Jermaine Case
Senior Associate | Legal
Cayman Islands
Jermaine Case
Senior Associate
Cayman Islands
The advent of large language models and other generative artificial intelligence systems is rapidly reshaping industries across the globe.
The Cayman Islands is no exception, with a number of Cayman entities, firms and other organisations across all sectors already integrating artificial intelligence (AI) solutions into their day-to-day operations. While AI adoption helps drive efficiency and promote innovation, it brings complex legal, regulatory, ethical and governance considerations that Cayman firms need to navigate.
At the core, AI systems are data driven. They rely on large volumes of personal and other data to train, refine and deploy models. This means Cayman firms implementing AI solutions should consider their compliance with the Data Protection Act (Revised) (DPA) and other sector-specific regimes. Alongside these statutory data protection obligations, Cayman firms may also need to ensure that their implementation of any AI solution will not result in unauthorised disclosure or use of confidential or privileged information. The treatment of intellectual property rights concerning AI outputs is also very quickly becoming an area of uncertainty and will likewise require careful handling.
In part one of this two-part series on AI in the Cayman Islands, we examine how AI development and use may trigger data protection obligations under the DPA and what Cayman firms should be considering in this regard.
The Cayman Islands' data protection regime, established under the DPA, is broadly aligned with the European Union General Data Protection Regulation (GDPR) and reflects internationally recognised standards for the protection of personal data.
The DPA applies to any data controller established in the Cayman Islands that processes personal data, regardless of how or where such processing occurs. The DPA may also extend to entities outside the jurisdiction where Cayman-based processing activities or infrastructure are involved.
Under the DPA, a data controller is any person who, alone or jointly with others, determines the purposes, conditions and manner in which personal data relating to an identifiable living individual (a data subject) are, or are to be, processed. In turn, processing is defined very broadly to include obtaining, recording or holding data or carrying out any operation or set of operations on personal data. Personal data means data relating to a living individual who can be identified.
A Cayman firm that uses or directs the processing of personal data by AI will fall within the scope of the DPA as a data controller. In practice, this means Cayman entities including investment funds, administrators, investment managers, banks, trust companies and corporate services providers must comply with the DPA whenever they handle personal data relating to a data subject, including in the context of that entity's development or implementation of any AI solution.
When a Cayman firm acts as a data controller it must comply with the eight data protection principles provided for under the DPA. The scope of these obligations does not change when AI is involved. Rather, their operational application may become more difficult, with certain data protection principles becoming harder to satisfy. As AI can increase the scale, speed and opacity of personal data use, more robust data protection compliance programmes may be required to comply with the obligations under the DPA in this fast-moving space.
Many Cayman data controllers appoint third parties to process personal data on their behalf. In those cases, the third party will likely be a data processor under the DPA provided it does not also determine the purposes for which the personal data are processed and acts solely on the data controller’s instructions.
A person that is solely a data processor does not have any primary obligations under the DPA. The data controller therefore remains ultimately responsible for compliance with the DPA and must ensure that the data processing arrangement is documented by a written contract which contains certain prescribed assurances regarding the secure processing of the personal data. Where AI systems are deployed as part of the processing arrangement, the data processing agreement must be structured to enable the data controller to discharge its obligations under the DPA, including with respect to the use of automated processing and any new risk factors that AI may introduce (which are likely to be identified in any data protection or AI impact assessment).
Data controllers have plenty to consider when complying with the data protection principles in the context of the development or implementation of any AI solution.
At a minimum, reflecting the application of the overlapping first and second data protection principles (fair and lawful processing and purpose limitation, respectively), Cayman firms implementing AI solutions to process personal data (including sensitive personal data) should be clear on the following matters:
The emphasis on fairness and transparency also aligns with the expectations set out in the Guide for Data Controllers (2023) published by the Cayman Islands Ombudsman (the Guide). The Guide, while not legally binding, articulates standards that Cayman firms are expected to observe when deploying AI solutions for personal data processing. It requires data controllers to disclose the use of AI in data processing and to provide a clear explanation of its purpose to data subjects. Where the purposes of processing are not fully determined at the outset, data controllers must advise data subjects of the intended uses and issue updated privacy notices as necessary. Any material change to the purposes for which personal data are processed must be communicated to data subjects in advance of commencement of such processing. The Guide also considers that measures such as “just-in-time” notices and the adoption of user dashboards can help to facilitate transparency and afford data subjects ongoing control over their personal data.
Data minimisation is the third data protection principle. It requires data controllers to identify the minimum amount of personal data needed to fulfil a lawful purpose. Data controllers should process that personal data, but no more. If asked to do so by the Cayman Islands Ombudsman, a data controller should be in a position to demonstrate that it has appropriate processes to ensure that it only collects and holds the personal data it needs. As AI models generally operate on large datasets, it may be practically difficult (but not impossible) to comply with the data minimisation principle where AI solutions are being deployed and Cayman firms should confirm their legal position before proceeding with deployment.
While certain AI output may be probabilistic (that is to say, they predict likely answers rather than retrieving fixed facts), Cayman firms are obligated to ensure that personal data used or generated by an AI system is sufficiently accurate and kept up to date where necessary, as required by the fourth data protection principle. Where a Cayman firm maintains inaccurate personal data about a data subject, it must also be able to observe a data subject's rights under the DPA to have the inaccurate data corrected. This requires Cayman firms to consider the technical specifications of an AI solution and confirm whether or not any related processing using that AI solution will meet the data accuracy requirements and enable correction (or possible erasure) of inaccurate personal data.
The fifth principle requires data controllers to keep personal data only for as long as required. This may present some challenges as certain AI solutions, especially those that are cloud-based or involve third-party providers, may retain or reuse personal data in ways that are not immediately transparent or originally agreed or intended. Such unauthorised use may breach the DPA. Cayman firms should therefore ensure that retention periods are actively controlled and that adequate mechanisms are in place to ensure that appropriate retention periods are strictly observed as required by the DPA.
The sixth principle requires respect for a data subject's rights including the rights to access, rectification, objection to processing, to stop processing for direct marketing and to not be subject to automated decision making processes. It is the right in relation to automated decision-making that is brought more sharply into focus when AI solutions are being used. A data subject has the right to be informed if a data controller makes solely automated decisions, including those based on profiling, that may have a significant effect on the data subject, and to opt out of such decisions being made on a solely automated basis. Where a data subject is notified that a decision significantly affecting them was made on a solely automated basis (for example, using an AI system), the data subject will have an opportunity to require the data controller to reconsider the decision or take a new decision otherwise than on an automated basis.
As noted in the Guide, decision making processes are "automated" for DPA purposes where there is no human involvement in the process. Accordingly, decisions made with a mere "token human involvement" will likely be seen as automated processing under the DPA. This means that it may be inappropriate to deploy AI solutions to make critical decisions on an entirely automated basis in respect of, for example, employment, creditworthiness or eligibility for social or financial goods or services. Appropriate evaluations will therefore be required to determine potential legal feasibility in each proposed use case involving automated operations.
The seventh principle requires appropriate technical and organisational measures to be taken against unauthorised or unlawful processing of personal data and accidental loss, destruction of or damage to personal data. The eighth principle restricts transfers of personal data outside the Cayman Islands unless there is an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of that personal data.
The use of AI will likely involve cross-border data flows and reliance on external vendors or processors. This places greater emphasis on ensuring that appropriate technical and organisational measures are in place, including measures to ensure that any personal data breach can be identified, contained and remediated. Additionally, where a Cayman firm transfers personal data outside the Cayman Islands or directs such a transfer, it should ensure that the transfer takes place only where there is an adequate level of protection in keeping with the eighth data protection principle.
While these obligations are not new, AI makes the route to compliance with the DPA more complex, particularly where personal data are processed through cloud-based tools, third-party platforms or systems whose retention, access, security and onward transfer arrangements are not fully transparent. Cayman firms should ensure that proper safeguards are in place at every stage of the AI development and implementation lifecycle, including vendor due diligence, contractual controls, access management, retention controls, breach response procedures and ongoing monitoring.
AI adoption can change a Cayman firm’s data protection risk profile quickly through routine operational uses (for example, outsourcing, model training, analytics and automated workflows) that may not be easily visible unless specifically mapped and governed.
To remain compliant with the DPA and to mitigate the risk of penalties, enforcement action and reputational damage, Cayman firms should consider implementing a robust programme of practical measures, including reviewing and updating privacy notices, data processing agreements and other contractual arrangements and implementing (or refreshing) AI acceptable use, AI governance, cybersecurity and internal controls policies. Any such measures should be proportionate and aligned to the risks identified through a data privacy assessment and / or an AI impact assessment.
Cayman firms should also consider where they may be required to inform employees, clients, customers or counterparties that it is using AI to process personal data in keeping with the Guide thereby ensuring transparency and ensuring data subjects' control over their personal data.
Ongoing internal training is also an important part of any AI or data protection compliance programme, particularly for teams selecting, configuring or using AI tools, and for staff involved in onboarding vendors, handling data subject requests, security incidents (including personal data breaches) and operational decision making.
Ogier provides specialist regulatory legal advice on the adoption of AI. We ensure our clients get the right advice in diverse and cross-border situations.
For further information or assistance, reach out to your usual Ogier contact.
Ogier is a professional services firm with the knowledge and expertise to handle the most demanding and complex transactions and provide expert, efficient and cost-effective services to all our clients. We regularly win awards for the quality of our client service, our work and our people.
This client briefing has been prepared for clients and professional associates of Ogier. The information and expressions of opinion which it contains are not intended to be a comprehensive study or to provide legal advice and should not be treated as a substitute for specific advice concerning individual situations.
Regulatory information can be found under Legal Notice
Sign up to receive updates and newsletters from us.
Sign up