Chris Hutley-Hurst
Partner
Guernsey
KEY TAKEAWAYS:
Welcome to the first Channel Islands' Regulatory Update. Every quarter the Walkers Channel Islands' Regulatory & Risk Advisory Team will reflect on some of the key regulatory developments in the Channel Islands.
Owing to the significant increase in activity in the data protection landscape over recent months, this update will focus on data protection, providing an overview of the recent (and notable) publications, findings and reports issued during the period January 2024 to July 2024, including in the UK and the European Union ("EU") where they are relevant to Guernsey and Jersey.
In this edition front and centre is the recent confirmation by the European Commission that Guernsey and Jersey continue to provide an adequate level of protection. This adequacy status enables personal data to move to and from Guernsey/Jersey and the EU without the need for controllers to implement additional safeguards (for example, contractual clauses).
In the UK, the Information Commissioner's Office ("the ICO") has issued new guidance on fining and on transfer risk assessments for organisations seeking to make restricted transfers of personal data to the United States. Elsewhere, the Court of Justice of the European Union has been busy and handed down two notable judgments concerning data breaches, accountability, and processing of personal data.
The Office of the Data Protection Authority (the "ODPA") was noticeably busy during January 2024, publishing a number of key, new guidance notes. Among these guidance notes was:
In February 2024, the ODPA also successfully took six companies to court for the non-payment of registration fees. The ODPA were awarded judgment in full along with costs in all cases. Related to this, the ODPA announced on 5 June 2024 that the Committee for Home Affairs have approved an increase of the registration fees payable to the ODPA. The new fees are expected to take effect in January 2025.
The ODPA has also released its latest breach statistics. They confirmed that during Q2 of 2024 there had been 39 personal data breaches, which affected 14,019 people. In Q2, 13 breaches involved "special category data", specifically, information relating to people's health, sex life, trade union membership, racial/ethnic background, and religious/philosophical views, and 12 out of the 39 breaches met the risk criteria under which the organisation was required to tell those people whose data had been affected.
The ODPA has also published its Annual Report for 2023 which details the ODPA's activities under the DP Law. Some of the key highlights in the 2023 report include (i) the publication by the ODPA of 12 new guidance notes to help organisations understand and comply with the DP Law; (ii) the ODPA receiving 56 new data protection complaints; (iii) the ODPA opening 16 new investigations and 7 inquiries; (iv) 151 breaches being reported; and (v) 9 sanctions being imposed by the ODPA under section 73 of the DP Law.
The ODPA has also been very busy with enforcement cases:
Finally, the ODPA has moved to new premises in the heart of St Peter Port in Guernsey. The ODPA believe this will allow them to consolidate resources in a more convenient location, while also making efficiency savings which can be put toward better serving the Guernsey community.
In January 2024, following a review by the European Commission, Jersey successfully retained its adequacy status. As Jersey is considered a 'third country', this decision is of huge importance as it demonstrates that Jersey has a robust data protection regime, and it means that personal data can continue to flow freely between Jersey and Europe.
In February 2024, the Jersey Office of the Information Commissioner (the "JOIC") issued a statement in support of the ICO enforcement action in respect of a Jersey company, which undertook processing activity outside of Jersey (the "Statement"). The company (and related entities) were issued enforcement notices ordering them to stop using facial recognition technology and fingerprint scanning to monitor employee attendance. The Statement highlighted that both the JOIC and the ICO take the matter of employee surveillance extremely seriously and that the processing of biometric data, which is special category data, needs to be very carefully considered in terms of genuine requirements, security, alternative options, and data sharing/transfers. All Jersey based employers utilising employee biometric data and/or employee surveillance mechanisms should have particular regard to the Statement, which also highlights that "lessons must be learned in that the processing of personal information must be appropriate, fair and proportionate. Especially the use of biometric data and employee surveillance mechanisms".
The JOIC participated in the annual Global Privacy Enforcement Network ("GPEN") Sweep, in which 26 data protection authorities around the world examined more than 1,000 websites and mobile applications (apps). The resulting report found that nearly all of them used one or more deceptive design patterns that made it difficult for users to make privacy-protective decisions, citing issues such as complex language, repeatedly asking users to reconsider their account deletion, and obstacles in accessing privacy information.
Following on from the GPEN's findings, the JOIC noted that a "data protection by design and by default" approach should be considered at the design stage of any platform, and that "good design" includes default settings that best protect privacy; an emphasis on privacy options; neutral language and design to present privacy choices in a fair and transparent manner; fewer clicks to find privacy information, log out, or delete an account; and 'just-in-time' contextually relevant consent options. The JOIC has also previously published guidance on data protection by design and by default, available on its website.
The JOIC published its Annual Report for 2023. Some of the key highlights in the 2023 report include:
In the UK, the ICO seems to have been equally busy, issuing new guidance of its own in relation to:
Aside from issuing generally applicable data protection guidance the ICO has published new guidance for employers in relation to information sharing in mental health emergencies at work. The intention of the guidance is to provide employers with some certainty around sharing personal information about their staff in the event of a mental health emergency and provides advice on when and how it is appropriate to share staff information in such an emergency. A key message the guidance imparts is that data protection does not function as a barrier to necessary and appropriate information sharing where a mental health emergency occurs. It furthermore outlines that the primary focus should be protecting the mental and physical health of the person involved and of any others who may be impacted.
On 5 March 2024, ICO closed its consultation on draft employment practices and data protection relating to recruitment and selection. A draft of the guidance on recruitment and selection is available here. This guidance is aimed at employers and organisations which conduct recruitment on behalf of employers, such as recruitment agencies, head-hunters, or consultancies. It covers recruitment in the context of all potential employment relationships, including employees, contractors, volunteers or gig and platform workers.
Whilst ICO guidance isn't applicable in Guernsey and Jersey, it is important for Channel Islands' entities to periodically familiarise themselves with this guidance as:
On 7 June 2024, the High Court (King's Bench Division) handed down an important decision in relation to Data Subject Access Requests ("DSARs") and the grounds upon which a controller can rely when refusing to comply with a request. In Harrison v Cameron and another [2024] EWHC 1377 (KB) the Court stated that when refusing a DSAR for the identities of the people to whom data in scope of the request has been disclosed, a controller can rely on the "rights of others" exemption due to a significant risk of those individuals facing intimidation from the requester.
Further abroad, the Court of Justice of the European Union ("CJEU") published a significant judgment relating to data breaches, accountability and non-material damages. This judgment concerned the Bulgarian National Revenue Agency and a request that had been made in proceedings between a natural person and the National Revenue Agency, Bulgaria (the "NAP") concerning compensation for non-material damage that that person claimed to have suffered as a result of an alleged failure by that authority to fulfil its legal obligations as a controller of personal data. In its judgment, the CJEU made several key findings including that:
Although this is a decision of the CJEU, it is likely that should a similar dispute arise in Guernsey or Jersey then the ODPA and JOIC respectively will consider the findings above persuasive. At the very least, this judgment provides insight into the criteria for appropriate security measures.
In another significant decision in OQ v Land Hessen, SCHUFA Holding AG (Case C-634/21), the CJEU has confirmed that the automated establishment, by a credit information agency, of a probability value based on personal data relating to a person and concerning his or her ability to meet payment commitments in the future constitutes "automated individual decision-making", where a third party, to which that probability value is transmitted, draws strongly on that probability value to establish, implement or terminate a contractual relationship with that person.
Further, on 7 March 2024, the CJEU confirmed in a decision that the concept of processing has a broad scope and that the concept of processing can therefore cover the oral disclosure of personal data.
Moving away from CJEU decisions, data protection authorities elsewhere in Europe have also been active, with the CNIL (the French data protection authority) publishing on 16 February 2024 its 2023 assessment of its enforcement action. In the assessment the CNIL confirmed that it had imposed forty-two fines totalling nearly €90 million, 168 formal notices and 33 reminders of legal obligations. The assessment states that the number of sanctions is increasing, due to the combined effect of the implementation of the so-called "simplified sanctions" procedure, an increase in complaints and European cooperation.
The European Commission (the "EC") has also been in the spotlight following the European Data Protection Supervisor's (the "EDPS") announcement on 11 March 2024 that the EC's use of Microsoft 365 infringed data protection law for EU institutions and bodies. Following an extensive investigation, the EDPS found that the EC had infringed several key data protection rules when using Microsoft 365.
In particular, the EC failed to provide appropriate safeguards to ensure that personal data transferred outside the EU/EEA are afforded an equivalent level of protection to that guaranteed in the EU/EEA. In its decision, the EDPS imposed corrective measures on the Commission.
On 25 July 2024, the European Commission announced that it had published its second report on the application of the GDPR (the "Report"). According to the Report, the GDPR "continues to deliver effectively for individuals and businesses, ensuring strong protection for data subjects and risk-based obligations for controllers and processors". The Report also identified some key areas in which to improve the application of the GDPR, including swift adoption of the Commission's proposal for a GDPR Procedural Regulation to ensure robust enforcement with quick remedies.
Walkers' Channel Islands' Regulatory & Risk Advisory Team can advise on all aspects of Guernsey and Jersey data protection, including data protection policies, procedures, privacy notices, data subject access requests and data protection audits.
We have a dedicated team of regulatory experts spanning all practice areas who regularly advise on all aspects of Guernsey and Jersey regulation, including financial services, AML, sanctions, data protection, consumer protection, competition, tax, economic substance, FATCA and the CRS. Our team can also provide training to staff on a broad range of topics.