On 1st January 2025, Bermuda's Personal Information Protection Act 2016 (PIPA) came into full force and effect. Based on the core principles of data protection and privacy law internationally, PIPA has profound operational, legal compliance and corporate governance implications for all businesses that use personal information in Bermuda. At the same time, PIPA brings Bermuda into the accepted world of international 'safe data harbours'.
Like most regulatory authorities in Bermuda, the Privacy Commissioner under PIPA has the authority to: conduct investigations concerning PIPA compliance; make PIPA compliance orders upon the completion of an investigation; educate the public about the Act; receive comments from the public concerning the administration of the Act; and do anything which reasonably appears to the Privacy Commissioner to be conducive to the carrying out of his functions under the Act. The authority of the Privacy Commissioner is also supported by the Department of Public Prosecutions' ability to prosecute businesses for offences they commit under PIPA.
However, unlike the position under other regulatory regimes in Bermuda, perhaps the greatest source of compliance liability for businesses under PIPA lies within the purview of individuals, who now hold a broad range of privacy rights concerning the use and protection of their personal information in Bermuda. Under PIPA, individuals now have the right to ask a Court for compensation from any business that has caused the individual to suffer financial loss or emotional distress because of that business' failure to comply with PIPA. In such actions, the amount of compensation that may be awarded to an individual will be determined by the Court.
Many businesses in Bermuda have a global reach, so it is important to note that PIPA applies to the use of all personal information in Bermuda regardless of the location, or the connection to Bermuda, of the individuals whose privacy rights may be infringed by the business. For example, individuals from anywhere in the world who have had their personal information used in Bermuda and who have suffered financial loss or emotional harm have the right to seek compensation due to the relevant Bermuda business' failure to comply with PIPA.
Although there are numerous operational compliance requirements for businesses under PIPA, the following highlights some of the more common PIPA prescriptions that businesses now face as mandatory requirements in the ordinary course of their operations.
First, PIPA permits businesses to use personal information for the purposes of a business transaction (which includes M&A transactions among others) without the consent of the subject individuals on the condition that:
- the parties have entered into an agreement that restricts the use of the personal information to the purposes of the transaction
- there has been a determination that such use is necessary for the purposes of the business transaction
- the agreement requires the personal information to be destroyed or returned to the disclosing party if the transaction does not proceed.
Many preliminary engagement agreements for business transactions (such as an NDA) adequately address those preconditions, but any contractual caveats or qualifications to those requirements that permit other uses by the recipient may put the disclosing party off-side of PIPA's allowance for business transaction use.
Second, businesses that routinely transfer personal information to recipients in other jurisdictions must now comply with section 15 of PIPA before they can undertake those international transfers. Section 15 sets out several possible grounds to allow the export of personal information from Bermuda but two of the most relied on grounds are:
- if the business, acting reasonably, believes that the recipient's jurisdiction provides a level of protection for the personal information that is comparable to the protections provided by PIPA
- if the parties to the transfer rely on a 'contractual mechanism', or where 'corporate codes of conduct including binding corporate rules' exist, to ensure that the foreign recipient will provide such a comparable level of protection for the exported personal information.
Given the legal nuances and complexity of comparing the privacy laws of Bermuda with those of other jurisdictions, and in the absence of a formal certification by the Bermuda Government of a jurisdiction's 'PIPA adequacy', many businesses in Bermuda prefer to rely on the terms and conditions of the relevant service agreement pursuant to which the personal information will be exported in order to adequately set out the disclosing party's obligations under PIPA. For example, where a Bermuda business is engaged in an international business transaction and will export business data that includes personal information, whether to a counterparty or to a data-room service provider, that personal information cannot be exported from Bermuda unless section 15 of PIPA is first complied with.
Third, among the most important PIPA requirements for businesses in Bermuda is the necessity for all personal information to be protected by adequate safeguards. As proportional, risk-based legislation, PIPA stipulates that the more sensitive the personal information is, and the greater the harm that might be caused in the event of wrongful access to or misuse of that personal information, the more onerous such protective 'safeguards' must be. PIPA further stipulates that any business that engages the services of a third party service provider (whether domestically or internationally) in a manner that involves the use of personal information will remain responsible for ensuring compliance with PIPA by such third parties at all times. Certainly, those obligations dovetail with section 15's 'contractual mechanism' ground for the export of personal information. Another important third party contract term for such service agreements is the requirement to notify the business of a security breach event, together with all of the information that the business needs in order to, in turn, notify affected individuals and the Privacy Commissioner of such event.
Another privacy law compliance requirement that has attracted attention is PIPA's privacy notice requirement. Even though PIPA is very clear as to what a privacy notice must disclose, some businesses have decided not to comply with some of those requirements. For example, many businesses include privacy notice disclosures that are not required by PIPA, and many others have chosen not to disclose the identity of those to whom the business provides personal information. In that regard, the Privacy Commissioner's March 2025 publication titled 'Financial Service Provider's Guidance Notes - Final Report' provides the following instructive guidance on this topic: "...organisations have a minimum requirement to undertake genuine efforts to operate fairly and transparently. Appreciating that it may be practically difficult for an organisation to disclose the identity of the individuals and/or organisations with whom personal information may be shared, organisations should make genuine efforts to disclose in their Privacy Notice the types of parties that an individual's personal information may be shared with in accordance with the provisioning of a financial service. Upon receipt of a rights request, organisations should be prepared to inform the individual with whom the personal information was in fact shared."
Finally, businesses in Bermuda should note that PIPA intersects with several other regulatory regimes in Bermuda, some of which may have overlapping requirements. For example, the cybersecurity codes of conduct that have been issued by the Bermuda Monetary Authority (BMA) for the financial services that it regulates stipulate that its registrants must comply with the privacy laws in the jurisdictions in which they operate, which now includes PIPA. Among other aspects of intersection, those regulations and PIPA both require the disclosure of a security incident or event to the respective authority. Those notice requirements are not identical, so all such incidents and events must be carefully considered by the relevant businesses to determine when any such notice is required and what related information must be disclosed. Additional security and reporting requirements are also expected under the recently passed Cybersecurity Act 2024 for both the public sector and for the critical infrastructure businesses that are designated therein concerning any 'cybersecurity event' that may occur.
Despite its many implications for businesses in Bermuda, in a world of international commerce that demands the fluid cross-border flow of personal information, Bermuda's comparatively less complicated and streamlined privacy law regime arguably provides Bermuda with yet another important competitive advantage in attracting international investment and business enterprise.
Originally published by Bermuda Business Review 2025-2026, June 2025
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.