PRIVACY, DATA PROTECTION & CYBERSECURITY REGULATION OVERVIEW
Bermuda's laws and regulations concerning the protection and use of personal information, data, and related cybersecurity risk management currently exist across several statutes and regulations. Several areas of law are now converging to regulate the privacy, security, integrity and reliability of information in the Bermuda economy. Even though Bermuda is a British Overseas Territory (pursuant to the British Overseas Territories Act 2002), domestic privacy and data protection laws are within the constitutional authority of the Bermuda Government. The European Union's (EU) laws and regulations concerning privacy and data protection (the EU's General Data Protection Regulation) have also not been enacted in Bermuda. However, the Bermuda Government is cognisant that "safe harbour" or "adequacy" status, as determined by jurisdictions that have data export restrictions (such as the EU), would be highly beneficial for international business in Bermuda. The following is a survey of Bermuda's current and expected privacy, data protection, and cybersecurity laws and regulations.
ELECTRONIC TRANSACTIONS ACT 1999 (ETA)
In 1999, Bermuda enacted legislation to legally facilitate e-commerce business and operations, which included a set of EU-style "data protection principles" and introduced the concepts of "personal data" and "data processor".
The ETA governs a very broad range of transactions carried out by electronic means and expressly addresses, in part, "electronic records" (any record created, stored, generated, received or communicated by electronic means) and "personal data" (any information relating to an identified or identifiable natural person). Since 1999, the types and scope of business and commercial activities conducted over the internet, and governed by the ETA, have expanded across all sectors and enterprises. Online business as we know it today is no longer the narrow domain of what was referred to in 1999 as "e-commerce".
Part VI of the ETA, titled "Data Protection", permits the Government to create a regime of standards for the use and processing of personal data in the hands of "data controllers" and "data processors". In May 2000, the Bermuda Government prescribed the "Standard for Electronic Transaction" pursuant to Sections 29(3) and 29(5) of the ETA (the Privacy Standards). The Privacy Standards include specific personal information protection requirements and obligations, including the following prescriptions for those who are involved in "transactions" (a term not defined by the ETA) involving, in part, the storage, use or processing of personal data:
- Section 4(A)(iv) – Protect Personal Data and to respect the privacy, accuracy and security of personal information in accordance with the ETA;
- Section 7(A) – titled, Maintenance of Effective Monitoring Systems;
- Section 7(D) – titled, Establish Systems to Protect Privacy, which includes the following prescriptions:
  (i) intermediaries and e-commerce service providers should collect personal data of customers only:
    - if relevant for the provision of goods, services or information as agreed with the customer; and
    - as otherwise disclosed to the customer prior to collection of such information.
  (ii) intermediaries and e-commerce service providers should use personal data and business records of customers only for:
    - internal marketing, billing or other purposes necessary for the provision of services;
    - purposes made known to the customer prior to the time the personal data or business records are collected; or
    - other purposes with the prior consent of the customer.
  (iii) intermediaries and e-commerce service providers should endeavour to ensure that the personal data or business records:
    - are accurate and, if necessary, kept up to date;
    - if inaccurate, are erased or rectified; and
    - are erased when no longer reasonably required.
  (iv) intermediaries and e-commerce service providers should endeavour to:
    - ensure the confidentiality of personal data and business records of customers;
    - prevent the sale or transfer of the personal data and business records of customers other than as part of the sale of the intermediaries' or e-commerce service providers' business; and
    - prevent the examination of or tampering with personal data or business records other than for the purposes of maintenance or security of the relevant information processing system or data integrity.
The Privacy Standards do not prohibit the disclosure of personal information or business records:
- where the express or implied consent of the person to whom such personal data or business records relates has been secured; or
- as required by law.
However, it is important to note that Section 7(D) of the Privacy Standards (and only that section) will not apply to the extent that any other law, or any more onerous obligation of confidentiality relating to personal data, applies, whether by statute, common law or in equity.
PERSONAL INFORMATION PROTECTION ACT 2016 (PIPA)
PIPA received Royal Assent in July 2016 and applies to all organisations in Bermuda that use personal information. With ties to privacy and data protection laws on both sides of the Atlantic, but with a particular reliance on Canadian statutory precedent, PIPA was drafted as a privacy framework to meet Bermuda's unique public policy requirements.
PIPA's administrative provisions came into force in December 2016 to enable the establishment of a Privacy Commission (including the appointment of a Privacy Commissioner). However, the substantive provisions of PIPA concerning the privacy of personal information have not yet been proclaimed into full force, in order to allow for a transitional period that permits the business community to prepare and allows for the issuance of interpretive guidance to help organisations in Bermuda achieve compliance. As at the date of this Guide's publication (September 2022), the Privacy Commissioner has issued several PIPA guidance publications and held various PIPA compliance training and educational programmes. Further interpretive guidance concerning PIPA from the Privacy Commission is anticipated before PIPA is fully proclaimed into force.
It is also anticipated that when the Bermuda Government proclaims all of PIPA into force, the overlapping data privacy provisions of the ETA that are currently in effect may be repealed.
PIPA enacts a set of "data protection principles" that are found across numerous jurisdictions, with the express intention of securing EU and international "adequacy" and "safe harbour" status so that personal information can move freely between Bermuda and the rest of the world. Following PIPA's proclamation into force, it is expected that the Privacy Commissioner will apply to the EU and other jurisdictions for "adequacy" status.
PIPA does not adopt the "data controller", "data subject" or "data processor" nomenclature of EU data protection law, referring instead to the more North American terminology of "organisations", "individuals" and "third parties". PIPA does reflect the international principle that the "organisation" – defined as any individual, entity or public authority that uses personal information – is responsible for ensuring compliance with Bermuda's privacy laws at all times. It is important to note that enterprises that perform services to process personal information on behalf of organisations are not directly regulated under PIPA. Organisations can delegate the use of personal information to data processing service providers but organisations cannot delegate their PIPA responsibilities and regulatory accountability to others.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.