Data Privacy Policy in Bermuda, New Found Regulation

Bermuda’s Personal Information Protection Act 2016 or the PIPA for short is a comprehensive data protection law that was passed in 2016. Despite the fact that the country of Bermuda is a British Overseas Territory, the current regulations of the EU are not part of the country’s legal system. As such, Bermuda does not fall under the jurisdiction of the General Data Protection Regulation or GDPR. To this end, the Personal Information Protection Act 2016 sets forth the legal framework for the collection and processing of personal data within the country of Bermuda, as well as the sanctions that individuals and organizations stand to face in the event that they fail to comply with the law.

How are data controllers and processors defined under the Personal Information Protection Act 2016?

The Personal Information Protection Act 2016 does not provide definitions for the terms data processor or data controller. Instead, the law only provides a definition for the term organization, defined as “any individual, entity, or public authority that uses personal information.” Moreover, the law defines personal data broadly to include “any information about an identified or identifiable individual.” Alternatively, sensitive personal data is defined as “any personal information relating to an individual’s place of origin, race, colour, national or ethnic origin, sex, sexual orientation, sexual life, marital status, physical or mental disability, physical or mental health, family status, religious beliefs, political opinions, trade union membership, biometric information or genetic information.”

What are the requirements for organizations under the Personal Information Protection Act 2016?

In the explanatory notes of the Personal Information Protection Act 2016, privacy is defined as “the expectation that confidential personal information disclosed in private will not be disclosed to third parties when that disclosure would cause either embarrassment or emotional distress to a person of reasonable sensitivities.” Furthermore, the explanatory notes of the law also outlined the following data protection principles:

• Personal information must be used lawfully and fairly.
• Personal information may only be used for limited and specific purposes.
• Personal information must be adequate, relevant, and non-excessive in regards to the purposes for which said information is to be used.
• Personal information must be accurate and kept up to date where necessary.
• Personal information may not be used be kept for any period of time other than is needed to accomplish the purposes for which it was collected or processed.
• Personal information must be collected, processed, and disclosed in accordance with the rights of individuals.
• Personal information must be kept in a manner that is secure.

What are the rights of data subjects under the Personal Information Protection Act 2016?

Under the Personal Information Protection Act 2016, data subjects within Bermuda are entitled to the following data protection and personal information privacy rights:

• The right to be informed- Under the PIPA, organizations operating within Bermuda are responsible for providing data subjects with privacy notices detailing the purposes for which their personal data are to be used and the identity of said organization, along with various other forms of pertinent information.
• The right to access- Data subjects have the right to access any personal data that has been collected or processed by a particular organization, subject to certain exemptions.
• The right to rectification- Data subjects retain the right to request that an organization correct an error or omission concerning their personal data.
• The right to erasure- Data subjects retain the right to request that an organization delete personal data concerning, permitting said data is no longer relevant to the purposes for which it was collected, processed, or used.
• The right to object or opt-out- “an individual may request an organization to cease, or not to begin, using their personal information for the purposes of advertising, marketing, or public relations.”

What are the penalties for violating the Personal Information Protection Act 2016?

Bermuda’s Personal Information Protection Act 2016 is enforced by the Privacy Commissioner, in accordance with Sections 47(1) and 47(5) of the law. Examples of violations under these sections of the law include “wilfully or negligently uses or authorizes the use of personal information in a manner that is inconsistent with Part 2 of PIPA and is likely to cause harm to an individual or individuals” and “willfully attempts to gain or gains access to personal information in a manner that is inconsistent with PIPA and is likely to cause harm to an individual or individuals.” To this point, organizations who commit such offenses are subject to the following penalties:

• A monetary penalty of up to $25,000, a term of imprisonment of up to two years, or both.
• A fine of up to $250,000 for the most egregious offenses.

With the passing of the Personal Information Protection Act 2016, data subjects within Bermuda were provided with the legal guarantee that their personal information is being protected at all times. What’s more, the adoption of the law has also caused the government of Bermuda to consider requesting an adequacy decision from the European Commission, the executive branch of the European Union that is responsible for implementing and enforcing the organizational body’s laws. In this way, the passing of the Personal Information Protection Act 2016 represents more than just data protection and privacy for the country of Bermuda, but the potential for commerce opportunities as well.