INTRODUCTION

Data protection law in Bermuda currently comprises a complex set of sectoral laws, regulator guidance and common law precedents established by the Bermuda courts.

Island Newcomer: PIPA

The Personal Information Protection Act 2016 (PIPA) is, however, intended to become the principal piece of legislation regulating the right to personal informational privacy in Bermuda.

Despite Bermuda's status as a British Overseas Territory, European Union (EU) regulations are not part of Bermuda's current legal system and EU Directives are, accordingly, not automatically implemented into Bermuda law. Notwithstanding this, the introduction of PIPA has caused the Government of Bermuda to consider the commercial opportunities that would arise from an "adequacy determination" from the EU Commission, once PIPA is fully in effect. Specifically, an adequacy determination would allow for the free flow of personal information between Bermuda and any EU member state, together with the increasing number of non-EU states that have obtained such determinations. This would increase economic opportunities for international businesses operating from Bermuda by helping to satisfy international privacy compliance requirements and placing them on a level playing field with those organisations based in many of Bermuda's competitor jurisdictions that are already deemed adequate by the EU Commission.

Once PIPA is fully in force, it is expected that the data protection framework will be supplemented by an official body of determinations and guidance issued by the Privacy Commissioner (Commissioner) and decisions rendered by the Bermuda courts interpreting the legislation. In the meantime, a new body of jurisprudence has been issued by the Information Commissioner which considers the protections afforded to personal information in the context of regulating the public's access to records held by Bermuda public authorities.

As of the date of the issuance of this Guide, a Commissioner has not yet been appointed and the substantive provisions of PIPA which will regulate the use of personal information are not in force within the jurisdiction. PIPA was originally expected to come fully into force by the end of 2018. In the absence of an appointed Commissioner, the new implementation period for the substantive provisions of the legislation has yet to be confirmed by the Government of Bermuda.

Sectoral Law

Existing sectoral laws in Bermuda are significantly older than PIPA. While it is generally anticipated that the existing data protection law will remain in force once PIPA is fully operative, it is worth noting that PIPA expressly provides that consequential amendments to other statutes can be made by the Government of Bermuda Minister responsible for information and communication technologies policy and innovation (Minister) where it appears to be necessary or expedient for the purposes of the legislation.

BEESMONT INSIGHTS

CONSTITUTIONAL PRIVACY PROTECTION

Chapter 1 of the Bermuda Constitution expressly establishes that every person in Bermuda is entitled to protection for the privacy of their home and other property, subject to respect for the rights and freedoms of others and for the public interest.

In advance of the appointment of the Commissioner, a significant constitutional step has already been taken by the Governor of Bermuda through the exercise of his powers under the Bermuda Constitution to protect and support the mandate of the Privacy Commissioner and to ensure the independence of the Office of the Privacy Commissioner.

Acting in accordance with the recommendation of the Bermuda Public Service Commission, the Governor issued the Bermuda Public Service (Delegation of Powers) Amendment Regulations 2018 (Regulations) on 11 January 2018.

Through these Regulations, the Governor has delegated his constitutional powers to both the Information Commissioner (responsible for the enforcement of PATI) and the Commissioner to exercise control over the appointment, removal and disciplinary control of the public officers assisting in the discharge of the functions of their independent offices. This watershed measure has significantly reduced the risk of governmental influence over these offices and is thoroughly welcomed as part of good governance for the administration of these offices and in preparation for an adequacy application.

PIPA │ BASIC CONCEPTS

The PIPA Draft Model and its corresponding Explanatory Notes were released in 2015.

Adoption of International Privacy Standards

The Explanatory Notes confirmed that the PIPA Model was based on the following eight international privacy principles:

  1. personal information shall be used fairly and lawfully;
  2. personal information shall be used for limited specified purposes;
  3. personal information shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are used;
  4. personal information shall be accurate and, where necessary, kept up to date;
  5. personal information used for any purpose shall not be kept for longer than is necessary for that use;
  6. personal information shall be used in accordance with the rights of individuals;
  7. personal information shall be kept securely; and
  8. personal information shall only be transferred to third parties (including international transfers) where there is a comparable level of protection.

The Explanatory Notes define privacy as "the expectation that confidential personal information disclosed in private will not be disclosed to third parties, when that disclosure would cause either embarrassment or emotional distress to a person of reasonable sensitivities."

According to the Explanatory Notes, the PIPA Draft Model provided a light regulatory environment, but one that had been prepared so that an application for EU adequacy might be made. In this context, the Explanatory Notes confirmed that the purpose of PIPA was "to govern the use of personal information by organisations in a manner that recognises both the need to protect the human rights of individuals in relation to their personal information and the need of organisations to use personal information for purposes that are legitimate."

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.