
Apex Regulatory Update: January 2017

16 January 2017

General Data Protection Regulation: GDPR

On May 4, 2016 the General Data Protection Regulation (“GDPR”, Regulation 2016/679) was published in the Official Journal, replacing the former Data Protection Directive. As a Regulation rather than a Directive, it will apply directly in all EU Member States from May 25, 2018 and does not require implementing national legislation.

One of the key items addressed by the new Regulation is the requirement that companies established outside the EU apply the same rules when they process personal data about EU data subjects.

Key changes to be aware of:

  1. Appointment of a Data Protection Officer (“DPO”): GDPR requires organisations whose core activities involve large-scale, regular and systematic monitoring of data subjects, or large-scale processing of special categories of data, to appoint an independent DPO. The role can generally be undertaken by the company’s Compliance Officer, provided this does not create a conflict of interest with their other duties; if required, the function can be delegated to an external consultant through a delegation agreement.
  2. Extension of the extraterritorial scope: Processing of personal data in the context of the activities of an EU establishment of a controller (or of a processor) falls under the GDPR regardless of whether the processing itself takes place inside or outside the EU. The GDPR also reaches controllers and processors with no EU establishment where the processing relates to offering goods or services to data subjects in the EU, or to monitoring their behaviour within the EU.
  3. Personal Data Definition: The definition of personal data is broadened. It expressly covers identifiers such as location data and online identifiers, and factors specific to a person’s genetic, mental, economic, cultural or social identity. Pseudonymised data that can still be attributed to an individual using additional information remains personal data and stays in scope.
  4. Customer’s consent: Where consent is relied on as the legal basis for processing, it must be freely given, specific, informed and unambiguous, and the company must be able to demonstrate that it was obtained. Explicit consent is required for special categories of data. Consent is one of several legal bases, so a company should identify which basis it relies on for each processing activity.
  5. Right to be forgotten (“Erasure”): Individuals will be able to withdraw their consent and, where no other legal ground for the processing remains, require a company that holds their personal data to erase it, regardless of whether the company is inside or outside the EU.
  6. Data Breach Notification: A personal data breach must be reported to the competent supervisory authority (“DPA”) within 72 hours of the controller becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to the affected individuals, they must also be informed without undue delay. Processors must notify their controller of a breach without undue delay.
  7. Privacy by Design: Privacy must be considered in products and services from the design stage, not retrofitted. Companies may only collect data that is necessary for a specified purpose, and must not retain it longer than that purpose requires.
  8. Encryption: GDPR formally recognises encryption (and pseudonymisation) as appropriate technical measures for securing personal data. If breached data has been rendered unintelligible to unauthorised parties, for example by encryption, the obligation to inform the affected individuals does not apply. This relief only holds if the decryption keys were not also compromised, so companies will need a robust cyber security regime, including sound key management, rather than encryption alone.
  9. Fines: Sanctions under the GDPR are stricter than those currently in place; the most serious infringements risk fines of up to 4% of a firm’s annual worldwide turnover or €20 million, whichever is higher, with a lower tier of up to 2% or €10 million for other infringements.
  10. Processor liability and one-stop shop: GDPR imposes security obligations directly on processors (sub-contractors) as well as controllers, and allows regulators to take action against processors; the split of responsibility between the two will therefore need to be clearly defined in the processing contract. Separately, a one-stop shop mechanism is created with the intention of making it easier for companies to do business in the EU: a company with establishments in several Member States will deal primarily with a single lead supervisory authority.

The European Commission Publishes Draft ePrivacy Regulation:

On 10 January 2017 the European Commission (‘the Commission’) published the “Draft ePrivacy Regulation”, which is intended to repeal Directive 2002/58/EC (‘the ePrivacy Directive’).

In light of the significant evolution that electronic communications services have undergone in recent years, the Commission issued the Draft to bring the rules in this area into line with the General Data Protection Regulation (‘GDPR’). The intention is also to safeguard the potential for innovation while maintaining appropriate levels of security and protection for customers.

The Commission proposes that, once passed, the ePrivacy Regulation apply from 25 May 2018, alongside the GDPR. Key items in the draft are:

  1. Confidentiality of all communication content: The scope of the ePrivacy rules has been extended to all electronic means of communication and guarantees confidentiality of both content and metadata (for example the time of a call and the caller’s location). Under the proposal, metadata must be anonymised or deleted unless the user has consented to its use or it is needed for purposes such as billing.
  2. Cookies: Users do not need to give consent for non-privacy-intrusive cookies, such as those that remember the contents of a shopping cart or that count the number of visitors to a website.
  3. Marketing calls: The proposal introduces the right to object to the receipt of marketing calls. Marketing callers will need to display their phone number, or use a special prefix that indicates a marketing call, to give the customer the opportunity to refuse the call.
  4. Enforcement: Enforcement is aligned with the GDPR; the supervisory authorities, remedies and fines regime of the GDPR will also apply to violations of the ePrivacy rules.
  5. Wider range of application (Country): Alongside the ePrivacy draft, the Commission published a proposal updating the data protection rules that apply to EU institutions and bodies themselves, aligning them with the GDPR so that individuals are equally protected whichever body handles their data.
  6. Wider range of application (Means): The ePrivacy Directive applied only to traditional telecoms operators. The proposal extends the rules to over-the-top providers of electronic communications services, such as WhatsApp, Facebook Messenger, Skype, Gmail, iMessage or Viber.

GDPR will be enforced from May 2018 and focuses on data protection for individuals, giving them more control over their personal data. Its limitation lies in that narrow focus: it does not extend to business-to-business communications, or to communications between individuals, where no personal data is involved.

The Draft ePrivacy Regulation complements GDPR to ensure that the fundamental right to respect for people’s private lives is upheld throughout all digital communication.

The new ePrivacy rules give citizens and companies specific rights to protection that are not provided by the GDPR. For example, they guarantee the confidentiality and integrity of users’ devices (laptops, smartphones, tablets): information stored on or emitted by a device may only be accessed with the user’s permission.

CRS Update: Cayman Islands “Second Tranche”

As an early adopter of the global Common Reporting Standard (CRS), the Cayman Islands Government in December 2016 approved amendments to the CRS Guidelines applicable in Cayman (known as the “Second Tranche”) to ensure an effective and appropriate implementation.

These amendments will be implemented in conjunction with the launch of the Cayman AEOI (Automatic Exchange of Information) portal to facilitate notification and filing (estimated completion by Q1 2017).

The Cayman Islands has also opted for the “wider approach” to CRS due diligence. Because the OECD may amend the list of Participating Jurisdictions at a later stage, Cayman Financial Institutions must now identify the tax status of all investors and their controlling persons, not only those currently deemed reportable.


Notification Procedure:

CRS differs from FATCA in that every Cayman Financial Institution, whether classified as Reporting or Non-Reporting, has an obligation to notify the Tax Information Authority (“TIA”) by April 30, 2017 via the updated Portal. In addition to the Principal Point of Contact, the notification must name an individual authorised to notify the TIA of any changes to the information provided in the notification.

Financial Institutions that have already notified the TIA of their status for FATCA purposes must still update their notifications to confirm whether or not they are also Reporting Financial Institutions for CRS.

Reporting Requirements:

Along with the notification, CRS also imposes an obligation to report via the Cayman AEOI Portal by May 31, 2017. Reports will be required for:

  • Any account deemed reportable.
  • A NIL return in respect of each Reportable Jurisdiction for which there are no Reportable Accounts.

Although NIL returns are mandatory, the reporting procedure for them is expected to be much simpler than standard reporting.

Written Policies and Procedures:

Each reporting financial institution must establish and implement written policies and procedures to comply with CRS. These policies and procedures will have to address the obligations regarding due diligence, record keeping, notification and reporting to the TIA via the Cayman AEOI Portal, as well as information regarding the appointment of any third parties and cooperation with the TIA’s compliance measures.

By December 31, 2017, Financial Institutions are expected to have completed due diligence procedures, at a minimum, for lower-value pre-existing individual accounts and for pre-existing entity accounts.

UK FATCA:

Going forward into 2017, Cayman Reporting Financial Institutions will report on UK Reportable Persons under the CRS Regulations instead of the UK Regulations.


Penalties and Offences:

CRS offences are largely comparable to those under FATCA, but the financial penalties for non-compliance are more severe:

  • Penalties of up to $5,000 under the US/UK FATCA regulations.
  • Penalties of up to $50,000 for an offence by a Cayman Financial Institution (CFI), or $20,000 for an offence by any other person, under the CRS regulations.
