In Bermuda, the applicable privacy law is the Personal Information Protection Act (PIPA) 2016.
It is not the Data Protection Act or General Data Protection Regulation (GDPR) as found in the United Kingdom or European Union, respectively.
Here's a breakdown of what this means for organisations in Bermuda:
Personal Information Protection Act (PIPA) 2016
Overview:
PIPA is Bermuda’s privacy law aimed at protecting personal information.
It was partially enacted in 2016 to ensure that organisations handle personal information in a secure and responsible manner. The full implementation date is 1 January 2025.
PIPA applies to every organisation that uses personal information in Bermuda.
If you are an organisation, you are not relieved of your obligations when a third party, including an overseas third party, is involved.
The law places further obligations on your organisation to ensure your contracts with overseas third parties comply with PIPA (including the level of protection they provide).
Key provisions:
Definition of personal information: PIPA defines personal information broadly as any information about an identified or identifiable individual.
Consent: Consent is one of the conditions under which organisations in Bermuda may use personal information. Organisations must obtain consent from individuals before collecting, using, or disclosing their personal information, except in certain specified circumstances. Individuals have the right to withdraw their consent but note that there are some exclusions.
Security safeguards: Organisations are required to implement appropriate security measures to protect personal information against loss, unauthorised access, misuse, and other risks.
Access, Correction, Blocking, Erasure and Destruction Rights: Individuals have the right to access their personal information held by organisations and request corrections if necessary. They also have the right to ask organisations to block, erase, and destroy their information. There are some exclusions. These rights are not absolute.
Proportionality/Data Minimisation: Organisations may only collect personal information that is necessary for the purposes identified and should not retain it longer than necessary.
Breach Notification: Organisations must notify affected individuals and the Privacy Commissioner if a data breach occurs that could result in significant adverse effect/harm.
Implications for organisations:
Responsibility and compliance: Organisations in Bermuda need to ensure their personal information handling practices comply with PIPA’s requirements. This involves reviewing and potentially revising data collection, use, storage, and destruction processes and procedures.
Personal information management policies: Implementing robust personal information management and privacy policies is crucial. This includes having in place a robust privacy programme, as well as clear protocols for obtaining consent, managing data access requests, and responding to data breaches.
Training and awareness: Staff training on PIPA's requirements and best practices in data protection is essential to ensure compliance across the organization.
Designating a Privacy Officer: Organisations are required to designate a privacy officer to oversee compliance with PIPA and handle any privacy-related issues.
Audits and assessments: Regular audits and assessments of privacy practices are a key component of helping organisations identify and mitigate potential risks.
General Data Protection Regulation (GDPR)
Overview:
GDPR is the European Union's data protection regulation, effective since May 2018. To clarify, the United Kingdom’s Data Protection Act is also sometimes called the UK GDPR.
It applies to all EU member states and organisations outside the EU that process personal data of EU residents (extraterritoriality).
PrivCom does not enforce the GDPR nor interpret it; organisations subject to the GDPR should seek their own advice.
Key differences:
Jurisdiction: PIPA applies to organisations in Bermuda that use personal information, while GDPR applies to organisations operating within the EU or handling data of EU residents.
Fines and Penalties: PIPA has penalties for non-compliance tailored to Bermuda’s jurisdiction. For example:
In Bermuda:
Misuse of personal information that has caused harm to individuals would form an offense under section 47(1)(a) and/or (b), meaning that violators could also be subject to financial liabilities under PIPA of up to $250,000 in addition to imprisonment for 2 years, per section 47(3).
Once PIPA is fully enacted, affected individuals are able to bring a private legal action against the perpetrator. Under PIPA’s section 21, individuals who suffer emotional distress are entitled to compensation determined by the court.
The GDPR imposes significant fines for non-compliance, potentially up to 4% of global annual turnover or €20 million, whichever is higher.
Relevance for organisations:
Organisations operating in Bermuda need to focus on PIPA compliance.
Under EU law, organisations with operations or customers in the EU must ensure they also comply with GDPR, as it has extraterritorial reach.
By understanding and implementing the provisions under PIPA, organisations in Bermuda can ensure they handle personal information responsibly and in compliance with the local privacy law, PIPA, thereby safeguarding the rights of individuals.