New safe-harbour provisions allow transfer of personal data from the Cayman Islands to US companies
The European Commission has adopted an adequacy decision for the EU-US Data Privacy Framework that (subject to compliance with the European Union rules on the transfer of personal data) will now allow the transfer of personal data to companies in the United States.
On the back of the EU and the US agreeing the EU-US Data Privacy Framework in March of last year and President Biden signing an Executive Order on “Enhancing Safeguards for United States Signals Intelligence Activities” in October of last year, the European Commission has now completed the implementation process of the EU-US Data Privacy Framework by assessing that the US does now ensure an adequate level of protection for personal data transferred from the EU to US companies. This is an important development for the global flows of personal data between companies in different countries given the large and strong economic relation between the EU and the US and concludes three years in which there was no clear safe-harbour for the transfer of personal data from the EU to US companies.
When is the European Commission’s adequacy decision effective?
The European Commission’s adequacy decision became effective on 10 July 2023.
How does it impact the Cayman Islands data privacy rules?
The eighth data principle[1] in the Cayman Islands Data Protection Act states that transfers to third countries (such as the US) cannot take place unless there is an adequate level of protection for the rights and freedoms of persons whose personal data is being transferred to third countries or the relevant transfer would otherwise fall within one of a few limited exemptions (eg where the relevant natural person whose personal data is being transferred consents to that transfer or the transfer is necessary to perform a contract between the entity holding and controlling that person’s personal data and the natural person).
Under the Cayman Islands Data Protection Act, the definition of adequate level of protection is met only when the transfer of personal data is to a member state of the EU or with respect to a positive European Commission adequacy assessment on a third country’s level of protection for personal data.
Hence, the European Commission’s decision to adopt an adequacy decision for the EU-US Data Privacy Framework is a welcome conclusion of three years in which Cayman Islands entities did not have a key safe-harbour provision to transfer personal data to US companies.
Are data processing agreements with entities in the US still required?
Yes, the European Commission’s adequacy decision only confirms that the US is a country that offers an adequate level of protection for the processing of personal data. Hence, a data processing agreement with a relevant data processing organisation in the US is still required.
Does the European Commission’s adequacy decision only apply to sharing personal data between companies?
Although, the European Commission’s press release refers to the transfer of personal data to US companies, the decision applies more broadly to all organisations in the US (see paragraph (9) of the European Commission’s Implementing Decision of 10 July 2023 (the Implementing Decision)).
How does the European Commission’s adequacy decision impact Cayman Islands registered investment managers’ ability to also register with the SEC?
We understand that Cayman Islands registered investment managers that seek to register with the US Securities and Exchange Commission are asked to provide a Cayman Islands legal opinion that confirms that the relevant investment manager is able to transfer personal data to that regulator.
Even though the Implementing Decision does generally state (see paragraph (89)) that transfer of personal data to US public authorities is permitted if such transfer is in the public interest, there is insufficient clarity on whether the Cayman Islands Data Protection Act would allow such a transfer to take place in the public interest[2]. For this reason, we believe that the better view is that it is not possible to rely on the Implementing Decision to issue a Cayman Islands legal opinion that states that Cayman Islands registered investment managers are able to transfer personal data to the Securities and Exchange Commission.
Any other practical implications?
Yes. The European Commission adequacy decision may still be subject to a legal challenge. However, EU and US policymakers are said to be confident that the EU-US Data Privacy Framework will survive any privacy advocacy activists’ legal challenge in the EU.
A copy of the Implementing Decision can be found here.
For more information or guidance, reach out to the authors or your usual Harneys contact.
[1] See our update from 9 September 2019 explaining the eight data principles that underpin the Cayman Islands Data Protection Act.
[2] The Cayman Islands data protection Ombudsman’s Guidance on the Data Protection Act states that when transfers of personal data take place under the public interest exemption, that public interest has to be “necessary for important reasons of substantial public interest”. Neither the Ombudsman has issued further guidance or a general authorisation clarifying what is an important and substantial reason in the public interest for a transfer to take place, nor has there been any further regulation clarifying the circumstances in which a transfer in the public interest can take place.