
Bermuda - Data Protection Overview

August 2023

1. Governing Texts

Data protection in Bermuda is currently comprised of a complex set of sectoral laws, regulator guidance, and common law precedents established by the Bermuda courts. The Personal Information Protection Act 2016 ('PIPA'), however, is now partially in force within the jurisdiction (sections 1, 2, 26, 27, 28, 29, 35, 36, 51, and 52) and is intended to become the overarching legislation regulating the right to personal information privacy in Bermuda. On June 15, 2023, the Government of Bermuda ('the Government') and the Office of the Privacy Commissioner for Bermuda ('PrivCom') jointly announced the official date for the remaining provisions of PIPA to come into effect as January 1, 2025.

The Bermuda Parliament ('the Parliament') passed the Personal Information Protection Amendment Act 2023 ('Amendment Act') on June 16, 2023, which will amend PIPA and the island's access to information framework (the Public Access to Information Act 2010 ('PATI') and its corresponding regulations) in order to prepare for the new data protection framework to come into force. Amongst other changes, the Amendment Act will insert a new Section 12A into PATI. Section 12A will confirm that, following the commencement of PIPA, PATI will no longer apply to records relating to the personal information of a requester. Any requester making a request under Section 12 to a public authority to access or amend their personal information must be notified in writing that they should proceed under PIPA.

More recently, the Governor of Bermuda provided their Assent to that amending legislation on July 18, 2023. As of the date of this publication (July 28, 2023), no date has been announced for the Amendment Act to come into force within the jurisdiction. At this time, it is expected that organisations in Bermuda that use personal information will generally have 18 months to prepare for the full implementation of Bermuda's data privacy law. The Amendment Act, however, will empower the Government to appoint different days for the commencement of PIPA for different purposes or in respect of different classes of organisation. With this in mind, it is possible that certain sophisticated companies (for example, those companies which have business activities in environments and jurisdictions where data privacy frameworks are already in place) may be expected to comply with PIPA at an earlier date.

Despite Bermuda's status as a British Overseas Territory, EU Regulations are not part of Bermuda's current legal system and EU Directives are, accordingly, not automatically implemented into Bermuda law. Once the PIPA is fully in force, it is expected that the data protection framework will be supplemented by an official body of determinations and guidance issued by PrivCom and decisions rendered by the Bermuda courts interpreting the same. The Privacy Commissioner has confirmed that starting on Data Privacy Week in January 2024, its offices will be providing the community with 'specific goals and actions to take each month as part of a phased action plan that puts the process of privacy compliance in bite-sized proportions'. In the meantime, privacy professionals can review jurisprudence issued by the Office of the Information Commissioner for Bermuda ('ICO') under the PATI framework which considers the protections afforded to personal information in the context of regulating the public's access to records held by Bermuda public authorities.

Accordingly, the Bermuda privacy landscape continues to develop and is being recognised locally and internationally. This guidance note will remain under review and will be amended from time to time to reflect further privacy developments within the jurisdiction. In light of the fluid policy landscape in Bermuda, organisations are urged to take legal advice in connection with any specific organisational initiatives or the transfers of personal information involving Bermuda.

Establishment of Privacy Regulator in Bermuda

On December 13, 2019, the appointment of the island's first Privacy Commissioner, Mr. Alexander McD White, was announced by the Governor of Bermuda ('the Governor') and the post became effective on January 20, 2020. Subsequent to that appointment, the public health crisis arising from the COVID-19 pandemic shifted local regulatory focus to the enactment of legislative measures to preserve residents' health.

Notwithstanding the uncertainty surrounding the future trajectory of Coronavirus, the timing of the appointment of the Privacy Commissioner was a significant catalyst for industry privacy awareness on the island. This was due, at least in part, to the high level of activity that the Privacy Commissioner engaged in, both within the jurisdiction and overseas, to promote awareness of PrivCom and the approach to be taken by the supervisory authority to business preparations for the new statutory privacy framework.

As of the date of this guidance, PrivCom is comprised of the following appointments:

  • Privacy Commissioner for Bermuda;
  • Deputy Commissioner;
  • Assistant Commissioner, Operations:
    • responsible for PrivCom's operations unit, with varied responsibilities for administration, project management, research, and policy development;
  • Assistant Commissioner, Innovation:
    • responsible for PrivCom's innovation unit, with varied responsibilities for PrivCom's public engagement on topics of special complexity or novelty, including the development of strategies related to PIPA readiness, innovation support services, and emerging issues; and
  • Assistant Commissioner, Investigations:
    • responsible for PrivCom's investigations unit, with varied responsibilities for case management, policy development, complaints, concerns, audits, investigations, inquiries, and order-making.

PrivCom has further introduced the Privacy Innovation and Knowledge-Sharing ('Pink') Sandbox, which provides organisations with access to PrivCom expertise to test products, services, or their organisational approach to privacy issues. This mechanism is based on PIPA, which provides the Privacy Commissioner with the power to 'comment on the implications for protection of personal information in relation to an organisation's existing or proposed programmes' (Section 29(1)(f) of PIPA) and to 'give guidance and recommendations of general application to an organisation on matters relating to its rights or obligations' (Section 29(1)(i) of PIPA).

A new series of PrivCom services is also now available to the public. Notably, an individual or a representative of a personal information owner can now request a regulatory advisory opinion from PrivCom when they have a concern about a privacy violation, a personal data breach, matters related to personal data protection, any other violation of PIPA, or other PIPA issuances that do not affect them personally or involve their personal data. General PrivCom support may also be requested in connection with specific industries or an information privacy breach or incident.

Internationally, PrivCom has been the first privacy regulator outside the Asia-Pacific Economic Cooperation ('APEC') forum to recognise the Cross Border Privacy Rules ('CBPR') as an effective certification mechanism for overseas data transfers. In late September 2021, the Global Privacy Assembly ('GPA') selected Bermuda as the site to host its week-long Global Privacy and Data Protection Summit, which is scheduled to take place October 15-20, 2023. The Privacy Commissioner has been appointed to the Executive Committee of the GPA to plan and coordinate the gathering, which looks to place Bermuda squarely at the centre of the tech world. The GPA is comprised of an open session (open to the local and international business community for registration on October 16 and 17, 2023) and a closed session (open to GPA Membership only on October 18-20, 2023). On the dates of the closed session, supplementary events which are open to all attendees will take place in the afternoon.

1.1. Key acts, regulations, directives, bills

Existing sectoral laws in Bermuda are significantly older than PIPA. While it is generally anticipated that the existing data protection law will remain in force once PIPA is fully operative, it is worth noting that PIPA expressly provides that consequential amendments to other statutes can be made by the Minister responsible for ICT policy and innovation ('the ICT Policy Minister') where it appears to be necessary or expedient for the purposes of the legislation. All legislation, including PIPA, is and will continue to be subject to the Bermuda Constitution Order 1968 ('Constitution'), which overrides domestic legislation, common law principles, and the Human Rights Act 1981 ('HRA').

PIPA expressly states that if its provisions are inconsistent or in conflict with a provision of another enactment, PIPA will prevail unless it is inconsistent with or in conflict with a provision in the HRA, in which case, the HRA will prevail. PIPA further states that the legislation applies notwithstanding any agreement to the contrary and any waiver or release of the rights, benefits, or protections provided under PIPA will be against public policy and void.

Sector-specific areas of data regulation in Bermuda include the following:

Banking sector:

FinTech sector:

Public authority sector:

Telecommunications sector:

Constitutional provisions

Chapter 1 of the Constitution expressly establishes that every person in Bermuda is entitled to protection for the privacy of their home and other property, subject to respect for the rights and freedoms of others and for the public interest. In advance of the appointment of the Privacy Commissioner, a significant constitutional step was taken by the Governor through the exercise of her powers under the Constitution to protect and support the mandate of the Privacy Commissioner and to ensure the independence of PrivCom.

Acting in accordance with the recommendation of the Bermuda Public Service Commission, the Governor issued the Bermuda Public Service (Delegation of Powers) Amendment Regulations 2018 ('the Regulations') on January 11, 2018. Through these Regulations, the Governor has delegated her constitutional powers to both the Information Commissioner (responsible for the enforcement of PATI) and the Privacy Commissioner to exercise control over the appointment, removal, and disciplinary control of the public officers assisting in the discharge of the functions of their independent offices. This watershed measure significantly reduced the risk of governmental influence over these offices and is thoroughly welcomed as part of good governance for the administration of these offices and in preparation for an adequacy application.

1.2. Guidelines

There are a number of regulatory authorities and postholders in Bermuda that have the power to issue guidance, or have issued guidance, pertaining to data protection. PrivCom has issued guidance in a variety of privacy contexts, including public health emergencies and contact tracing, cybersecurity, data transfers, privacy officers, and privacy and cybersecurity programme development. The Bermuda Monetary Authority ('BMA') has issued Operational Cyber Risk Management Codes of Conduct to categories of its licensees, including Insurance, Corporate Service Providers, Trust Companies, Money Service Businesses, Investment Businesses, Fund Administration Providers, and Banks and Deposit Companies.

Pursuant to Section 32 of PIPA (not in force), the ICT Policy Minister will be required to issue codes of practice, after consultation with the Privacy Commissioner, with best practice advice for organisations generally, or for specific types of organisations, to comply with PIPA. The Privacy Commissioner may also be consulted by the ICT Policy Minister in connection with the Minister's passing of general regulations for the carrying out of, or giving effect to the purposes of, PIPA.

The ICT Policy Minister has not issued any guidance.

1.3. Case law

Not applicable.

2. Scope of Application

2.1. Personal scope

PIPA will apply to every organisation that uses personal information in Bermuda where that personal information is used wholly or partly by automated means, and to the use, other than by automated means, of personal information which forms, or is intended to form, part of a structured filing system. An 'organisation' is defined by PIPA as any individual, entity, or public authority that uses personal information.

2.2. Territorial scope

Please see section on personal scope above.

2.3. Material scope

PIPA does not apply to:

  • the use of personal information for personal or domestic purposes;
  • the use of personal information for artistic, literary, or journalistic purposes with a view to publication in the public interest in so far as is necessary to protect the right to freedom of expression;
  • the use of business contact information (an individual's name, position name, or title, business telephone number, business address, business email, business fax number, and other similar business information) for the purpose of contacting an individual in their capacity as an employee or official of an organisation;
  • personal information about an individual who has been dead for at least 20 years;
  • personal information about an individual that has been in existence for at least 150 years;
  • personal information transferred to an archival institution where access to the personal information was unrestricted or governed by an agreement between the archival institution and the donor of the personal information before the coming into operation of PIPA;
  • personal information contained in a court file and used by a judge of any court in Bermuda, used as part of judicial administration or relating to support services provided to the judges of any court in Bermuda, but only where such personal information is necessary for judicial purposes;
  • personal information contained in a personal note, communication, or draft decision created by or for an individual who is acting in a judicial, quasi-judicial, or adjudicative capacity; and
  • personal information used by a member of the House of Assembly or the Senate where such use relates to the exercise of his political function and the personal information is covered by parliamentary privilege.

The legislation will also not affect any legal privilege, limit the information available by law to a party to any legal proceedings, or limit or affect the use of information that is the subject of trust conditions or undertakings to which a lawyer is subject.

Specific exemptions

PIPA further establishes a series of exemptions for organisations. The main exemptions provide that, except for the minimum requirements, organisations do not need to comply with many of the substantive provisions of PIPA.

The main exemptions in PIPA can be broadly described as follows:

  • the national security exemption, which requires an exemption certificate signed by the ICT Policy Minister;
  • the communication provider exemption, which eliminates the liabilities of directors, officers, or authorised agents of communications providers for any breach committed while acting as a communication provider under PIPA;
  • the regulatory activity and honours exemption, which applies only if:
    • such use is required for the purposes of discharging a relevant function (as defined in Section 24(3) of PIPA);
    • the relevant function is designed for a purpose recognised by the section (Section 24(2) of PIPA); and
    • only to the extent to which the application of the substantive provisions of PIPA would be likely to prejudice the proper discharge of those functions; and
  • the general exemption, which applies to specific instances of law enforcement, the economic, or financial interests of Bermuda and the regulation of professionals, to the extent that the application of some of the substantive provisions of PIPA would be likely to prejudice any of these matters.

The ancillary exemption in PIPA is as follows:

  • the disclosure for the purposes of business transaction exemption, which applies during the period leading up to and including the completion of a business transaction and also where a business transaction is completed only if:
    • the business transaction falls within the specific definition provided by PIPA; and
    • the personal information is necessary for a purpose identified by PIPA.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

On January 20, 2020, the appointment of Bermuda's first Privacy Commissioner, Mr. Alexander McD White, became effective. Notwithstanding this notable advancement towards enhanced privacy regulatory enforcement in Bermuda, the substantive provisions of PIPA remain inoperative and data protection is largely regulated by the Courts and on a sectoral basis.

3.2. Main powers, duties and responsibilities

The main powers, duties, and responsibilities of the Privacy Commissioner are threefold and can be summarised as follows:

Investigation and resolution of complaints

  • conduct investigations or inquiries concerning compliance with PIPA; and
  • attempt to resolve complaints by negotiation, conciliation, mediation, or otherwise.

Education and industry guidance

  • comment on the implications for protection of personal information in relation to an organisation's existing or proposed programmes;
  • approve Binding Corporate Rules ('BCRs') for transfers of personal information to an overseas third party. BCRs are defined under PIPA as personal information protection policies approved by the Privacy Commissioner which are adhered to by an organisation for transfers or sets of transfers of personal information;
  • give guidance and recommendations of general application to an organisation on matters relating to its rights or obligations under PIPA; and
  • establish or assist with the establishment of certification mechanisms and associated rules for the purpose of demonstrating compliance with PIPA (and may, without prejudice to their tasks and powers, delegate the operation of a certification mechanism to an independent certification body with the appropriate level of expertise in relation to the protection of personal information).

Orders and enforcement activity

  • issue formal warnings, admonish an organisation, and bring to its attention any failure by the organisation to comply with PIPA;
  • agree on a course of action with an organisation;
  • issue orders in connection with inquiries and permit an organisation to transfer personal information to an overseas third party (for use either on behalf of the organisation or for that overseas third party's own business practices) where the organisation has reasonably demonstrated that it is unable to comply with PIPA's statutory procedure for organisations to assess the level of protection provided by an overseas third party for personal information (provided the transfer does not undermine the rights of the individual); and
  • authorise an organisation to disregard one or more requests for access to personal information, medical records or rectification, blocking, erasure, or destruction of personal information if the requests would unreasonably interfere with the operations of the organisation or amount to an abuse of the right to make those requests, because of their repetitious or systematic nature or are otherwise frivolous or vexatious.

Sanctioning powers

On completing an inquiry, the Privacy Commissioner must dispose of the matters by making an order or issuing a formal warning or public admonishment.

If the inquiry relates to an organisation's decision to give or refuse to give access to all or part of an individual's personal information, the Privacy Commissioner may, by order:

  • direct the organisation to give the individual access to all or part of their personal information that is under the control of the organisation;
  • confirm the decision of the organisation;
  • require the organisation to reconsider its decision concerning access; or
  • direct the organisation to refuse the individual access to all or part of their personal information.

If the inquiry relates to any other matter, the Privacy Commissioner may, by order, do one or more of the following:

  • confirm that a PIPA obligation imposed on an organisation has been performed;
  • require that a PIPA obligation imposed on an organisation be performed (including requiring an organisation to take specific steps to remedy a breach of the legislation);
  • confirm that a right set out in PIPA has been observed;
  • require that a right set out in PIPA be observed;
  • confirm an organisation's decision not to correct, erase, delete, or destroy personal information;
  • specify that personal information is to be corrected, erased, deleted, or destroyed by an organisation and:
    • how such personal information is to be corrected, erased, deleted, or destroyed; and
    • may, if reasonably practicable, require the organisation to notify third parties to whom the personal information has been disclosed of the correction, erasure, deletion, or destruction;
  • require an organisation to stop using personal information in contravention of PIPA;
  • confirm a decision of an organisation to use personal information;
  • require an organisation to destroy personal information used contrary to PIPA; and
  • require an organisation to provide specific information to persons in the event of a breach of security.

The Privacy Commissioner may, alternatively, make an order as they consider appropriate or may issue a formal warning or public admonishment if the abovementioned orders would not be applicable. A copy of an abovementioned order may be filed with the Registrar of the Supreme Court of Bermuda ('the Supreme Court') and, after filing, the order is enforceable as a judgment or order of that court.

4. Key Definitions

Data controller: There is no definition for 'data controller' in PIPA. However, an 'organisation' is any individual, entity, or public authority that uses personal information.

Data processor: There is no definition for 'data processor' in PIPA. However, an 'organisation' is any individual, entity, or public authority that uses personal information.

Personal data: 'Personal information' means any information about an identified or identifiable individual.

Sensitive data: 'Sensitive personal information' is any personal information relating to an individual's place of origin, race, colour, national or ethnic origin, sex, sexual orientation, sexual life, marital status, physical or mental disability, physical or mental health, family status, religious beliefs, political opinions, trade union membership, biometric information or genetic information (not yet in force).

Health data: There is no definition for 'health data' in PIPA.

Biometric data: Any information relating to the physical, physiological, or behavioural characteristics of an individual which allows his unique identification, such as facial images or fingerprint information.

Pseudonymisation: There is no definition for 'pseudonymisation' in PIPA.

5. Legal Bases

Conditions for use of personal information

Section 6 of PIPA (not in force) establishes that (with limited exceptions) an organisation may use an individual's personal information only if one or more of the following conditions are met:

  • the personal information is used with the consent of the individual where the organisation can reasonably demonstrate that the individual has knowingly consented;
  • except in relation to sensitive personal information, a reasonable person giving due weight to the sensitivity of the personal information, would consider that the individual would not reasonably be expected to request that the use of their personal information should not begin or cease, and that the use does not prejudice the rights of the individual;
  • the use of the personal information is necessary for the performance of a contract to which the individual is a party or for the taking of steps at the request of the individual with a view to entering into a contract;
  • the use of the personal information is pursuant to a provision of law that authorises or requires such use;
  • the personal information is publicly available information and will be used for a purpose that is consistent with the purpose of its public availability;
  • the use of the personal information is necessary to respond to an emergency that threatens the life, health, or security of an individual or the public;
  • the use of the personal information is necessary to perform a task carried out in the public interest or in the exercise of official authority vested in the organisation or in a third party to whom the personal information is disclosed; or
  • the use of the personal information is necessary in the context of an individual's present, past, or potential employment relationship with the organisation.

5.1. Consent

For the purpose of relying on consent as a condition for the use of personal information, PIPA will provide that:

  • an organisation must provide clear, prominent, easily understandable, accessible mechanisms for an individual to give consent in relation to the use of their personal information;
  • an organisation is not obliged to provide such mechanisms where it can be reasonably implied from the conduct of an individual that they consent to the use of their personal information for all intended purposes that have been notified to them, but this does not apply to sensitive personal information;
  • when an individual consents to the disclosure of their personal information by an intermediary for a specified purpose, that individual will be deemed to have consented to the use of that personal information by the receiving organisation for the specified purpose; and
  • an individual will be deemed to have consented to the use of their personal information for the purpose of coverage or enrolment under an insurance, trust, benefit, or similar plan if the individual has an interest in or derives a benefit from that plan.

5.2. Contract with the data subject

Please see section on legal bases above.

5.3. Legal obligations

Please see section on legal bases above.

If an organisation is unable to meet any of the conditions of use in PIPA (as set out above) then it may use personal information only if:

  • the personal information was collected from, or is disclosed to, a public authority which is authorised or required by a statutory provision to provide the personal information to, or collect it from, the organisation;
  • the use of the personal information is for the purpose of complying with an order made by a court, individual, or body having jurisdiction over the organisation; or
  • the use of the personal information is reasonable to protect or defend the organisation in any legal proceeding.

5.4. Interests of the data subject

Please see section on legal bases above.

5.5. Public interest

Please see section on legal bases above.

5.6. Legitimate interests of the data controller

Not applicable.

5.7. Legal bases in other instances

If an organisation is unable to meet any of the conditions of use in PIPA (as set out above) then it may use personal information only if:

  • the use of the personal information is for the purpose of contacting the next of kin or a friend of an injured, ill or deceased individual;
  • the use of the personal information is necessary in order to collect a debt owed to the organisation or for the organisation to repay to the individual money owed by the organisation; or
  • the use of the personal information is in connection with disclosure to the surviving spouse or a relative of a deceased individual if, in the reasonable opinion of the organisation, the disclosure is appropriate.

6. Principles

The PIPA Draft Model and its corresponding explanatory notes ('the Explanatory Notes') were released in 2015.

The Explanatory Notes defined privacy as 'the expectation that confidential personal information disclosed in private will not be disclosed to third parties when that disclosure would cause either embarrassment or emotional distress to a person of reasonable sensitivities'. They further confirmed that the PIPA Draft Model was based on the following eight international privacy principles:

  • personal information shall be used fairly and lawfully;
  • personal information shall be used for limited specified purposes;
  • personal information shall be adequate, relevant, and not excessive in relation to the purpose or purposes for which they are used;
  • personal information shall be accurate and, where necessary, kept up to date;
  • personal information used for any purpose shall not be kept for longer than is necessary for that use;
  • personal information shall be used in accordance with the rights of individuals;
  • personal information shall be kept securely; and
  • personal information shall only be transferred to third parties (including international transfers) where there is a comparable level of protection.

According to the Explanatory Notes, the PIPA Draft Model was intended to provide a light regulatory environment, but one which had been prepared so that an application for EU adequacy might be made. In this context, the Explanatory Notes confirmed that the purpose of PIPA was, 'to govern the use of personal information by organisations in a manner that recognises both the need to protect the human rights of individuals in relation to their personal information and the need of organisations to use personal information for purposes that are legitimate'.

7. Controller and Processor Obligations

7.1. Data processing notification

Organisations are not required to register with PrivCom.

7.2. Data transfers

PIPA does not adopt the terms 'controller' or 'processor' (or 'joint controller') into its terminology for the purposes of defining the extent of organisations' responsibilities and rights. PIPA does, however, make a distinction between a third party and an overseas third party, and establishes a statutory procedure (not in force) for organisations to assess the level of protection provided by an overseas third party for personal information in advance of any transfer of personal information to that overseas third party. PIPA defines an 'overseas third party' as an organisation not domiciled in Bermuda.

Outsourcing

PIPA establishes that where an organisation engages (by contract or otherwise) the services of a third party in connection with the use of personal information, the organisation remains responsible for ensuring compliance with the legislation at all times. A 'third party' is not defined under PIPA.

Transfers

When an organisation that uses personal information in Bermuda transfers personal information to an overseas third party for use by that overseas third party on behalf of the organisation, or for the overseas third party's own business purposes, the organisation remains responsible for compliance with PIPA in relation to that personal information.

Before making any such transfer, the general requirement established by PIPA (not currently in force) is that an organisation must complete the following statutory procedure to assess the level of protection provided by the overseas third party for that personal information:

  • consider the level of protection afforded by the law applicable to such overseas third party;
  • if the organisation reasonably believes that the protection provided by the overseas third party is comparable to the level of protection required by PIPA, the organisation may rely on such comparable level of protection while the personal information is being used by the overseas third party; and
  • where the level of protection threshold is not satisfied, the organisation must employ contractual mechanisms, corporate codes of conduct including BCRs, or other means to ensure that the overseas third party provides a comparable level of protection.

For the purposes of deciding whether the protection provided by the overseas third party is comparable to the level of protection required by PIPA, an organisation that uses personal information in Bermuda can take into account:

  • the designation of any jurisdiction as providing a comparable level of protection by the Minister; and
  • the third party's adoption of a certification mechanism recognised by the Privacy Commissioner.

Notwithstanding the general position outlined above, an organisation may transfer personal information to an overseas third party for use by that overseas third party, on behalf of the organisation or for the overseas third party's own business purposes, if:

  • the transfer of the personal information is necessary for the establishment, exercise, or defence of legal rights; or
  • the organisation assesses all the circumstances surrounding the transfer of personal information to the overseas third party and reasonably considers that the transfer of personal information is:
    • small-scale;
    • occasional; and
    • unlikely to prejudice the rights of an individual.

In March 2021, the Privacy Commissioner exercised his authority under Section 29(1)(i) of PIPA to recognise the APEC CBPR System as a certification mechanism for transfers of personal information to an overseas third party. While a relatively new standard, the CBPR System has been recognised as an overseas data transfer mechanism by multiple Asia-Pacific countries and is an explicitly named option in the recent Agreement between the United States of America, the United Mexican States, and Canada ('USMCA').

PrivCom recommended that if an overseas third party claims to be CBPR-certified, Bermudian organisations should verify their claim by consulting the public Compliance Directory and should further ensure that the CBPR certification is a material part of their agreement with the overseas third party.

7.3. Data processing records

There is no explicit requirement in PIPA for organisations to maintain records pertaining to their use of personal information. Notwithstanding this, once PIPA is fully in force it may prove challenging for organisations to meet their wider obligations under PIPA, and to demonstrate that their practices are compliant with PIPA, in the absence of such records.

Sectoral law in Bermuda does establish general statutory requirements for the maintenance of records by organisations.

7.4. Data protection impact assessment

There is no explicit requirement in PIPA for organisations to carry out a Data Protection Impact Assessment ('DPIA').

Notwithstanding this, once PIPA is fully in force, organisations which use personal information will be subject to the statutory requirements of fairness, purpose limitation, proportionality, maintaining the integrity of personal information, and employing security safeguards.

An overarching requirement will be that an organisation must adopt suitable measures and policies to give effect to its obligations and to the rights of individuals in PIPA and must further act in a reasonable manner.

In the absence of carrying out a DPIA or establishing internal triggers for the circumstances in which a DPIA should be undertaken, an organisation may find it challenging to meet these wider obligations and to demonstrate that its practices with respect to the use of personal information are compliant with PIPA.

7.5. Data protection officer appointment

PIPA requires organisations to designate a representative privacy officer for the purposes of compliance with the legislation. The privacy officer will be tasked with the primary responsibility for communicating with the Privacy Commissioner. The legislation confirms that a group of organisations under common ownership or control may appoint a single privacy officer, provided that a privacy officer is accessible from each organisation. A designated privacy officer may also delegate their duties to one or more individuals.

The privacy officer acts as the representative of the organisation for the purposes of compliance with PIPA and has the primary responsibility for communicating with the Commissioner (Section 5(4) of PIPA).

Furthermore, the Privacy Officer Guidance outlines that the privacy officer may delegate some of the tasks for which they are responsible. In addition, the Privacy Officer Guidance states that the privacy officer is responsible for the following tasks:

  • developing the organisation's privacy programme and communicating with PrivCom and the public;
  • overall organisational compliance;
  • ensuring organisations develop appropriate measures and policies to give effect to their obligations and to the rights under PIPA;
  • responding to communications and requests from PrivCom; and
  • responding to questions from individuals and/or requests to exercise PIPA rights.

PIPA does not explicitly state where the privacy officer must sit within an organisation; however, the Privacy Officer Guidance clarifies that a privacy officer should hold a position of responsibility within an organisation with sufficient authority to oversee and ensure compliance with PIPA. Furthermore, the Privacy Officer Guidance notes that a privacy officer should be a senior decision-maker with full authorisation, who may also serve as a privacy officer for an organisational group, so long as they are accessible from each organisation, as mentioned above.

7.6. Data breach notification

PIPA mandates that where there has been a breach of security leading to the loss or unlawful destruction or unauthorised disclosure of or access to personal information, which is likely to adversely affect an individual, the organisation responsible for that personal information must, without undue delay:

  • notify any individual affected by the breach; and
  • notify the Privacy Commissioner of the breach. The notification to the Privacy Commissioner must describe:
    • the nature of the breach;
    • its likely consequences for that individual; and
    • the measures taken and to be taken by the organisation to address the breach, so that the Privacy Commissioner can determine whether to order the organisation to take further steps and for the Privacy Commissioner to maintain a record of the breach and the measures taken.

7.7. Data retention

There are no specific provisions in PIPA requiring organisations to delete personal information within specific timeframes. However, PIPA does provide that an organisation must ensure that personal information for any use is not kept for longer than is necessary for that use. This is considered part of an organisation's responsibility to maintain the integrity of personal information.

7.8. Children's data

Once fully in force, PIPA will regulate the use of personal information about children in connection with information society services. In this context, the following statutory definitions are applicable:

  • information society service: means a service which is delivered by means of digital or electronic communications; and
  • child: means an individual under the age of 14.

PIPA will require that an organisation which uses personal information about a child in the provision of an information society service, where:

  • the service is targeted at children; or
  • the organisation has actual knowledge that it is using personal information about children,

and consent is relied upon, must obtain consent from a parent or guardian before the personal information is collected or otherwise used.

In using personal information about a child in the provision of an information society service, an organisation must be reasonably satisfied that consent obtained is verifiable (so that it can be obtained only from the child's parent or guardian) and must further establish procedures to verify whether the individual is a child when it is reasonably likely that the organisation will use personal information about a child.

When an organisation is providing an information society service to a child, the organisation will further be prohibited from seeking to obtain personal information from the child about other individuals, including in particular, personal information relating to the professional activity of parents or guardians, financial information, or sociological information. This prohibition is subject to the exception that an organisation may seek to obtain personal information about the identity and address of the child's parent or guardian for the sole purpose of obtaining consent in accordance with PIPA's requirements.

When complying with its PIPA obligations, an organisation delivering an information society service to a child must provide a privacy notice that is easily understandable and appropriate to the age of the child. In legal proceedings brought against an organisation for failure to comply with these requirements, it will be a defence for the organisation to prove that it had taken such care as in all circumstances was reasonably necessary to comply with these requirements.

7.9. Special categories of personal data

Once fully in force, PIPA will prohibit an organisation from using sensitive personal information without lawful authority to discriminate against any person contrary to any provision of Part II of the HRA. Sensitive personal information will be considered to be used with lawful authority if and only to the extent that it is used:

  • with the consent of any individual to whom the information relates;
  • in accordance with an order made by either the court or the Privacy Commissioner;
  • for the purpose of any criminal or civil proceedings; or
  • in the context of recruitment or employment where the nature of the role justifies such use.

7.10. Controller and processor contracts

There is currently no requirement in PIPA for an organisation to enter into a contractual arrangement with a third party to lawfully effect a transfer of personal information. However, Section 5 of PIPA (not in force), expressly confirms that where an organisation engages (by contract or otherwise) the services of a third party in connection with the use of personal information, the organisation remains responsible for always ensuring compliance with the legislation.

Section 15 of PIPA (not in force) further establishes a statutory verification process that organisations regulated by PIPA must undertake prior to any transfer of personal information to an overseas third party. If a regulated organisation reasonably believes that the protection provided by the overseas third party is not comparable to the level of protection required by PIPA, that organisation must employ contractual mechanisms, corporate codes of conduct (including BCRs), or other means to ensure that the overseas third party provides a comparable level of protection.

Where a regulated organisation relies on a certification mechanism, even one that has been recognised by the Privacy Commissioner, to justify its determination that the protection in an overseas third party's country is comparable to PIPA, the guidance of the Privacy Commissioner indicates that the organisation should ensure that certification is a material part of their agreement with the overseas third party.

8. Data Subject Rights

8.1. Right to be informed

Once fully in force, PIPA will require organisations to take all reasonably practicable steps to ensure that a privacy notice is provided to data subjects either before or at the time of collection of personal information, or, where that is not possible, as soon thereafter as is reasonably practicable.

Privacy notices

Subject to discrete exceptions, Section 9 of PIPA (not in force) mandates that organisations must issue privacy notices to individuals regarding their practices and policies with respect to personal information. Organisations must take all reasonably practicable steps to ensure that the privacy notice is provided either before or at the time of collection of personal information, or, where that is not possible, as soon thereafter as is reasonably practicable. The following mandatory content must be included in the privacy notice of an organisation:

  • the fact that personal information is being used;
  • the purposes for which personal information is or might be used;
  • the identity and types of individuals or organisations to whom personal information might be disclosed;
  • the identity and location of the organisation, including information on how to contact it about its handling of personal information;
  • the name of the privacy officer (the Personal Information Protection Amendment Act 2023 will amend PIPA to require the contact information of the privacy officer to be provided instead of the name of the privacy officer); and
  • the choices and means that the organisation provides to an individual for limiting the use of, and for accessing, rectifying, blocking, erasing, and destroying their personal information (the Personal Information Protection Amendment Act 2023 will amend PIPA to refer to 'correcting' instead of 'rectifying').

8.2. Right to access

Subject to specific exemptions, at the request of an individual for access to their personal information, and having regard to that which is reasonable, an organisation must provide the individual with access to:

  • personal information about the individual in the custody or under the control of the organisation;
  • the purposes for which the personal information has been and is being used by the organisation; and
  • the names of the persons or types of persons to whom, and circumstances in which, the personal information has been and is being disclosed.

8.3. Right to rectification

An individual may make a written request to an organisation to correct an error or omission in any of their personal information which is under the control of the organisation. If there is an error or omission in personal information in respect of which a request for a correction is received by an organisation, the organisation must correct the personal information as soon as reasonably practicable. Where the organisation has also disclosed the incorrect information to other organisations, the organisation must send a notification containing the corrected information to each such organisation, if it is reasonable to do so. (The Personal Information Protection Amendment Act 2023 will amend PIPA to refer to 'correction' instead of 'rectification'.)

8.4. Right to erasure

An individual may request an organisation to erase or destroy personal information about themselves where that personal information is no longer relevant for the purposes of its use. On receiving such a request, an organisation must erase or destroy the personal information that the individual has identified in their request or provide the individual with written reasons as to why the use of such personal information is justified.

8.5. Right to object/opt-out

An individual may request an organisation to cease, or not to begin, using their personal information for the purposes of advertising, marketing, or public relations. On receiving such a request, an organisation must cease, or not begin, using the personal information for such purposes. An individual may also request an organisation to cease, or not to begin, using their personal information where the use of that personal information is causing or is likely to cause substantial damage or substantial distress to the individual or to another individual. On receiving such a request, an organisation must either cease, or not begin, using the personal information that the individual has identified in their request, or provide the individual with written reasons as to why the use of such personal information is justified.

8.6. Right to data portability

Although PIPA does provide for the right to access personal information, the legislation does not expressly provide for the right to data portability; however, it is possible that this activity could fall within the scope of the right of access, and this remains a matter for the interpretation of the Privacy Commissioner.

8.7. Right not to be subject to automated decision-making

PIPA currently does not expressly provide for the right not to be subject to automated decision-making; however, it is possible that this activity could fall within the scope of other rights, and this remains a matter for the interpretation of the Privacy Commissioner.

8.8. Other rights

Not applicable.

9. Penalties

Subject to Section 47(5) of PIPA, a person commits an offence if they (Section 47(1) of PIPA):

  • wilfully or negligently use or authorise the use of personal information in a manner that is inconsistent with Part 2 of PIPA and is likely to cause harm to an individual or individuals;
  • wilfully attempt to gain or gain access to personal information in a manner that is inconsistent with PIPA and is likely to cause harm to an individual or individuals;
  • dispose of or alter, falsify, conceal, or destroy personal information, or direct another person to do so, in order to evade a request for access to the personal information;
  • obstruct the Privacy Commissioner or an authorised delegate of the Privacy Commissioner in the performance of the Privacy Commissioner's duties, powers, or functions under PIPA; and
  • knowingly or recklessly fail to comply with Section 34(1) of PIPA (restrictions on disclosure by the Commissioner or staff).

Subject to Section 47(4) and (5) of PIPA, a person commits an offence if they (Section 47(2) of PIPA):

  • fail to comply with an order made by the Privacy Commissioner under PIPA;
  • fail to comply with a notice served by the Privacy Commissioner under PIPA;
  • contravene Section 7 of PIPA (sensitive personal information);
  • dispose of, alter, falsify, conceal, or destroy evidence during an investigation or inquiry by the Privacy Commissioner; or
  • fail to notify a breach of security to the Privacy Commissioner in accordance with Section 14 of PIPA.

A person who commits an offence under Section 47(1) or (2) of PIPA is liable (Section 47(3) of PIPA):

  • on summary conviction, in the case of an individual, to a fine not exceeding $25,000 or to imprisonment not exceeding two years or to both; and
  • on conviction on indictment, in the case of a person other than an individual, to a fine not exceeding $250,000.

In proceedings brought against an organisation or an individual, it is a defence for the organisation or individual charged with an offence under Section 47(2) of PIPA to prove to the satisfaction of the court that the organisation or individual, as the case may be, acted reasonably in the circumstances that gave rise to the offence (Section 47(4) of PIPA). In determining whether a person has committed an offence under PIPA, a court shall consider whether a person has followed any relevant code of practice which was at the time issued by the Minister (Section 47(5) of PIPA).

Where an offence under PIPA has been committed by a body corporate and is proved to have been committed with the consent or connivance of, or to be attributable to, any neglect on the part of (Section 47(6) of PIPA):

  • any director, manager, secretary, or similar officer of the body corporate; or
  • any person who was purporting to act in any such capacity,

that person, as well as the body corporate, commits that offence and is liable to be proceeded against and punished accordingly.

Where the affairs of a body corporate are managed by its members, Section 47(6) of PIPA applies, in relation to the acts and defaults of a member in connection with their function of management, as if he were a director of the body corporate.

Court/damages

A copy of an order made by the Privacy Commissioner may be filed with the Registrar of the Supreme Court and, after filing, the order is enforceable as a judgment or order of that Court. An individual who suffers financial loss or emotional distress due to an organisation's failure to comply with any of the requirements of PIPA will be entitled to compensation from the organisation. The amount of compensation that an individual is entitled to under PIPA for each contravention will be determined by the Court. In legal proceedings brought against an organisation for failure to comply with PIPA, it will be a defence for the organisation to prove that it had taken such care as in all circumstances was reasonably necessary to comply with the requirement.

9.1. Enforcement decisions

In the absence of the substantive provisions of PIPA being in force, no formal enforcement decisions have been issued by the Privacy Commissioner to date.

However, decisions of the ICO under the PATI framework pertaining to personal information are listed below: