Morven McMillan, Maples and Calder
Morven McMillan at Maples and Calder explores the impact of the growing awareness surrounding data protection on private client confidentiality.
Confidentiality has long been a central theme in the fiduciary relationship of trust and confidence that exists between a beneficiary and a trustee. As practitioners in the financial services industry are well aware, in recent years, technological developments and changing business practices have combined to create a wealth of accessible personal information. In parallel, national security concerns, the drive to augment domestic tax revenues, political pressures, the continuing fight against international crime and the seemingly unquenchable thirst for so-called celebrity gossip have combined to gradually erode traditional notions of personal privacy and confidentiality.
One of the notable recent changes to legislation in the Cayman Islands is therefore in relation to our confidentiality statute, not because of any substantive change from the prior iteration (with one major exception), but more because it is another example of the way that we are becoming encouraged to regulate accessibility to personal, and what until very recently would have been regarded as private information.
One consequence of the drive to increase financial transparency and maximise tax revenues has been an increasing focus on private client confidentiality and in particular, those jurisdictions that gave statutory protection to the confidentiality of such information. In the Cayman Islands for example, the Confidential Relationships (Preservation) Law (CRPL) provided that a breach by disclosure of confidential information about property outside the “normal course of business” and without the consent of one’s “principal” would, potentially, carry criminal penalties ranging from fines to imprisonment.
That this gave statutory force, among other things, to a common law duty that a trustee already has to its beneficiaries, did not sit well in the new international landscape, exacerbated at least in part, by the threat of criminal sanction for a breach of that duty. Consequently, it was decided to repeal the CRPL, and in July 2017 a new statute came into force, the Confidential Information Disclosure Law (CIDL), emphasising the disclosure rather than preservation of confidential information.
Broadly, the CIDL modernises the approach to confidential information in the Cayman Islands and illustrates Cayman’s commitment to respect for personal privacy, but within a framework acknowledging its obligations in the fight against international crime and consistent with its commitment to the automatic exchange of information. It abolishes the criminal sanctions that so vexed everyone and creates a statutory framework for the common law duty of confidence, setting out the circumstances in which disclosure of confidential information is permitted.
What is confidential information for the purposes of the CIDL? For trustees, confidential information is information that arises in or is brought into the Islands concerning “property” of a “principal” to whom a duty of confidentiality is owed. Important to the operation of the statute in practice is the “normal course of business”, that is, “the ordinary and necessary routine involved in the efficient carrying out of the instructions of the principal”. The principal in a trust context, depending on the circumstances, is likely to be a beneficiary, settlor, protector or enforcer.
The CIDL applies to confidential information about property, so what property are we talking about? It is defined as:
Every present, contingent and future interest or claim, direct or indirect, legal or equitable, positive or negative, in any money, moneys worth, realty or personalty, movable or immovable, rights and securities thereover and all documents and things evidencing or relating thereto.
In other words, it is a definition of property likely to encompass any confidential information about property in a trusts context.
But what are the exceptions? When can a trustee disclose confidential information without fear of breaching the statute? Many of the following exceptions are retained from the CRPL:
with the prior consent of the principal or in the normal course of business;
in compliance with requests by a regulator or local law enforcement, eg, the Cayman Islands Monetary Authority (CIMA) or the police;
pursuant to international requests from overseas regulators through the CIMA or the court;
in the investigation of a criminal complaint to a police officer with the rank of inspector or above in relation to a crime alleged to have been committed in the Cayman Islands;
to the Financial Reporting Authority under the Proceeds of Crime Law or the Terrorism Law;
to the Anti-Corruption Commission under the Anti-Corruption Law;
in compliance with the direction of a judge of the Grand Court; or
in accordance with any other right or duty created by any other Law or Regulation, for example pursuant to a TIEA, FATCA or CRS.
Interestingly, there is one new exception permitting the disclosure of confidential information “on wrongdoing” or where there is a:
Serious threat to life, health, safety of a person or in relation to a serious threat to the environment, shall have a defence to an action for breach of the duty of confidence, as long as the person acted in good faith and in the reasonable belief that the information was substantially true and disclosed evidence of wrongdoing, of a serious threat to the life, health, safety of a person or of a serious threat to the environment.
This effectively introduces the concept of a “whistleblowing” defence into Cayman Islands law consistent with disclosure in the public interest. As for penalties for a breach of the new disclosure law, there are no express provisions so the court will apply common law and equitable rules.
One final important point for trustees to remember: the CIDL does not remove the obligation on trustees, or any other person who owes a duty of confidence, to seek directions from the Grand Court before they give evidence in or in connection with any proceedings “being tried, inquired into or determined by any court, tribunal or other authority whether within or without the Islands and the evidence consists of or contains any confidential information within the meaning of the Law”, if the giving of that evidence would involve provision of otherwise confidential information without the permission of their principal.
The giving of evidence includes making a witness statement or affidavit, testifying during a hearing, producing documents, deposition or answering interrogatories. This will have relevance for trustees who may be joined to overseas divorce proceedings, for example, and directed to provide confidential information or documentation to the parties in the divorce and do not have the consent of their principals to disclosure. This may also have relevance, for example, to trustees who wish to disclose confidential trust documentation in the context of an overseas arbitration and do not have the consent of the relevant principal or as may be the case on occasion, the relevant principal is, for example, a patient, and cannot give consent for themselves.
It remains a matter for the discretion of the Grand Court as to the manner in which that information is provided. The Court will have regard to whether such restrictions would deny the rights of an individual in enforcing a just claim, bearing in mind the rights of the claimant, whether any offer of compensation or indemnity has been given and generally, whether disclosure would be in the interests of justice.
The changes to Cayman’s confidentiality statute are only part of the wider negotiation and co-operation with the OECD and international law enforcement. An important part of that cooperation has been the attempt to regulate accessibility to and the accuracy of records containing private personal information.
Data protection laws have been passed in several countries governing the collection, storage and use of such information. The European Union passed a directive in 1995, directive 95/46/EC, containing a number of basic principles for the regulation of the holding and processing of private data that were to be enshrined in the domestic laws of European member states. That directive in turn gave rise to, for example, the Data Protection Act of 1998 (DPA) in England and Wales.
The Cayman Islands passed its own Data Protection Law (DPL) in early 2017. At the time of writing, the DPL has not yet been given a commencement date. This means that it has been passed by the legislature but, perhaps because supplemental rules or regulations are required, it has not yet become effective. However, the parameters of the DPL are clear from the published statute and it is of particular interest to private client practitioners, among other things, because of the stated exceptions to its provisions.
Broadly, the DPL will have application to “personal data” and its processing, meaning – for the purposes of the DPL – “obtaining, recording or holding data, or carrying out any operation or set of operations on personal data”. Anyone processing personal data shall be obliged to do so in accordance with eight guiding principles set out at schedule 1 to the statute. The individual whose information is being processed (the “data subject”) will be entitled, on payment of a fee to the data controller, to be informed of certain information in relation to that data, as set out at section 8 of the DPL.
For private client practitioners, one point of particular interest is likely to be the fact that pursuant to section 30 of the DPL, personal data will be exempt from the subject information provisions of the DPL if “the data consists of information in respect of which legal professional privilege applies” or it arises in relation to:
any structure or arrangement that is an ordinary trust;
any structure or arrangement that is a trust established pursuant to the Trusts Law (2011 Revision); or
any will made pursuant to the Wills Law (2004 Revision).
The wider practical consequences of the introduction of data protection legislation will of course become clearer once the DPL has been in operation for a time. It does seem clear, however, that section 30 will be an obstacle to beneficiaries who try to obtain confidential trust information from sources other than the trustee, as happened in England in Dawson-Damer v Taylor Wessing LLP, Michael Morrison and James Burns  EWCA Civ 74. The principal difference in that case was of course that the English DPA has no express carve-out in relation to trusts similar to section 30 of the Cayman statute.