Bermuda Introduces Draft Model Personal Information Protection Act (PIPA)


About Agathe Holowatinc

Agathe manages the firm’s library and information centre, provides legal research and reference services and delivers training in the use of print and online resources to the firm’s attorneys and pupils. She also coordinates the firm’s marketing and public relations programme, leads the design and development of the firm website, Bermuda Law Blog and MJM Quarterly Newsletter, and oversees IT operations.

Agathe Holowatinc’s full profile on mjm.bm.

In the USA, “Companies and marketing firms have been gathering information about customers and potential customers for years, collecting their names and addresses, tracking credit card purchases, and asking them to fill out questionnaires, so they can offer discounts and send catalogues. But today we are giving up more and more private information online without knowing that it’s being harvested and personalized and sold to lots of different people…” … “It’s not about what we know we’re sharing, it’s about what we don’t know is being collected and sold about us.” (CBS News, March 9, 2014)


In Bermuda, the Department of E-Commerce found in its latest ICT survey that ninety-seven percent (97%) of Bermuda residents believed that it was important to protect their personal information, echoing sentiments shared by many around the world. Today, the right to information/data privacy is being recognized globally as a basic human right and laws are being, or have already been, put into place accordingly that restrain both government and private party actions that threaten the privacy of individuals.

To that end, the Government of Bermuda under the Ministry of Economic Development is planning to introduce legislation that fortifies privacy protection rights for all residents. A Draft Model Personal Information Protection Act (PIPA) was written and sent out for public consultation from July 10th to August 17th, 2015. The PIPA Draft Model covers personal information in both the online and offline environments (i.e. filing cabinets), including provisions for the protection of children’s personal information, the use of “sensitive” information such as details about one’s race, religion, sexual orientation, etc., and access to medical records.

In the Explanatory Notes to the Draft Model, where context for the proposed legislation is provided, it is stated that:


Privacy is the expectation that confidential personal information disclosed in private will not be disclosed to third parties, when that disclosure would cause either embarrassment or emotional distress to a person of reasonable sensitivities. This idea has been developed by a number of international organisations into a set of common principles that embody a right of informational privacy i.e. that everyone has the right to the protection of personal information concerning him or her. These principles have been implemented by a large number of countries and the PIPA Model has been based on them. They are as follows:

1. Personal information shall be used fairly and lawfully.
2. Personal information shall be used for limited specified purposes.
3. Personal information shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are used.
4. Personal information shall be accurate and, where necessary, kept up to date.
5. Personal information used for any purpose shall not be kept for longer than is necessary for that use.
6. Personal information shall be used in accordance with the rights of individuals (as set out in the PIPA Model).
7. Personal information shall be kept securely.
8. Personal information shall only be transferred to third parties (including international transfers) where there is a comparable level of protection.

On the whole, the PIPA Draft Model sets out how organisations, businesses and the government may use personal information. Its goals are to address the privacy concerns of Bermuda residents and to satisfy international privacy compliance requirements that would put Bermuda organizations on a level playing field with those based in other jurisdictions that are already deemed adequate, effectively increasing economic opportunities for international business, indicated Dr the Hon. E. Grant Gibbons, Minister of Economic Development (Royal Gazette).

In other words, adopting privacy legislation would bring Bermuda in line with other jurisdictions and would make Bermuda eligible to put forth an application for European Union (EU) adequacy (as a country providing ‘adequate protection’ from the EU Directive standpoint by significantly closing the perceived gap in the regulatory and enforcement mechanisms for privacy protection). The Notes to the Draft Model state that “EU adequacy would enable the unhindered transfer of personal information between Bermuda and any EU member state together with the increasing number of countries that have also been deemed adequate by the EU Commission. This would increase economic opportunities for international business operating from Bermuda by helping to satisfy privacy compliance requirements and placing them on a level playing field with those organisations based in many of our competitor jurisdictions that are already deemed adequate.” The PIPA Draft Model draws on legislation from Canada, the United States, Europe and beyond.

You can find the Draft Model, related documentation and further information on the Privacy website at www.privacy.bm.

This legislative initiative complements the recently launched Public Access to Information Act which provides for public access to Government information (for more on that see these posts: Public Access To Information (PATI) Act and Regulations Now In Force and Q & A with Bermuda’s first Information Commissioner, Gitanjali S. Gutierrez).

We now await the results of the consultation process, which might reveal any unintended consequences of the proposed PIPA Draft Model.