint regulator. As a result, the priority for the government is to ensure a fit-for-purpose, Jersey-only regulator. This has an impact on the costs and revenue of the regulator.

There will also be a transitional period to the end of the MTFP during which time the Authority will roll out the operating and fees model. Additional funding is required to support these implementation costs and to meet the Authority’s increased running costs during the transitional period.  

The annual cost of the current Office of the Information Commissioner will increase by an estimated £1.1 million to £1.65 million per annum. There will also be a need for an additional £350,000 to support one-off implementation work.

 

From 2020, the longer term costs will be offset by increased revenues from business which should allow the funding to return to close to levels forecast for the next MTFP.

 

These are high-level maximum estimates and work will continue to be done in advance of the debate to create more accurate and cost-effective costings.

 

The current Information Commissioner has highlighted the fact that if there were to be a legal challenge to a decision of the new Authority, there could be the need for supplementary expenditure in respect of litigation. As with other legislation this is not unique and provision has been made for an annual budget for legal costs. In addition, consideration will be given to allowing the Authority access to the Court and Case Costs contingency fund for high cost legal advice and litigation.

 

Timetable for implementation

 

The government aims to enact the legislation at the same time as the new EU framework comes into force. This will provide certainty and consistency for citizens, businesses and public authorities. Given the relationship between the Law and the Data Protection Law the government needs to enact both pieces of legislation to the same timetable.

 

Proposed timetable:

  • December 2017 – Legislation lodged for debate by the States Assembly
  • January 2018 – Legislation debated by the States Assembly
  • February 2018 – Legislation sent for Royal Assent
  • 25 May 2018 – Legislation comes into force
