• Work continues to prepare the Channel Islands for new data protection legislation

    WORK is continuing to prepare the Channel Islands for new data protection legislation which is due to come into force in 2018, says the islands’ independent data protection regulator.

    Emma Martins said she and her pan-Island team were working hard to support both governments and businesses in the islands, recognising the potential economic benefits for those who engage with the opportunities created by the EU’s General Data Protection Regulation (GDPR).

    Her comments come after it was announced by the States of Jersey and the States of Guernsey that the data protection commissioner will be leaving her post in March 2018. The governments also confirmed that the pan-Island role will end, with each island introducing their own dedicated data protection commissioner post at that time.

    ‘After the recent decision for the Islands to move away from a pan-island data protection regulator, we will continue to work hard to ensure the Islands are as prepared as possible for the new data protection legislation in May 2018,’ said Mrs Martins, who is the Data Protection Commissioner in Guernsey and the Information Commissioner in Jersey.

    ‘The decision is regrettable after the two islands have come such a long way together and in light of the significant work done in recent years to create a pan-island presence. To a certain degree, it reflects the fast evolving nature of the data economy.’

    Important work to prepare the islands for GDPR will, however, continue to be carried out by Mrs Martins and her team.

    ‘These events should not and must not distract from the important work that lies ahead and on which industry and citizens are entitled to our complete focus and attention. There are very real economic opportunities for any jurisdiction that embraces those opportunities in an intelligent and enlightened way,’ added Mrs Martins.

    Read more >
  • Information Commissioner to leave her post

    Below is replicated a press release made by the States of Jersey taken from




    The pan-Island Information Commissioner has announced that she will be leaving her post in March 2018 after 14 years working for Jersey.

    Emma Martins took on responsibilities for data protection in Jersey in 2004, and has provided professional leadership since then as the importance of data in our private and professional lives has grown significantly.

    Since 2011 she has supported both Jersey and Guernsey, including preparing to implement new EU Data Protection Regulations.

    Assistant Chief Minister, Senator Paul Routier, said “Data protection is essential for Islanders and businesses – now more than ever. Mrs Martins has played an important role in Jersey and I thank her and wish her all the very best for the future.”

    Following an extensive consultation process, the new legislation in Jersey has recently been approved by the Council of Ministers for presentation to the States Assembly in December, in line with the agreed timetable.

    Dedicated Jersey Commission

    The States of Guernsey have decided that they would like to avoid a pan-Channel Island Information Commissioner managing two different sets of legislation and are intending to establish their own Information Commission. Jersey’s government will bring forward plans for a dedicated Jersey Information Commission to maintain a GDPR-equivalent regime and a properly resourced regulatory body.

    Senator Routier continued “Jersey places the highest importance on data protection matters, and our new legislation will serve the needs of Islanders and businesses for the future. We will continue to work constructively with Guernsey on a wide range of matters, but as the importance of data will continue to grow, so it is right that we appoint a dedicated Jersey regulator to oversee our compliance with the new legislation.”

    A recruitment process is now beginning to find a replacement for Mrs Martins. The new legislation in Jersey is expected to be in place in May, 2018.

    Read more >
  • Irish Data Protection Regulator questions transfer of Facebook data to US

    The Irish High Court has asked the Court of Justice of the European Union (CJEU) for a preliminary ruling on whether or not the transfer of Facebook user data to Facebook Inc in the US is lawful. Facebook operates its international business via a separate company in Ireland called Facebook Ireland Ltd, which handles the data of 85% of all Facebook users outside the US and Canada.

    The court agreed that the absence of effective remedies in the US may violate European fundamental rights under the European Charter of Fundamental Rights, when data is sent to the US under Standard Contractual Clauses (SCCs). European data protection law requires that data can only be transferred outside the EU if the personal data is “adequately protected”. This is in conflict with US law (FISA 702) which requires US companies (including Facebook Inc.) that are “electronic communication service providers” to hand over data, as and when required, to the US national security authorities.

    The court found that the Irish Data Protection Commissioner has “well-founded concerns” that the SCC Decision by the European Commission (2010/87/EU) may be invalid. The court further found that the DPC may be able to suspend data flows under the SCCs in line with Article 4 of the SCC decision and Article 28 of Directive 95/46/EC.

    The case is ongoing and further clarification in a second decision from the CJEU  is awaited. The latest ruling can be found by clicking on the link below.

    2017.10.04 – Irish DPA v Facebook Ireland.


    Read more >
  • International Conference of Data Protection and Privacy Commissioners

    The 39th International Conference of Data Protection and Privacy Commissioners is currently underway in Hong Kong at which the Channel Island data protection authorities are represented.

    The Conference which seeks to provide leadership at international level in data protection and privacy, links more than a hundred privacy and data protection authorities and serves as a reminder of the global nature of digital environment.

    More information about the conference can be found here.

    Read more >
  • New UK Data Protection Bill introduced into the House of Lords

    The UK Government has yesterday introduced the new UK Data Protection Bill to the House of Lords which, if passed, will overhaul the current UK data protection regime.

    In most respects the bill, which will come into force next May, will transfer the European Union’s General Data Protection Regulation into UK law. The legislation will also be maintained after Brexit.

    Whilst the proposals impose much heavier fines on those who do not protect personal data, the government said it had negotiated “vital” exemptions to create a more “proportionate” regime for Britain.

    The government had already unveiled other key provisions of the Data Protection Bill in August, including:

    • Making it simpler for people to withdraw consent for their personal data to be used
    • Letting people ask for data to be deleted
    • And making re-identifying people from anonymised or pseudonymised data a criminal offence

    In addition, UK firms that suffer a serious data breach could be fined up to £17m or 4% of global turnover.

    The current maximum fine firms can suffer for breaking data protection laws is £500,000.

    To read the proposed UK Data Protection Bill in full, please click here.

    Read more >
  • Grand Chamber judgment Barbulescu v. Romania – monitoring of an employee’s electronic communications

    The Grand Chamber of the European Court of Human Rights this week released its judgment that the monitoring of an employee’s electronic communications had amounted to a breach of his right to a private life.

    The judgment (attached in full here) found that the individual had not been made aware that there would be monitoring of his electronic communications, prior to its commencement or the nature and extent of the monitoring which included the possibility of the employer seeing the full contents of such communication.

    Read more >
  • Government to strengthen UK data protection law

    People to have more control over their personal data and be better protected in the digital age under new measures announced by Digital Minister Matt Hancock.

    In a statement of intent the Government has committed to updating and strengthening data protection laws through a new Data Protection Bill. It will provide everyone with the confidence that their data will be managed securely and safely. Research shows that more than 80 per cent of people feel that they do not have complete control over their data online.

    The full article from the UK Government website can viewed here.

    Read more >
  • Shadow Chair for Data Protection Authority

    The States of Jersey and Guernsey are recruiting a Shadow Chair for the Data Protection Supervisory Authorities of the Channel Islands. The Shadow Chair will help shape the way data protection is regulated in the Channel Islands, and will provide independent advice to the respective States, as well as to the Supervisory Authorities, on exercising their responsibilities under new data protection legislation. The Shadow Chair will be recruited from outside Jersey and Guernsey.

    The full article can be found by following the link below:

    Read more >
  • Statement regarding data breach by the Parish of St Helier

    Jersey’s Information Commissioner Emma Martins said: ‘The Parish of St Helier informed my office of a data breach during the afternoon of Friday 14th July 2017. The breach related to an email sent to St Helier ratepayers in which the email addresses of all recipients was included, and therefore disclosed. It appears the recipients’ emails were erroneously entered into the ‘cc’ box rather than the ‘bcc’ box.

    ‘It is not mandatory for data controllers to report data breaches to my office under the current legal regime (Data Protection (Jersey) Law 2005). However, it will be mandatory from 2018 when new data protection legislation is due for implementation. As such, we welcome the proactive position taken in respect of this matter by the Parish of St Helier.’

    She added: ‘The Office of the Information Commissioner has received a number of complaints and enquiries relating to this incident. We will now seek further, detailed information from the Parish of St Helier to better understand how the incident happened and the steps they now propose to take. While this investigation remains ongoing, it would be inappropriate to comment further at this stage.’

    Read more >
  • GDPR: One year to go

    WITH one year to go until the General Data Protection Regulation (GDPR) comes into force across the European Union (EU) on 25th May 2018, the Office of the Information Commissioner and Data Protection Commissioner is today launching a website, which will contain advice and guidance to help island businesses get to grips with the new legislation.

    ‘With one year to go I’m delighted that industry is talking about GDPR. I’ve spoken at dozens and dozens of briefings, seminars and other events over the past few months and am pleased to say that GDPR is certainly on the radar of the businesses I have spoken with – awareness is far greater than it was even six months ago,’ said Emma Martins, Data Protection Commissioner / Information Commissioner.

    ‘With 365 days to go we have launched a microsite which will become a useful portal for businesses looking for guidance. I urge islanders to keep an eye on this as we will be uploading information as it becomes available. I also want to give reassurance to businesses that GDPR is not a revolution, it’s an evolution of current data legislation, so if you’re compliant currently, you have a great base from which to work.

    ‘Local legislation is currently being drafted and both Jersey and Guernsey’s governments have committed to a harmonised approach to this,’ added Mrs Martins. ‘When this legislation is finalised we can then start to develop more detailed guidance. To date every island business has been sent general guidance on GDPR but we know we’ve got work to do to make sure businesses have access to specific guidance. We are working very hard behind the scenes to make sure that our office is ready for the changes.’

    In order to be prepared, business can begin by ensuring they have a detailed understanding of the data they hold and how they process this. This underpins the accountability aspect of GDPR. Any effective data governance strategy has to begin with a comprehensive data audit, which can be obtained by answering the following key questions:

    • What personal data do you hold? Do you hold any special category data?
    • Where is it from and where is it sent?
    • Why is it processed? For what purpose?
    • How is the processing lawful and fair? Which of the conditions is met? Have you provided individuals with details about the processing of their data, including reference to the rights they have?

    When it comes into force, the General Data Protection Regulation (GDPR) aims to strengthen data protection rights for individuals and harmonise compliance requirements for businesses. GDPR is set to be the largest change to the protection of personal data across Europe since the implementation, in 1995, of the EU Data Protection Directive, which is currently in force. At that time, and in response to the transfer controls on data exported from the EU, the Channel Islands implemented the Data Protection (Bailiwick of Guernsey) Law, 2001 and the Data Protection (Jersey) Law 2005 which ensured the continued free flow of data to the islands.

    The Regulation will be overseen by the European Parliament, the European Council and the European Commission. The governments of Jersey and Guernsey, together with the Channel Islands Brussels Office, are working with the Commission, as well as key stakeholders, to ensure the islands are prepared for the changes and businesses are aware of their responsibilities and have time to prepare.

    For more information, business can go to

    Read more >