Gretchen Tucker of BeesMont Law in Bermuda considers the impact of the jurisdiction’s emerging cybersecurity framework on commercial organisations
The Personal Information Protection Act 2016 (PIPA) received the Royal Assent on 27 July 2016, and discrete administrative provisions of the legislation came into force on 2 December 2016, enabling the recruitment of a Privacy Commissioner and the creation of an independent office of the Privacy Commissioner.
PIPA is intended to create a bespoke privacy framework for the protection of personal information, while adhering to recognised international standards for privacy protection and addressing recent global developments, such as the EU General Data Protection Regulation and the EU-US Privacy Shield. The legislation will apply to every organisation that uses personal information in Bermuda where that personal information is used wholly or partly by automated means and where the use of personal information forms or is intended to form part of a structured filing system. “Use” is defined broadly by PIPA as “carrying out any operation on personal information, including collecting, obtaining, recording, holding, storing, organising, adapting, altering, retrieving, transferring, consulting, disclosing, disseminating or otherwise making available, combining, blocking, erasing or destroying it”.
In 2016, the Government of Bermuda advised that, due to the significant rights and duties created by the legislation, the major provisions of PIPA would not come into force for approximately two years from the date of Royal Assent in order to allow organisations and commercial businesses to prepare for the new regime.
Earlier this month, on 3 February 2017, the Government of Bermuda confirmed its resolve to appoint a Privacy Commissioner so that guidance can be provided to organisations before the legislation is fully implemented. Noting that a fully independent Privacy Commissioner’s office is a key criterion of the EU ‘Adequacy’ assessment (discussed in more detail below), Bermuda’s Minister for Economic Development confirmed the Government’s commitment to the creation, staffing and operation of an office that fully satisfies that criterion.
Brexit and Obtaining an “Adequacy” Confirmation from the European Union
The introduction of PIPA, in light of Brexit and the flurry of recent activity in the international privacy arena, is undoubtedly timely and will enable the Government of Bermuda to seek confirmation from the European Union that the jurisdiction provides an adequate level of protection for personal data, typically referred to as an ‘Adequacy’ determination or obtaining ‘Adequacy’ status.
Such a determination would permit the free transfer of personal data maintained and held by businesses between Bermuda entities and the 28 Member States of the European Union and the 3 EEA Member Countries (Norway, Liechtenstein and Iceland).
Currently, Member States of the European Union may only transfer personal data to a third country if that jurisdiction ensures an adequate level of protection. In the absence of ‘Adequacy’ status for a jurisdiction, corporations that wish to do business with European entities must either create legally binding corporate rules, which are expensive and time-consuming to establish, or potentially be shut out of the market.
In its judgment of 6 October 2015 in Case C-362/14, Maximillian Schrems v Data Protection Commissioner, the Court of Justice of the European Union explained that the term 'adequate level of protection' in Article 25(6) of Directive 95/46/EC did not mean a level of protection identical to that guaranteed in the EU legal order, but instead must be understood as requiring the third country to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms 'essentially equivalent' to that guaranteed within the Union by virtue of Directive 95/46/EC read in the light of the Charter of Fundamental Rights. On this basis, even though the means to which that third country has recourse to ensure such a level of protection could differ from the ones employed within the European Union, those means must nevertheless prove, in practice, to be effective in order to ensure protection that is essentially equivalent to that guaranteed within the European Union.
To date, all three British Crown Dependencies (Guernsey, Jersey and the Isle of Man) have achieved ‘Adequacy’ status; however, none of the British Overseas Territories has obtained the same.
Most recently, the Cayman Islands has produced a data protection bill that also sets out a proposed framework with a view to obtaining such status; however, its Government has proposed a combined “ombudsman” office to be responsible for the administration and enforcement of the same. In 2016, this structure was rejected by the Cayman Islands’ Acting Information Commissioner, Mr. Jan Liebaers, on the basis that it prevented the full independence of the office. Mr. Liebaers specifically warned that, as a result, the arrangement could cause EU regulators to decline to deem the Cayman Islands to afford adequate protection to personal data.
In light of this prediction, Bermuda may ultimately prove to become the domicile of choice over the Cayman Islands if an EU ‘Adequacy’ determination is made in Bermuda’s favour, prior to the Cayman Islands achieving this coveted status.
In addition to the appointment of a Privacy Commissioner, the advancement of consequential amendments to existing Bermuda legislation is expected to occur throughout this Parliamentary year in Bermuda, in order to harmonise statutory provisions with PIPA.
In the meantime, it would be prudent for all organisations, including commercial entities and financial service providers, operating any offices, branches or subsidiaries in Bermuda that use personal information to initiate on-site reviews of their current management processes to ensure future compliance with the new data protection regime.