The majority of Bermuda’s Personal Information Protection Act 2016 (PIPA) is expected to come into force in 2018. Before PIPA’s enactment, privacy and the use of personal information were governed solely by the common law.
PIPA applies to every organization in Bermuda that uses personal information, including information that is used wholly or partly by automated means or where the information forms, or is intended to form, part of a structured filing system.
PIPA defines “personal information” broadly to include any information about an identifiable individual. PIPA prohibits an organization from “using” personal information unless one of the conditions in section 6 is met. “Using” is defined broadly to include: “collecting, obtaining, recording, holding, storing, organizing, adapting, altering, retrieving, transferring, consulting, disclosing, disseminating or otherwise making available, combining, blocking, erasing or destroying” personal information. The easiest way for an organization to ensure compliance is to obtain an individual’s consent prior to using his or her personal information.
PIPA also gives individuals new rights to access their personal information and to know the purpose for which that information is held.
By way of summary, PIPA requires organizations to:
- ensure sufficient security safeguards are in place to protect personal information;
- use personal information in a lawful and fair manner;
- ensure that personal information used is accurate and up-to-date for the purposes of use;
- not keep personal information for longer than is necessary;
- provide individuals with privacy notices containing information about practices and policies;
- use personal information only for the specific purpose stated in the privacy notice; and
- appoint a privacy officer to ensure compliance.
Where a Bermudian organization transfers personal information to an overseas third party, the Bermudian organization remains responsible for compliance with PIPA. This is of vital importance in the Bermudian insurance and financial markets, where it is commonplace for organizations to be part of a larger global corporate group within which information is regularly passed back and forth.
PIPA also creates the new office of privacy commissioner, which is responsible for ensuring compliance with the Act. The commissioner has the power to, inter alia, conduct investigations, issue formal warnings, give guidance, and conduct inquiries.
Non-compliance with PIPA is a criminal offense, punishable by fines of up to USD 25,000 (GBP 18,177; EUR 20,483) and up to 2 years’ imprisonment for a defaulting individual, and by fines of up to USD 250,000 (GBP 181,769; EUR 204,826) for defaulting companies.
The implementation of PIPA will allow Bermuda to apply for “adequacy” status from the European Union (EU). Once a country has adequacy status, personal information may flow freely between EU member states and that third country without the latter having to implement additional costly safeguards. This is an important step toward placing Bermuda on a level playing field with competitor jurisdictions that already have this status, including offshore competitors such as Jersey and the Isle of Man.
Comment
With the implementation of PIPA, Bermuda will join most other common law jurisdictions by adopting international privacy and personal information standards. This change is intended to promote international business. It remains to be seen how organizations in Bermuda will ensure compliance with PIPA.
Written by Juliana M. Snelling of Canterbury Law Limited