Bermuda: Personal Information Protection Act 2016 (“PIPA”)
Bermuda passed PIPA in 2016, with the majority of the Act expected to come into force in 2018. PIPA is the first piece of legislation in Bermuda designed to protect personal information. Privacy and the use of personal information were previously governed solely by the common law. Many other common law jurisdictions have already enacted legislation to protect the use of personal information; Bermuda is following suit in an effort to keep up with international standards and promote international business.
PIPA applies to every organisation in Bermuda that uses personal information, where the information is used wholly or partly by automated means or where it forms, or is intended to form, part of a structured filing system.
“Personal information” is defined broadly to include any information about an identifiable individual. PIPA prohibits an organisation from “using” personal information unless one of the conditions in section 6 is met. “Using” is defined broadly to include: “collecting, obtaining, recording, holding, storing, organising, adapting, altering, retrieving, transferring, consulting, disclosing, disseminating or otherwise making available, combining, blocking, erasing or destroying it.” The easiest way for an organisation to ensure compliance is to obtain an individual’s consent prior to using their personal information.
PIPA also gives individuals new rights to access their personal information and to know the purpose for which that information is being held.
By way of summary, PIPA requires organisations to:
- Ensure sufficient security safeguards are in place to protect personal information;
- Use personal information in a lawful and fair manner;
- Ensure personal information used is accurate and up to date for the purposes of use;
- Not keep personal information for longer than is necessary;
- Provide individuals with privacy notices containing information about practices and policies;
- Use personal information only for the specific purpose stated in the privacy notice;
- Appoint a privacy officer to ensure compliance.
Where a Bermuda organisation transfers personal information to an overseas third party, the Bermuda organisation remains responsible for compliance with PIPA. This is of vital importance in the Bermuda insurance and financial markets, where it is commonplace for organisations to be part of a larger global corporation within which information is constantly passed back and forth.
PIPA also creates the new office of Privacy Commissioner, responsible for ensuring compliance with the Act with the power to, inter alia, conduct investigations, issue formal warnings, give guidance and conduct inquiries.
Non-compliance is an offence. The penalty for an individual is a fine not exceeding $25,000 or 2 years of imprisonment, or both; the penalty for an organisation is a fine not exceeding $250,000.
The implementation of PIPA will allow Bermuda to apply for “adequacy” status from the EU. Once a country has “adequacy” status, personal information may flow freely between EU member states and that third-party country without the latter having to implement additional costly safeguards. This is an important step for Bermuda, placing it on a level playing field with competitor jurisdictions that already have this status, including offshore competitors such as Jersey and the Isle of Man.
It remains to be seen how organisations in Bermuda will cope and ensure compliance with PIPA, which marks a great step forward in moving Bermuda closer to complying with international data protection standards.