Guernsey confirmed as leading non-EU jurisdiction for safe and secure data
Guernsey has been assessed by the European Commission as one of only 11 countries or territories worldwide that have achieved ‘EU data adequacy status’, such that data transfers from the EU to these countries or territories can take place without additional requirements.
The finding, announced on 15 January after the EU’s first review of the functioning of the adequacy decisions adopted under the Data Protection Directive, means that EU Member States and institutions view the Bailiwick of Guernsey’s legislative framework as ensuring an adequate level of protection – comparable to that of EU Member States – for the safe flow of data between the EU and Guernsey.
“This is a great achievement for the Bailiwick,” said Stephen Hare, Managing Director of Sovereign Trust (Channel Islands) Ltd. “It reinforces our position as adhering to international standards in respect of data and, by reassuring businesses and clients operating across multiple jurisdictions, it will hopefully lead to more businesses considering Guernsey as a place to establish their operations and for individuals to relocate here.”
Guernsey is home to many global businesses that rely heavily on the flow of data to and from EU Member States, and this is particularly crucial for parts of the financial services sector. This decision enables the Bailiwick’s business sectors to continue to transfer data unhindered. In addition to private sector requirements, Guernsey’s public authorities also routinely share data in crucial areas such as policing and security, healthcare and education.
A negative outcome would have resulted in additional safeguards being required before data could be shared between the Bailiwick and EU Member States, as required by the EU’s General Data Protection Regulation (GDPR).
Achieving data adequacy is therefore a significant achievement for Guernsey as a ‘third country’ to the EU, which as part of the assessment process had to demonstrate that it met the higher data protection standards contained within the GDPR. The assessment process focussed on both the contents of the Guernsey’s legislation and its practical implementation across the jurisdiction.
The Commission said it welcomed the developments in the Guernsey legal framework since the adoption of the adequacy decision, including legislative amendments and activities of oversight bodies, which had contributed to an increased level of data protection. In particular, Guernsey had significantly modernised its data protection framework by adopting the Data Protection (Bailiwick of Guernsey) Law 2017, which had applied since 2019 and aligned the Guernsey regime closely with the GDPR.
In the area of government access to personal data, it said, public authorities in Guernsey were subject to clear, precise and accessible rules under which they could access and subsequently use data transferred from the EU for public interest objectives, in particular for criminal law enforcement and national security purposes.
These limitations and safeguards followed from the overarching legal framework and international commitments, notably the European Convention on Human Rights (ECHR) and the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108), as well as from Guernsey data protection rules, including the specific provisions for the processing of personal data in the law enforcement context set out in the Data Protection (Law Enforcement and Related Matters) (Bailiwick of Guernsey) Ordinance 2018.
In addition, said the Commission, Guernsey law imposed a number of specific conditions and limitations on the access to and use of personal data for criminal law enforcement and national security purposes, and it also provided oversight and redress mechanisms in this area. It therefore concluded that Guernsey continued to provide an adequate level of protection for personal data transferred from the EU.
‘We have many global businesses in the Bailiwick that need to be able to legitimately and appropriately share data.,” said Neil Inder, President of Guernsey’s Committee for Economic Development.
“While this decision guarantees they can continue to do so across all EU Member States, it also acts as a significant marker for other regions we work in across the world that the Bailiwick is recognised as being a safe and secure place in which to do business.”