
Jurisdiction snapshot

Trends and climate

Would you consider your national data protection laws to be ahead of or behind the international curve?

Gibraltar is a British Overseas Territory. The United Kingdom is (presently) a member of the European Union, and the EU treaties apply to Gibraltar pursuant to Article 355(3) of the Treaty on the Functioning of the European Union, so Gibraltar is within the European Economic Area. As a consequence, EU law applies in principle to Gibraltar. However, Gibraltar is not part of the customs territory of the Union and remains exempt from EU legislation regarding the common agricultural policy, the common fisheries policy and the common system of value-added tax.

The present legal framework for data protection comes directly from the European Union in the form of the EU Data Protection Directive (95/46/EC) and the EU E-Privacy Directive (2002/58/EC). These have been transposed and implemented into Gibraltar law.

Gibraltar is thus ahead of the international curve in this respect, since Europe leads in data protection regulation.

Are any changes to existing data protection legislation proposed or expected in the near future?

Significant changes are coming to the data protection framework in the form of two new pieces of EU legislation. The first applies in Gibraltar from May 25 2018 and the second is proposed to apply from the same date:

  • the EU General Data Protection Regulation (2016/679); and
  • the EU Privacy and Electronic Communications Regulation (proposed).

The EU General Data Protection Regulation emphasizes transparency, security and accountability by data controllers and processors, and imposes a significant number of additional obligations on them. The headline changes coming as a result of the EU General Data Protection Regulation are as follows:

  • The territorial reach of EU law is being extended: non-EEA organisations will be governed by the EU General Data Protection Regulation if they process the personal data of data subjects who are in the European Union, provided that the processing activities are related "to the offering of goods or services" (regardless of whether a transaction takes place) to such data subjects in the European Union or "the monitoring of their behaviour" within the European Union. These organisations will be required to designate an EU-based representative;
  • Data processors will be subject to specific direct legal obligations (rather than contractual only), including maintaining records of personal data and processing activities, and will have significantly more legal liability if they are responsible for a breach;
  • Data subjects will have the right to sue controllers and processors directly for material and non-material damage;
  • The definition of ‘personal data’ in the new regulation is more detailed and includes information such as online identifiers (eg, IP addresses, device identifier tags and location identifier tags);
  • The new regulation requires further information to be provided to individuals before collecting data, including the legal basis for processing, retention periods and the right to complain;
  • The regulation has much stricter requirements for using consent as a ground for legally processing data;
  • The regulation makes notification of personal data breaches to the data protection commissioner mandatory (within 72 hours of becoming aware of the breach, where feasible), unless the breach is unlikely to result in a risk to individuals;
  • Mandatory data protection impact assessments will be introduced for organisations involved in high-risk processing;
  • Certain organisations will be required to designate a data protection officer; and
  • Consumers will be able to allow consumer protection bodies to bring claims on their behalf.

Having prepared businesses for the change to the general data protection regime, in January 2017 the European Union also announced sizeable changes to the specific privacy rules relating to direct marketing, cookies and other forms of online monitoring, in the form of the proposed EU Privacy and Electronic Communications Regulation:

  • The definition of ‘electronic communications services’ in the new regulation is far broader and will likely apply to all services that have a communications element;
  • Over-the-top communications services (eg, Skype, Gmail and WhatsApp), will be subject to EU electronic communications rules;
  • As regards cookies, consent from a data subject may be expressed by browser settings. The new regulation places specific obligations on browser providers to ensure that appropriate consent settings and options are given to individuals;
  • The collection of device information (eg, for WiFi log-ins) is prohibited, other than for the purpose of establishing the connection, unless a “clear and prominent” notice is displayed; and
  • Data subjects will have a new right to object to the processing of their electronic communications data.

Perhaps the change giving businesses the most sleepless nights is the significant increase in the level of fines proposed in both the EU General Data Protection Regulation and the EU Privacy and Electronic Communications Regulation, with the most punitive tier set at the higher of €20 million or 4% of total worldwide annual turnover.

Legal framework

Legislation

What legislation governs the collection, storage and use of personal data?

The Data Protection Act 2004 and the Communications (Personal Data and Privacy) Regulations 2006 incorporate the EU Data Protection Directive (95/46/EC) and the EU E-Privacy Directive (2002/58/EC) into Gibraltar law.

Scope and jurisdiction

Who falls within the scope of the legislation?

The legislation applies to ‘data controllers’, which are defined as natural or legal persons, public authorities, agencies or any other bodies which, alone or jointly with others, determine the purposes and means of the processing of data.

The data protection regime also applies to ‘data processors’, which are natural or legal persons, or any other bodies, which process personal data on behalf of a data controller.

What kind of data falls within the scope of the legislation?

The legislation applies to the processing of ‘personal data’ wholly or partly by automatic or non-automatic means (ie, manual means).

‘Automated data’ covers information which:

  • is processed by means of equipment operating automatically in response to instructions given for that purpose; or
  • is recorded with the intention that it should be processed by means of such equipment.

‘Manual data’ refers to information which is recorded as part of a filing system or with the intention that it should form part of a filing system.

A further sub-set of data called ‘sensitive personal data’ is given special status by the 2004 Act (ie, its use by a data controller is more tightly controlled). It covers data revealing sensitive characteristics of an individual, such as racial origin, religious beliefs, sex life or health, or the commission or alleged commission of an offence.

Are data owners required to register with the relevant authority before processing data?

Yes.

The definition of ‘processing data’ is very broad and ranges from collecting, storing and recording to retrieval, use and disclosure by transmission.

Most businesses and organisations which ‘process’ information by computer will need to register with the Data Protection Commissioner. This includes controllers and processors (although the requirements for processors are more limited).

Under the Data Protection Act 2004, the Gibraltar Regulatory Authority (GRA) is nominated as the Data Protection Commissioner. The GRA is thereby the independent statutory body responsible for enforcing the Data Protection Act, and carries out the functions assigned to it to uphold the rights of individuals and their privacy.

Is information regarding registered data owners publicly available?

The Gibraltar Regulatory Authority keeps an online Data Protection Register, which is searchable by the public.

Is there a requirement to appoint a data protection officer?

There is no specific requirement for organisations that are data controllers or processors to have an appointed data protection officer.

Enforcement

Which body is responsible for enforcing data protection legislation and what are its powers?

The Gibraltar Regulatory Authority (GRA) is responsible for enforcing data protection legislation. Its powers are set out in Part 5 of the Data Protection Act 2004. In overview, these include the powers to:

  • investigate;
  • serve information notices;
  • issue enforcement notices; and
  • order compensation.

The GRA may carry out such investigations as it feels appropriate in order to ensure compliance with the Data Protection Act, irrespective of whether a complaint has been made. The GRA must investigate any complaint that the Data Protection Act has been contravened, unless it considers the complaint to be frivolous or vexatious. If the GRA cannot arrange an amicable solution between the parties within a reasonable time, it must notify the parties of its decision, which either party can appeal to the Gibraltar Magistrates’ Court.

The GRA can serve information notices on any data controller, requiring that person (natural or legal) to produce the information specified in the notice. Other than in exceptional urgent circumstances, the person has 21 days to produce the information. Within this period, a recipient of an information notice can appeal to the Supreme Court to avoid having to produce the information. Failure to comply with an information notice without a reasonable excuse is an offence under the Data Protection Act. The same is true if a person complies, but provides information that it knows to be false or misleading in a material respect.

The GRA issues an enforcement notice when it believes that a party has contravened (or is contravening) the Data Protection Act. An enforcement notice requires that party to block, rectify, erase or destroy the data which is the subject of the notice, or supplement it with a statement rectifying the issues flagged by the GRA. Once a party has complied with an enforcement notice, that party has 35 days to notify the affected data subjects of the steps taken and, in certain circumstances, notify any third party to which the data was disclosed during the past 12 months.

As with an information notice, except in exceptional urgent circumstances, the party has 21 days to comply or appeal. A failure or refusal to comply with a requirement specified in an enforcement notice, without a reasonable excuse, is an offence under the Data Protection Act. 

Collection and storage of data

Collection and management

In what circumstances can personal data be collected, stored and processed?

The key responsibilities of any data controller when it comes to the collection, storage and processing of personal data are governed by the eight ‘data protection principles’ derived from EU law:

  • Personal data shall be processed fairly and lawfully.
  • Personal data shall be obtained only for one or more specified and lawful purpose, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  • Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed.
  • Personal data shall be accurate and, where necessary, kept up to date.
  • Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  • Personal data shall be processed in accordance with the rights of data subjects.
  • Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  • Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

The only requirement in the Data Protection Act 2004 regarding the period for which an organisation may retain data states that “data shall… not be kept for longer than is necessary for that purpose or those purposes.” The Data Protection Act leaves the onus on organisations to determine what is ‘necessary’ in any particular circumstance. In addition, depending on the nature of the data controller’s business, it may have additional statutory requirements in respect of record keeping that affect its retention policies.

Do individuals have a right to access personal information about them that is held by an organisation?

Yes, one of the significant responsibilities of any data controller under the Data Protection Act 2004 is to enable individuals to know what information it keeps about people generally, and what information it keeps about them specifically.

Individuals have a number of key rights under the Data Protection Act regarding data relating to them:

  • the right to have information collected, stored and used in accordance with the eight data protection principles in EU law;
  • the right to access information held about them;
  • the right to have incorrect information corrected or destroyed;
  • the right to object to the use of their information for the purposes of direct marketing (ie, the communication by whatever means of any advertising or marketing material directed to a particular individual);
  • the right not to have decisions made about them solely on the basis of automatic processing of information; and
  • the right to complain to the Gibraltar Regulatory Authority and to take legal action against the improper use of information.

Do individuals have a right to request deletion of their data?

Where the data held by a data controller regarding an individual is incomplete or inaccurate, or otherwise contravenes the Data Protection Act 2004, the individual can request that it be rectified or erased. This includes data that has been held for longer than is necessary.

Such a request must be made in writing, and once it is received by a company, that company must deal with the requested information within 28 days.

Once a data controller has complied with an enforcement notice, it has 35 days to notify the individual who is the subject of the data of the steps taken and, in certain circumstances, any third party to which the data was disclosed during the past 12 months.

Consent obligations

Is consent required before processing personal data?

No, but consent is central to the protection of data in EU member states. As a consequence, the concept features prominently throughout the Data Protection Act 2004.

The starting point is that the processing of personal data is legitimate where the individual concerned has unambiguously given his or her consent. The giving of consent is defined in the Data Protection Act as being any freely given specific and informed indication by which an individual signifies agreement to his or her personal data being processed by a data controller.

If consent is not provided, are there other circumstances in which data processing is permitted?

There are a number of circumstances where data processing is permitted in the Data Protection Act 2004, even where an individual does not give consent. It is permitted where the processing is necessary:

  • for the signing or preparation of a contract between the data controller and the individual;
  • for the data controller to comply with a legal obligation;
  • to prevent injury or other damage to the health of the individual;
  • to prevent serious loss or damage to the property of the individual;
  • to protect the individual’s vital interests;
  • for the administration of justice;
  • for the performance of a public function by a third party; or
  • for the purposes of legitimate interests pursued by the data controller, except where these interests are overridden by the fundamental rights and freedoms of the individual.

The circumstances in which processing sensitive personal data without consent is permitted are different. Such processing is permitted where:

  • the data controller is processing the data in accordance with a legal right or obligation under employment law;
  • processing is carried out by a non-profit organisation (eg, charity, church or trade union) for a specified purpose;
  • the information contained in the data has been made public as a result of steps deliberately taken by the individual; or
  • the processing is necessary:
    • to protect the vital interests of the individual, or another person, where the individual is physically or legally incapable of giving consent;
    • for the administration of justice;
    • for the performance of a public function by a third party;
    • for obtaining legal advice or defending legal rights; or
    • for the purposes of medical treatment.

What information must be provided to individuals when personal data is collected?

Part of the requirement that personal data must be processed fairly is that the data controller ensures, so far as is practicable, that the individual has, is given, or has readily available the following information:

  • the identity of the data controller;
  • the intended purposes of the processing; and
  • based on the circumstances in which the data will be processed, any other information which is necessary to enable the processing to be fair to the individual, including:
    • the recipients or category of recipients;
    • the categories of the data collected, where it has come from a third party; and
    • the existence of the right to access and rectify the data concerning the individual.

Data security and breach notification

Security obligations

Are there specific security obligations that must be complied with?

One of the key responsibilities of data controllers (if not the most important) is to ensure that information about individuals is kept safely, securely and confidentially.

Overall, in terms of compliance for data controllers, this means they must:

  • have effective organisational and technical security procedures in place; and
  • instruct their staff to keep information securely stored in accordance with the procedures in place.

In more detail, the procedures put in place must prevent the following from happening to an individual’s data:

  • accidental or unlawful destruction;
  • accidental loss;
  • alteration;
  • unauthorised disclosure and access; or
  • any other unlawful form of processing.

To prevent organisations from having to put in place disproportionate security measures to protect the data they collect, with the associated cost, the Data Protection Act 2004 provides further guidance as to what are ‘appropriate organisational and technical security measures’.

First, an organisation must have regard to the most up-to-date technology available, but can balance the effectiveness of the most state-of-the-art measures against their cost.

Second, an organisation processing data must ensure the level of data security it has in place is appropriate (proportionate) to:

  • the risks represented by the processing;
  • the harm which might occur from one of the above actions taking place (eg, accidental loss); and
  • the nature of the data being protected.

Breach notification

Are data owners/processors required to notify individuals in the event of a breach?

Not as standard under the Data Protection Act 2004.

However, the Communications (Personal Data and Privacy) Regulations 2006, which apply to the providers of publicly available electronic communications services, provide that in the event of a breach that would adversely affect data subjects or subscribers, a service provider must inform both the individuals concerned and the Gibraltar Regulatory Authority (GRA), as soon as reasonably practicable and without undue delay.

The notification must contain:

  • a description of the nature of the breach;
  • the contact points where more information can be obtained; and
  • a recommendation of the measures that can be taken to mitigate the possible adverse effects of the personal data breach.

The only circumstance in which a service provider need not notify an individual is where it can demonstrate to the GRA that:

  • it has implemented appropriate technological protection measures (eg, encryption that renders the data unintelligible to anyone not authorised to access it); and
  • those measures were applied to the data which was subject to the breach.

This exception removes only the duty to notify the individuals concerned; the GRA must still be notified.

Are data owners/processors required to notify the regulator in the event of a breach?

Yes, in respect of electronic communications service providers and where a breach would adversely affect data subjects or subscribers. When the service provider is notifying the Gibraltar Regulatory Authority of a breach, it must also include:

  • a description of the consequence of the breach; and
  • the measures proposed or taken by the provider to address the breach.

Electronic marketing and internet use

Electronic marketing

Are there rules specifically governing unsolicited electronic marketing (spam)?

The position of the Communications (Personal Data and Privacy) Regulations 2006 on unsolicited electronic marketing is clear: a party may not transmit such marketing material unless the individual receiving it has previously notified the sender that he or she consents (for the time being) to receiving it. This is known as the ‘opt-in’ regime.

The regulations provide for a limited set of circumstances in which a party can send unsolicited electronic marketing to an individual on the basis of a kind of implied consent, also referred to as a ‘soft’ opt-in. All of the following conditions must be met:

  • The direct marketer obtained the contact details of the individual in the course of the sale, or negotiations for the sale, of goods or services to that individual;
  • The direct marketing relates to the marketer’s own goods or services that are similar to those purchased by the individual; and
  • The direct marketer gave the individual a simple means, free of charge, to opt out of the use of his or her contact details for direct marketing purposes at the time the details were collected.

Whether the opt-in has been explicit or soft, in each subsequent direct marketing email to an individual, the service provider must provide an option to opt out of future marketing emails (eg, an unsubscribe link).

Cookies

Are there rules governing the use of cookies?

Regulation 5 of the Communications (Personal Data and Privacy) Regulations 2006 was initially the law which specifically governed the use of cookies by Gibraltar-based service providers. It obliged service providers to tell individuals:

  • how they used cookies to collect and store information; and
  • how the individual could opt out if he or she did not wish the information to be collected and stored in this way.

The current rules in force in Gibraltar are now essentially that cookies can only be placed on computer equipment where the individual has given consent. Before giving consent, the individual must be provided with clear and comprehensive information about the purposes of the storage of, or access to, that information.
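The consent-before-placement rule above, illustrated with an added example that is not part of the original article: a small purpose-based consent gate of the kind a site could use so that strictly necessary cookies are set immediately, non-essential cookies are held back until the individual consents to that purpose, and withdrawn consent expires the cookies already placed. The cookie jar is injected so the same logic runs in a browser (wrapping `document.cookie`) or in Node for testing. The class and function names, the purpose categories and the sample cookie names are assumptions for illustration only.

```javascript
// Added example (not from the original article). Purpose-based cookie consent gate.
// Names, purpose categories and sample cookies are illustrative assumptions.

// Cookies that are strictly necessary to deliver the service the user asked for
// (eg, a session cookie) are exempt from the consent requirement.
const STRICTLY_NECESSARY = 'necessary';

class ConsentGate {
  // jar must provide set(name, value, opts) and remove(name)
  constructor(jar) {
    this.jar = jar;
    this.consented = new Set();   // purposes the individual has agreed to
    this.pending = new Map();     // purpose -> cookies waiting for consent
    this.placed = new Map();      // purpose -> Set of cookie names actually set
  }

  // Called after the individual has seen the notice and agreed to these purposes.
  // Any cookies queued under those purposes are placed now.
  grant(purposes) {
    for (const p of purposes) {
      this.consented.add(p);
      for (const c of this.pending.get(p) || []) this._place(p, c);
      this.pending.delete(p);
    }
  }

  // Withdrawal of consent: expire every cookie placed under those purposes.
  revoke(purposes) {
    for (const p of purposes) {
      this.consented.delete(p);
      for (const name of this.placed.get(p) || []) this.jar.remove(name);
      this.placed.delete(p);
    }
  }

  // The single entry point for setting a cookie. Returns true if it was placed
  // now, false if it was queued pending consent for its purpose.
  setCookie(purpose, name, value, opts = {}) {
    const cookie = { name, value, opts };
    if (purpose === STRICTLY_NECESSARY || this.consented.has(purpose)) {
      this._place(purpose, cookie);
      return true;
    }
    if (!this.pending.has(purpose)) this.pending.set(purpose, []);
    this.pending.get(purpose).push(cookie);
    return false;
  }

  _place(purpose, cookie) {
    this.jar.set(cookie.name, cookie.value, cookie.opts);
    if (!this.placed.has(purpose)) this.placed.set(purpose, new Set());
    this.placed.get(purpose).add(cookie.name);
  }
}

// In-memory jar for Node and tests; a browser build would wrap document.cookie.
function memoryJar() {
  const store = new Map();
  return {
    set: (name, value) => { store.set(name, value); },
    remove: (name) => { store.delete(name); },
    names: () => [...store.keys()],
  };
}

// Walk through the expected flow with constructed sample cookies and return
// the jar contents observed at each step.
function demo() {
  const jar = memoryJar();
  const gate = new ConsentGate(jar);
  gate.setCookie(STRICTLY_NECESSARY, 'session_id', 'abc');   // placed before any consent
  const queued = gate.setCookie('analytics', '_ga', 'GA1.2.1'); // queued, not placed
  const beforeConsent = jar.names();
  gate.grant(['analytics']);                                  // queued cookie now placed
  const afterConsent = jar.names();
  gate.revoke(['analytics']);                                 // analytics cookie expired
  const afterRevoke = jar.names();
  return { queued, beforeConsent, afterConsent, afterRevoke };
}
```

The important property is that nothing outside the gate ever writes cookies directly; routing every setter through `setCookie` with a declared purpose is what makes the "no placement before consent" rule enforceable rather than aspirational.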

In addition to the Communications (Personal Data and Privacy) Regulations, service providers must comply with the requirements in the Data Protection Act 2004, paying particular attention to the third data protection principle that data controllers must not process personal data in such a way so as to be excessive.

Data transfer and third parties

Cross-border data transfer

What rules govern the transfer of data outside your jurisdiction?

The transfer of personal data to countries outside of Gibraltar is governed by Part 6 of the Data Protection Act 2004.

Are there restrictions on the geographic transfer of data?

Yes. There are two circumstances in which transfer is allowed under the Data Protection Act 2004:

  • The recipient country is a member of the European Economic Area; or
  • The recipient country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. Whether protection is ‘adequate’ depends on all the circumstances of the case (there is further guidance in Section 30(1)(b) of the Data Protection Act).

There are some narrow exceptions under which a transfer may proceed even where neither of those conditions is met. First, where the individual unambiguously consents to the data being transferred outside of the European Economic Area. Second, in the following circumstances:

  • in the execution of a contract to which the individual is either a party or the subject;
  • where there is an international obligation on Gibraltar to transfer the data;
  • where the transfer is necessary:
    • for reasons of substantial public interest;
    • for obtaining legal advice or defending legal rights;
    • to prevent injury or other damage to the health of the individual;
    • to prevent serious loss or damage to property of the individual;
    • to protect the individual’s vital interests;
  • where the data is part of a register established by law which is open either to the public or to persons with a legitimate interest in its subject matter; or
  • where the transfer is otherwise authorised by the Gibraltar Regulatory Authority (GRA), it being confident that adequate safeguards are in place.

Apart from the geographic restrictions set out above, the GRA has an overarching ability to prohibit transfers outside of Gibraltar unless:

  • the transfer is to an EEA country or another country which has adequate safeguards; or
  • there is an international obligation upon Gibraltar to transfer the data.

Other than in those two scenarios, the GRA may consider prohibiting a transfer outside of Gibraltar based on the provisions of the Data Protection Act that refer to any likely damage or distress to any party, as well as the desirability of facilitating international transfers of data.

If, having considered those factors, the GRA believes the transfer should be prohibited, it will issue a prohibition notice. This can be appealed by the recipient within 21 days to the Supreme Court.

Failure or refusal to comply with a prohibition notice within the time specified, and without a reasonable excuse, is an offence.

Third parties

Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?

When it comes to security, a vital area for data controllers to consider is the use of third-party data processors. This is because control of personal data, rather than possession, is the concept that underpins the EU framework and the Data Protection Act 2004.

First, a data controller must only contract with a processor that has sufficient security measures in place for that data. Second, the Data Protection Act mandates that the contract entered into by the data controller with the processor must:

  • be in writing;
  • include a requirement that the processor is to act only on the instructions of the controller; and
  • require the processor to comply with security obligations.

The management of third-party data processors is an area that many data controllers do not police carefully enough, and a number of data controllers have suffered penalties for failure to monitor third parties. Use of EU model contracts is advised for such arrangements.

Penalties and compensation

Penalties

What are the potential penalties for non-compliance with data protection provisions?

If a data controller or processor commits an offence under the Data Protection Act 2004 then there are two possible financial penalties:

  • on summary conviction, a fine not exceeding Level 4 on the standard scale (currently £2,000); or
  • on conviction on indictment, a fine not exceeding Level 5 on the standard scale (currently £5,000).

In addition, the court may order that information connected to the offence be forfeited or destroyed, and that any relevant data be erased.

Offences under the Communications (Personal Data and Privacy) Regulations 2006 can include up to two years’ imprisonment.

Compensation

Are individuals entitled to compensation for loss suffered as a result of a data breach or non-compliance with data protection provisions by the data owner?

The Gibraltar Regulatory Authority can make a compensation order against a data controller, in favour of an individual, for damage suffered by the individual for a contravention of the Data Protection Act 2004.

To avoid a compensation order, an organisation must show that it has taken such care as was reasonably required to comply with the requirements of the Data Protection Act.

Either party can appeal the issuing of a compensation order to the Supreme Court.

Cybersecurity

Cybersecurity legislation, regulation and enforcement

Has legislation been introduced in your jurisdiction that specifically covers cybercrime and/or cybersecurity?

Gibraltar has a range of laws that govern cybersecurity, including laws implementing EU directives and territory-specific laws. These include:

  • the Crimes Act 2011;
  • the Proceeds of Crime Act 2015;
  • the Crimes Act (Amendment) Regulations 2015, implementing the EU Directive on Attacks Against Information Systems (2013/40/EU);
  • the Communications (Combating Child Pornography) Regulations 2013, implementing the EU Directive on Combating the Sexual Exploitation of Children Online and Child Pornography (2011/92/EU);
  • the Criminal Offences Ordinance 2005, implementing the Council Framework Decision on Combating Fraud and Counterfeiting;
  • the Communications Act 2006;
  • the Communications (Personal Data and Privacy) Regulations 2006;
  • the Data Protection Act 2004; and
  • the Financial Services (EEA) (Payment Services) Regulations 2010.

As Gibraltar is a British Overseas Territory, some UK laws also apply. In particular, the Computer Misuse Act 1990 applies to “United Kingdom nationals”, which includes citizens of “British overseas territories” (Section 5(1B)(a)). Similarly, the Official Secrets Act 1989 applies to members of the security or intelligence services, crown servants, government contractors and anyone else who comes into possession of information protected by the act.

What are the other significant regulatory considerations regarding cybersecurity in your jurisdiction (including any international standards that have been adopted)?

Gibraltar complies with all EU standards and legal requirements regarding cybercrime. In addition, Gibraltar is a leading jurisdiction in promoting awareness of and avoidance of cybercrime (eg, see the Gib Cyber Summit 2017). Gibraltar supports the European Agenda on Security, according to which fighting cybercrime is one of the top three priorities (together with tackling terrorism and disrupting organised crime).

Gibraltar also complies with the OECD Common Reporting Standard, the US Foreign Account Tax Compliance Act (FATCA) and Financial Action Task Force (FATF) requirements and guidelines for the prevention of crime, tax evasion and the financing of terrorism.

Which cyber activities are criminalised in your jurisdiction?

Most of the laws focus on unauthorised access to electronic systems, avoiding theft and fraud, child protection, the avoidance of money laundering and terrorist financing and ensuring that personal data is protected by data controllers and processors and network providers. If the incident concerned is sufficiently serious, both companies and individuals can be prosecuted for offences under the Data Protection Act 2004, the Crimes Act 2011 and the Communications (Personal Data and Privacy) Regulations 2006 (in addition to the various enforcement powers conferred to the Gibraltar Regulatory Authority under these acts).

The Crimes Act penalises the following specific cyber-related activities:

  • unauthorised access to computer materials;
  • unauthorised access to computer materials with intent to commit or facilitate the commission of further offences;
  • unauthorised acts with intent to impair, or with recklessness as to impairing, the operation of a computer or related equipment;
  • unauthorised interception of computer services;
  • making, supplying or obtaining articles for use in an offence;
  • unauthorised acts causing or risking serious damage;
  • unauthorised disclosure of an access code; and
  • attempts and ancillary offences punishable as offences.

Which authorities are responsible for enforcing cybersecurity rules?

The Royal Gibraltar Police, the Gibraltar Financial Intelligence Unit and the Gibraltar Regulatory Authority are primarily responsible for policing and enforcing cybersecurity rules. However, other regulatory bodies (eg, the Gibraltar Financial Services Commission or the Gibraltar Gambling Commissioner) may also take enforcement actions against firms and organisations within their remit to support the primary authorities.

Cybersecurity best practice and reporting

Can companies obtain insurance for cybersecurity breaches and is it common to do so?

Insurance can be obtained and it is increasingly common to obtain it. While other business insurance policies may provide some cover, they are not necessarily designed to cover cybersecurity risks. Even cybersecurity policies must be checked very carefully to ensure they cover the risks that are of concern.

Are companies required to keep records of cybercrime threats, attacks and breaches?

Regulated businesses (eg, financial services companies, online gaming companies, trust and company administrators) must record such breaches and avoid such attacks as part of their authorisation requirements. In addition, under Section 34B(2)(a) of the Communications (Personal Data and Privacy) Regulations 2006, a person providing a public communications network must notify the Gibraltar Regulatory Authority (GRA) of a breach of security or loss of integrity to its network, and the GRA can request that such providers provide the information needed to assess the security or integrity of their services and networks, including documented security policies.

Are companies required to report cybercrime threats, attacks and breaches to the relevant authorities?

Regulated companies (eg, financial services companies, online gaming companies, trust and company administrators) must do so to their regulators and the Gibraltar Financial Intelligence Unit. All companies must also report cyberattacks to their insurance companies. Whether a person is required by law to report any crime will depend on the nature of the crime, but it is not a standard legal requirement in Gibraltar or the United Kingdom.

Are companies required to report cybercrime threats, attacks and breaches publicly?

Under Section 34A(6) of the Communications (Personal Data and Privacy) Regulations 2006, the Gibraltar Regulatory Authority (GRA):

may inform the public, or may require the person that has made a notification to it pursuant to subsection (4) [notification to the GRA of a breach of security or loss of integrity] to inform the public, where the Authority determines that disclosure of the breach is in the public interest.

Criminal sanctions and penalties

What are the potential criminal sanctions for cybercrime?

As there is a wide range of cybersecurity-related offences of different degrees of seriousness, it is impractical to list here all of the potential fines and imprisonment terms that may apply. For most cybercrime offences under the Crimes Act (ie, those that are most similar to those under the UK Computer Misuse Act 1990 relating to unauthorised access to or use of computer systems), penalties range from fines to prison sentences of up to 14 years.

What penalties may be imposed for failure to comply with cybersecurity regulations?

Most regulated entities will risk having their authorisation or licence to operate withdrawn (or having conditions attached to it) for any serious breach of the various cybercrime regulations and obligations. In addition, company directors may also risk losing their ability to act as a director of any company if they are found to be responsible for an offence committed by a company.

Specific offences under the Communications Act can be attributed personally to managers and directors of an organisation. The Communications Act also enables the Gibraltar Regulatory Authority to take action against public communications networks and providers of publicly available electronic communications services in respect of their security policies and procedures. This can include a requirement to be audited in respect of the same (Section 34B). Failures can give rise to fines and the imposition of licence conditions.