Bermuda - Data Protection Overview
August 2024

1. Governing Texts

As of the date of this publication, data protection in Bermuda is largely comprised of a complex set of sectoral laws, regulator guidance, and common law precedents established by the Bermuda courts.

The administrative provisions of the Personal Information Protection Act 2016 (PIPA), however, have been in force since December 2, 2016, and the corresponding independent regulatory authority, the Office of the Privacy Commissioner for Bermuda (PrivCom), has an established presence on the island. On June 15, 2023, the Government of Bermuda (the Government) and PrivCom jointly announced the official date for the remaining provisions of PIPA to come into effect as January 1, 2025, which was intended to provide organizations in Bermuda with an 18-month window to prepare for compliance with PIPA.

Organizations in Bermuda are now working against the clock, with less than six months to set budgets, develop compliant privacy programs, and prepare for breach incident response and reporting to PrivCom. Such preparations take place in the shadow of mounting global concern regarding the exploitation of individuals' personal information, the risks posed by Artificial Intelligence (AI)-driven solutions and by the defense solutions built around them, and the infiltration of complex systems by bad actors and foreign governments alike.

As an archipelago with a total land mass of only 53.2 km², Bermuda is the flagship jurisdiction for many insurers/reinsurers and further remains the commercial jurisdiction of choice for a sea of high-net-worth individuals (HNWI), investors, financial advisors, and wealth managers. More than ever, maintaining trust in commercial partnerships and community relationships is an intrinsic part of doing business – whether as a public authority, non-profit, public figure, or as an international commercial enterprise. PIPA, accordingly, is intended to reflect international trends in the regulation of informational privacy to maintain the island’s robust market presence. Once fully in force, PIPA will become the overarching framework regulating the right to personal information privacy in Bermuda.

In the interim, the policy and legislative landscape in Bermuda is already experiencing a shift towards a more modernized and resilient approach to the regulation of information and response to attacks:

  • Reform to access to information law: On 16 June 2023, the Bermuda Parliament (the Parliament) passed the Personal Information Protection Amendment Act 2023 (the Amendment Act), which will amend PIPA and the island's access to information framework (the Public Access to Information Act 2010 (PATI) and its corresponding regulations) in order to prepare for the new data protection framework to come into force. Amongst other changes, the Amendment Act will ensure that, following the commencement of PIPA, PATI will no longer apply to records relating to the personal information of a requester. Any requester making a request under PATI to a public authority to access or amend their personal information must be notified in writing that they should proceed under PIPA. The Governor of Bermuda provided their Assent to the Amendment Act on July 18, 2023. No express date has been announced for the Amendment Act to come into force within the jurisdiction as of this date.
  • Establishment of the cybersecurity legislative framework: On May 31, 2024, the House of Assembly passed the Cybersecurity Act 2024 (the Cybersecurity Act) in the wake of the September 2023 attack on the systems of the Government. This assault has been most recently described as a "cyberattack" by the Minister of National Security (the Minister) in their May 3, 2024 Cyber Security Update. The cyberattack caused prolonged disruptions to various public services in Bermuda which lasted weeks, or even months. The Governor of Bermuda provided their Assent to the Cybersecurity Act on June 24, 2024. No express date has been announced for the Cybersecurity Act to come into force within the jurisdiction as of this date.
  • Computer Misuse Act 2024: On May 17, 2024, the House of Assembly passed the Computer Misuse Act 2024 (CMA). The CMA is intended to repeal the Computer Misuse Act 1996 and replace it with a comprehensive statutory scheme that updates the law (by re-enacting and enhancing criminal offenses relating to unauthorized access of computers, which scheme is in line with international best practice as contained in the Council of Europe Convention on Cybercrime signed in Budapest on November 23, 2001). The Governor of Bermuda provided their Assent to the CMA on June 4, 2024, and again on July 9, 2024. No express date has been announced for the CMA to come into force within the jurisdiction as of this date.

Once PIPA is fully in force, it is expected that the data protection framework will be supplemented by an official body of determinations and guidance issued by PrivCom and decisions rendered by the Bermuda courts interpreting the same. In the event that determinations are issued similar to those of the Bermuda Information Commissioner's Office (ICO), the jurisdiction will see the formation of clear and reasoned decisions available to the public and, in due course, structured guidance to organizations such as the ICO's Compliance Enforcement Policy & Handbook issued in January 2024.

Accordingly, the Bermuda privacy and access to information landscape continues to develop and be recognized locally and internationally. This guidance note will remain under review and will be amended from time to time to reflect further privacy developments within the jurisdiction. In light of the fluid policy landscape in Bermuda, organizations are urged to take legal advice in connection with any specific organizational initiatives or the transfers of personal information involving Bermuda.

Establishment of Privacy Regulator in Bermuda

On December 13, 2019, the appointment of the island's first Privacy Commissioner, Mr. Alexander McD White, was announced by the Governor of Bermuda (the Governor) and the post became effective on January 20, 2020. Subsequent to that appointment, the public health crisis arising from the COVID-19 pandemic shifted local regulatory focus to the enactment of legislative measures to preserve residents' health.

Notwithstanding the uncertainty surrounding the future trajectory of Coronavirus, the timing of the appointment of the Privacy Commissioner was a significant catalyst for industry privacy awareness on the island. This was due, at least in part, to the high level of activity that the Privacy Commissioner engaged in, both within the jurisdiction and overseas, to promote awareness of PrivCom and the approach to be taken by the supervisory authority to business preparations for the new statutory privacy framework.

As of the date of this guidance, PrivCom is comprised of an Investigations Unit, Operations Unit, and Policy & Communications Unit. The public office is led by a Senior Management Team composed of the Privacy Commissioner for Bermuda, the Deputy Commissioner, the Assistant Commissioner (Operations), and the Assistant Commissioner (Investigations).

An individual or a representative of a personal information owner can now request a regulatory advisory opinion from PrivCom when they have a concern about a privacy violation, personal data breach, matters related to personal data protection, any other violation of PIPA, and other PIPA issuances that do not affect them personally or involve their personal data. General PrivCom support may also be requested in connection with specific industries or an information privacy breach or incident.

Internationally, PrivCom has been the first privacy regulator outside the Asia-Pacific Economic Cooperation (APEC) forum to recognize the Cross Border Privacy Rules (CBPR) as an effective certification mechanism for overseas data transfers. Between October 15 and 20, 2023, Bermuda hosted the Global Privacy and Data Protection Summit of the Global Privacy Assembly (GPA). Prior to the event, PrivCom was appointed to the Executive Committee of the GPA to plan and coordinate the gathering. The GPA was comprised of an open session (open to the local and international business community for registration on October 16 and 17, 2023) and a closed session (open to GPA Membership only on October 18-20, 2023).

1.1. Key acts, regulations, directives, bills

Existing sectoral laws in Bermuda are significantly older than PIPA. While it is generally anticipated that the existing data protection law will remain in force once PIPA is fully operative, it is worth noting that PIPA expressly provides that consequential amendments to other statutes can be made by the Minister responsible for ICT policy and innovation (the ICT Policy Minister) where it appears to be necessary or expedient for the purposes of the legislation. All legislation, including PIPA, is and will continue to be subject to the Bermuda Constitution Order 1968 (the Constitution), which overrides domestic legislation, common law principles, and the Human Rights Act 1981 (HRA).

PIPA expressly states that if its provisions are inconsistent or in conflict with a provision of another enactment, PIPA will prevail unless it is inconsistent with or in conflict with a provision in the HRA, in which case, the HRA will prevail. PIPA further states that the legislation applies notwithstanding any agreement to the contrary and any waiver or release of the rights, benefits, or protections provided under PIPA will be against public policy and void.

Constitutional provisions

Chapter 1 of the Constitution expressly establishes that every person in Bermuda is entitled to protection for the privacy of their home and other property, subject to respect for the rights and freedoms of others and for the public interest. In advance of the appointment of the Privacy Commissioner, a significant constitutional step was taken by the Governor through the exercise of her powers under the Constitution to protect and support the mandate of the Privacy Commissioner and to ensure the independence of PrivCom.

Acting in accordance with the recommendation of the Bermuda Public Service Commission, the Governor issued the Bermuda Public Service (Delegation of Powers) Amendment Regulations 2018 (the Regulations) on January 11, 2018. Through these Regulations, the Governor has delegated her constitutional powers to both the Information Commissioner (responsible for the enforcement of PATI) and the Privacy Commissioner to exercise control over the appointment, removal, and disciplinary control of the public officers assisting in the discharge of the functions of their independent offices. This watershed measure significantly reduced the risk of governmental influence over these offices and is thoroughly welcomed as part of good governance for the administration of these offices and in preparation for an adequacy application.

1.2. Guidelines

There are a number of regulatory authorities and postholders in Bermuda that have the power to issue guidance, or have issued guidance, pertaining to cyber and data protection, including but not limited to:

  • PrivCom: PrivCom has issued a series of recent blog posts and guidance in a variety of privacy contexts inclusive of cyberattacks, PIPA compliance levels, children, and ChatGPT. It has also issued blog posts and guidance on public health emergencies & contact tracing, cybersecurity, data transfers, privacy officers, and privacy and cybersecurity program development.
  • Bermuda Monetary Authority: The Bermuda Monetary Authority (BMA) has issued a revised Operational Cyber Risk Management Codes of Conduct applicable to specific licensees (inclusive of Insurance, Corporate Service Providers, Trust Companies, Money Service Businesses, Investment Businesses, Fund Administration Providers, Banks, and Deposit Companies). Licensees were required to be in compliance with the same by February 15, 2023.
  • Pursuant to Section 20(11) of PIPA, the ICT Policy Minister may, in consultation with PrivCom, prescribe any fees which are applicable to the administration of requests by organizations for access to personal information (Section 17 of PIPA) and access to medical records (Section 18 of PIPA). As of the date of the drafting of this guidance, the ICT Policy Minister has not prescribed any such fees.
  • Pursuant to Section 32 of PIPA (not currently in force), the ICT Policy Minister will be required to issue codes of practice, after consultation with PrivCom, with best practice advice for organizations generally, or for specific types of organizations, to comply with PIPA. PrivCom may also be consulted by the ICT Policy Minister in connection with the Minister's passing of general regulations for the carrying out of, or giving effect to the purposes of, PIPA. As of the date of the drafting of this guidance, the ICT Policy Minister has not issued any such guidance.

1.3. Case law

Not applicable.

2. Scope of Application

2.1. Personal scope

PIPA will apply to every organization that uses personal information in Bermuda where that personal information is used wholly or partly by automated means, and to the use, other than by automated means, of personal information which forms, or is intended to form, part of a structured filing system. An 'organization' is defined by PIPA as any individual, entity, or public authority that uses personal information.

2.2. Territorial scope

Please see the section on personal scope above.

2.3. Material scope

PIPA does not apply to:

  • the use of personal information for personal or domestic purposes;
  • the use of personal information for artistic, literary, or journalistic purposes with a view to publication in the public interest in so far as is necessary to protect the right to freedom of expression;
  • the use of business contact information (an individual's name, position name, or title, business telephone number, business address, business email, business fax number, and other similar business information) for the purpose of contacting an individual in their capacity as an employee or official of an organization;
  • personal information about an individual who has been dead for at least 20 years;
  • personal information about an individual that has been in existence for at least 150 years;
  • personal information transferred to an archival institution where access to the personal information was unrestricted or governed by an agreement between the archival institution and the donor of the personal information before the coming into operation of PIPA;
  • personal information contained in a court file and used by a judge of any court in Bermuda, used as part of judicial administration or relating to support services provided to the judges of any court in Bermuda, but only where such personal information is necessary for judicial purposes;
  • personal information contained in a personal note, communication, or draft decision created by or for an individual who is acting in a judicial, quasi-judicial, or adjudicative capacity; and
  • personal information used by a member of the House of Assembly or the Senate where such use relates to the exercise of his political function and the personal information is covered by parliamentary privilege.

The legislation will also not apply to affect any legal privilege, limit the information available by law to a party to any legal proceedings, or limit or affect the use of information that is the subject of trust conditions or undertakings to which a lawyer is subject.

Specific exemptions

PIPA further establishes a series of exemptions for organizations. The main exemptions provide that, except for the minimum requirements, organizations do not need to comply with many of the substantive provisions of PIPA.

The main exemptions in PIPA can be broadly described as follows:

  • the national security exemption, which requires an exemption certificate signed by the ICT Policy Minister;
  • the communication provider exemption, which eliminates the liabilities of directors, officers, or authorized agents of communications providers for any breach committed while acting as a communication provider under PIPA;
  • the regulatory activity and honors exemption, which applies only if:
    • such use is required for the purposes of discharging a relevant function (as defined in Section 24(3) of PIPA); the relevant function is designed for a purpose recognized by the section (Section 24(2) of PIPA); and
    • only to the extent to which the application of the substantive provisions of PIPA would be likely to prejudice the proper discharge of those functions; and
  • the general exemption, which applies to specific instances of law enforcement, the economic, or financial interests of Bermuda, and the regulation of professionals, to the extent that the application of some of the substantive provisions of PIPA would be likely to prejudice any of these matters.

The ancillary exemption in PIPA is as follows:

  • the disclosure for the purposes of business transaction exemption, which applies during the period leading up to and including the completion of a business transaction and also where a business transaction is completed only if:
    • the business transaction falls within the specific definition provided by PIPA; and
    • the personal information is necessary for a purpose identified by PIPA.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

On January 20, 2020, the appointment of Bermuda's first Privacy Commissioner, Mr. Alexander McD White, became effective. Notwithstanding this notable advancement towards enhanced privacy regulatory enforcement in Bermuda, the substantive provisions of PIPA remain inoperative until January 1, 2025, and data protection is largely regulated by the Courts and on a sectoral basis.

3.2. Main powers, duties and responsibilities

The main powers, duties, and responsibilities of PrivCom are threefold and can be summarised as follows:

Investigation and resolution of complaints

  • conduct investigations or inquiries concerning compliance with PIPA; and
  • attempt to resolve complaints by negotiation, conciliation, mediation, or otherwise.

Education and industry guidance

  • comment on the implications for the protection of personal information in relation to an organization's existing or proposed programs;
  • approve Binding Corporate Rules ('BCRs') for transfers of personal information to an overseas third party. BCRs are defined under PIPA as personal information protection policies approved by the Privacy Commissioner which are adhered to by an organisation for transfers or sets of transfers of personal information;
  • give guidance and recommendations of general application to an organization on matters relating to its rights or obligations under PIPA; and
  • establish or assist with the establishment of certification mechanisms and associated rules for the purpose of demonstrating compliance with PIPA (and may, without prejudice to their tasks and powers, delegate the operation of a certification mechanism to an independent certification body with the appropriate level of expertise in relation to the protection of personal information).

Orders and enforcement activity

  • issue formal warnings, admonish an organization, and bring to its attention any failure by the organization to comply with PIPA;
  • agree on a course of action with an organization;
  • issue orders in connection with inquiries and permit an organization to transfer personal information to an overseas third party (for use either on behalf of the organization or for that overseas third party's own business practices) where the organization has reasonably demonstrated that it is unable to comply with PIPA's statutory procedure for organizations to assess the level of protection provided by an overseas third party for personal information (provided the transfer does not undermine the rights of the individual); and
  • authorize an organization to disregard one or more requests for access to personal information, medical records, or rectification, blocking, erasure, or destruction of personal information if the requests would unreasonably interfere with the operations of the organisation or amount to an abuse of the right to make those requests, because of their repetitious or systematic nature or are otherwise frivolous or vexatious.

Sanctioning powers

On completing an inquiry, PrivCom must dispose of the matters by making an order or issuing a formal warning or public admonishment.

If the inquiry relates to an organization's decision to give or refuse to give access to all or part of an individual's personal information, the Privacy Commissioner may, by order:

  • direct the organization to give the individual access to all or part of their personal information that is under the control of the organization;
  • confirm the decision of the organization;
  • require the organization to reconsider its decision concerning access; or
  • direct the organization to refuse the individual access to all or part of their personal information.

If the inquiry relates to any other matter, the Privacy Commissioner may, by order, do one or more of the following:

  • confirm that a PIPA obligation imposed on an organization has been performed;
  • require that a PIPA obligation imposed on an organization be performed (including requiring an organization to take specific steps to remedy a breach of the legislation);
  • confirm that a right set out in PIPA has been observed;
  • require that a right set out in PIPA be observed;
  • confirm an organization's decision not to correct, erase, delete, or destroy personal information;
  • specify that personal information is to be corrected, erased, deleted, or destroyed by an organization and:
    • how such personal information is to be corrected, erased, deleted, or destroyed; and
    • may, if reasonably practicable, require the organization to notify third parties to whom the personal information has been disclosed of the correction, erasure, deletion, or destruction;
  • require an organization to stop using personal information in contravention of PIPA;
  • confirm a decision of an organization to use personal information;
  • require an organization to destroy personal information used contrary to PIPA; and
  • require an organization to provide specific information to persons in the event of a breach of security.

The Privacy Commissioner may, alternatively, make an order as they consider appropriate or may issue a formal warning or public admonishment if the abovementioned orders would not be applicable. A copy of an abovementioned order may be filed with the Registrar of the Supreme Court of Bermuda ('the Supreme Court') and, after filing, the order is enforceable as a judgment or order of that court.

4. Key Definitions

Data controller: There is no statutory term or corresponding definition for 'data controller' in PIPA. Instead, PIPA adopts the statutory term 'organisation' which is broadly defined as any individual, entity, or public authority that uses personal information.

Data processor: There is no statutory term or corresponding definition for 'data processor' in PIPA.

Personal information: 'Personal information' means any information about an identified or identifiable individual.

Sensitive personal information: 'Sensitive personal information' is any personal information relating to an individual's place of origin, race, color, national or ethnic origin, sex, sexual orientation, sexual life, marital status, physical or mental disability, physical or mental health, family status, religious beliefs, political opinions, trade union membership, biometric information or genetic information (not yet in force).

Health data: There is no definition for 'health data' in PIPA, although PIPA does make reference to medical records in the context of an access request by a data subject, which are described as "personal information of a medical or psychiatric nature relating to the individual" or "personal information kept for the purposes of, or obtained in the course of, the carrying out of social work in relation to the individual."

Biometric information: Any information relating to the physical, physiological, or behavioral characteristics of an individual which allows his unique identification, such as facial images or fingerprint information.

Pseudonymisation: There is no definition for 'pseudonymisation' in PIPA.

5. Legal Bases

Conditions for use of personal information

Section 6 of PIPA (not in force) establishes that (with limited exceptions) an organization may use an individual's personal information only if one or more of the following conditions are met:

  • the personal information is used with the consent of the individual where the organization can reasonably demonstrate that the individual has knowingly consented;
  • except in relation to sensitive personal information, a reasonable person giving due weight to the sensitivity of the personal information, would consider that the individual would not reasonably be expected to request that the use of their personal information should not begin or cease, and that the use does not prejudice the rights of the individual;
  • the use of the personal information is necessary for the performance of a contract to which the individual is a party or for the taking of steps at the request of the individual with a view to entering into a contract;
  • the use of the personal information is pursuant to a provision of law that authorizes or requires such use;
  • the personal information is publicly available information and will be used for a purpose that is consistent with the purpose of its public availability;
  • the use of the personal information is necessary to respond to an emergency that threatens the life, health, or security of an individual or the public;
  • the use of the personal information is necessary to perform a task carried out in the public interest or in the exercise of official authority vested in the organization or in a third party to whom the personal information is disclosed; or
  • the use of the personal information is necessary in the context of an individual's present, past, or potential employment relationship with the organization.

5.1. Consent

For the purpose of relying on consent as a condition for the use of personal information, PIPA establishes that:

  • an organization must provide clear, prominent, easily understandable, accessible mechanisms for an individual to give consent in relation to the use of their personal information;
  • an organization is not obliged to provide such mechanisms where it can be reasonably implied from the conduct of an individual that they consent to the use of their personal information for all intended purposes that have been notified to them, but this does not apply to sensitive personal information;
  • when an individual consents to the disclosure of their personal information by an intermediary for a specified purpose, that individual will be deemed to have consented to the use of that personal information by the receiving organization for the specified purpose; and
  • an individual will be deemed to have consented to the use of their personal information for the purpose of coverage or enrolment under an insurance, trust, benefit, or similar plan if the individual has an interest in or derives a benefit from that plan.

5.2. Contract with the data subject

Please see the section on legal bases above.

5.3. Legal obligations

Please see the section on legal bases above.

If an organization is unable to meet any of the conditions of use in PIPA (as set out above) then it may use personal information only if:

  • the personal information was collected from, or is disclosed to, a public authority which is authorized or required by a statutory provision to provide the personal information to, or collect it from, the organization;
  • the use of personal information is for the purpose of complying with an order made by a court, individual, or body having jurisdiction over the organization; or
  • the use of personal information is reasonable to protect or defend the organization in any legal proceeding.

5.4. Interests of the data subject

Please see the section on legal bases above.

5.5. Public interest

Please see the section on legal bases above.

5.6. Legitimate interests of the data controller

Not applicable.

5.7. Legal bases in other instances

If an organization is unable to meet any of the conditions of use in PIPA (as set out above) then it may use personal information only if:

  • the use of the personal information is for the purpose of contacting the next of kin or a friend of an injured, ill, or deceased individual;
  • the use of personal information is necessary in order to collect a debt owed to the organization or for the organization to repay to the individual money owed by the organization; or
  • the use of the personal information is in connection with disclosure to the surviving spouse or a relative of a deceased individual if, in the reasonable opinion of the organization, the disclosure is appropriate.

6. Principles

The PIPA Draft Model and its corresponding explanatory notes (the Explanatory Notes) were released in 2015.

The Explanatory Notes defined privacy as 'the expectation that confidential personal information disclosed in private will not be disclosed to third parties when that disclosure would cause either embarrassment or emotional distress to a person of reasonable sensitivities'. They further confirmed that the PIPA Draft Model was based on the following eight international privacy principles:

  • personal information shall be used fairly and lawfully;
  • personal information shall be used for limited specified purposes;
  • personal information shall be adequate, relevant, and not excessive in relation to the purpose or purposes for which they are used;
  • personal information shall be accurate and, where necessary, kept up to date;
  • personal information used for any purpose shall not be kept for longer than is necessary for that use;
  • personal information shall be used in accordance with the rights of individuals;
  • personal information shall be kept securely; and
  • personal information shall only be transferred to third parties (including international transfers) where there is a comparable level of protection.

According to the Explanatory Notes, the PIPA Draft Model was intended to provide a light regulatory environment, but one which had been prepared so that an application for EU adequacy might be made. In this context, the Explanatory Notes confirmed that the purpose of PIPA was, 'to govern the use of personal information by organizations in a manner that recognizes both the need to protect the human rights of individuals in relation to their personal information and the need of organizations to use personal information for purposes that are legitimate.'

7. Controller and Processor Obligations

*Notwithstanding the above sub-heading, please note that PIPA does not adopt the terms 'controller' or 'processor' (or 'joint controller') into its terminology for the purposes of defining the extent of organizations' responsibilities and rights.

7.1. Data processing notification

Organizations are not required to register with PrivCom.

7.2. Data transfers

As noted above, PIPA does not adopt the terms 'controller' or 'processor' (or 'joint controller') into its terminology for the purposes of defining the extent of organizations' responsibilities and rights. PIPA does, however, make a distinction between a third party and an overseas third party, and establishes a statutory procedure (not in force) for organizations to assess the level of protection provided by an overseas third party for personal information in advance of any transfer of personal information to that overseas third party. PIPA defines an 'overseas third party' as an organization not domiciled in Bermuda.

Outsourcing

PIPA establishes that where an organization engages (by contract or otherwise) the services of a third party in connection with the use of personal information, the organization remains responsible for ensuring compliance with the legislation at all times. A 'third party' is not defined under PIPA.

Transfers

When an organization that uses personal information in Bermuda transfers personal information to an overseas third party for use by that overseas third party on behalf of the organization, or for the overseas third party's own business purposes, the organization remains responsible for compliance with PIPA in relation to that personal information.

Before making any such transfer, the general requirement established by PIPA (not currently in force) is that an organization must complete the following statutory procedure to assess the level of protection provided by the overseas third party for that personal information:

  • consider the level of protection afforded by the law applicable to such overseas third party;
  • if the organization reasonably believes that the protection provided by the overseas third party is comparable to the level of protection required by PIPA, the organization may rely on such a comparable level of protection while the personal information is being used by the overseas third party; and
  • where the level of protection threshold is not satisfied, the organization must employ contractual mechanisms, corporate codes of conduct including BCRs, or other means to ensure that the overseas third party provides a comparable level of protection.

For the purposes of deciding whether the protection provided by the overseas third party is comparable to the level of protection required by PIPA, an organization that uses personal information in Bermuda can take into account:

  • the designation of any jurisdiction as providing a comparable level of protection by the ICT Minister; and
  • the third party's adoption of a certification mechanism recognized by PrivCom.

Notwithstanding the general position outlined above, an organization may transfer personal information to an overseas third party for use by that overseas third party, on behalf of the organization or for the overseas third party's own business purposes, if:

  • the transfer of personal information is necessary for the establishment, exercise, or defense of legal rights; or
  • the organization assesses all the circumstances surrounding the transfer of personal information to the overseas third party and reasonably considers that the transfer of personal information is:
    • small-scale;
    • occasional; and
    • unlikely to prejudice the rights of an individual.

In March 2021, PrivCom exercised its authority under Section 29(1)(i) of PIPA to recognize the APEC CBPR System as a certification mechanism for transfers of personal information to an overseas third party. While a relatively new standard, the CBPR System has been recognized as an overseas data transfer mechanism by multiple Asia-Pacific countries and is an explicitly named option in the recent Agreement between the United States of America, the United Mexican States, and Canada (USMCA).

PrivCom recommended that if an overseas third party claims to be CBPR-certified, Bermudian organizations should verify that claim by consulting the public Compliance Directory and should further ensure that the CBPR certification is a material part of their agreement with the overseas third party.

7.3. Data processing records

There is no explicit requirement in PIPA for organizations to maintain records pertaining to their use of personal information. Notwithstanding this, once PIPA is fully in force it may prove challenging for organizations to meet their wider obligations under PIPA and to demonstrate that their practices are compliant with PIPA in the absence of the same.

Sectoral law in Bermuda does establish general statutory requirements for the maintenance of records by organizations.

7.4. Data protection impact assessment

There is no explicit requirement in PIPA for organizations to carry out a Data Protection Impact Assessment (DPIA).

Notwithstanding this, once PIPA is fully in force, organizations which use personal information will be subject to the statutory requirements of fairness, purpose limitation, proportionality, maintaining the integrity of personal information, and employing security safeguards.

An overarching requirement will be that an organization must adopt suitable measures and policies to give effect to its obligations and to the rights of individuals in PIPA and must further act in a reasonable manner.

In the absence of carrying out a DPIA or establishing internal triggers for the circumstances in which a DPIA should be undertaken, an organization may find it challenging to meet these wider obligations and to demonstrate that its practices with respect to the use of personal information are compliant with PIPA.

7.5. Data protection officer appointment

PIPA requires organizations to designate a representative privacy officer for the purposes of compliance with the legislation. The privacy officer will be tasked with the primary responsibility for communicating with PrivCom. The legislation confirms that a group of organizations under common ownership or control may appoint a single privacy officer, provided that a privacy officer is accessible from each organization. A designated privacy officer may also delegate their duties to one or more individuals.

The privacy officer acts as the representative of the organization for the purposes of compliance with PIPA and has the primary responsibility for communicating with the Commissioner (Section 5(4) of PIPA).

Furthermore, the Privacy Officer Guidance outlines that the privacy officer may delegate some of the tasks for which they are responsible. In addition, the Privacy Officer Guidance states that the privacy officer is responsible for the following tasks:

  • developing the organization's privacy program and communicating with PrivCom and the public;
  • overall organizational compliance;
  • ensuring organizations develop appropriate measures and policies to give effect to their obligations and to rights under PIPA;
  • responding to communications and requests from PrivCom; and
  • responding to questions from individuals and/or requests to exercise PIPA rights.

PIPA does not explicitly state where the privacy officer must sit within an organization; however, the Privacy Officer Guidance clarifies that a privacy officer should hold a position of responsibility within an organization with sufficient authority to oversee and ensure compliance with PIPA. Furthermore, the Privacy Officer Guidance notes that a privacy officer should be a senior decision-maker with full authorization, who may also serve as a privacy officer for an organizational group, so long as they are accessible from each organization, as mentioned above.

7.6. Data breach notification

PIPA mandates that where there has been a breach of security leading to the loss or unlawful destruction or unauthorized disclosure of or access to personal information, which is likely to adversely affect an individual, the organization responsible for that personal information must, without undue delay:

  • notify any individual affected by the breach; and
  • notify PrivCom of the breach. The notification to PrivCom must describe:
    • the nature of the breach;
    • its likely consequences for that individual; and
    • the measures taken and to be taken by the organization to address the breach, so that PrivCom can determine whether to order the organization to take further steps and for PrivCom to maintain a record of the breach and the measures taken.

In response to the 2023 cyberattack on the Government services in Bermuda, PrivCom stated that they considered the notification requirement in PIPA to be "one of the most practically important aspects of PIPA once the Government brings it into effect on January 1, 2025."

7.7. Data retention

There are no specific provisions in PIPA requiring organizations to delete personal information within specific timeframes. However, PIPA does provide that an organization must ensure that personal information for any use is not kept for longer than is necessary for that use. This is considered part of an organization's responsibility to maintain the integrity of personal information.

7.8. Children's data

Once fully in force, PIPA will regulate the use of personal information about children in the provision of information society services. In this context, the following statutory definitions are applicable:

  • information society service: means a service which is delivered by means of digital or electronic communications; and
  • child: means an individual under the age of 14.

Where consent is relied upon, PIPA will require an organization which uses personal information about a child in the provision of an information society service to obtain consent from a parent or guardian before the personal information is collected or otherwise used, if:

  • the service is targeted at children; or
  • the organization has actual knowledge that it is using personal information about children.

In using personal information about a child in the provision of an information society service, an organization must be reasonably satisfied that the consent obtained is verifiable (so that it can be obtained only from the child's parent or guardian) and must further establish procedures to verify whether the individual is a child when it is reasonably likely that the organization will use personal information about a child.

When an organization is providing an information society service to a child, the organization will further be prohibited from seeking to obtain personal information from the child about other individuals, including in particular, personal information relating to the professional activity of parents or guardians, financial information, or sociological information. This prohibition is subject to the exception that an organization may seek to obtain personal information about the identity and address of the child's parent or guardian for the sole purpose of obtaining consent in accordance with PIPA's requirements.

When complying with its PIPA obligations, an organization delivering an information society service to a child must provide a privacy notice that is easily understandable and appropriate to the age of the child. In legal proceedings brought against an organization for failure to comply with these requirements, it will be a defense for the organization to prove that it had taken such care as in all circumstances was reasonably necessary to comply with these requirements.

7.9. Special categories of personal data

Once fully in force, PIPA will prohibit an organization from using sensitive personal information without lawful authority to discriminate against any person contrary to any provision of Part II of the HRA. Sensitive personal information will be considered to be used with lawful authority if and only to the extent that it is used:

  • with the consent of any individual to whom the information relates;
  • in accordance with an order made by either the court or PrivCom;
  • for the purpose of any criminal or civil proceedings; or
  • in the context of recruitment or employment where the nature of the role justifies such use.

7.10. Controller and processor contracts

PIPA does not adopt the terminology of 'data controller' or 'data processor' and accordingly, the concept of 'controller and processor contracts' will not necessarily be applicable.

There is currently no requirement in PIPA for an organization to enter into a contractual arrangement with a third party to lawfully effect a transfer of personal information. However, Section 5 of PIPA (not in force), expressly confirms that where an organization engages (by contract or otherwise) in the services of a third party in connection with the use of personal information, the organization remains responsible for always ensuring compliance with the legislation.

Section 15 of PIPA (not in force) further establishes a statutory verification process that organizations regulated by PIPA must undertake prior to any transfer of personal information to an overseas third party. If a regulated organization reasonably believes that the protection provided by the overseas third party is not comparable to the level of protection required by PIPA, that organization must employ contractual mechanisms, corporate codes of conduct (including BCRs), or other means to ensure that the overseas third party provides a comparable level of protection.

Where a regulated organization relies on a certification mechanism, even one that has been recognized by PrivCom, to justify its determination that the protection in an overseas third party's country is comparable to PIPA, PrivCom's guidance indicates that the organization should ensure that the certification is a material part of its agreement with the overseas third party.

8. Data Subject Rights

8.1. Right to be informed

Once fully in force, PIPA will require organizations to take all reasonably practicable steps to ensure that a privacy notice is provided to data subjects either before or at the time of collection of personal information, or, where that is not possible, as soon thereafter as is reasonably practicable.

Privacy notices

Subject to discrete exceptions, Section 9 of PIPA (not in force) mandates that organizations must issue privacy notices to individuals regarding their practices and policies with respect to personal information. Organizations must take all reasonably practicable steps to ensure that the privacy notice is provided either before or at the time of collection of personal information, or, where that is not possible, as soon thereafter as is reasonably practicable. The following mandatory content must be included in the privacy notice of an organization:

  • the fact that personal information is being used;
  • the purposes for which personal information is or might be used;
  • the identity and types of individuals or organizations to whom personal information might be disclosed;
  • the identity and location of the organization, including information on how to contact it about its handling of personal information;
  • the name of the privacy officer (The Amendment Act 2023 will amend PIPA to require the contact information of the privacy officer to be provided instead of the name of the privacy officer); and
  • the choices and means that the organization provides to an individual for limiting the use of, and for accessing, rectifying, blocking, erasing, and destroying their personal information (The Amendment Act 2023 will amend PIPA to refer to 'correcting' instead of 'rectifying').

From January 29 through February 2, 2024, PrivCom engaged in the annual Global Privacy Enforcement Network (GPEN) sweep. The annual initiative involved 26 global privacy enforcement agencies and was aimed at increasing awareness of privacy rights and responsibilities, encouraging compliance with privacy legislation, and enhancing cooperation between international privacy enforcement authorities. Each year, authorities select a theme and examine the privacy communications of a particular product or service under that theme to determine what personal information is being collected, how it is being used, how it is protected, and to whom it may be disclosed. Conclusions on best practices and how organizations could improve privacy protections are compiled and made public.

The Bermuda sweep occurred on February 1, 2024, and surveyed 196 local websites; it did not examine mobile applications (apps). This included websites using either a Bermuda or an overseas domain (e.g., .bm & .com), and all organizations were categorized into the provided GPEN sectors (banking & financial services, children, health & fitness, news & entertainment, public sector, retail (goods & services), travel & accommodation, and others (restaurants, healthcare, telecommunications, and law firms)). The sweep was not an investigation, nor was it intended to generate formal findings regarding confirmed violations of privacy legislation.

PrivCom found that of the total of 196 organizations surveyed:

  • 40% (78) had a privacy notice/policy/terms & conditions;
  • 22% (44) included the contact information of their privacy officer or team;
  • 3% (5) made a reference to PrivCom and included its contact information; and
  • 7% (13) had a link (or a tab) to a privacy policy/notice but the document was missing.

Of 78 websites that did have a privacy notice/policy/terms and conditions displayed on their website:

  • 5% (4) used language that was fairly difficult to understand;
  • 76% (59) used language that was difficult to understand;
  • 18% (14) used language that was very difficult to understand; and
  • 1% (1) used language that was extremely difficult to understand.

PrivCom has identified its participation in the international initiative as "an important first step for our office into the phase of conducting active investigations" and has confirmed that the sweep "gives our office statistics about what sort of guidance would be useful. The sweep results provide a baseline by which we can measure our progress as a community in these areas."

8.2. Right to access

Subject to specific exemptions, at the request of an individual for access to their personal information, and having regard to that which is reasonable, an organization must provide the individual with access to:

  • personal information about the individual in the custody or under the control of the organization;
  • the purposes for which the personal information has been and is being used by the organization; and
  • the names of the persons or types of persons to whom, and circumstances in which, the personal information has been and is being disclosed.

8.3. Right to rectification

An individual may make a written request to an organization to correct an error or omission in any of their personal information which is under the control of the organization. If there is an error or omission in personal information in respect of which a request for a correction is received by an organization, the organization must correct the personal information as soon as reasonably practicable. Where the organization has also disclosed the incorrect information to other organizations, the organization must send a notification containing the corrected information to each such organization, if it is reasonable to do so. The Personal Information Protection Amendment Act 2023 will amend PIPA to refer to 'correction' instead of 'rectification'.

8.4. Right to erasure

An individual may request an organization to erase or destroy personal information about themselves where that personal information is no longer relevant for the purposes of its use. On receiving such a request, an organization must erase or destroy the personal information that the individual has identified in their request or provide the individual with written reasons as to why the use of such personal information is justified.

8.5. Right to object/opt-out

An individual may request an organization to cease, or not to begin, using their personal information for the purposes of advertising, marketing, or public relations. On receiving such a request, an organization must cease, or not begin, using the personal information for such purposes. An individual may also request an organization to cease, or not to begin, using their personal information where the use of that personal information is causing or is likely to cause substantial damage or substantial distress to the individual or to another individual. On receiving such a request, an organization must either cease, or not begin, using the personal information that the individual has identified in their request, or provide the individual with written reasons as to why the use of such personal information is justified.

8.6. Right to data portability

Although PIPA does provide for the right to access personal information, the legislation does not expressly provide for the right to data portability. However, it is possible that this activity could fall within the scope of the right of access; this remains a matter for the interpretation of PrivCom.

8.7. Right not to be subject to automated decision-making

PIPA currently does not expressly provide for the right not to be subject to automated decision-making; however, it is possible that this activity could fall within the scope of other rights, and it remains a matter for the interpretation of PrivCom.

8.8. Other rights

Not applicable.

9. Penalties

Subject to Section 47(5) of PIPA, a person commits an offense if they (Section 47(1) of PIPA):

  • wilfully or negligently use or authorize the use of personal information in a manner that is inconsistent with Part 2 of PIPA and is likely to cause harm to an individual or individuals;
  • wilfully attempt to gain, or gain, access to personal information in a manner that is inconsistent with PIPA and is likely to cause harm to an individual or individuals;
  • dispose of, alter, falsify, conceal, or destroy personal information, or direct another person to do so, in order to evade a request for access to the personal information;
  • obstruct PrivCom or an authorized delegate of PrivCom in the performance of PrivCom's duties, powers, or functions under PIPA; or
  • knowingly or recklessly fail to comply with Section 34(1) of PIPA (restrictions on disclosure by Commissioner or staff).

Subject to Sections 47(4) and 47(5) of PIPA, a person commits an offense if they (Section 47(2) of PIPA):

  • fail to comply with an order made by PrivCom under PIPA;
  • fail to comply with a notice served by PrivCom under PIPA;
  • contravene Section 7 of PIPA (sensitive personal information);
  • dispose of, alter, falsify, conceal, or destroy evidence during an investigation or inquiry by PrivCom; or
  • fail to notify a breach of security to PrivCom in accordance with Section 14 of PIPA.

A person who commits an offense under Section 47(1) or (2) of PIPA is liable (Section 47(3) of PIPA):

  • on summary conviction, in the case of an individual, to a fine not exceeding $25,000 or to imprisonment not exceeding two years or to both; and
  • on conviction on indictment, in the case of a person other than an individual, to a fine not exceeding $250,000.

In proceedings brought against an organization or an individual, it is a defense for the organization or individual charged with an offense under Section 47(2) of PIPA to prove to the satisfaction of the court that the organization or individual, as the case may be, acted reasonably in the circumstances that gave rise to the offense (Section 47(4) of PIPA). In determining whether a person has committed an offense under PIPA, a court shall consider whether a person has followed any relevant code of practice which was at the time issued by the Minister (Section 47(5) of PIPA).

Where an offense under this PIPA has been committed by a body corporate and is proved to have been committed with the consent or connivance of, or to be attributable to, any neglect on the part of (Section 47(6) of PIPA):

  • any director, manager, secretary, or similar officer of the body corporate; or
  • any person who was purporting to act in any such capacity, that person, as well as the body corporate, commits that offense and is liable to be proceeded against and punished accordingly.

Where the affairs of a body corporate are managed by its members, Section 47(6) of PIPA applies, in relation to the acts and defaults of a member in connection with their function of management, as if he were a director of the body corporate.

Court/damages

A copy of an order made by PrivCom may be filed with the Registrar of the Supreme Court and, after filing, the order is enforceable as a judgment or order of that Court. An individual who suffers financial loss or emotional distress due to an organization's failure to comply with any of the requirements of PIPA will be entitled to compensation from the organization. The amount of compensation that an individual is entitled to under PIPA for each contravention will be determined by the Court. In legal proceedings brought against an organization for failure to comply with PIPA, it will be a defense for the organization to prove that it had taken such care as in all circumstances was reasonably necessary to comply with the requirement.

9.1. Enforcement decisions

In the absence of the substantive provisions of PIPA being in force, no formal enforcement decisions have been issued by PrivCom to date.