Bermuda Data Protection Overview August 2024 edition
Governing Texts
As of the date of this publication (1 August 2024), data protection in Bermuda is largely comprised of a complex set of sectoral laws, regulator guidance, and common law precedents established by the Bermuda courts.
The administrative provisions of the Personal Information Protection Act 2016 ('PIPA'), however, have been in force since 2 December 2016 and the corresponding independent regulatory authority, the Office of the Privacy Commissioner for Bermuda ('PrivCom'), has an established presence on the island. On 15 June 2023, the Government of Bermuda ('the Government') and PrivCom jointly announced the official date for the remaining provisions of PIPA to come into effect as 1 January 2025. This was intended to provide organisations in Bermuda with an 18-month window to prepare for compliance with PIPA.
Organisations in Bermuda are now working against the clock, with less than 6 months to set budgets, develop compliant privacy programmes and prepare for breach incident response & reporting to the Privacy Commissioner. Such preparations take place in the shadow of mounting global concern regarding the exploitation of individuals' personal information, risks posed by AI-driven and defence solutions, and the infiltration of complex systems by bad actors and foreign governments alike.
As an archipelago with a total land mass of only 53.2 km², Bermuda is the flagship jurisdiction for many insurers/reinsurers and further remains the commercial jurisdiction of choice for a sea of high-net-worth individuals ('HNWI'), investors, financial advisors and wealth managers. More than ever, maintaining trust in commercial partnerships and community relationships is an intrinsic part of doing business, whether as a public authority, non-profit, public figure or as an international commercial enterprise. PIPA, accordingly, is intended to reflect international trends in the regulation of informational privacy to maintain the island's robust market presence. Once fully in force, PIPA will become the overarching framework regulating the right to personal information privacy in Bermuda.
In the interim, the policy and legislative landscape in Bermuda is already experiencing a shift towards a more modernised and resilient approach to the regulation of information and response to attacks.
Once PIPA is fully in force, it is expected that the data protection framework will be supplemented by an official body of determinations and guidance issued by PrivCom and decisions rendered by the Bermuda courts interpreting the same. In the event that PrivCom determinations are similar to those issued by the Bermuda Information Commissioner's Office ('ICO'), the jurisdiction will see the formation of clear and reasoned decisions available to the public and, in due course, structured guidance to organisations such as the ICO's Compliance Enforcement Policy & Handbook published in January 2024.
Accordingly, the Bermuda privacy and access to information landscape continues to develop and be recognised locally and internationally. In light of the fluid policy landscape in Bermuda, organisations are urged to take legal advice in connection with any specific organisational initiatives or the transfers of personal information involving Bermuda.
Notable Upcoming Changes to Legislation
- Reform to Access to Information Law: On 16 June 2023, the Bermuda Parliament ('the Parliament') passed the Personal Information Protection Amendment Act 2023 ('Amendment Act'), which will amend PIPA and the island's access to information framework ('PATI') in order to prepare for the new data protection framework to come into force. Amongst other changes, the Amendment Act will ensure that, following the commencement of PIPA, PATI will no longer apply to records relating to the personal information of a requester. Any requester making a request under PATI to a public authority to access or amend their personal information must be notified in writing that they should proceed under PIPA. The Governor of Bermuda provided their Assent to the Amendment Act on 18 July 2023. No express date has been announced for the Amendment Act to come into force within the jurisdiction.
- Cybersecurity Framework: On 31 May 2024, the House of Assembly passed the Cybersecurity Act 2024 ('Cybersecurity Act') in the wake of the September 2023 attack on the systems of the Government. This assault has been most recently described as a "cyberattack" by the Minister of National Security ('Minister') in their 3 May 2024 Cyber Security Update. The cyberattack caused prolonged disruptions to various public services in Bermuda which lasted weeks, or even months. The Governor of Bermuda provided their Assent to the Cybersecurity Act on 24 June 2024. No express date has been announced for the Cybersecurity Act to come into force within the jurisdiction.
- Computer Misuse Act 2024: On 17 May 2024, the House of Assembly passed the Computer Misuse Act 2024 ('CMA'). The CMA is intended to repeal the Computer Misuse Act 1996 and replace it with a comprehensive statutory scheme that updates the law by re-enacting and enhancing the criminal offences relating to unauthorised access to computers, in line with international best practice as contained in the Council of Europe Convention on Cybercrime signed in Budapest on 23 November 2001. The Governor of Bermuda provided their Assent to the CMA on 4 June 2024 and again on 9 July 2023.
Privacy Regulator in Bermuda
As of the date of this guidance, PrivCom is comprised of an Investigations Unit, Operations Unit and Policy & Communications Unit. The public office is led by a Senior Management Team composed of the Privacy Commissioner for Bermuda, Deputy Commissioner, Assistant Commissioner (Operations) and Assistant Commissioner (Investigations).
An individual (or a representative of a personal information owner) can now request a regulatory advisory opinion from PrivCom when they have a concern about a privacy violation, personal data breach, matters related to personal data protection, any other violation of PIPA, and other PIPA issuances that do not affect them personally or involve their personal data. General PrivCom support may also be requested in connection with specific industries or an information privacy breach / incident.
Internationally, PrivCom has been the first privacy regulator outside the Asia-Pacific Economic Cooperation ('APEC') forum to recognise the Cross Border Privacy Rules ('CBPR') as an effective certification mechanism for overseas data transfers. Between 15-20 October 2023, Bermuda hosted the Global Privacy and Data Protection Summit of the Global Privacy Assembly ('GPA'). Prior to the event, the Privacy Commissioner was appointed to the Executive Committee of the GPA to plan and coordinate the gathering. The GPA was comprised of an open session (open to the local and international business community for registration on 16 and 17 October 2023) and a closed session (open to GPA Membership only on 18-20 October 2023).
Sectoral Law
Existing sectoral laws in Bermuda are significantly older than PIPA. While it is generally anticipated that the existing data protection law will remain in force once PIPA is fully operative, it is worth noting that PIPA expressly provides that consequential amendments to other statutes can be made by the Minister responsible for ICT policy and innovation ('the ICT Policy Minister') where it appears to be necessary or expedient for the purposes of the legislation. All legislation, including PIPA, is and will continue to be subject to the Bermuda Constitution Order 1968 ('Constitution'), which overrides domestic legislation, common law principles and the Human Rights Act 1981 ('HRA').
PIPA expressly states that if its provisions are inconsistent or in conflict with a provision of another enactment, PIPA will prevail unless it is inconsistent with or in conflict with a provision in the HRA, in which case, the HRA will prevail. PIPA further states that the legislation applies notwithstanding any agreement to the contrary and any waiver or release of the rights, benefits, or protections provided under PIPA will be against public policy and void.
Bermuda Constitution
Chapter 1 of the Constitution expressly establishes that every person in Bermuda is entitled to protection for the privacy of their home and other property, subject to respect for the rights and freedoms of others and for the public interest. In advance of the appointment of the Privacy Commissioner, a significant constitutional step was taken by the Governor through the exercise of their powers under the Constitution to protect and support the mandate of the Privacy Commissioner and to ensure the independence of PrivCom.
Acting in accordance with the recommendation of the Bermuda Public Service Commission, the Governor issued the Bermuda Public Service (Delegation of Powers) Amendment Regulations 2018 ('the Regulations') on January 11, 2018. Through these Regulations, the Governor has delegated their constitutional powers to both the Information Commissioner (responsible for the enforcement of PATI) and the Privacy Commissioner to exercise control over the appointment, removal, and disciplinary control of the public officers assisting in the discharge of the functions of their independent offices. This watershed measure significantly reduced the risk of governmental influence over these offices and is thoroughly welcomed as part of good governance for the administration of these offices and in preparation for an adequacy application.
Guidelines
There are a number of regulatory authorities and postholders in Bermuda that have the power to issue guidance/have issued guidance pertaining to cyber and data protection, inclusive but not limited to:
- PrivCom: In January 2024, PrivCom launched 'The Road to PIPA', a year-long initiative aimed at providing resources and guidance to support the development of privacy programmes across the island, with a particular focus on small-to-medium sized organisations. Prior to this endeavour, PrivCom had already issued a series of blog posts and guidance in a variety of privacy contexts inclusive of cyberattacks, children, ChatGPT, public health emergencies & contact tracing, cybersecurity, data transfers and privacy officers.
- Bermuda Monetary Authority: The Bermuda Monetary Authority ('BMA') has issued a revised Operational Cyber Risk Management Codes of Conduct applicable to specific licensees (inclusive of Insurance, Corporate Service Providers, Trust Companies, Money Service Businesses, Investment Businesses, Fund Administration Providers, Banks and Deposit Companies). Licensees were required to be in compliance with the same by 15 February 2023.
- ICT Policy Minister: Pursuant to Section 20(11) of PIPA, the ICT Policy Minister may, in consultation with the Privacy Commissioner, prescribe any fees which are applicable to the administration of requests by organisations for access to personal information (Section 17 of PIPA) and access to medical records (Section 18 of PIPA). The ICT Policy Minister has not prescribed any such fees. Pursuant to Section 32 of PIPA (not currently in force), the ICT Policy Minister will be required to issue codes of practice, after consultation with the Privacy Commissioner, with best practice advice for organisations generally, or for specific types of organisations, to comply with PIPA. The Privacy Commissioner may also be consulted by the ICT Policy Minister in connection with the Minister's passing of general regulations for the carrying out of, or giving effect to the purposes of, PIPA. The ICT Policy Minister has not issued any such guidance as of the date of this guidance.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.