A quick guide to data protection in tax-efficient jurisdictions
by Shoosmiths LLP
Modern data protection rules are being introduced to tax-efficient jurisdictions like Bermuda and the Cayman Islands. It's increasingly vital to understand how to handle data in some less familiar territories for data protection.
Advisers are familiar with the data protection laws which apply in the jurisdictions where many commercial businesses operate, like the UK Data Protection Act, the UK/EU GDPR and the California Privacy Protection Act. However, for some sectors there are important but less well-known data protection compliance frameworks in jurisdictions where organisations may wish to do business, such as the British Overseas Territories and British Crown Dependencies, where corporate laws can be favourable for the financial services sector. These countries are adopting modern data protection standards, so it’s increasingly vital to understand the rules which apply to handling data in some less well-trodden territories.
Bermuda shorts
Bermuda is an important jurisdiction for the financial services sector where advantageous tax and corporate confidentiality regimes make it an obvious choice to do business. As a British Overseas Territory (BOT) the country is not directly subject to the UK GDPR and it has therefore passed its own comprehensive data protection laws which will come fully into force on 1 January 2025, to be enforced by the Privacy Commissioner, known as PrivCom.
In 2023 it joined both the Global Privacy Assembly Enforcement Cooperation Arrangement, designed to enhance privacy investigations in the private sector, and the Global Privacy Enforcement Network (GPEN) for law enforcement. PrivCom is also the first non-APEC regulator to recognise the Cross Border Privacy Rules (known as CBPR) as a certification mechanism for overseas data transfers.
PIPA at the gates of dawn
Bermuda’s Personal Information Protection Act 2016, or PIPA, rests on eight international privacy principles modelled on the GDPR. Bermuda already has relevant sectoral legislation, particularly in banking and Fintech, but from 2025, PIPA will prevail over other data protection laws.
There will be considerable compliance work for all in-scope organisations, as new duties include appointment of a privacy officer, privacy notices, data breach reporting and response to data subject rights requests. PIPA provides for penalties including criminal liability for senior stakeholders who connive in a corporate offence.
Get breach body ready
Organisations used to a lighter regulatory regime may find the waters somewhat bracing, so the changes were announced in June 2023 to give companies 18 months to get ready. PrivCom is now issuing regular guidance on topics such as data mapping, CCTV and dealing with cyberattacks. In 2024 it joined GPEN’s annual global “privacy sweep” for the first time, and found large scale non-compliance with privacy notice requirements, showing that there is work to do to ensure that companies subject to PIPA are not caught out from next January.
Let’s chat BOT
Of the other BOTs, or British Overseas Territories, the British Virgin Islands (BVI) and Cayman Islands are key from a commercial point of view.
The BVI Data Protection Act 2021 is theoretically in force, although an Information Commissioner has not yet been appointed to oversee and enforce the applicable rules. Even when fully operational, as drafted this will be a less comprehensive regime than in Bermuda since the laws only apply to transactions “of a commercial nature” including the supply or exchange of goods or services, agency, investments, financing and insurance.
There is no requirement to appoint a data protection officer (DPO), to register as a data controller, or to report data breaches, and there are no mandatory processor contracts. The current rules consist of a requirement to adhere to applicable principles, together with limited data subject access rights, and obligations in relation to privacy notices. The most restrictive requirements will be the need to get express data subject consent to most processing, including cross-border transfers, and for non-BVI controllers to appoint an in-country representative. However, affected companies should keep a close eye on developments as the framework becomes operational.
Islands in the data stream
The Cayman Islands, the most populous of the BOTs, also confirmed new data protection laws in 2021. Its data protection ecosystem is more mature than that of either Bermuda or the BVI. Clearly inspired by the GDPR, its Data Protection Act and Regulations are based on the same eight principles as the Bermudan law and develop many familiar themes. The Ombudsman is fully functioning and has published useful guidance on the main principles, as well as having extensive enforcement powers. The laws allow for data subject rights requests, there are mandatory contracts with data processors and overseas transfer controls, and data breaches must be reported. The regulator recommends, though does not mandate, appointment of a data protection officer. Non-Cayman controllers must appoint an in-country representative in certain circumstances.
Jersey sure
It's not only overseas territories which are relevant for financial service providers. The British Crown Dependencies (BCDs) of Jersey, Guernsey and the Isle of Man also provide business-friendly tax and compliance regimes, and understanding their data protection laws may be part of getting an internationally structured project off the ground.
In Jersey, the Data Protection (Jersey) Law 2018 aligns very closely with the UK GDPR. Appointment of a DPO, handling data subject rights requests, and the provisions on transfers and territoriality will be familiar to anyone working with the GDPR. The new chair of its data protection authority is none other than Elizabeth Denham, former UK Information Commissioner, who says: “Small jurisdictions like Jersey have advantages in the digital era; they are nimble, are close to the citizens, and have a clear view onto the effects that follow from developments in technology and laws”. She was tough on enforcement, so watch this space.
Man united to the GDPR
Another significant territory for financial services providers is the Isle of Man, which has an even closer link to the GDPR than Jersey: it has incorporated the GDPR and Law Enforcement Directive directly into its own law through the Data Protection Act 2018. Its Information Commissioner, the Barrantagh Fysseree, has issued guidance for organisations and is an active enforcer.
Understanding the transfers market
Jersey and the Isle of Man have “adequacy decisions” from the EU and the UK, so international exports of data that are subject to the UK GDPR or the EU GDPR can be made without needing another transfer mechanism. For the BOTs, being awarded adequacy is the anticipated prize for updating their data protection laws, although until the frameworks have matured they are unlikely to achieve this, and they are not yet on the shortlist in either the EU or the UK. This means that, to be lawful, most transfers of personal data from the UK and EU to the BOTs will require additional safeguards, usually in the form of standard contractual clauses. For businesses with a complex corporate structure, this may be achieved efficiently through use of a bespoke intra-group data transfer agreement designed to cover continuing data flows.
Key takeaways:
- The first step towards compliance will be understanding the data processing role each entity is taking on for any data processing activity – laws, and regulator interpretation, vary between countries
- Although laws are similar, there are key differences, for example in definitions of “personal data” (which may include deceased individuals)
- Some BOTs require in-country registration for controllers, or an in-country representative, depending on corporate structures
- There may be mandatory processing contracts and/or terms which apply to the processing supply chain
- Transfers of personal data from GDPR-regulated organisations into BOTs will need extra work and may benefit from an intra-group agreement or Binding Corporate Rules
- Rules on exports of personal data out of BOTs will need careful consideration as they may not yet have official frameworks such as standard clauses (SCCs).