New Guidance on Cayman Monetary Penalty Orders under the Data Protection Law 2017

18 November 2019

The Cayman Islands (“Cayman”) Ombudsman has issued new Guidance on Monetary Penalty Orders v1.0 under the Cayman Data Protection Law 2017 (“DPL”) (“Guidance”)

The guidance, dated 7 November 2019, concerns the Ombudsman’s ability to serve a data controller with a monetary penalty order (“MPO”) and concerns what power the Ombudsman has to impose an MPO; when they might do so; and what factors determine how high they set the penalty. For more information on the DPL, the relevant principles and terms such as “data controller”, “data subject” and what actions constitute the processing of data, please see our earlier article here

What is an MPO?
An MPO is an order requiring the data controller to pay a monetary penalty for a breach of the DPL, which cannot exceed CI$250,000.(US$300,000 approx) Before imposing an MPO, the Ombudsman must set out in a notice of intent (“Notice”) the amount of the MPO and the period in which it must be paid. The Notice invites the data controller to make representations within 21 calendar days on any factors in favour or against the imposition of an MPO and its amount. The Ombudsman will then consider the data controller’s representations and decide whether to serve the MPO, and if she decides to do so, how much it will be and the period in which it must be paid.

What power does the Ombudsman have to impose an MPO?
The Ombudsman’s power to serve a data controller with an MPO comes from section 55 of the DPL. The Ombudsman needs to be satisfied, on a balance of probabilities, that:

  • there has been a serious contravention of the DPL by the data controller
  • the contravention was of a kind likely to cause substantial damage or substantial distress to a data subject or subjects

The Guidance explains that the purpose of an MPO to act both as a sanction and as a deterrent against non-compliance with the statutory requirements of the DPL.

What happens if the data controller does not comply?
A data controller who fails to comply with an MPO commits an offence and is liable on conviction to a fine of CI$100,000 (US$140,000 approx) or to imprisonment for a term of five years, or both.

Can a data controller challenge an MPO?
Under section 47 of the DPL, within 45 days of receipt of the MPO the data controller can apply to the Cayman Grand Court (“Court”) for judicial review.

What factors will the Ombudsman consider?
The Guidance explains that when deciding whether to impose an MPO and its amount, the Ombudsman may take into account factors which appear to be relevant to her in the particular circumstances of the case in question. Without creating an exhaustive list, the Guidance suggests factors which will make it more likely the Ombudsman will impose an MPO and those which make it less likely. These include: the seriousness of the breach and how it came about; whether the data controller was responsible or whether there were external circumstances outside the data controller’s control; previous breaches and how they arose and/or were dealt with. The list of factors which make it less likely the Ombudsman will impose an MPO includes whether the contravention took place within the first six months following the commencement of the DPL.

Points to remember
The penalties for DPL breaches are potentially significant and everyone affected need to ensure that by 1 April 2020 they have their DPL ducks in a row as it is now apparent that 6 months after implementation is as much leeway as is going to be given for enforcement.

Key Contacts