Bermuda continues preparations to fully implement the Personal Information Protection Act 2016

Bermuda continues preparations to fully implement the Personal Information Protection Act 2016

Preparations for full implementation of the Personal Information Protection Act 2016 (known as PIPA) continue with the Privacy Commissioner taking steps to ease cross border transfers of personal data.

The hope is that PIPA may lead to an adequacy decision from the European Commission and UK government on the basis that Bermuda offers an equivalent standard of data protection. This would allow routine cross-border transfers of personal data to Bermuda from the EU and likely the UK without the need for additional compliance requirements imposed by the EU General Data Protection Regulation and UK Data Protection Act 2018. This may increase the attractiveness of Bermuda as a jurisdiction for data intensive industries including insurance and banking.

Key to achieving that EU or UK adequacy decision is demonstrating that when organisations in Bermuda transfer personal data cross border that the overseas third party applies a similar level of protection. This creates a particular burden in Bermuda where a significant proportion of personal data is transacted with countries in North America and South East Asia which are not in receipt of an adequacy decision from the European Commission (save for Japan and South Korea which just received a European Commission adequacy decision). 

Under PIPA the transferring organisation remains responsible for the personal data it transfers abroad and imposes a requirement that the Bermudian entity carry out due diligence on the recipient to assess their data processing standards. Transfers can take place where there is a ‘reasonable belief’ that the recipient applies comparable protection to PIPA. This belief can be supported by binding corporate rules within group structures or standard contractual clauses in the case of suppliers or customers, both of which impose administrative burden and risk. The Privacy Commissioner can also designate particular jurisdictions or certification mechanisms as ‘comparable,’ removing the need for those.

In an effort to ease the burden on organisations and perhaps signal to the European Commission that its rules on cross border transfers are ‘adequate’, in March 2021 the Privacy Commissioner recognised the Asia Pacific Economic Cooperation (APEC) Cross Border Privacy Rules (CBPR) System as a certification mechanism for transfers of personal information to an overseas third party. CBPR certification is available to organisations in Japan, Korea, Singapore and the United States. This will mean that transfers to certified member organisations of the CBPR will meet the requirements for reasonable belief under PIPA provided that Bermudian entity verifies the recipient’s membership and makes it a term of the contract. Membership of CBPR can be verified via the website http://cbprs.org/.

Indications from the Privacy Commissioner so far are that it expects to take a risk based approach, meaning organisations that make genuine efforts to comply, including proper due diligence on overseas recipient organisations, are less likely to be subject to the penalties it may impose (up to $250,000 for corporate entities along with personal criminal liability for the directors).

We will continue to assist our clients with their preparation for the implementation of PIPA and provide updates as developments occur.