Data Protection in Jersey – venomous bite or toothless grin?

The current data protection legislation in force in Jersey is the Data Protection (Jersey) Law 2005 (“Data Protection Law”). The background to this law is the need to protect human rights, in particular the right to respect for private and family life under Article 8 of the European Convention on Human Rights.

The Data Protection Law gives individuals rights regarding their personal information (“personal data”) held, stored or processed by another. This includes information about religious and political beliefs, health and criminal convictions (“sensitive personal data”). There are limits on transfers of data to other jurisdictions, which must provide an “adequate level of protection”. Those responsible must ensure that data is used fairly and lawfully for specific stated purposes, used in a way that is adequate, relevant and not excessive, accurate and kept for no longer than is absolutely necessary, kept safe and secure and is not transferred outside the European Economic Area without adequate protection.

In Jersey, the Information Commissioner is responsible for the enforcement of the Law. It is important to note that a partner in a partnership, or a director, manager, secretary or other company officer may be guilty of an offence in addition to the company if the offence is proved to have been committed with their consent or attributable to their neglect. Fines under the Law are unlimited on indictment and up to £10,000 on summary conviction. Certain offences under the Law are punishable by imprisonment.

The Court Report

At the end of 2016 I made a request under the Freedom of Information (Jersey) Law 2011 as follows:

“How many people have been arrested, charged and/or convicted for offences under the Data Protection (Jersey) Law 2005?

Please also indicate how many convictions under the Data Protection (Jersey) Law 2005 were imposed by the Magistrate’s Court and the Royal Court respectively and the sentence of the court.”

The response received from the States of Jersey Central Freedom of Information Unit confirmed that the States of Jersey Police have no records of any data protection offences prior to 2009. All cases since 2009 that have proceeded to court have been dealt with at the Magistrate’s Court.

Between 2009 and 2014, 10 cases were dealt with. Three cases resulted in fines of £300, £300 and £1,000 respectively. In three cases there was insufficient evidence to go to court. In two cases the matter was dismissed at court. In one case the suspect was never identified and in the final case, the suspect left the Island permanently before any prosecution.

There were no cases identified in 2015 and there are currently two cases under investigation for 2016.

So, over the last 8 years there have only been 3 successful prosecutions. A pretty paltry number considering Jersey’s importance as a financial centre.

The future – more teeth?

In 2018 the General Data Protection Regulation (“GDPR”) will update the Data Protection Law and harmonise data protection law across the European Union. It will allow the digital economy to develop across the single market, put individuals in control of their own data so that they can request rectification and/or erasure of data. The GDPR will apply in Jersey from 25 May 2018 under which fines will be able to be levied up to €20 million or 4% of a company’s global annual turnover for serious contraventions of the rules. Seemingly hard-hitting stuff.

Will this mean more “bite” for the future data protection in Jersey?