19 December 2019
Jersey's data protection law reform - new charging model approved
The Data Protection (Jersey) Law 2018 (“DPJL”) and the Data Protection Authority (Jersey) Law 2018 (“DPAJL”) came into force on 25 May 2018.
Under Article 17 of the DPAJL, controllers and processors established in Jersey are required to register with the Jersey Office of the Information Commissioner (“JOIC”).
Article 18 of the DPAJL makes provision for appropriate fees to be charged in order to fund the activities of JOIC and the Jersey Data Protection Authority, which oversees JOIC.
As part of the transitional arrangements in relation to notification and fees, the Data Protection (Registration and Charges) (Jersey) Regulations 2018 (the “2018 Regulations”) essentially “grandfathered” the previous notification and charging regime (although extended both processors as well as controllers), under which a flat fee of £50 per year was charged.
The intention has been to replace the Regulations with a risk based system of tiered annual payments. The JOIC issued a consultation paper proposing a tiered risk based model which was akin to the model adopted by the UK Information Commissioner.
The model initially proposed was relatively complex and (critically) made no provision for entities administered by financial services companies, which form a large category of controllers and processors in their own right.
The States of Jersey have approved the Data Protection (Registration and Charges) (Amendment) (Jersey) Regulations 2019 (the “2019 Regulations”). The 2019 Regulations are more straightforward and treat administered entities as a separate class. This will make it far more straightforward for regulated financial services providers to deal with registration and fee issues in relation to the entities which they administer.
The new funding model
The new funding model seeks to balance the risks arising from data processing with the size and resources of Jersey businesses – whilst also aiming to be understandable and easy to administer.
Under the 2019 Regulations, the annual processing charges which controllers and processors will now incur consist of up to three elements:
- the number of Full-time Employees involved
- the level of Past-Year Revenue
- whether the relevant entity is a regulated financial services provider (or otherwise subject to the Money Laundering (Jersey) Order 2008 or in the alternative if the entity is not regulated but otherwise processes special category data.
Although the maximum fee under this new model is £1,600, the proposals are based on the assumption that only 0.1% of data controllers or processors would be likely to incur such a charge, with the majority of businesses paying £70.
There are some (very limited) exemptions for those acting in the public interest such as public authorities, candidates for a public election, provided schools and those processing data as required by the law.
Those entities administered by a regulated trust company business (“TCB”) or fund services business (“FSB”) will not be eligible for an exemption but will instead be required to pay a fixed annual charge of £50. Those entities which do not process personal data will not be either controllers or processors and accordingly no fee will be payable. However, for an entity to process no personal data whatsoever will be rare.
An annual charge falls due on 1st January of the year to which the charge relates and must be paid by the last day of the following month. Accordingly, the first payments under the new scheme will be due in January 2020.
Where controllers or processors have already paid an annual charge in respect of any portion of 2020, the pro rata amount of the payment attributable to that year will be subtracted from the amount to be paid as the annual charge for 2020.
The annual processing charge for controllers and processors (other than those administered by a TCB/FSB) is set out below.
Annual processing charge for controllers and processors
Full-time equivalent employees
When calculating number of full-time equivalent (“FTE”) employees of a Payer:
- a person employed for no more than 9 hours a week is treated as 25% of a FTE employee;
- a person employed for more than 9 hours but no more than 18 hours a week is treated as 50% of a FTE employee;
- a person employed for more than 18 hours but not more than 27 hours a week is treated as 75% of a FTE employee; and
- a person employed for more than 27 hours a week is treated as a FTE employee.
Past-Year Revenues are defined as a Payer’s gross revenues that are generated by or on behalf of that part of the payer’s business that is established in Jersey for the year before the year to which an annual charge relates.
These 2019 Regulations have the advantage of relative simplicity in comparison to the model previously proposed.
The devil (if any) is likely to be in the detail of how registration and fee payment is managed in practice – particularly for administered entities. If this could be combined with other payments (such as the companies registry fee) which service providers already need to make, this would be a welcome development. Past-Year Revenues are defined as a Payer’s gross revenues that are generated by or on behalf of that part of the payer’s business that is established in Jersey for the year before the year to which an annual charge relates.