ARTICLE
22 October 2024

Privacy Law And Compliance Guide 2025: Bermuda

Appleby

Contributor

Appleby is one of the world’s leading offshore law firms, operating in 10 highly regarded and well-regulated locations. We provide comprehensive, expert advice and services across a number of key practice areas. We work with our clients to achieve practical solutions whether from a single location or across multiple jurisdictions.

OVERVIEW

INTRODUCTION

Bermuda's privacy laws and regulations concerning the protection and use of personal information in Bermuda currently exist across two different statutes. One of them, the Electronic Transactions Act 1999 (ETA), has neither been activated with regard to its privacy law provisions nor has it been rescinded concerning its potential privacy law influence. The second statute, the Personal Information Protection Act 2016 (PIPA), was passed in 2016 but will only be brought into full force and effect on, and as of, January 1st, 2025. Since PIPA has been crafted as omnibus legislation governing the use of personal information across all sectors, private and public, it may well be that when the Bermuda Government introduced and passed the Personal Information Protection Amendment Act 2023 (mostly for drafting clean-up purposes), it simply and inadvertently overlooked the need to repeal the sections of the ETA that were originally positioned (a quarter of a century ago) to address data protection and privacy law at some point in the future.

Although the genesis of PIPA is discussed below, it is first important to note that even though Bermuda is a British Overseas Territory (pursuant to the British Overseas Territories Act 2002), domestic privacy laws are within the constitutional authority of the Bermuda Government. The European Union's (EU) laws and regulations concerning privacy and data protection (the EU's General Data Protection Regulation) and the United Kingdom's Data Protection Act 2018 (often referred to as the UK GDPR) have not been enacted in Bermuda. However, the Bermuda Government has been cognisant that the "safe harbour" or "adequacy" requirements of both of those data protection legal regimes are important to international trade and finance. In recognition that it would be highly beneficial for international business in Bermuda if privacy laws were enacted and implemented in Bermuda, it brought PIPA into force so that our jurisdiction's treatment of privacy rights and the protection of personal information would be consistent with international legal norms and best regulatory practices, all in the interest of facilitating the cross-border flow of all data through Bermuda, including personal information.

Bermuda's Privacy Law History – though still on the books

ELECTRONIC TRANSACTIONS ACT 1999 (ETA)

In 1999, Bermuda enacted legislation to legally facilitate e-commerce business and operations, which included a set of EU-style "data protection principles", including the concepts of "personal data" and "data processor" among them.

The ETA governs a very broad range of transactions carried out by electronic means and expressly addresses, in part, "electronic records" (any record created, stored, generated, received or communicated by electronic means) and "personal data" (any information relating to an identified or identifiable natural person). Since 1999, the types and scope of business and commercial activities conducted over the internet, and governed by the ETA, have expanded across all sectors and enterprises. Online business as we know it today is no longer the narrow domain of what was referred to in 1999 as "e-commerce". It has been argued that the introduction of "data protection" laws in Europe (including the UK at that time) in the late 1990s was intended more as a Non-Tariff Barrier (NTB) to trade, for the purpose of disrupting or controlling the otherwise unchecked and exploding growth of e-commerce into Europe from the United States. That is why it is neither uncommon nor out of place to see the first vestiges of "privacy law" appear as "data protection" buried in legislation that enables and controls electronic commerce, such as the ETA.

Part VI of the ETA, titled "Data Protection", relied upon the nomenclature in the EU's original data protection laws to permit the Government to create a regime of standards for the use and processing of personal data in the hands of "data controllers" and "data processors". In May 2000, the Bermuda Government prescribed the "Standard for Electronic Transaction" pursuant to Sections 29(3) and 29(5) of the ETA (the Privacy Standards). The Privacy Standards included specific personal information protection requirements and obligations, including the following prescriptions for those who are involved in "transactions" (a term not defined by the ETA) involving, in part, the storage, use or processing of personal data:

  • Section 4(A)(iv) – Protect Personal Data and to respect the privacy, accuracy and security of personal information in accordance with the ETA;
  • Section 7(A) – titled, Maintenance of Effective Monitoring Systems;
  • Section 7(D) – titled, Establish Systems to Protect Privacy, which includes the following prescriptions:

(i) intermediaries and e-commerce service providers should collect personal data of customers only:

  • if relevant for the provision of goods, services or information as agreed with the customer only; and
  • as otherwise disclosed to the customer prior to collection of such information.

(ii) intermediaries and e-commerce service providers should use personal data and business records of customers only for:

  • internal marketing, billing or other purposes necessary for the provision of services;
  • purposes made known to the customer prior to the time the personal data or business records are collected; or
  • other purposes with the prior consent of the customer

(iii) intermediaries and e-commerce service providers should endeavour to ensure that the personal data or business records:

  • are accurate and if necessary, kept up to date;
  • if inaccurate, are erased or rectified;
  • are erased when no longer reasonably required; and

(iv) intermediaries and e-commerce service providers should endeavour to:

  • ensure the confidentiality of personal data and business records of customers;
  • prevent the sale or transfer of the personal data and business records of customers other than as part of the sale of the intermediaries' or e-commerce service providers' business; and
  • prevent the examination of or tampering with personal data or business records other than for the purposes of maintenance or security of the relevant information processing system or data integrity.

The Privacy Standards do not prohibit the disclosure of personal information or business records:

  • where the express or implied consent of the person to whom such personal data or business records relates has been secured; or
  • as required by law.

PERSONAL INFORMATION PROTECTION ACT 2016 (PIPA)

INTRODUCTION

Notwithstanding the ETA, PIPA was drafted through 2014 and 2015, and it received Royal Assent in July 2016. It applies to all organisations that use personal information in Bermuda. PIPA has ties to privacy and data protection laws on both sides of the Atlantic; however, in its structure, nomenclature and simplification of the law it is primarily based on various Canadian statutes, perhaps most closely the approach to privacy protection taken in Alberta, Canada, which also calls its privacy rights legislation the "Personal Information Protection Act".

PIPA is structured as both omnibus legislation and primacy legislation. PIPA governs all sectors of Bermuda, both private and public. Except for the Human Rights Act in Bermuda, if any enactment in Bermuda is inconsistent with or conflicts with the provisions of PIPA, PIPA shall prevail. Arguably, PIPA's legislative primacy renders the need for the Government to repeal the privacy law provisions of the ETA somewhat less pressing.

PIPA's administrative provisions came into force in December 2016 to enable the establishment of a Privacy Commission (including the appointment of a Privacy Commissioner). However, the substantive provisions concerning the privacy rights of individuals and the protection of personal information under PIPA will not be proclaimed into full force until January 1st, 2025. As at the date of this Guide's publication [October 2024], the commencement date of January 1st, 2024 has not been gazetted by the Government.

PIPA enacts a set of jurisdictional "data protection principles" that are found across numerous jurisdictions, all with the express intention of securing EU and international "adequacy" and "safe harbour" status so that personal information can move freely between Bermuda and the rest of the world. Following PIPA's proclamation into force, it is expected that applications to the EU and other jurisdictions will be made by the Privacy Commissioner for "adequacy" status. It is interesting to note that in 2024 the data protection authority of the EU formally reconfirmed that Canada's approach to the protection of privacy rights satisfies the EU's "safe harbour" requirements and is adequate to permit the export of personal data from the EU to Canada under those legislative protections.

Unlike the EU's GDPR and the UK's Data Protection Act 2018, PIPA does not adopt the "data controller", "data subject" or "data processor" nomenclature of EU data protection law, referring instead to the more North American terminology of "organisations", "individuals" and "third parties". PIPA does reflect the international principle that the "organisation" – defined as any individual, entity or public authority that uses personal information – is responsible for ensuring compliance with Bermuda's privacy laws at all times. It is important to note that enterprises that perform services to process personal information on behalf of organisations are not directly regulated under PIPA. Organisations can delegate the use of personal information to data processing service providers but organisations cannot delegate their PIPA responsibilities and regulatory accountability to others.

PERSONAL INFORMATION

"Personal Information" is defined as "any information about an identified or identifiable individual".

PIPA applies to every organisation that uses personal information in Bermuda, and all personal information that is collected by such organisations must be collected and used in a lawful and fair manner. Organisations must further ensure that all personal information that is used is accurate and kept up to date. Any personal information that is collected must be adequate, relevant and not excessive in relation to the purposes for which it is used. Personal information must not be retained for longer than is necessary. With regard to retention, PIPA is not merely suggestive but mandatory in its prohibition: personal information must not be kept for longer than is necessary for the purposes for which it is collected and used.

Organisations are required both to:

  • formulate and adopt suitable measures and policies to give effect to their obligations, and to the rights of individuals, under PIPA (section 5(1) of PIPA); and
  • provide individuals with a notice about their practices and policies concerning personal information.

Those are very distinct obligations, and both are requirements of PIPA.

Organisations have transparency obligations that include the obligation to provide a "privacy notice" to individuals with a statement about their practices and policies concerning personal information. For example, the statements should have the following characteristics and contain the following information (among others):

  • must be clear;
  • must be easily accessible;
  • must include a statement about its practices and policies concerning personal information (see below);
  • must include the fact that personal information is being used;
  • must state the purposes for which personal information is or might be used;
  • must disclose the identity and types of individuals or organisations to whom personal information might be disclosed;
  • must disclose the identity and location of the organisation posting the privacy notice and using the personal information;
  • must disclose information on how to contact the organisation concerning the organisation's handling of personal information;
  • must name the appointed privacy officer;
  • must disclose the choices and means the organisation provides to an individual for limiting the use, accessing, rectifying, blocking, erasing and destroying of an individual's personal information;
  • must "take all reasonably practicable steps to ensure" the privacy notice is provided before or at the time the personal information is collected;
  • the privacy notice's disclosure of the particular practices and policies that are delineated in section 9 (1) and (2) concerning the collection, storage, use and disclosure of personal information is not exhaustive. Therefore, there are other material PIPA requirements that organisations may also wish to disclose.

Small businesses will find helpful assurance in PIPA's stipulation that a privacy notice is not required where the small business' use of personal information will be within the reasonable expectations of the individual to whom such personal information relates. In addition, section 11 of PIPA provides that all organisations, including small businesses, must ensure that the personal information they collect and use is adequate, relevant and not excessive for the purposes for which it was gathered and used.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
