In the last edition of Law Talk, we briefly reviewed the much anticipated Cayman Islands LLC Bill which is intended to add another key facet to the Cayman Islands entity formation toolbox, the limited liability company. This important legal development has been sought by attorneys and clients in the United States for some time, particularly in the investment funds industry, and is based, in part, on the Delaware form of limited liability company. The LLC Law is expected to be enacted imminently, and we devote much of this edition of Law Talk to considering its key provisions and the type of vehicles that may adopt this structure. We also consider another important new Bill, the Cayman Islands’ Data Protection Bill, which was published in May 2016.
THE LLC LAW
The Limited Liability Companies Bill, 2015 has been published in the Cayman Islands and is expected to be enacted into law imminently. This will introduce a new type of corporate vehicle in the Cayman Islands: The Limited Liability Company.
What are Cayman LLCs?
The Cayman LLC will be a hybrid corporate vehicle combining many of the key characteristics of existing Cayman Islands companies and limited partnerships. The Cayman LLC will provide for the liability of its members to be limited to the amount they have agreed to contribute without any requirement for share capital or the relative structural rigidity of a traditional company and, unlike a limited partnership, will be a body corporate with separate legal personality. In common with limited partnerships, the interest of members in a Cayman LLC will typically be determined by reference to their capital contributions rather than by the number of shares that they hold and the members will be free to agree amongst themselves how the entity will be operated and regulated, subject to a small number of mandatory rules.
Other key features of the Cayman LLC include management by members or third party managers rather than by directors or general partners; freedom to allocate profits and losses as the members may determine; and the duty of managers to be limited to good faith unless otherwise agreed. The law implementing the Cayman LLC will also allow for the conversion of existing exempted companies into Cayman LLCs, the merger or consolidation of Cayman LLCs with exempted companies or foreign entities with separate legal personality and the continuation by foreign entities with separate legal personality into the Cayman Islands as Cayman LLCs.
Why is the LLC legislation significant?
The Cayman LLC legislation is significant because it brings to Cayman Islands’ law a corporate entity that is fundamentally different from the traditional share capital, director-managed style of company. In particular, common law concepts, including maintenance of capital and restrictions on how capital may be returned or distributions made to shareholders have been swept aside in favor of a flexible corporate structure where members’ interests may be measured by the amounts or value they contribute and solvency is the only test for permitting repayments or distributions to members.
Conceptually a Cayman LLC offers the flexibility of the partnership model in terms of how the business is operated and capitalized but – as with the company model – limited liability for members and separate legal personality for the entity. The operational flexibility of a Cayman LLC will enable its constitution to be closely aligned with how the members wish it to be run in contrast with the relatively rigid rules that companies are required to adhere to.
The Cayman LLC is thus being introduced to provide a flexible partnership-style corporate entity as an alternative to the traditional company model.
Who is likely to use this vehicle?
Limited liability companies are widely used in the United States and are a familiar feature in corporate structures for investment funds, joint ventures and structured finance transactions. A large proportion of investment funds and other financial services work undertaken in the Cayman Islands originates in the United States and the introduction of the Cayman LLC is largely a response to requests from the United States investment funds industry and major United States law firms. The Cayman LLC legislation has been drafted using the Delaware model as a guide and, for that reason, is expected to be welcomed by United States legal advisers and their clients as they will already be familiar with many of the concepts.
The Cayman Islands is the jurisdiction of choice for offshore investment funds and it is anticipated that the Cayman LLC will be of particular interest to private equity and hedge fund managers. The ability to have similar vehicles in onshore and offshore fund structures will better align the interests of investors regardless of how or where they enter the fund, enable broadly similar documentation to be used onshore and offshore and may well be administratively more efficient. Because the Cayman LLC will, for most practical purposes, operate as a “corporate partnership,” it provides a degree of operational flexibility that is well suited to the funds market.
Additionally, the Cayman LLC lends itself to a broad range of corporate and commercial applications, including joint venture, general partner and structured finance vehicles, where its operational and structural flexibility may provide advantages over more traditional companies.
Summary of key features
In summary, some of the key features of the Cayman LLC will include:
- The Cayman LLC will be a body corporate with separate legal personality (unlike partnerships in Cayman) and members will have limited liability. Subject to the LLC agreement, no member or manager of a Cayman LLC shall be personally liable for any debt, obligation or liability of the Cayman LLC solely by reason of being a member or acting as a manager of the Cayman LLC;
- The management of a Cayman LLC, unless otherwise provided in the LLC agreement, is vested either in its members acting by a majority in number or, if so provided in the LLC agreement, in one or more managers. Subject to the LLC agreement, a manager does not owe any duty (fiduciary or otherwise) to the Cayman LLC or any member other than a duty to act in good faith in respect of the rights, authorities or obligations of the manager;
- Members are given considerable flexibility to agree the internal workings and management of the Cayman LLC in their LLC agreement. The member(s) of an LLC are required to enter into an LLC agreement to regulate and conduct the business or affairs of the Cayman LLC. The LLC agreement is required to be governed by Cayman Islands law and the LLC is bound by the terms of the LLC agreement, whether or not signed by the Cayman LLC.
- No share capital – members may have capital accounts and make capital contributions with profits and losses allocated amongst them in accordance with the LLC agreement;
- Registration is effected by filing a simple registration statement with the Cayman Islands’ Registrar of Limited Liability Companies. The LLC agreement need not be filed; and
- Existing Cayman Islands exempted companies and certain foreign companies continuing into the Cayman Islands may convert or merge into a Cayman LLC.
As the only offshore common law jurisdiction (with the exception of the Isle of Man) to introduce LLC legislation, this is another example of the responsiveness of this jurisdiction to onshore market developments and client needs when introducing new or amending existing legislation and will help cement the Cayman Islands’ leading position in the offshore world.
NEW DATA PROTECTION BILL
The Cayman Islands government has published the Data Protection Bill, 2016, which proposes a framework of rights and duties designed to safeguard individuals’ personal data, balanced against the need of public authorities, businesses and organizations to collect and use personal data for legitimate purposes. The Data Bill was developed in line with international best practices while ensuring that it reflects the specific needs of the Cayman Islands. It is based substantially on the Data Protection Act, 1998 of the United Kingdom and has been drafted in an attempt to meet the “adequacy” requirement of the European Data Protection Directive.1 The Directive is generally regarded as the most rigorous data privacy standard in the world. Gaining “adequacy” status would allow personal data to move between the EU member states (and members of the European Economic Area) and the Cayman Islands without further safeguards.
The Data Bill is centered around eight data protection principles requiring that personal data must:
- be processed fairly and only when specific conditions are met, for instance where consent has been given, where there is a legal obligation, or where it is necessary for performance of a contract to which the data subject (as defined in the Data Bill) is a party. Additional conditions apply in respect of “sensitive” (as defined in the Data Bill) personal data (examples of which include racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, health, sex life and offenses);
- be obtained only for one or more specified lawful purposes, and shall not be further processed in any manner incompatible with such purposes;
- be adequate, relevant and not excessive in relation to the purpose or purposes for which it is collected or processed;
- be accurate and, where necessary, kept up-to-date;
- not to be kept for longer than is necessary for the purpose;
- be processed in accordance with the rights of individuals as specified under the draft Data Bill;
- be protected by appropriate technical and organizational measures against unauthorized or unlawful processing, and against accidental loss, destruction or damage; and
- not to be transferred abroad unless the country or territory to which it is transferred ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
The proposed legislation grants to living individuals referred to as “data subjects” specific rights in relation to their personal data including, subject to specified limitations:
- the right to be informed by a data controller (as defined in the Data Bill) whether their personal data is being processed;
- the right to access their personal data and certain information about its use and source;
- the right to require that processing of their personal data cease;
- the right to require that processing of their personal data for the purpose of direct marketing cease;
- the right to require that a decision which significantly affects him or her is not made solely by the processing by automatic means of personal data;
- the right to seek compensation for damages caused by contravention of the data protection legislation;
- the right to complain to the Information Commissioner (discussed further below) where it appears that a violation has occurred; and
- the right to seek from the Information Commissioner an order for rectification, blocking, erasure or destruction of inaccurate personal data and opinions based on such.
The Data Bill also imposes specific obligations on the persons who control the processing of personal data (so-called “data controllers” (as further discussed below), including:
- the duty to apply the data protection principles;
- the duty to respond in a timely fashion to requests from data subjects in relation to their personal data; and
- the duty to notify data subjects and the Information Commissioner of any personal data breaches.
If processing of personal data is to be carried out on behalf of a data controller by a data processor (as defined in the Data Bill) (not being an employee of the data controller), the data controller will not be regarded as complying with Principle 7 above unless the processing is carried out under a contract which conforms to specific requirements (to ensure compliance with the Data Bill).
The Data Bill applies to a data controller established in the Cayman Islands if the data are processed in the context of that establishment. It also applies to a data controller who is not established in the Cayman Islands but processes data in the Cayman Islands otherwise than for the purposes of transit of data through the Cayman Islands. Where a data controller is not established in the Cayman Islands, the data controller is required to nominate someone who is established in the Cayman Islands as a representative, who will be liable as a data controller.
In order to be a data controller, a person must be the person who, alone or with others, determines the purposes, conditions and means of the processing of personal data.
The regulated activity of “processing” personal data is very widely defined to include obtaining, recording or holding data, or carrying out any operation or set of operations, which is again very widely defined. It is difficult to envisage anything that an organization might do with data that will not be considered to be processing.
In order to ensure that personal data can be used in appropriate circumstances, the Data Bill recognizes a number of exemptions to the obligations noted above, including national security, law enforcement, certain public functions, health care, education, social work, journalism, literature, art, research, history, statistics, information available under an enactment, legal proceedings, personal family or household affairs, honours, corporate finance, negotiations and legal privilege.
Compliance and enforcement
The Information Commissioner, currently tasked with oversight of the Freedom of Information Law (2015 Revision), will assume a similar role for data protection, and will be given the powers, responsibilities and resources necessary to ensure the successful functioning of the legislation.
The Information Commissioner will be given the power:
- to hear, investigate and rule on complaints;
- to monitor, investigate and report on the compliance of data controllers under the law;
- to intervene and deliver opinions and orders related to processing operations;
- to order the rectification, blocking, erasure or destruction of data;
- to impose a temporary or permanent ban on processing;
- to make recommendations for reform both of a general nature and directed at specific data controllers;
- to engage in proceedings where the provisions of the law have been violated, or refer violations to the appropriate authorities;
- to cooperate with international data protection supervisory authorities;
- to publicize and promote the requirements of the law and the rights of data subjects under it; and
- to do anything which appears to be incidental or conducive to the carrying out of his or her functions under the law.
The Data Bill establishes a number of offenses and penalties for failure to comply with the requirements of the Data Bill, but also for:
- failing to notify the data subject and the Information Commissioner of a personal data breach;
- withholding, altering, suppressing or destroying information requested by the Information Commissioner;
- knowingly or recklessly disclosing information;
- obstructing a warrant, or making a false statement;
- unlawfully obtaining, disclosing, selling or procuring personal data;
- failing to comply with an enforcement or monetary enforcement order; and
- offenses otherwise specified in Regulations.
The Data Bill has been developed in line with international best practices but a conscious effort has also been made to ensure that it reflects the specific needs of the Cayman Islands. The Data Bill aims to meets these requirements and, if enacted, should create a robust and proportionate data protection regime that will enhance Cayman’s reputation and competitiveness in the global marketplace.
- Directive 95/46/EC of the European Parliament and the Council of 24 October 1995 on the protection of individuals with regard to the process of personal data and on the free movement of such data O.J. No. L 281/31. The Council and the European Parliament have given the EU Commission the power to determine whether a third-country ensures an adequate level of protection by reason of its domestic law or of the international commitments it has entered into. The effect of such a decision is that personal data can flow from the EU and EEA member countries to that third country without further safeguards being necessary.