A Guernsey trust can be used to hold any types of assets,
wherever situated, including intellectual property rights,
copyright, database rights and image rights, as well as licences to
access, process and store data, and confidentiality rights in the
data. A trust can be used to protect trust assets from claims of
third parties against the settlor and the beneficiaries.
This piece explores the uses of Guernsey trusts to hold all types of data assets, including examples of structures and the regulatory background.
The purpose of this note is to explain and set out some of the possible benefits of a data trust for securing data and satisfying data protection requirements.
Technology is enabling businesses to collect increasing amounts of information about their customers, employees and their operations. As businesses invest in resources to extract "big answers" from the "big data" that they collect, and they increasingly move their operations to the cloud, the intrinsic value of data is becoming recognised as a new asset class.
Similar to any type of asset, businesses must plan to protect their data, and in doing so identify how to store and manage their data. It is easy to think that this issue solely concerns cyber security. However, the risks to data extend beyond hackers and IT failures, which can only be appreciated once data is considered in the same way as any other asset.
Further, the so called "splinternet" phenomenon is occurring as countries introduce conflicting requirements for protecting and requiring disclosure of data. For example, some countries have wide reaching powers to order disclosure of data, as evidenced by the US PRISM program. Those powers conflict with other countries' laws, including data protection and rights to privacy. These problems are highlighted in the recent case of United States v Microsoft Corp. (also called the Microsoft Ireland case), which involved a warrant issued by the New York District Court for Microsoft to produce all emails and private information associated with an account hosted by Microsoft in the US and Ireland. Whilst Microsoft successfully appealed the warrant on grounds that it should not apply outside the US, Microsoft was still required to disclose all data relating to the account that it hosted in the US, even if the data concerned a non-US person. This issue can cause serious legal and reputational risks for international businesses.
More recently, in the case of Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (also called "Schrems II") the Court of Justice of the European Union (CJEU) struck down the EU-US Privacy Shield, which was a commonly used framework for exchanges of personal data between the EU and the US to satisfy EU data protection requirements. The CJEU ruled that the protections for personal data under US law, and the ability of US public authorities to access that data, do not satisfy requirements that are essentially equivalent to those required under EU law. It is now very difficult for businesses to lawfully transfer personal data from the EU to the US or for US businesses to handle data relating to EU citizens.
The data trust solution
For over 50 years, trusts have been used in Guernsey to protect assets. A trust is a legal arrangement whereby a person or business (the settlor) transfers assets to another person or business (the trustee) to hold for the benefit of the settlor or other persons (the beneficiaries) or for a specified purpose. The trustee becomes the legal owner of the assets, which the trustee must manage for the benefit of the beneficiaries or for the specified purpose. The terms on which the trustee holds the assets are set out in a trust instrument document.
A Guernsey trust can be used to hold any types of assets, wherever situated, and any share, right or interest in the assets, including tangible and intangible property, and rights and interests, whether vested, contingent, defeasible or future. In relation to data, examples of rights could include intellectual property rights in the data, such as copyright, database rights and image rights, as well as licences to access, process and store the data, and confidentiality rights in the data.
A trust can be used to protect trust assets from claims of third parties against the settlor and the beneficiaries. Under a data trust the trustee would hold the rights to the data, is legally responsible for the data and must apply the data for the benefit of the beneficiaries, or for the purpose of the trust. Importantly, the rights attaching to the data should be held by the trustee in Guernsey in accordance with Guernsey law requirements, including for data protection.
Examples of possible data trust structures
For the purposes of a data trust, the current holder of the
data, such as a business, or its customer, transfers the data and
assigns its rights in the data to a trustee in Guernsey. The
trustee would hold the data and associated rights itself, or
outsource the hosting of the data to a thirdparty, such as a cloud
service provider, whilst retaining the rights in the data. The
terms governing the data trust must be agreed between the settlor
and the trustee, and the terms will be stated in the trust
instrument. In relation to data trusts containing personal data,
the trustee would be a data controller of the data for data
Data trusts for beneficiaries Under a trust for beneficiaries, the beneficiaries are either fixed (named in the trust instrument with a predetermined right to the trust assets or the proceeds of the assets), or determined by the trustee in accordance with terms stated in the trust instrument. Examples of different types of potential beneficiaries include the business that established the trust, its employees or its customers. The trustee must hold and manage the data for the benefit of the beneficiaries in accordance with the terms of the trust instrument.
Purpose data trusts
A purpose trust is not required to have beneficiaries. Instead, the trust is established for a specified purpose, which can be any purpose whatsoever, whether or not involving the conferral of any benefit to a person, and including the holding or ownership of assets and the exercise of functions. The purpose must be clearly defined in the trust instrument. Possible examples of purposes for data trusts include receiving and hosting the data, maintaining confidentiality in the data, and processing the data. In addition to the trustee, a purpose trust must also have an enforcer, whose duty it is to enforce the trust in relation to its purpose. The enforcer is a useful independent check and balance on the trustee in the performance of its functions.
Benefits of a data trust
Unlike other structures for hosting data, a Guernsey data trust achieves a distinction between the legal and beneficial ownership of data. The trustee is legally responsible for the data, and must comply with Guernsey's regulatory requirements in relation to the data, whilst applying the data for the benefit of the beneficiaries, or for the stated purpose, of the data trust.
The settlor and the beneficiaries will benefit from additional protection for the data, because any claims from third parties to access the data should be brought in Guernsey against the trustee (not against the settlor or the beneficiaries), which must comply with Guernsey law.
Additional Guernsey law benefits
Guernsey is compliant with existing European data protection requirements. For over a decade, Guernsey has been one of only eleven jurisdictions whose data protection regimes benefit from an adequacy decision of the EU Commission. Further, in 2017 Guernsey introduced new data protection legislation that implements equivalent provisions as the EU's General Data Protection Regulation (GDPR) to maintain Guernsey's adequacy status. A Guernsey data trustee will be required to hold the data in compliance with Guernsey's data protection requirements, which enables personal data to flow from EU and EEA countries to the trustee without any further safeguards being necessary.
Under a Guernsey data trust arrangement it should be possible for businesses in jurisdictions that are not compliant with EU data protection requirements, such as the US, to appoint a Guernsey data trustee in order to satisfy those requirements and benefit from the ability to easily transfer data to and from EU and EEA countries.
Guernsey also has some unique advantages in respect of database rights and image rights. Database rights create a property right to protect against unauthorised use of the contents of a database. Few countries outside the EU have database rights. Guernsey has introduced database rights legislation based on the EU model. However, unlike the EU, Guernsey is unique in that it permits a database right to exist even if the data is created by the author of the database. This difference is important for protecting databases of the results produced from analysing data, since those results are likely to constitute newly created data, which might not otherwise be protected by database rights outside of Guernsey.
Guernsey was also the first jurisdiction in the world to enable registration of image rights, to determine and enable the commercial exploitation and protection of image rights associated with a person. Guernsey image rights are a property right that can be licensed and assigned.
Database rights and image rights in Guernsey are useful to
provide certainty as to the assets held within the data trust, for
example by creating legal rights existing in a database or the
image held by the data trustee.
About Guernsey Guernsey is an independent self-governed jurisdiction and it is an established centre for international finance. Guernsey is the largest captive insurance domicile near to Europe, and is a leading location for investment funds with over 1,000 funds domiciled or administered on the island. Guernsey also has an "AA" credit rating from Standard & Poor's and has received from MONEYVAL the best score of any jurisdiction under the Financial Action Task Force's recommendations with respect to anti-money laundering and combating the financing of terrorism.
Further, with more than 50 years' experience in providing trust and corporate services, Guernsey is a leading jurisdiction for fiduciaries. Guernsey was one of the first jurisdictions in the world to introduce a regulatory regime for trust and corporate services providers, to ensure the highest standards. Guernsey currently has over 180 licensed fiduciaries.
Guernsey is also in an enviable position as being an integral
part of the trans-Europe and Atlantic fibre-optic network, which is
one of the backbones of the global internet. Guernsey's network
has regularly carried US to EU data traffic. The island's
state-of-the art international connections have enabled Guernsey to
become a leader in e-Gaming, internationally transmitting more
e-Gaming data than any other jurisdiction.
Conclusion Guernsey trusts are an established arrangement for adding legal protection to assets. Combined with Guernsey's international internet connectivity and track record, its EU data protection adequacy and its additional database and image rights protection, Guernsey data trusts are an ideal solution for businesses that require data protection compliance and additional legal safeguards to protect their data.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.