Data Protection Authority (Jersey) Law 201-

STATES OF JERSEY

r

DRAFT DATA PROTECTION AUTHORITY (JERSEY) LAW 201-

Lodged au Greffe on 5th December 2017 by the Chief Minister

STATES GREFFE

2017  P.117

DRAFT DATA PROTECTION AUTHORITY (JERSEY) LAW 201-

European Convention on Human Rights

In accordance with the provisions of Article 16 of the Human Rights (Jersey) Law 2000, the Assistant Chief Minister has made the following statement –

In the view of the Assistant Chief Minister, the provisions of the Draft Data Protection Authority (Jersey) Law 201- are compatible with the Convention Rights.

Signed:  Senator P.F. Routier, M.B.E.

Assistant Chief Minister

Dated:  1st December 2017

REPORT Introduction

We live and work in a digitally connected society, where the Internet has become a feature of everyday life and where businesses and consumers rely on the ability to share and access personal information online, with confidence and clarity.

The protection of this personal data is essential for the protection of our human rights, particularly those accorded by Article 8 of the European Convention on Human Rights (i.e. the rights to private and family life, home and correspondence).

Personal data is the lifeblood of the financial services industry in particular, and as the digital economy develops and the use of online technology becomes ubiquitous, it is important that Jersey continues to provide a safe environment for processing data, with clear and robust data protection legislation that is monitored and enforced by an effective regulator.

Background and policy

Summary:

• The  Data  Protection  (Jersey)  Law  2005  sets  out  Jersey's  current  data protection regime.
• On 25th May 2018, the European Union's General Data Protection Regulation ("GDPR") and Law Enforcement Directive ("LED") will come into effect in EU Member States.
• The GDPR and LED will give people greater control over their data and require data controllers and processors to protect and use it appropriately.
• This new legislation will give people in Jersey equivalent rights in respect of their personal data to people in the EU.
• The GDPR and LED include restrictions on the transfer of personal data to third countries outside the EU, unless they have an adequacy decision.
• Jersey already has an adequacy decision for the purposes of the GDPR, and the enactment of new data protection legislation is essential to maintain that status and achieve adequacy for LED purposes.

The Current Data Protection Regime in Jersey

Jersey currently has a well-established data protection regime. The Island enacted its first data protection legislation in 1987, and has therefore long considered the need to provide robust assurances for personal data.

The Office of the Information Commissioner implements, and ensures compliance with, the current legislation, the Data Protection (Jersey) Law 2005 (the "2005 Law"). This piece of legislation was aligned with the relevant UK and EU laws, and the EU Commission issued a decision that the Island provides adequate' protection for personal data. This means that personal information can be shared freely between the EU and Jersey. This is important for all business sectors in Jersey.

The European context

The outgoing EU data protection regime (based on Directive 95/46/EC – the "Directive") was introduced at a time when the Internet was in its infancy, and prior to the widespread adoption of e-mail and social media, or the rise of cloud computing or big data analytics. Further, in implementing the Directive, different EU member states have applied differing approaches, resulting in disparity between the various compliance regimes across Europe.

Given this disparity, the extent to which technologies have developed, and the ways in which people and businesses communicate and share information have changed, the EU has enacted 2 new pieces of legislation to modernise, standardise and increase the level of protection for personal data across the EU. The GDPR replaces the Directive for most purposes. In addition, the EU has enacted the LED, which is concerned with the protection of personal information processed for the purposes of policing and public protection.

To retain adequacy with the GDPR and to assure adequacy with the LED, Jersey now has to introduce new data protection legislation that will provide essentially equivalent' protection to the GDPR and LED.

Engagement with the European Commission indicates that Jersey's adequacy decision will be grandfathered' (i.e. it will continue in effect) until the jurisdiction is re-assessed (probably in 2020). However, putting new legislation in place for May 2018 remains a matter of urgency, as it reduces the risk of challenges to Jersey's existing status. Failure to secure continued adequacy with the EU would likely have detrimental economic consequences, particularly to the financial services sector, which relies heavily on the unrestricted flow of personal data to and from EU member states (and elsewhere relating to EU citizens). Failure to update our data protection regime would also result in people in Jersey being afforded a lower standard of individual rights in respect of data than their European counterparts.

A summary of the most important changes introduced by the GDPR and LED

A brief summary of the most important requirements introduced by the GDPR is set out below.

In terms of new requirements, businesses and organisations processing personal data will be required to –

1. provide better and more information about how they process personal data in a clearer and more accessible way;
2. evidence that they design and build new services and products from the earliest stage of development in a way that protects privacy by design' and default;
3. notify the local independent supervisory authority' of any data breach within 72 hours where that is feasible and notify the individuals concerned without undue further delay;
4. appoint a Data Protection Officer who will be responsible for ensuring compliance with the requirements of the GDPR where they conduct large scale' processing operations or systemic and regular monitoring' as part of their core activities'; and
5. demonstrate that where individual consent is used as a basis for processing that consent was freely given, specific, informed and indicated by an affirmative action (e.g. the person must actively tick a box rather than untick one that has been pre-ticked).

The GDPR also confers additional rights on individuals, including –

1. an enhanced right of access to their personal data;
2. the right to withdraw consent to the processing of their data in a particular way and the right to erasure (or right to be forgotten as it is often referred to in the press) providing there is no legitimate reason for it to be retained by the data controller; and
3. a right to require the transfer of their personal data between service providers. This right to "portability", will promotes competition and removes barriers to entry to markets, is consistent with the principles of Jersey's Digital Policy Framework.

The GDPR provides for the following tougher enforcement mechanisms to protect individuals –

1. the new European Data Protection Board will be responsible for ensuring consistency in enforcement of the GDPR across the EU;
2. individual Member States will be required to continue to have their own Independent Supervisory Authority, and will need to ensure that it has robust enforcement powers; and
3. substantial fines; failure to comply with the requirements of the GDPR will leave businesses and organisations liable to much more significant fines. Serious breaches of the GDPR may result in a maximum penalty which is the greater of 20 million Euros or 4% of global annual turnover, or in less serious cases a maximum penalty which is the greater of 10 million Euros or 2% global annual turnover. (There is flexibility to go for lower fine schemes).

Why this legislation is essential

It is clear that new legislation is required if Jersey is to provide essentially equivalent protection for personal data to that set out in the GDPR and LED.

On 20th February 2017, the Assistant Chief Minister made a Ministerial Decision approving instructions to the Law Draftsman to repeal the Data Protection (Jersey) Law 2005 and to prepare new legislation that will replace it and set out the new powers, functions and funding arrangements for the data protection regulator.

This draft Law and the Draft Data Protection (Jersey) Law 201- (the "Data Protection Law"), which has been lodged at the same time (see P.116/2017), replace the 2005 Law. It places privacy obligations on data controllers and processors, and rights on data subjects that are equivalent to those imposed by the GDPR and the LED.

This draft Law establishes and sets out the powers and functions of the new Data Protection Authority (the "Authority"), which will provide robust, effective and independent regulation of the requirements in the Law. The establishment of the Authority is essential to ensuring equivalent protection for personal data to that provided under EU law. This Law reforms the governance and funding arrangements for the regulator, to ensure that the Authority has sufficient guarantees of structural independence. It also provides the Authority with powers to investigate breaches of the law and impose effective and dissuasive sanctions for breaches of this draft Law.

The primary policy objectives of both this draft Law and the Data Protection Law is to provide  effective  protection for personal data,  and to  maintain Jersey's  adequacy under the new European regime. Where there is doubt as to whether a particular approach to the drafting would provide equivalent protection to that provided in the EU, the draft legislation closely reflects the GDPR and the LED. However, where

there is scope to be flexible with the approach of our legislation in a way that might benefit Jersey, the legislation seeks to do so.

Research and Consultation

Summary:

• The  government  undertook  an  extensive  programme  of  research  and consultation, commissioning expert advice, engaging closely with the Island's business community and opening dialogue with international stakeholders.
• The local business community is supportive of the government's policy goals. It recognises the criticality of consistency with the EU framework, as this will allow data to flow freely to and from the Island from Member States.

To inform policy development on data protection, the Chief Minister's Department and the Law Officers' Department conducted considerable analysis.

There  were  2  principal  work-streams  comprised  in  the  research  project:  one considered what was required for Jersey's data protection regime to continue to be deemed adequate by the EU Commission, the other assessed what the Island could do above and beyond to gain a competitive advantage. To inform this second work- stream,  the  Chief  Minister's  Department  commissioned  specialist  researchers  to review what opportunities there might be in how the Island implemented new data protection legislation. The outcomes of this consultancy have informed the policy development and the law drafting instructions for both pieces of legislation.

In developing the policy and drafting the legislation, the government has engaged widely with stakeholders across Jersey and internationally.

International Engagement

With  the  assistance  of  the  Channel  Islands  Brussels  Office,  the  government  has engaged  with  officials  from  the  European  Commission  to  begin  the  process  of renewing the adequacy decision. A pan-Island delegation met with representatives from the Directorate-General for Justice in February 2017. This was well-received by the  Commission,  which  was  positive  about  Jersey's  data  protection  regime  and approach to the new legislation and was supportive of the Island's commitment to continued adequacy.

The  Government  of  Jersey  has  also  engaged  with  other  third  countries  that  are currently considered adequate by the European Commission and are updating their legislation to ensure continued adequacy. There has been positive dialogue with New Zealand and Canada, where officers have sought to share best practice.

Throughout the process, the Government of Jersey has engaged closely with the UK. Whilst it is still a member of the EU, the UK will be implementing the GDPR as an EU Member State. The UK Government has introduced a draft Data Protection Bill to the House of Lords in September 2017, to address aspects of the GDPR where it has scope to derogate and to implement the LED. The UK has indicated that it intends to maintain parity with EU data protection standards after Brexit, and that it will be looking to ensure that data can continue to flow freely between the EU and UK after Brexit, which may be achieved through seeking an adequacy decision like Jersey's.

Local Stakeholder Engagement

During the process there has been close engagement with stakeholders. Clear policy and drafting guidelines were set out in early conversations and have been adhered to. These guidelines were welcomed by industry.

The business community has been supportive of Jersey's policy goals. It recognises the critical importance for businesses in Jersey of maintaining the adequacy' decision from the EU Commission, as this enables the free flow of data to and from the Island from residents of EU member states.

A  programme  of  industry  engagement  has  been  conducted,  including  a  series  of roundtables and workshops, news releases and industry updates. There have been regular updates to key stakeholder groups, including the Jersey Financial Services Commission, Jersey Finance, Digital Jersey and Jersey Business.

This  draft  Law  and  the  draft  Data  Protection  Law  were  reviewed  by  an  expert stakeholder  group  with  representatives  from  the  financial  services  sector,  legal services, the digital economy and public bodies, in August and September 2017. There were 18 written and 2 verbal submissions to this expert consultation. The information gained  from  these  responses  was  complemented  by  feedback  from  around 50 participants at 2 stakeholder events in October 2017, and a submission from the Office of the Information Commissioner. The consultation feedback was constructive, often focussing on highly technical elements, and has helped improve the legislation. A key theme of the feedback was to ensure that data controllers and processors have clarity as to what is required. Another theme was that government should, where possible, avoid gold-plating the new EU regime by placing any additional burdens on business through our own legislation.

Also of critical importance was the protection of Jersey citizens and their personal and sensitive data. Through this legislation, Jersey residents will be as well protected as EU citizens.

The Draft Data Protection Authority (Jersey) Law 201-

Summary:

• The  Data  Protection  Authority  (Jersey)  Law  201-  establishes  the  Data Protection Authority (the "Authority") (which will replace the Office of the Information Commissioner).
• It provides the Authority with robust investigatory and enforcement powers, including the power to impose administrative fines, which may be used to secure compliance with the draft Data Protection Law.
• Accordingly,  it  also  bolsters  the  Authority's  governance  structure  and oversight  arrangements.  A  Board  will  be  formed,  becoming  the  principle corporate  body  responsible  for  regulating  compliance.  The  Information Commissioner will become the Chief Executive Officer of the Authority.
• This expansion is appropriate both to enable the Authority to be effective and to ensure essential equivalence (adequacy') with the EU framework.

The draft Law provides that the Authority will have robust governance structures, commensurate to its obligations and powers, which are expanded under this draft Law compared with the 2005 Law. This is not only appropriate for the regulator, but also a necessary step in ensuring continued adequacy with Europe.

Under this Law the Information Commissioner will be the Chief Executive Officer of the Authority. This is a change to how the Authority is structured under current data protection legislation, where the Commissioner herself is the independent statutory authority responsible for regulating.

In effect, this means that the Commissioner's role becomes primarily operational, and that  the  Authority,  governed  by  a  Board,  becomes  the  principle  corporate  body

responsible for regulating compliance with the new Data Protection Law. The Board sits above the Commissioner and provides governance advice, as well as setting policy and strategic direction. This structure effectively mirrors the structure of existing authorities in Jersey for financial services and other areas such as competition law.

The new legislation introduces greater enforcement powers, so it is therefore appropriate to provide greater separation than there currently is between the Commissioner as an individual and the Authority as the entity responsible for regulating. It also provides more robust institutional independence including a fuller separation between government and regulation.

The draft Law provides that the decision on whether to apply the highest rates of fines and to authorise certain investigative powers will sit with the Board rather than the Commissioner.

Article 3 sets out the constitution of the Authority, which consists of the Chairman and no fewer than 3 and no more than 8 other voting members. The Chairman and other voting members are appointed by the Minister and must have the appropriate qualities, including –

• the qualifications, experience and skills necessary;
• a strong sense of integrity; and
• the ability to maintain confidentiality.

The Board is appointed for a term of up to 5 years and is eligible for re-appointment up to a maximum period of 9 years.

Article 5 provides for the appointment of the Commissioner who is in charge of the day-to-day operations of the Authority. The Commissioner holds office for a term of 5 years and is eligible for re-appointment.

Article 9 requires that the Authority must meet no fewer than 4 times a year. To future-proof the legislation, and in light of the international nature of data protection, a meeting may take place by telephone or video conference.

Article 11 sets out the functions of the Authority that are necessary to ensure the fit and proper regulation of data processing in the Island.

Under Article 15, the Authority must take steps to develop international co-operation mechanisms. These are a key part of ensuring continued adequacy with Europe.

Part 3 – Registration and Charges

Part 3 of the draft Law deals with registration and charges. Article 18 sets out that Regulations may require registered controllers, processors or both to pay a charge to the Authority in order to pay for the remuneration, salaries, fees, allowances and other emoluments, costs and expenses of the establishment of the Authority and the Authority's operations.

Part 4 – Enforcement by the Authority

This Part, together with Schedule 1 to the draft Law, provides a range of investigatory and enforcement powers that can be exercised by the Authority to secure compliance with the draft Data Protection Law. There are limits on the administrative fines that can be issued by the Authority, depending on the severity of the breach.

Article 29 makes it clear that nothing in the Law authorises the Authority to investigate, inquire into or determine any matter, or exercise any of its other powers in relation to processing operations carried out by a court or tribunal acting in its judicial capacity.

Part 5 – Administrative Provisions

The administrative provisions are set out in this Part. These are to ensure the proper governance of the Authority, and are similar to those for other regulatory bodies in Jersey.

Collective responsibility under Standing Order 21(3A)

The Council of Ministers has a single policy position on this proposition, and as such, all Ministers, the Assistant Chief Minister acting as  rapporteur, and the Assistant Minister  for  eGov  and  Digital  Jersey,  are  bound  by  the  principle  of  collective responsibility to support the proposition, as outlined in the Code of Conduct and Practice for Ministers and Assistant Ministers (R.11/2015 refers).

Financial and manpower implications

Summary:

• There are financial implications arising from this Law, as it expands the role of the Authority.
• In view of the need for more independent, proactive and robust regulation, the annual cost of running the Authority, compared with the current Office of the Information  Commissioner  will  increase  by  an  estimated  £1.1 million  to £1.65 million per annum. There will also be a need for an additional £350,000 to support one-off implementation work.
• However, from 2020 the increased annual costs will be offset by increased revenues from on business.

There are new financial implications arising from the draft Law.

The Authority constituted under this draft Law has an expanded role to properly regulate the new Data Protection Law. The Authority will be required to adopt a more proactive approach and to employ a wider and more robust range of regulatory powers and sanctions, with less emphasis placed on the role of courts to resolve disputes. The Authority has an improved governance structure. It is established as a body corporate, governed  by  a  Board,  and  with  a  separation  of  the  role  of  the  Information Commissioner  as  an  individual  and  the  Authority  as  the  entity  responsible  for regulating. The Authority will operate with greater independence from Government, which is an important consideration for an adequacy decision.

This will place a considerably greater burden on the Authority, and it will be essential to provide it with additional resources commensurate with that burden, to allow it to carry out its new duties.

A revenue model has been proposed that will both meet the requirements of the new legislation in respect of industry registration fees, and provide revenue to enable the Authority to implement and enforce that legislation, and its increased function.

The recommendation is a risk-based tiered administrative charge. With this option, organisations acting as data processors or controllers would be assessed and classified according to the risk of their processing activities, then allocated to a tiered-band defined by their perceived risk. A flat annual fee for this tier would be then be levied against the organisation.

Under the current data protection regime, there is a pan-Island regulator, with costs split between Jersey and Guernsey. The original financial and operational models for the new Authority were calculated for a continuation of this approach, with the anticipation that the Authority would become self-funded by the end of the current MTFP. The States of Guernsey has decided that it no longer wishes to continue with a joint regulator. As a result, the priority for the government is to ensure a fit-for- purpose Jersey-only regulator. This has an impact on the costs and revenue of the regulator.

There will also be a transitional period to the end of the MTFP, during which time the Authority will roll out the operating and fees model. Additional funding is required to support these implementation costs and to meet the Authority's increased running costs during the transitional period.

The annual cost of the current Office of the Information Commissioner will increase by an estimated £1.1 million to £1.65 million per annum. There will also be a need for an additional £350,000 to support one-off implementation work.

From 2020, the longer-term costs will be offset by increased revenues from business, which should allow the funding to return to close to levels forecast for the next MTFP.

These are high-level maximum estimates, and work will continue to be done in advance of the debate to create more accurate and cost-effective costings.

The current Information Commissioner has highlighted the fact that if there were to be a legal challenge to a decision of the new Authority, there could be the need for supplementary expenditure in respect of litigation. As with other legislation this is not unique, and provision has been made for an annual budget for legal costs. In addition, consideration will be given to allowing the Authority access to the Court and Case Costs contingency fund for high-cost legal advice and litigation.

Timetable for implementation

The government aims to enact the legislation at the same time as the new EU framework comes into force. This will provide certainty and consistency for citizens, businesses and public authorities. Given the relationship between the Law and the Data Protection Law, the government needs to enact both pieces of legislation to the same timetable.

Proposed timetable –

• December 2017 – legislation lodged for debate by the States Assembly
• January 2018 – legislation debated by the States Assembly
• February 2018 – legislation sent for Royal Assent
• 25th May 2018 – legislation comes into force.

Human Rights

The notes on the human rights aspects of the draft Law in the Appendix have been prepared by the Law Officers' Department and are included for the information of States Members. They are not, and should not be taken as, legal advice.

APPENDIX TO REPORT Human Rights Notes on the Draft Data Protection Authority (Jersey) Law 201-

These Notes have been prepared in respect of the Draft Data Protection Authority (Jersey) Law 201- (the "draft Authority Law") by the Law Officers' Department. They summarise the principal human rights issues arising from the contents of the draft Authority Law and explain why, in the Law Officers' opinion, the draft Authority Law is compatible with the European Convention on Human Rights ("ECHR").

These notes are included for the information of States Members. They are not, and should not be taken as, legal advice.

The draft Authority Law, together with the Draft Data Protection (Jersey) Law 201- (the "draft Data Law") will replace the existing Data Protection (Jersey) Law 2005 (the "2005 Law") with a new data protection regulatory regime that implements the General Data Protection Regulation 2016/679 (the "GDPR").

The purpose of the draft Authority Law is to make provision for the establishment, constitution, functions and powers of the new Data Protection Authority (the "Authority"), which will regulate compliance with the draft Data Law.

The draft Authority Law engages 3 rights under the ECHR. The right to private and family life in Article 8 ECHR, the right to the peaceful enjoyment of property in Article 1 of Protocol 1 to the ECHR ("A1P1") and the right to a fair trial in Article 6 of the ECHR.

The issues in respect of each of these rights and the reasons why the draft Authority Law is compatible with them are set out below.

Article 8 ECHR: Right to respect for private and family life

Article 8 of the ECHR provides –

"(1) Everyone has the right to respect for his private and family life, his

home and his correspondence.

(2)  There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others."

Specifically, Article 8 of the ECHR is engaged by –

• The power for the Authority to issue public statements (Article 14); and
• The Authority's investigatory powers, including the powers to require that information be provided, enter premises and, inter alia, take copies of any documents or other records (Article 22 and Schedule 1).

Power to issue public statements

Article 14 of the draft Authority Law provides the Authority with the power to issue a public statement in respect of a data breach, the outcome of an investigation or inquiry carried out by the Authority and any regulatory action taken by the Authority. The

public statement may include information describing or identifying any data subject whose personal data is or has been the subject of a data breach.

The European Court of Human Rights ("ECtHR") has held that the protection of personal data is of fundamental importance to a person's enjoyment of his or her right to respect for private and family life, as guaranteed by Article 8 of the ECHR. The domestic law must afford appropriate safeguards to prevent any such use of personal data as may be inconsistent with Article 8 ECHR. The domestic law should ensure that such data are relevant and not excessive in relation to the purposes for which they are stored; and preserved in a form which permits identification of the data subjects for no longer than is required. Domestic law must also afford adequate guarantees that retained personal data are efficiently protected from misuse and abuse.

The disclosure of personal data relating to a particular individual in a statement made pursuant to Article 14 may interfere with the individual's rights under Article 8(1) of the ECHR. However, such interference as might be caused will be in accordance with the law for the purposes of Article 8(2) of the ECHR. Further, the draft Authority Law provides appropriate safeguards in relation to the exercise of the Article 14 power to ensure that such interference is also proportionate to a legitimate aim.

In particular, Article 14(2) of the draft Authority Law states that –

"Where the Authority considers that because of the gravity of the matter or other exceptional circumstances, it would be in the public interest to do so, the Authority may issue a public statement about any aspect of a matter to which this Article applies."

So a public statement may only be made where the Authority has considered the public interest in issuing a statement. Further, Article 14(4)(a) of the draft Authority Law requires that, where practicable, the Authority "consult any individual whose personal data would be made public by [the] public statement or who is otherwise likely to be identifiable from the statement".

These safeguards are sufficient to ensure that the Authority should exercise the power in a manner that is compliant with Article 8(2) ECHR.

Powers of Investigation

Article 22 of and Schedule 1 to the draft Authority Law provide that the Authority may issue an information notice, and that authorized officers of the Authority may exercise intrusive, investigatory powers to enter and search premises.

It is well-established that corporations, as well as private individuals, may rely on Article 8 of the ECHR in respect of business premises. It is also well established that searches of offices or other premises constitute a prima facie interference with the right to respect for private and home life. The exercise of powers to enter premises in Schedule 1 to the Authority Law will amount to interference with the right to respect for private and home life. Further, searching or seizing documents or information may constitute an interference with the right to respect for correspondence in Article 8(1) of the ECHR.

Any interference with the rights afforded by Article 8(1) ECHR must be justified in accordance with Article 8(2) ECHR. In order to justify interference, it must be in accordance with the law, be in pursuit of a specified legitimate aim and be necessary in a democratic society. In other words it must be proportionate to that aim.

The legitimate aim pursued by the exercise of the investigatory powers in Schedule 1 to the Authority Law is to uphold the rights of others'. In particular, to uphold the

rights of data subjects by enabling the Authority to ensure that controllers and processors are adhering to the requirements of the draft Data Law.

As to what is "necessary in a democratic society", this requires there to be a pressing social need for the interference in question. Powers to require the disclosure of information and to carry out entry onto premises to search for and to seize documents may be "necessary" for the purposes of Article 8(2) ECHR in order to obtain physical evidence of compliance or of offences, provided that appropriate safeguards are in place. Jersey will have a margin of appreciation as to what safeguards on investigatory powers are required within this particular regulatory framework.

The powers of entry and investigation in Schedule 1 to the draft Authority Law include a number of significant safeguards. The extent of the authorized officer's powers to enter and inspect premises without a warrant are clearly set out and limited by paragraph 2 of Schedule 1 to the draft Authority Law. They may be exercised only by persons who are authorized officers.

Paragraph 3 of Schedule 1 requires authorized officers to produce evidence of their authority when exercising powers of entry and to issue receipts in respect of any property seized. Further, pursuant to paragraph 4 of Schedule 1, the powers of entry can only be exercised in respect of a dwelling with either the consent of the owner or occupier of the premises; by giving at least 7 days' notice; or in accordance with a warrant issued under paragraph 5 of Schedule 1.

In view of the above, while the exercise of the powers of authorized officers may amount to an interference with Article 8(1) of the ECHR, such interference is capable of being justified as being in accordance with the law and proportionate to a legitimate aim for the purposes of Article 8(2) of the ECHR.

A1P1 – Right to Property A1P1 provides –

"Every natural or legal person is entitled to the peaceful enjoyment of his possessions. No one shall be deprived of his possessions except as provided for by law and by the general principles of international law.

The preceding provisions shall not, however, in any way impair the right of a State to enforce such laws as it deems necessary to control the use of property in accordance with the general interest or to secure the payment of taxes or other contributions or penalties."

There are 2 aspects of the draft Authority Law that engage A1P1 –

The requirement for a controller or processor to be registered and pay a charge in order to lawfully process personal data (Articles 17 and 18).

The power for inspectors to seize items (paragraph 2(3)(h) of Schedule 1). Requirement to register and pay charges

Article 17 of the draft Authority Law provides that those who are data controllers or processors within the meaning of the draft Data Law must, subject to exemptions provided for in Regulations made by the States Assembly under Article 17(2), be registered under the draft Authority Law. Article 18 provides that Regulations may require registered controllers and processors to pay a charge.

For the purposes of A1P1, a regime for the registration of controllers or processors of personal data will most certainly amount to a control of use' of any economic benefit (which will be a possession') associated with the processing of such data. So, there is potential for A1P1 to be engaged by a requirement to register and pay a charge.

For a measure constituting a control of use to be justified pursuant to A1P1, it must be in accordance with law and pursue the general interest'. The measure must also be proportionate to the aim pursued. The requisite balance will not be struck if the person concerned has had to bear an individual and excessive burden. However, States have a considerable margin of appreciation in determining the existence of a general public concern and in implementing measures designed to meet it.

The registration and charging regime provided for in the draft Authority Law is not new and would be in accordance with the law' for the purposes of A1P1 in that the requirements in Articles 17 and 18 are precise and foreseeable. The purpose of these provisions is to ensure that the rights of data subjects in Jersey and elsewhere are effectively protected, by ensuring that those processing personal data can be identified and regulated. The power to charge will help ensure that compliance with the draft Data Law is effectively policed in a way that provides equivalent protection to that enjoyed in the EU.

The registration and charging requirements of the draft Authority Law are proportionate to the general interest described in the paragraph above. While the imposition of charges may impose a burden on controllers and processors, this will not be excessive.

The requirements to register and pay charges in Articles 17 and 18 of the draft Authority Law are therefore compatible with A1P1.

Seizure of goods

Paragraph 2(3)(h) of Schedule 1 to the draft Law permit authorized officers to seize any equipment, device or other thing which is at premises entered, and to detain it for as long as the authorized officer considers necessary.

In A1P1 terms, the seizure of property ancillary to the enforcement of domestic legislation has generally been treated as a control of use of property rather than as a deprivation. In terms of justification, the general interest here is the protection of the fundamental rights of data subjects. That general interest would encapsulate the requirement that authorized officers should be able to seize items if that is required in order to ensure compliance with the draft Data Law. The power to seize items is, in principle, proportionate to the legitimate aim identified, and this view is supported by the presence of the safeguards on the use of these powers already mentioned above.

Therefore, the seizure power in the draft Authority Law is justifiable in principle for the purposes of A1P1, though it is vital that it is exercised in a proportionate manner in practice.

Article 6 ECHR – The right to a fair trial

Article 6(1) ECHR is engaged by a number of the provisions of the draft Authority Law. It provides –

"In the determination of his civil rights and obligations or of any criminal charge against him, everyone is entitled to a fair and public hearing within a reasonable time by an independent and impartial tribunal established by law. Judgment shall be  pronounced publicly  but the  press  and public  may be excluded from all or part of the trial in the interests of morals, public order or national security in a democratic society, where the interests of juveniles or the protection of the private life of the parties so require, or to the extent strictly necessary in the opinion of the court in special circumstances where publicity would prejudice the interests of justice."

Article 6(1) ECHR requires that those who face a determination of their civil rights and obligations' must be entitled to a fair and public hearing by an independent and impartial tribunal'. The guarantees afforded by Article 6 of the ECHR will only be relevant to the extent that an act or a decision is determinative of a civil right' or obligation'.

The draft Authority Law contains provisions that require the Authority to make decisions affecting a person's ability to operate as a controller or processor. These include the powers to decide whether to investigate complaints, issue information notices, make breach determinations and impose sanctions or fines. These decisions made by the Authority under the draft Authority Law may attract Article 6(1) ECHR protection.

Article 6(1) ECHR requires that civil rights be determined by an independent and impartial tribunal'. The Authority's decision-making process in respect of regulatory matters will not afford all of the procedural guarantees required by Article 6 of an independent and impartial tribunal. However, it will be compatible with Article 6 ECHR for the Authority to make decisions that will determine a civil right if that decision is subject to subsequent control by a judicial body that has full jurisdiction and does provide the guarantees of Article 6(1).

The body in question here is the Royal Court, which will entertain proceedings or receive appeals against the Authority's decisions under Articles 31 and 32 of the draft Authority Law. The ability to bring proceedings or an appeal to the Royal Court is sufficient to make the process of determining civil rights and obligations under the draft Authority Law compatible, as a whole, with Article 6 of the ECHR.

Explanatory Note

This  Law,  which  is  being  lodged  alongside  the  draft  Data  Protection  (Jersey) Law 201- (P??/2017) ("the DPJL") contains certain provisions that are equivalent to and  consistent  with  the  General  Data  Protection  Regulation  (Regulation (EU) 2016/679 ("the GDPR"). While the DPJL is mainly concerned with the duties on controllers and processors and the rights of data subjects, this Law focuses largely on the establishment of the new Data Protection Authority ("the Authority") and its functions.

Part 1 – Introductory and setting up of Authority

Article 1 sets out the definitions and gives words and phrases defined in the DPJL the same meaning in this Law.

Article 2 establishes the Data Protection Authority as a body corporate with essentially the same powers as a natural person of full age and capacity.

Article 3 provides for the constitution of the Authority – a chairman, 4-8 other voting members and the Information Commissioner as an ex officio non-voting member. The appointments are made by the Chief Minister who must give notice of intention to appoint to the States. Appointments are for terms of up to 5 years to a maximum of 9 years and public sector employees are ineligible for appointment.

Article 4  provides  for  the  Chief  Minister  to  revoke  appointments  in  certain circumstances and for members to resign on giving notice to the Chief Minister.

Article 5 provides for the appointment of the Information Commissioner as Chief Executive of the Authority and sets out his or her duties.

Article 6 gives the Commissioner power to discharge the functions of the Authority subject to certain exceptions.

Article 7 provides for remuneration and expenses of the voting members and for the Authority to appoint and remunerate its staff as well as procure the necessary office facilities.

Article 8  provides  a  duty  of  confidentiality  of  information  for  members  of  the Authority and staff.

Article 9 provides a framework for how the Authority conducts its proceedings and Article 10 sets out its powers to delegate many of its functions to its staff.

Part 2 – Functions of Authority

Article 11 sets out the Authority's general functions, which are essentially to enforce the Law and the DPJL.

Article 12 provides for the Authority to act independently and in a manner free from external influence.

Article 13 provides a power for the Authority to issue opinions and guidance and Article 14 contains a power for it to issue public statements in relation to action it has taken as a regulator where it considers it is in the public interest to do so.

Article 15 requires the Authority to take steps to develop and facilitate international co-operation and Article 16 makes further provisions in this respect.

Part 3 – Registration and charges

Article 17  makes it an  offence  for  controllers and processors  of personal data  to process it without being registered, subject to any exemptions made by Regulations. The procedure for applying for registration is set out.

Article 18 provides for controllers and processors to pay charges if so provided for in Regulations.

Part 4 – Enforcement by Authority

Article 19 gives an individual the right to complain to the Authority where a controller or processor has contravened the DPJL and this affects the personal data or data subject right of the individual.

Article 20 provides a mechanism for the investigation of complaints and Article 21 enables the Authority to conduct an inquiry on its own initiative as to whether there is or is likely to be a contravention of the DPJL. Article 22 provides that the powers of the Authority in relation to investigations and inquiries are set out in Schedule 1.

Article 23 provides the procedure for determining the outcome of an investigation and Article 24 provides for action on completion of an inquiry.

Article 25 sets out the action that the Authority may take following a determination that a controller or processor has contravened or is likely to contravene the DPJL, which include issuing a reprimand, a warning of likely breach or ordering the controller or processor to take certain action. These provisions do not limit the power, in Article 26, to impose an administrative fine. Further provisions limiting the amount of these fines are in Article 27.

Article 28 sets out the procedure to be followed before taking action under the provisions outlined above.

Article 29 prevents the Authority using its powers in relation to processing of personal data by a court or tribunal acting in a judicial capacity.

Article 30 enables the Authority to bring proceedings in the Royal Court in respect of a contravention or likely contravention of this Law or the DPJL.

Article 31 is concerned with court proceedings against the Authority in respect of the handling of complaints.

Article 32 sets out the rights of appeal against determination or orders of the Authority.

Article 33 imposes a fine for any offence under the Law and sets out the general provisions regarding offences by bodies and partnerships and secondary parties to offences. Article 34 is concerned with proceedings against unincorporated bodies and secondary parties to offences.

Article 35 is a standard provision about making Rules of Court and Article 36 is about services of notices under the Law.

Part 5 – Administrative provisions

Article 37 enables the Chief Minister to give guidance to the Authority on matters concerning corporate governance.

Article 38 is about the Authority's fees and charges. Article 39 enables the States to make a grant to the Authority and Article 40 prevents the Authority from borrowing money without the consent of the Chief Minister.

Under Article 41 the Authority must comply with any guidelines as to the investment of funds specified by the Chief Minister. Article 42 provides for the Authority to be exempt from income tax.

Article 43 requires the Authority to have proper audited annual accounts and for the Chief Minister to lay the accounts before the States. Under Article 44 the Authority must prepare an annual report which the Chief Minister also has to lay before the States.

Article 45 limits liability for damages to cases of bad faith for anything done under the Law by the States, the Chief Minister or the Authority or its employees or agents.

Part 6 – Closing provisions

Article 46 is a general provision about Regulation and Order-making powers.

Article 47 and  Schedule 2 provide for transitional provisions and  Article 48 and Schedule 3 provide for consequential amendments to other legislation.

Article 49 names the Law and provides for it to come into force on 25th May 2018, (which is the day that the GDPR comes into force).

DRAFT DATA PROTECTION AUTHORITY (JERSEY) LAW 201-

Arrangement

Article

PART 1  25 INTRODUCTORY AND SETTING UP OF AUTHORITY  25

1  Interpretation .................................................................................................25 2  Establishment of Data Protection Authority .................................................26 3  Constitution of Authority ..............................................................................26 4  Vacation of office of voting members and vacancies ...................................27 5  Appointment of Information Commissioner .................................................28 6  Power of Commissioner to discharge functions of Authority .......................28 7  Remuneration and resources .........................................................................29 8  Confidentiality of information ......................................................................29 9  Proceedings of Authority ..............................................................................30 10  Delegation .....................................................................................................31

PART 2  31 FUNCTIONS OF AUTHORITY  31

11  General functions of the Authority ................................................................31 12  Authority to be independent ..........................................................................33 13  Power to issue opinions and guidance...........................................................33 14  Power to issue public statements ...................................................................33 15  Authority to take steps to develop and facilitate international

cooperation ....................................................................................................34 16  Further provisions as to international co-operation .......................................34

PART 3  35 REGISTRATION AND CHARGES  35

17  Registration of controllers and processors ....................................................35 18  Registered controllers and processors to pay prescribed charges .................36

PART 4  36 ENFORCEMENT BY AUTHORITY  36 19  Right to make a complaint ............................................................................36

Arrangement  Draft Data Protection Authority (Jersey) Law 201-

20  Investigation of complaints ........................................................................... 36 21  Inquiries ........................................................................................................ 37 22  Powers of investigation and inquiry ............................................................. 38 23  Determinations on completion of investigation ............................................ 38 24  Recommendations and determinations on completion of inquiry................. 39 25  Sanctions following breach determination .................................................... 39 26  Administrative fines ...................................................................................... 40 27  Limits on administrative fines ...................................................................... 42 28  Procedure to be followed before making breach determination or order

under this Part ............................................................................................... 43 29  Exclusion of courts and tribunals acting in a judicial capacity ..................... 44 30  Proceedings by the Authority........................................................................ 44 31  Proceedings against Authority ...................................................................... 44 32  Rights of appeal against determinations or orders of the Authority ............. 45 33  General provisions relating to offences ........................................................ 46 34  Proceedings concerning unincorporated bodies. ........................................... 47 35  Rules of Court ............................................................................................... 47 36  Service of notices etc. ................................................................................... 47

PART 5  49 ADMINISTRATIVE PROVISIONS  49

37  Guidance of Minister .................................................................................... 49 38  Fees and charges ........................................................................................... 49 39  Grants to Authority ....................................................................................... 50 40  Consent to borrowing.................................................................................... 50 41  Guidelines on investment .............................................................................. 50 42  Exemption from income tax.......................................................................... 50 43  Accounts and audit........................................................................................ 50 44  Annual reports............................................................................................... 51 45  Limitation of liability .................................................................................... 51

PART 6  52 CLOSING PROVISIONS  52

46  Regulations and Orders ................................................................................. 52 47  Transitional provisions.................................................................................. 52 48  Consequential amendments .......................................................................... 52 49  Citation and commencement......................................................................... 52

SCHEDULE 1  53 POWERS OF INVESTIGATION AND INQUIRY  53

1  Power to issue information notice................................................................. 53 2  General power of entry, search, etc. ............................................................. 54 3  Safeguards for general powers of entry, search, etc. .................................... 56 4  Entry to dwellings restricted. ........................................................................ 56 5   Warr ants for entry, etc. ................................................................................. 56 6  Exemptions from powers conferred by warrant ............................................ 58 7  Power to conduct or require data protection audits....................................... 58

Page - 22  P.117/2017  

SCHEDULE 2  60 TRANSITIONAL PROVISIONS  60

1  Interpretation .................................................................................................60 2  Registration ...................................................................................................60 3  Enforcement notices served under 2005 Law ...............................................60 4  Requests for assessment under Article 42 of 2005 Law................................61

SCHEDULE 3  62 CONSEQUENTIAL AMENDMENTS  62

1  Corruption (Jersey) Law 2006.......................................................................62 2  Register of Names and Addresses (Jersey) Law 2012 ..................................62 3  Data Protection (International Co-operation) (Jersey)

Regulations 2005 ...........................................................................................62 4  Employment of States of Jersey Employees (Jersey) Law 2005 ...................62 5  Public Employees (Pensions) (Jersey) Law 2014 .........................................63 6  Freedom of Information (Jersey) Law 2011..................................................63 7  Public Employees (Retirement) (Jersey) Law 1967 ......................................63 8  Public Finances (Jersey) Law 2005 ...............................................................63

DRAFT DATA PROTECTION AUTHORITY (JERSEY) LAW 201-

A LAW to provide for a new statutory body to oversee the protection of personal data and for connected purposes.

Adopted by the States  [date to be inserted] Sanctioned by Order of Her Majesty in Council  [date to be inserted] Registered by the Royal Court  [date to be inserted]

THE STATES, subject to the sanction of Her Most Excellent Majesty in Council, have adopted the following Law –

PART 1

INTRODUCTORY AND SETTING UP OF AUTHORITY

1  Interpretation

1. In this Law –

"Authority"  means  the  Data  Protection  Authority  established  under Article 2(1);

"authorized officer" means –

1. the Commissioner; or
2. any other employee of the Authority authorized by the Authority or the Commissioner to exercise of perform any function under this Law;

"breach determination", in relation to a controller or processor, means a determination by the Authority under Article 23(1) or 24(1)(b) that the controller or processor has contravened or is likely to contravene the Data Protection Law;

"Commissioner" means the Information Commissioner appointed under Article 5(1);

"Data Protection Law" means the Data Protection (Jersey) Law 201-1; "registered controller" means a controller registered under Article 17;

"registered processor" means a processor registered under Article 17.

2. Subject to paragraph (1), words and phrases used in this Law that are defined in the Data Protection Law have the same respective meanings as in that Law.

2 Establishment of Data Protection Authority

1. The Data Protection Authority is established.
2. The Authority is a body corporate with perpetual succession and a common seal and may –

1. sue and be sued in its corporate name;
2. enter into contracts and acquire, hold and dispose of any property; and
3. so far as is possible for a body corporate, exercise the rights, powers and privileges and incur the liabilities and obligations of a natural person of full age and capacity.

3. The application of the common seal of the Authority is authenticated by the signature of a person authorized by the Authority to sign on its behalf and every document bearing the imprint of the seal of the Authority is taken to be properly sealed unless the contrary is proved.

3 Constitution of Authority

1. The Authority consists of –
   1. the Chairman;
   2. no fewer than 3 and no more than 8 other voting members; and
   3. the Commissioner as an ex officio and non-voting member.
2. Subject to paragraph (4), the Chairman and the other voting members are appointed by the Minister who must have particular regard to the need to ensure that voting members of the Authority –

1. have the qualifications, experience and skills necessary to exercise and perform the functions of a member, in particular relating to the protection of personal data;
2. have a strong sense of integrity; and
3. are able to maintain confidentiality.

3. Before appointing any individual under this Article, the Minister may require the individual to provide, or to authorize the Minister to obtain, any information and references that the Minister reasonably requires to ascertain the individual's suitability for appointment as a voting member.
4. At least 2 weeks before making an appointment under this Article the Minister must present to the States a notice of the Minister's intention to make the appointment.
5. Each voting member is appointed for a term of 5 years or such shorter period as the Minister thinks fit in a particular case and is eligible for reappointment up to a maximum period of service of 9 years.

6. An individual is ineligible to be a voting member if the individual –

1. is, or has at any time during the preceding 12 months been, a member of the States of Jersey;
2. is a States' employee or is otherwise under the direction and control of the States; or
3. is engaged in any employment, occupation (whether or not remunerated) or business, or receives any benefits, that is incompatible with the functions of a member of the Authority.

4 Vacation of office of voting members and vacancies

1. The Minister may revoke the appointment of any voting member of the Authority if he or she is satisfied that the member –

1. is guilty of serious misconduct, as determined by a panel convened by the Authority in consultation with the Minister and consisting of 3 or more individuals, other than a member of the Authority or the Minister;
2. has been convicted of a criminal offence that is sufficiently serious to cast doubt on the member's suitability to continue in office;
3. has become bankrupt; or
4. is incapacitated physically or mentally from carrying out the duties of the office or is otherwise unable or unfit to discharge his or her functions; or
5. is ineligible to be a voting member under Article 3(6).

2. The Minister must not remove a voting member from office on the ground specified in paragraph (1)(a) unless a panel consisting of 3 or more individuals (none of whom is a member of the States) appointed by the Minister determines the voting member to be guilty of serious misconduct.
3. A panel convened under paragraph (2) may determine and adopt its own procedures to determine whether or not the voting member is guilty of serious misconduct.
4. The Minister must present to the States not more 2 weeks after terminating an appointment under this Article a notice of the termination.
5. Any voting member may resign from office at any time by giving notice to the Minister.
6. The Minister must take all reasonable steps to ensure that any vacancy under this Article that would reduce the number of voting members to below the requirements of Article 3(1) is filled as soon as practicable.
7. A person is not disqualified for holding office as a voting member of the Authority on account of being an officer, employee or agent of the Authority.
8. The rights and obligations of the Authority and the performance of the Authority's functions are not affected by any vacancy or defect in any appointment to the Authority.

5 Appointment of Information Commissioner

1. The Authority must appoint a person, to be known as the Information Commissioner, who is the chief executive and an employee of the Authority.
2. The Commissioner –

1. is responsible for managing the other employees of the Authority;
2. is in charge of the day-to-day operations of the Authority; and
3. has the functions conferred or imposed on him or her by this Law and any other enactment.

3. Subject to this Article, the Commissioner holds office under this Law subject to terms and conditions determined by the Authority.
4. The Commissioner holds office under this Law for –

1. a term of 5 years; or
2. such shorter term as may be specified in the terms and conditions of his or her appointment,

and is eligible for re-appointment.

5. The Authority may remove the Commissioner from office under this Law before the expiry of his or her term of office, but only on the grounds that the Commissioner –

1. is guilty of serious misconduct, as determined by a panel convened by the Authority in consultation with the Minister and consisting of 3 or more individuals, other than a member of the Authority or the Minister;
2. has been convicted of a criminal offence that is sufficiently serious to cast doubt on the Commissioner's suitability to continue in office;
3. has become bankrupt;
4. is incapacitated physically or mentally from carrying out the duties of the office; or
5. is otherwise unable or unfit to discharge his or her functions.

6. A panel convened under paragraph (5)(a) may determine and adopt its own procedures to determine whether or not the Commissioner is guilty of serious misconduct.
7. Subject to the Freedom of Information (Jersey) Law 20112, the Commissioner must not engage in any other employment, occupation (whether remunerated or not) or business, or receive any benefits other than the salary, allowances and other emoluments and expenses awarded by the Authority, except with the approval of the Authority.

6 Power of Commissioner to discharge functions of Authority

1. Subject to any policies, procedures and specific directions issued by the Authority, the Commissioner may exercise or perform, on behalf of the Authority and in its name, any function of the Authority under this Law or the Data Protection Law other than –

1. the issuing of a public statement under Article 14;
2. the making of an order to pay an administrative fine under Article 26;
3. the preparation of an annual report under Article 44; or
4. any other function specified by the Authority by written notice to the Commissioner.

2. A function exercised or performed by the Commissioner under paragraph (1) is treated for all purposes as having been exercised or performed by the Authority.
3. Nothing in paragraph (1) or (2) prevents the Authority from exercising or performing the function concerned.

7 Remuneration and resources

1. The voting members of the Authority are entitled to –

1. such fees, allowances and other emoluments as expenses as the Minister determines in consultation with the Authority and publishes; and
2. if the Minister so determines, reasonable out-of-pocket or other expenses occasioned in the course of carrying out the Authority's duties.

2. The Authority may appoint such officers, employees and agents as it considers necessary for the performance of its functions and may –

1. make those appointments on such terms as to remuneration, the payment of expenses and other conditions of service as the Authority thinks fit; and
2. establish and make such schemes or other arrangements as it thinks fit for the payment of pensions and other benefits in respect of such officers and employees.

3. The Authority may procure any accommodation, equipment, services or facilities it reasonably requires for the proper and effectual discharge of its functions.

8 Confidentiality of information

1. A person who is or has been a member of the Authority, a member of the Authority's staff or an agent of the Authority must not, except with lawful authority, disclose information that –

1. has been obtained by, or furnished to, the Authority under or for the purposes of this Law or the Data Protection Law;
2. relates to an identified or identifiable individual or business; and
3. is not at the time of the disclosure, and has not previously been, available to the public from other sources.

2. For the purposes of paragraph (1), a disclosure of information is made with lawful authority if –

1. the disclosure is made with the consent of the individual or of the person for the time being carrying on the business;
2. the information was provided for the purpose of its being made available to the public (in whatever manner) under this Law or the Data Protection Law;
3. the disclosure is made for the purposes of, and is necessary for, the discharge of a function under this Law or the Data Protection Law, or an obligation under an agreement, or other instrument, of the EU;
4. the disclosure is made for the purposes of any proceedings, whether criminal or civil and whether arising under, or by virtue of, this Law or the Data Protection Law or otherwise; or
5. having regard to the rights and freedoms or legitimate interests of any person, the disclosure is necessary in the public interest.

3. A person who knowingly or recklessly discloses information in contravention of paragraph (1) is guilty of an offence and liable to imprisonment for a term of 2 years and to a fine.

9 Proceedings of Authority

1. The Authority must meet –

1. at least once every 2 months; or
2. less frequently if resolved by the Authority, but no fewer than 4 times a year.

2. If the Authority resolves to meet less frequently than once every 2 months, it must record the reason in its resolution.
3. The person who presides at meetings is –

1. the Chairman, if the Chairman is present; or
2. if the Chairman  is not present, the  person elected to chair the meeting by, and from among, the other voting members present.

4. At a meeting –

1. a quorum is constituted by the nearest whole number of voting members above one half of the number of voting members for the time being in office;
2. decisions are made by a majority vote;
3. the Commissioner has no vote, but may participate in the Authority's proceedings;
4. each voting member other than the person presiding has one vote; and
5. the person presiding has no original vote, but in the event of equality in the votes of the other voting members present, the person presiding must exercise a casting vote.

5. The Authority may, if it thinks fit, transact any business by the circulation of papers to all members, and a resolution in writing approved in writing

by a majority of its voting members is as valid and effectual as if passed at a meeting by the votes of the members approving the resolution.

6. The Authority must keep proper minutes of its proceedings, including minutes of any business transacted as permitted by paragraph (5).
7. Subject to the provisions of this Article the Authority may regulate its own procedure.
8. The validity of any proceedings of the Authority is unaffected by –

1. a vacancy in its membership;
2. any defect in the appointment or election of any member;
3. any ineligibility of an individual to be a voting member; or
4. any lack of qualification of an individual to act as a member.

9. In this Article a reference to a meeting includes any meeting at which members of the Authority transact business remotely and communicate by any means of technology.

10 Delegation

1. The Authority may delegate any of its functions under this Law or the Data Protection Law wholly or partly to an officer or employee of the Authority.
2. Nothing in this Article authorizes the Authority to delegate –

1. this power of delegation;
2. the function of reviewing any of its decisions;
3. the issuing of a public statement under Article 14;
4. the making of an order to pay an administrative fine under Article 26; or
5. the preparation of an annual report under Article 44.

3. However, the functions mentioned in paragraph (2)(c) and (d) may be delegated to a committee consisting of such number of voting members as may be specified by the Authority.
4. The delegation of any functions under this Article –

1. does not prevent the performance of those functions by the Authority; and
2. may be amended or revoked by the Authority.

PART 2

FUNCTIONS OF AUTHORITY

11 General functions of the Authority

1. The Authority has the following functions –

1. to administer and enforce this Law and the Data Protection Law;

2. to monitor and report to the States on the operation of this Law and the Data Protection Law;
3. to advise the Minister and the States on any amendments that the Authority considers should be made to this Law or the Data Protection Law or on any other action required to be taken, in relation to the operation of either of those Laws;
4. to promote public awareness of risks, rules, safeguards and rights in relation to processing, especially in relation to children;
5. to promote the awareness of controllers and processors of their obligations under this Law and the Data Protection Law;
6. on request, to provide reports and other information to the Minister or the States on any matter connected with the protection of personal data;
7. on request, to provide information to any data subject concerning the exercise of their rights under this Law and the Data Protection Law and, if appropriate, cooperate with competent supervisory authorities to this end;
8. to cooperate with, including sharing information and providing mutual assistance to, other supervisory authorities with a view to ensuring that the Data Protection Law is applied and enforced;
9. to monitor relevant developments, insofar as they have an impact on the protection of personal data, in particular the development of information and communication technologies and commercial practices;
10. to encourage the drawing up of codes;
11. to keep confidential records of alleged contraventions of the Data Protection Law and of the exercise of any of its powers under this Law; and
12. any other function conferred or imposed on it by this Law, the Data Protection Law or any other enactment.

2. The Authority may impose a fee or charge for the performance of its functions in response to a request made by any person, where the fee or charge is authorized by this Law, the Data Protection Law, or any Regulations made under this Law.
3. Regulations made for the purposes of paragraph (2) may prescribe –

1. the fee or charge payable; or
2. the basis on which the amount of the fee or charge payable is to be calculated or ascertained.

4. Where the Authority receives a request to perform a task associated with any of its functions and the request is frivolous, vexatious, unnecessarily repetitive or otherwise excessive, the Authority may –

1. refuse to perform the task; or
2. in exceptional circumstances, perform the task but charge the requestor a reasonable fee for the administrative costs of doing so.

5. The Authority is not competent to supervise processing operations of courts and judges acting in their judicial capacity.

12 Authority to be independent

In exercising or performing its functions, the Authority must act independently and in a manner free from direct or indirect external influence.

13 Power to issue opinions and guidance

1. The Authority may issue, on its own initiative or on request by any person –

1. opinions or guidance on any issue related to the protection of personal data, including compliance with any provision of this Law or the Data Protection Law; and
2. guidance as to how the Authority proposes to exercise or perform any of its functions under those Laws.

2. The opinions or guidance may be issued to –
   1. the Minister;
   2. the States; or
   3. the public or any section of it.
3. An opinion or guidance issued under paragraph (1) is not legally binding but compliance or non-compliance with any position or recommendation in the opinion or guidance may be taken into account in determining whether or not a controller or processor has contravened or is likely to contravene this Law or the Data Protection Law.

14 Power to issue public statements

1. This Article applies to any of the following matters –

1. a notification of a personal data  breach made to the Authority under Article 20 of the Data Protection Law;
2. a recommendation or determination made under Article 23 or 24;
3. an action taken or order made under Article 25; or
4. any order to pay an administrative fine under Article 26.

2. Where the Authority considers that because of the gravity of the matter or other exceptional circumstances, it would be in the public interest to do so, the Authority may issue a public statement about any aspect of a matter to which this Article applies.
3. Without limiting the generality of paragraph (2), a public statement may include the following information –

1. details of any personal data breach;
2. information describing or identifying any data subject whose personal data is or has been the subject of a personal data breach;
3. information as to the nature and the progress of any complaint, investigation or inquiry; or
4. the outcome of any complaint, investigation or inquiry.

4. Before issuing a public statement, the Authority must, where practicable –

1. consult any individual whose personal data would be made public by that public statement, or who is otherwise likely to be identifiable from the statement; and
2. give written notice of the contents of the statement to any controller and any processor that is likely to be identifiable from the statement.

15 Authority to take steps to develop and facilitate international cooperation

The Authority must so far as practicable take steps to –

1. develop international cooperation mechanisms to facilitate the effective enforcement of legislation for the protection of personal data;
2. provide international mutual assistance in the enforcement of legislation for the protection of personal data, including through notification, complaint referral, investigative assistance and information exchange, subject to appropriate safeguards for the protection of personal data and the significant interests of data subjects;
3. engage relevant stakeholders in discussion and activities aimed at furthering international co-operation in the enforcement of legislation for the protection of personal data; and
4. promote the exchange and documentation of personal data protection legislation and practice, including on jurisdictional conflicts with third countries.

16 Further provisions as to international co-operation

1. The Authority –

1. is the designated authority in Jersey for the purposes of Article 13 of the Convention for the Protection of Individuals with regard to Automatic  Processing of Personal Data, which  was opened for signature on 28th January 1981; and
2. is to be regarded as the competent supervisory authority for Jersey for any purposes related to the GDPR.

2. Regulations may make provision as to the functions to be performed by the Authority in its role as that designated or competent authority.
3. Regulations may make provision as to co-operation by the Authority with the European Commission or any other competent supervisory authority in connection with the performance of their respective duties including –

1. the exchange of information with the European Commission or the other supervisory authority; and
2. the exercise within Jersey at the request of a competent supervisory authority of functions conferred on the Authority by the Regulations.

4. Regulations may give effect to –

1. any agreement made under Article 15 between the Authority and any other competent supervisory authority or the European Commission; or
2. any of Jersey's international obligations.

5. Regulations may do all or any of the following –

1. confer additional powers and functions on the Authority;
2. regulate or restrict the functions conferred on the Authority by Article 15; and
3. create and impose duties on controllers, processors and recipients of personal data.

6. The Authority must also carry out any functions relating to the protection of individuals with respect to the processing of personal data that the States may by Regulations direct for the purpose of enabling Jersey to give effect to any of its international obligations.
7. Subject to Schedule 2, any Regulations made under Article 54 of the Data Protection (Jersey) Law 20053 that are in force at the time of commencement of this Article continue in force as if made under this Article.

PART 3

REGISTRATION AND CHARGES

17 Registration of controllers and processors

1. A controller or processor established in Jersey must not cause or permit personal data to be processed without being registered as a controller or processor under this Article.
2. However, Regulations may make such exemptions from the requirements to register under this Article as the States think fit.
3. An application for registration made to the Authority must –

1. include the fee as specified by the Authority;
2. be in a form and manner required by the Authority; and
3. include any information required by the Authority.

4. Upon receipt of an application made in accordance with paragraph (3), the Authority must register the applicant as a controller or processor as the case may be.
5. The Authority must –

1. maintain a register of controllers for the purposes of this Law; and
2. publish any such information as the Minister may by Order prescribe.

6. A person who contravenes paragraph (1) is guilty of an offence.

18 Registered controllers and processors to pay prescribed charges

1. Regulations may require registered controllers, registered processors or both, to pay a charge to the Authority in order to pay for the remuneration, salaries, fees, allowances and other emoluments, costs and expenses of –

1. the establishment of the Authority; and
2. the Authority's operations, including the exercise or performance of any functions of the Authority.

2. The Regulations must provide for –

1. the amount of the charge, or the basis on which the amount of the charge is to be calculated or ascertained;
2. the periods in respect of which, and the times at which, the charge must be paid, or a means for ascertaining those periods and times; and
3. the manner and form in which the charge must be paid.

3. The Regulations may –

1. impose duties on the Authority, registered controllers, or registered processors in connection with the collection or payment of the charge;
2. confer powers on the Authority in connection with the collection of the charge; and
3. exempt any person from paying the charge.

4. A person required by the Regulations to pay a charge must do so in accordance with the Regulations.
5. The Authority may recover any charge due and payable by any person to the Authority under the Regulations as a debt owed by the person to the Authority.

PART 4

ENFORCEMENT BY AUTHORITY

19 Right to make a complaint

An individual may make a complaint in writing to the Authority in a form approved by the Authority if –

1. the individual considers that a controller or processor has contravened or is likely to contravene the Data Protection Law; and
2. the contravention involves or affects, or is likely to involve or affect, any right in respect of personal data relating to the individual.

20 Investigation of complaints

1. Upon receiving a complaint, the Authority must –

1. promptly give the complainant a written acknowledgment of the receipt of the complaint; and
2. as soon as practicable and in any event within 8 weeks of receiving the complaint, determine in accordance with paragraph (2) whether or not to investigate it.

2. The Authority must investigate the complaint unless –

1. the complaint is clearly unfounded;
2. the complaint is frivolous, vexatious, unnecessarily repetitive or otherwise excessive; or
3. the Authority determines that it is inappropriate to investigate the complaint, having regard to any other action taken by the Authority under –

1. Article 14 or 15, or
2. any Regulations made under Article 16.

3. Where a complaint is investigated, the Authority must give the complainant and the controller or processor concerned –

1. as soon as practicable, and in any event within 8 weeks of receiving the complaint, written notice that the complaint is being investigated; and
2. at least once within 12 weeks of the notice under sub- paragraph (a), written notice of the progress and, if possible, the outcome of the investigation.

4. However, where the Authority considers that giving the notice within the time specified by paragraph (3) is likely seriously to prejudice the investigation, the Authority may delay giving the notice, in which case it must give the notice (including an update as to the progress of and, where applicable the outcome of the investigation) as soon as it is possible to do so without seriously prejudicing the investigation.
5. If the Authority determines not to investigate a complaint, the Authority must give the complainant written notice of its determination and the reasons for it within 8 weeks of receiving the complaint.
6. A notice under paragraph (4) must include information as to the complainant's right to bring proceedings under Article 31.

21 Inquiries

1. The Authority may conduct an inquiry on its own initiative into the application of the Data Protection Law, including into whether –

1. a controller or processor has contravened the Data Protection Law; or
2. any intended processing in the context of a controller or processor, or any intended act or omission of a controller or processor, is likely to contravene that Law.

2. An inquiry may be conducted –

1. on the basis of information or a request received from any person or any other basis;
2. together with, or in addition to and separately from, an investigation under Article 20.

3. Where the Authority decides to conduct an inquiry into any matter of a kind specified in paragraph (1)(a) or (b), the Authority must give the controller or processor concerned –

1. as soon as practicable, and in any event within 8 weeks of commencing the inquiry, written notice of the nature of the inquiry; and
2. at least once within 12 weeks of the notice under sub- paragraph (a), written notice of the progress and, if possible, the outcome of the inquiry.

4. However, where the Authority considers that giving the notice within the time specified by paragraph (3) is likely seriously to prejudice the inquiry, the Authority may delay giving the notice, in which case it must give the notice (including an update as to the progress of and, where applicable the outcome of the inquiry) as soon as it is possible to do so without seriously prejudicing the inquiry.
5. Nothing in this Article limits –

1. an individual's right to make a complaint under Article 19, or
2. the duties of the Authority under Article 20.

22 Powers of investigation and inquiry

Schedule 1 has effect in relation to the powers of the Authority in relation to any investigation or inquiry under this Part.

23 Determinations on completion of investigation

1. On completing an investigation, the Authority must determine whether or not –

1. the controller or processor concerned has contravened the Data Protection Law; or
2. any intended processing in the context of the controller or processor concerned, or any intended act or omission of the controller or processor concerned is likely to contravene that Law.

2. If the Authority makes a breach determination against a controller or processor, the Authority must also determine whether or not to impose a sanction under Article 25 on the controller or processor, and if so which one or more than one to impose, or whether to impose an administrative fine under Article 26.
3. As soon as practicable after making a determination under paragraph (1) or (2), the Authority must give the controller or processor concerned, and the complainant, written notice of –

1. the determination and the reasons for it; and

2. the right of appeal under Article 32.

24 Recommendations and determinations on completion of inquiry

1. On completing an inquiry, the Authority may do either or both of the following –

1. make such recommendation as the Authority thinks fit to the Minister or the States regarding the operation of this Law or the Data Protection Law; or
2. make a determination that –

1. a controller or processor has contravened the Data Protection Law, or
2. any intended processing in the context of a controller or processor, or any intended act or omission of the controller or processor concerned is likely to contravene that Law.

2. If the Authority makes a breach determination against a controller or processor, the Authority must also determine whether or not to impose a sanction under Article 25 on the controller or processor; and, and if so which one or more than one to impose, or whether to impose an administrative fine under Article 26.
3. As soon as practicable after making a determination under paragraph (1)(b) or (2), the Authority must give the controller or processor concerned written notice of –

1. the determination and the reasons for it; and
2. the right of appeal under Article 32.

25 Sanctions following breach determination

1. If the Authority makes a breach determination against a controller or processor, the Authority may by written notice to the controller or processor ("the recipient") take all or any of the following sanctions against the recipient –

1. issue a reprimand to the recipient;
2. issue a warning to the recipient that the intended processing or other act or omission is likely to contravene the Data Protection Law;
3. make an order under paragraph (3).

2. Paragraph (1) does not limit the Authority's power to impose an administrative fine under Article 26 in the case of a contravention of the Data Protection Law.
3. The Authority may order the recipient to do all or any of the following –

1. bring specified processing operations into compliance with the Data Protection Law, or take any other specified action required to comply with that Law, in a manner and within a period specified in the order;
2. notify a data subject of any personal data breach;

3. comply with a request made by the data subject to exercise a data subject right;
4. rectify or erase personal data in accordance with Article 31 or 32 of the Data Protection Law;
5. restrict or limit the recipient's processing operations, which may include –

1. temporarily restricting processing operations in accordance with Article 33 of the Data Protection Law,
2. ceasing all processing operations for a specified period or until a specified action is taken, or
3. suspending any transfers of personal data to a recipient in any other jurisdiction; and

6. notify persons to whom the personal data has been disclosed of the rectification, erasure or temporary restriction on processing, in accordance with Articles 31 to 33 of the Data Protection Law.

4. Nothing in paragraph (3)(d), (e) or (f) limits paragraph (3)(c).
5. An order under subsection (3) may, in relation to each requirement in the order, specify –

1. the time at which, or by which, the requirement must be complied with; and
2. the period during which the requirement must be complied with (including the occurrence of any action or event upon which compliance with the requirement may cease).

6. The Authority may revoke or amend an order under paragraph (3) by giving written notice to the person concerned.
7. A recipient in respect of whom an order is made under paragraph (3) must comply with the order within any time specified for its compliance.
8. A person who contravenes paragraph (7) is guilty of an offence.

26 Administrative fines

1. Subject to Article 27 the Authority may order a controller or processor to pay to the Authority an administrative fine for any of the following –

1. failure to make reasonable efforts to verify that a person giving consent to the processing of the personal data of a child as required by Article 11(4) of the Data Protection Law is a person duly authorized to give consent to that processing in accordance with that provision;
2. breach of any duty or obligation imposed by Article 7 of, and any provision of Parts 3, 4 or 5 of, the Data Protection Law;
3. processing personal data in breach of any other provision of Part 2 or 6 of the Data Protection Law; or
4. transfer of personal data to a person in a third country or international organization in contravention of Article 66 or 67 of the Data Protection Law.

2. In determining whether or not to order a fine and, if ordered, the amount of the fine, the Authority must have regard to –

1. the nature, gravity and duration of the contravention of the Data Protection Law, taking into account the nature, scope and purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
2. whether the contravention was intentional or negligent;
3. any action taken by the person concerned to mitigate the loss, damage or distress suffered by data subjects;
4. the degree of responsibility of the person concerned taking into account technical and organizational measures implemented by the person concerned for the purposes of any provision of the Data Protection Law;
5. any relevant previous contraventions by the person concerned;
6. the degree of cooperation with the Authority, in order to remedy the breaches and mitigate the possible adverse effects of the contravention;
7. the categories of personal data affected by the contravention;
8. the manner in which the contravention became known to the Authority, in particular whether, and if so to what extent, the person concerned notified the contravention to the Authority;
9. where an order under Article 25(3) has previously been made in respect of the person concerned with regard to the same subject- matter, compliance with any measures required to be taken by the order;
10. compliance or non-compliance with code or evidence of certification in respect of the processing concerned; and
11. any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the contravention.

3. In ordering any fine, the Authority must take into account the need for fines to –

1. be effective;
2. be proportionate; and
3. have a deterrent effect.

4. An order imposing a fine –

1. must specify the date by which the fine must be paid; and
2. may provide for the fine to be paid by instalments of any number and amounts and at any times specified in the order.

5. The Authority may, of its own motion or on the application of the person concerned, vary –

1. the amount of a fine; or
2. the number, amounts and times of the instalments by which the fine is to be paid.

6. The Authority may publish the name of the person concerned and the amount of the fine in any manner it considers appropriate.
7. The Authority may recover a fine as a debt owed and due to the Authority by the person concerned.
8. A fine imposed on an unincorporated body by an order of the Authority must be paid from the funds of the body.
9. Nothing in this Article authorizes the Authority to order a public authority other than one falling only within paragraph (k) of the definition of "public authority" in Article 1(1) of the Data Protection Law to pay a fine.
10. Any fine paid to or recovered by the Authority forms part of the annual income of the States.
11. In this Article –

"fine" means an administrative fine ordered under paragraph (1);

"person concerned" means the controller or processor against whom an administrative fine is ordered.

27 Limits on administrative fines

1. Subject to paragraphs (2) and (3) an administrative fine ordered against a person –

1. for any matter specified in Article 26(1)(a) and (b), must not exceed £5,000,000;
2. for any matter specified in Article 26(1)(c) or (d), must not exceed £10,000,000.

2. An administrative fine must not exceed £300,000 or 10% of the person's total global annual turnover or total gross income in the preceding financial year, whichever is the higher.
3. An administrative fine ordered against any person whose processing of data that gave rise to the fine was in the public interest and not for profit must not exceed £10,000.
4. Where a person contravenes several provisions of the Data Protection Law in relation to the same processing operations, or associated or otherwise linked processing operations, the aggregate of the administrative fines issued against the controller or processor in respect of those processing operations must not exceed the limit specified under paragraph (1)(a) or, if applicable to any such contravention, paragraph (1)(b).
5. The Minister may, by Order, amend any monetary amount set out in this Article and Regulations may amend Article 26 and other provision of this Article.

28 Procedure to be followed before making breach determination or order

under this Part

1. This Article applies where the Authority, otherwise than with the agreement of the person concerned, proposes to make –

1. a breach determination;
2. an order under Article 25(3); or
3. an order for the payment of an administrative fine.

2. Before making the determination or order, the Authority must give the person concerned notice in writing –

1. stating that the Authority is proposing to make the determination or order;
2. stating the terms of, and the grounds for, the proposed determination or order;
3. stating that the person concerned may, within a period of 28 days beginning on the date of the notice or any longer period that may be specified in the notice, make written or oral representations to the Authority in respect of the proposed determination or order in a manner specified in the notice; and
4. of the right of appeal of the person concerned under Article 32 if the Authority were to make the proposed determination or order.

3. The Authority must consider any representations made in response to a notice under paragraph (2) before giving further consideration to the proposed determination or order.
4. The Authority may reduce the period of 28 days mentioned in paragraph (2)(c) where the Authority considers it necessary to do so –

1. in the interests of data subjects, or any class or description of data subjects, or in the public interest; or
2. where there are reasonable grounds for suspecting any of the matters mentioned in paragraph (5).

5. The matters are –

1. that, if that period of notice were given, information relevant to or relating to the proposed determination or order would be concealed, falsified, tampered with or destroyed; or
2. that the giving of that period of notice is likely seriously to prejudice –

1. any criminal, regulatory or disciplinary investigation, or any prosecution, in Jersey or elsewhere,
2. co-operation or relations with investigatory, prosecuting, regulatory or disciplinary authorities, in Jersey or elsewhere, or
3. the performance by the Authority of its functions.

6. The Authority may dispense with the procedures in paragraphs (2) and

(3) altogether if it considers that the determination or order needs to be made immediately or without notice because of the interests or grounds mentioned in paragraph (4).

7. For clarity, where a notice under this Article relates to a proposed administrative fine under Article 26 the notice must state the amount of the proposed fine.
8. In this Article "person concerned" means the controller or processor against whom the breach determination or order is proposed to be made.

29 Exclusion of courts and tribunals acting in a judicial capacity

Nothing in this Law authorizes the Authority –

1. to investigate, inquire into or determine any matter; or
2. exercise any of its other powers,

in relation to processing operations carried out by, or any other act or omission of, a court or tribunal acting in its judicial capacity.

30 Proceedings by the Authority

The Authority may bring proceedings before the Royal Court in respect of any contravention or likely contravention of this Law or the Data Protection Law and if the court is satisfied that either of those Laws has been, or will be, contravened it may make such order as it considers appropriate, including –

1. an award of compensation for loss, damage or distress to any person in respect of the contravention;
2. an injunction (including an interim injunction) to restrain any actual or likely contravention;
3. a declaration that the controller or processor, as the case may be, has committed the contravention or that a particular act, omission or course of conduct on the part of the controller or processor would result in a contravention; and
4. requiring the controller or processor to give effect to any of the rights of data subjects under Part 6 of the Data Protection Law.

31 Proceedings against Authority

1. Proceedings may be brought in the Royal Court –

1. by a  complainant where  the  Authority has omitted to give  the complainant a written acknowledgement of receipt of a complaint, or a notice as to whether or not the complaint is being investigated in accordance with Article 20;
2. by a complainant where the Authority has made a decision not to investigate a complaint under Article 20(2); and
3. by a person affected by a notice, decision or determination given by the Authority in relation to a complaint under Article 20,

on the grounds that the action or omission by the Authority was unreasonable in all the circumstances of the case.

2. The proceedings must be brought within 28 days of –

1. in the case of proceedings under paragraph (1)(a), the end of the 8 week period mentioned in Article 20(1)(b) or (5); or
2. in any other case, the date on which the person receives notice of the relevant notice, decision or determination from the Authority.

3. On receipt of the application the Royal Court may, on such terms as the court considers just, suspend or modify the effect of the notice, decision or determination in question pending the outcome of the proceedings.
4. On the hearing of the matter the court may –

1. dismiss the proceedings on such terms and conditions as it may direct; or
2. make such other order as it considers just, including an order –

1. that the Authority give the written acknowledgement or notice required,
2. annulling the decision not to investigate the complaint and directing the Authority to investigate it,
3. confirming, modifying or substituting the notice, decision or determination, or
4. remitting the matter back to the Authority for reconsideration.

5. In this Article –

"complainant" means a person who has summited a complaint to the Authority under Article 19;

"person affected by a notice, decision or determination" means –

1. the complainant in respect of the complaint giving rise to it; or
2. a controller, processor or responsible officer in respect of whom it was made.

32 Rights of appeal against determinations or orders of the Authority

1. This Article applies where the Authority –
   1. makes a breach determination; or
   2. makes an order under Article 25(3);
   3. orders the payment of an administrative fine under Article 26; or
   4. serves an information notice under paragraph 1 of Schedule 1.
2. The controller or processor affected may appeal the determination, order or notice to the Royal Court in accordance with this Article.
3. The appeal may be made on the grounds that in all the circumstances of the case the decision was not reasonable.

4. An appeal must be made within the period of 28 days immediately following the date on which the person concerned receives written notice of the determination, order or notice from the Authority.
5. An appeal is made by summons served on the Authority stating the grounds and material facts on which the appellant relies.
6. On the application of the appellant, the Royal Court may, on such terms as the court thinks just, suspend or modify the effect of the determination or order appealed against pending the determination of the appeal.
7. Upon determining an appeal under this Article, the Court may –

1. confirm the determination, order or notice, with or without modification; or
2. annul the determination, order or notice and remit the matter back to the Authority for reconsideration, in addition to making any order it considers just.

33 General provisions relating to offences

1. A person guilty of an offence under this Law is liable to a fine.
2. Where an offence under this Law, or under Regulations made under this Law, committed by a limited liability partnership or body corporate or unincorporated body is proved to have been committed with the consent or connivance of, or to be attributable to any neglect on the part of –

1. a person who is a partner of the limited liability partnership, or director, manager, secretary or other similar officer of the body corporate;
2. in the case of any other partnership, any partner;
3. in the case of any other unincorporated body, any officer of that body who is bound to fulfil any duty of which the offence is a breach or, if there is no such officer, any member of the committee or other similar governing body; or
4. any person purporting to act in any capacity described in sub- paragraph (a), (b) or (c),

the person is also guilty of the offence and liable in the same manner as the partnership or body corporate to the penalty provided for that offence.

3. If the affairs of a body corporate are managed by its members, paragraph (2) applies in relation to acts and defaults of a member in connection with the member's functions of management as if the member were a director of the body corporate.
4. Where an offence under this Law is alleged to have been committed by an unincorporated body, proceedings for the offence must, without limiting paragraph (2), be brought in the name of the body and not in the name of any of its members.
5. A fine imposed on an unincorporated body on its conviction for an offence under this Law must be paid from the funds of the body.

6. A person who aids, abets, counsels or procures the commission of an offence under this Law is also guilty of the offence and liable in the same manner as a principal offender to the penalty provided for that offence.

34 Proceedings concerning unincorporated bodies.

Subject to Article 33, where a breach is alleged to have been committed by an unincorporated body, any complaint, investigation, action, order or notice, or other proceedings, for or otherwise in relation to the breach must be brought, issued or (as the case may be) served in the name of the body and not in the name of any of its members.

35 Rules of Court

1. The power to make Rules of Court under Article 13 of the Royal Court (Jersey) Law 19484 includes the power to make Rules regulating the practice and procedure on any matter relating to the Royal Court under this Law.
2. The Rules may, in particular, make provision for –

1. enabling directions to be given to withhold material or restrict disclosure of any information relevant to proceedings under this Law from any party (including any representative of any party) to the proceedings; and
2. enabling the court to conduct such proceedings in the absence of any person, including a party to the proceedings (or any representative of a party to the proceedings).

3. In making the Rules, regard must be had to –

1. the need to secure that the decisions that are the subject of such proceedings are properly reviewed; and
2. the need to secure that disclosures of information are not made where they would be contrary to the public interest.

36 Service of notices etc.

1. A notice required by this Law to be given to the Authority is not regarded as given until it is in fact received by the Authority.
2. A notice or other document required or authorized under this Law or under Regulations made under this Law to be given to the Authority may be given by electronic or any other means by which the Authority may obtain or recreate the notice or document in a form legible to the naked eye.
3. Any notice, direction or other document required or authorized by or under this Law to be given to or served on any person other than the Authority may be given or served –

1. by delivering it to the person;
2. by leaving it at the person's proper address;

3. by sending it by post to the person at that address; or
4. by sending it to the person at that address by electronic or any other means by which the notice, direction or document may be obtained or recreated in a form legible to the naked eye.

4. Without limiting the generality of paragraph (3), any such notice, direction or other document may be given to or served on a partnership, company incorporated outside Jersey or unincorporated association by being given to or served –

1. in any case, on a person who is, or purports (under whatever description) to act as, its secretary, clerk or other similar officer;
2. in the case of a partnership, on the person having the control or management of the partnership business;
3. in the case of a partnership or company incorporated outside Jersey, on a person who is a principal person in relation to it (within the meaning of the Financial Services (Jersey) Law 19985); or
4. by being delivered to the registered or administrative office of a person referred to in sub-paragraph (a), (b) or (c) if the person is a body corporate.

5. For the purposes of this Article and of Article 7 of the Interpretation (Jersey) Law 19546, the proper address of any person to or on whom a notice, direction or other document is to be given or served by post is the person's last known address, except that –

1. in the case of a company (or person referred to in paragraph (4) in relation to a company incorporated outside Jersey), it is the address of the registered or principal office of the company in Jersey; and
2. in the case of a partnership (or person referred to in paragraph (4) in relation to a partnership), itis the address of the principal office of the partnership in Jersey.

6. If the person to or on whom any notice, direction or other document referred to in paragraph (3) is to be given or served has notified the Authority of an address within Jersey, other than the person's proper address within the meaning of paragraph (5), as the one at which the person or someone on the person's behalf will accept documents of the same description as that notice, direction or other document, that address is also treated for the purposes of this Article and Article 7 of the Interpretation (Jersey) Law 1954 as the person's proper address.
7. If the name or the address of any owner, lessee or occupier of premises on whom any notice, direction or other document referred to in paragraph (3) is to be served cannot after reasonable enquiry be ascertained it may be served by –

1. addressing it to the person on whom it is to be served by the description of "owner", "lessee" or "occupier" of the premises;
2. specifying the premises on it; and
3. delivering it to some responsible person resident or appearing to be resident on the premises or, if there is no person to whom it can be

delivered, by affixing it, or a copy of it, to some conspicuous part of the premises.

PART 5

ADMINISTRATIVE PROVISIONS

37 Guidance of Minister

1. The Minister may, if he or she considers that it is desirable in the public interest to do so, and having consulted the Authority, give to the Authority written guidance or general written directions on matters relating to corporate governance.
2. The guidance relates to the system and arrangements by or under which the Authority is directed and controlled and may relate to –

1. accountability, efficiency and economy of operation of the office of the Authority, but not to matters relating directly to the Authority's regulatory functions;
2. conflicts of interest, the accounts of the Authority and their audit, borrowing by the Authority and the investment of the funds of the Authority.

3. The Authority must have regard to any guidance and must act in accordance with any directions addressed to the Authority under this Article.

38 Fees and charges

The Authority may charge, retain and apply in the performance of the Authority's functions –

1. fees and charges (other than administrative fines) of such amounts, paid by such persons and paid in such manner, as may be –

1. prescribed by Order of the Minister, the Minister having consulted the Authority, or
2. payable in accordance with this Law or any other enactment; and

2. such fees and charges (not inconsistent with this or any other enactment) –

1. of such amounts, paid by such persons and paid in such manner, as may be decided by the Authority in respect of any service, item or matter, that does not arise under this or any other enactment, and
2. as may be agreed between the Authority and any person for whom the Authority provides advice, assistance or other services under this or any other enactment, in respect of the advice, assistance or other matters.

39 Grants to Authority

1. In respect of each financial year, the States may make a grant to the Authority from their annual income towards the Authority's expenses in performing any of its functions.
2. The amount of any grant referred to in paragraph (1) is determined by the Minister for Treasury and Resources on the recommendation of the Minister made after consultation with the Authority.
3. In making that recommendation, the Minister must have regard to the actual financial position and the projected financial position of the Authority.
4. In determining the amount of grant, the Minister for Treasury and Resources must have regard to the actual financial position and the projected financial position of the Authority.

40 Consent to borrowing

1. The Authority must not borrow money without the consent of the Minister.
2. The Minister for Treasury and Resources may, on such terms as he or she may determine, on behalf of the States –

1. guarantee the liabilities of the Authority; or
2. lend money to the Authority.

3. The Minister for Treasury and Resources may act under paragraph (2) only on the recommendation of the Minister.

41 Guidelines on investment

In investing any funds belonging to the Authority, the Authority must comply with any guidelines specified by the Minister.

42 Exemption from income tax

The income of the Authority is not liable to income tax under the Income Tax (Jersey) Law 19617.

43 Accounts and audit

1. The Authority must –

1. keep proper accounts and proper records in relation to the accounts; and
2. prepare accounts in respect of each financial year; and
3. after the accounts have been audited in accordance with paragraph (3), provide them to the Minister as soon as practicable after the end of the financial year to which they relate, but in any event within 4 months of the end of that year.