Dec 2024
Bermuda, the British Virgin Islands (“BVI”) and the Cayman Islands have each introduced data protection regimes in recent years which align with global data protection standards. It is therefore increasingly important for offshore companies, partnerships and other entities which collect and process personal data to be aware of the applicable laws and regulations in relation to the collection, use and retention of such information and to comply with the relevant legislation.
Bermuda
The Personal Information Protection Act 2016 of Bermuda (“PIPA”) was passed in 2016 and is intended to regulate and protect the use of personal information by organisations in Bermuda. Currently only certain sections of the PIPA are in force. PIPA will be fully implemented on 1 January 2025.
When fully implemented, PIPA will apply (subject to certain exceptions under PIPA) to organisations that use personal information in Bermuda where that personal information is used wholly or partly by automated means, and to the use, if not by automated means, of personal information which forms (or is intended to form) part of a structured filing system.
For the purposes of PIPA, “organisation” means any individual, entity or public authority that uses personal information. “Personal information” is defined broadly in PIPA and means “any information about an identified or identifiable individual”. Examples include an individual’s name, address and date of birth.
Under PIPA, organisations are required to:
- adopt suitable measures and policies to give effect to their obligations and to the rights of individuals set out in PIPA;
- designate a privacy officer for the purposes of compliance with PIPA who will have primary responsibility for communicating with the Privacy Commissioner in Bermuda; and
- put in place a privacy notice about their practices and policies with respect to personal information in accordance with the requirements in PIPA.
Organisations will also need to protect personal information that they hold with appropriate safeguards against loss, unauthorised access, destruction or disclosure, misuse and other risks. Safeguards should be proportional to the likelihood and severity of the harm threatened by the loss, access or misuse of the personal information, the sensitivity of the personal information and the context in which it is held.
PIPA also grants individuals certain rights, including the right (subject to certain exclusions) to access their personal information held by an organisation. Individuals may also request corrections to their personal information and request an organisation to erase or destroy their personal information where that personal information is no longer relevant for the purposes of its use.
When PIPA is fully in force, penalties may be imposed for non-compliance. A person committing an offence under PIPA may be liable on summary conviction in the case of an individual to a fine of up to US$25,000 or to imprisonment of up to two years or both and, in the case of conviction of an entity on indictment, to a fine of up to US$250,000. Where a body corporate commits an offence under PIPA with the consent or connivance of, or attributable to any neglect on the part of, any director, manager, secretary or other similar officer of the body corporate, or any person who was purporting to act in such capacity, such officer or person may also be liable for the offence.
An individual who suffers financial loss or emotional distress by reason of an organisation’s failure to comply with its requirements under PIPA may be entitled to compensation from the organisation as may be determined by the court.
British Virgin Islands
The Data Protection Act, 2021 of the BVI (“BVI DPA”) came into force on 9 July 2021 and provides a framework on how data controllers may collect, use and retain personal data. The BVI DPA applies to:
- persons established in the BVI (which includes companies incorporated in the BVI and partnerships formed in the BVI) that process personal data, or employ or engage any other person to process personal data on their behalf; and
- persons which are not established in the BVI but use equipment in the BVI for processing personal data (otherwise than for the purposes of transit through the BVI). Such persons are required to nominate for the purposes of the BVI DPA a representative established in the BVI.
For the purposes of the BVI DPA, “data controller” means a person who either alone or jointly or in common with other persons processes any personal data, or has control over, or authorises the processing of any personal data (but does not include a data processor). “Personal data” means any information in respect of commercial transactions that relates directly or indirectly to a data subject (being the natural person, whether living or deceased, whose data is being processed) who is identified or identifiable from that information, or from that and other information in the possession of a data user. This includes any sensitive personal data and expression of opinion about the data subject. “Sensitive personal data” includes any personal data about a data subject’s physical or mental health, sexual orientation, political opinions, religious beliefs or criminal convictions.
Subject to certain exemptions, a data controller has to comply with the 7 privacy and data protection principles set out in the BVI DPA in relation to the collection, processing, disclosure, security, retention, integrity and access of personal data, which are summarised below:
- General Principle – A data controller may not process personal data unless the data subject has given express consent (and, in the case of sensitive personal data, subject to meeting certain other conditions set out in the BVI DPA), and a data controller shall not transfer personal data outside the BVI unless there is proof of adequate data protection safeguards or consent from the data subject;
- Notice and Choice Principle – Upon requesting personal data, a data controller has to inform a data subject of, inter alia, the purposes for which the personal data is being collected and whether it is obligatory or voluntary for the data subject to provide the personal data;
- Disclosure Principle – Subject to certain exceptions, personal data may not be disclosed without the consent of the data subject for any purpose other than the purpose or a related purpose for which the personal data was to be disclosed at the time of collection of the personal data;
- Security Principle – A data controller is required to take practical steps to protect the personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction;
- Retention Principle – Personal data should not be kept longer than is necessary;
- Data Integrity Principle – Reasonable steps should be taken to ensure that the personal data is accurate, complete, not misleading and kept up-to-date; and
- Access Principle – Subject to certain exceptions under the BVI DPA, a data subject should be allowed access to his/her personal data and be able to correct the personal data if it is inaccurate, incomplete, misleading or not up-to-date.
The BVI DPA provides for certain rights of data subjects, including the right to request access to personal data, rectification of personal data and cessation of processing of personal data for the purposes of direct marketing.
A person who wilfully discloses personal information or collects, stores or disposes of personal information in contravention of the BVI DPA may be liable on summary conviction to a fine of up to US$5,000 or to imprisonment for up to 6 months or both. A body corporate that commits an offence under the BVI DPA is liable to a fine of up to US$500,000. The BVI DPA also provides for penalties for obstruction and breach of confidentiality. A data controller who processes sensitive personal data in contravention of the BVI DPA is liable on conviction to a fine of up to US$200,000 or to imprisonment of up to two years or both. Where an offence under the BVI DPA is committed by a body corporate with the consent or connivance of, or attributable to neglect on the part of, any director, manager, secretary or other similar officer of the body corporate, or any person who was purporting to act in such capacity, such officer or person may also be liable for the offence.
A data subject who suffers damage or distress by reason of the contravention of the provisions of the BVI DPA may institute civil proceedings in the BVI High Court. In such proceedings, the court may grant damages or such other relief as the court thinks fit.
Cayman Islands
The Data Protection Act of the Cayman Islands (“Cayman DPA”) came into force on 30 September 2019 and regulates the processing of personal data by data controllers and data processors established in Cayman and by data controllers established outside Cayman that process personal data within Cayman.
For the purposes of the Cayman DPA, “data controller” means a person who, alone or jointly with others, determines the purposes, conditions and manner in which any personal data is, or is to be, processed and includes a local representative (who is required to be appointed where the data controller is not established in Cayman but the personal data is processed in Cayman), and “data processor” means any person (excluding an employee of the data controller) who processes personal data on behalf of a data controller.
Under the Cayman DPA, organisations must obtain express and unambiguous consent from an individual (the “Data Subject”) before handling personal data and must have lawful grounds to process such data. Depending on the type and sensitivity of the personal data, the processing of personal data will be subject to certain conditions. Data Subjects also have certain rights such as access to their personal information and rectification of their data and may request the data controller to cease processing their data.
Subject to certain exemptions, the Cayman DPA sets out 8 data protection principles in relation to the processing of personal data by data controllers and data processors, namely, that the personal data must be:
- fairly and lawfully obtained and processed;
- processed for one or more specified lawful purposes and not further processed in any incompatible manner;
- adequate, relevant and not excessive for the purposes for which the personal data is collected or processed;
- accurate and kept up to date;
- not kept for longer than necessary;
- processed in accordance with the rights of Data Subjects under the Cayman DPA;
- kept secure; and
- only transferred internationally where adequate protection is provided in the jurisdiction where the personal data is transferred to.
In the case of a data breach, the data controller is required to notify the affected parties and the Cayman Office of the Ombudsman (“Ombudsman”) within 5 days of becoming aware of the breach. Penalties for non-compliance include fines of up to US$305,000 and/or imprisonment for up to 5 years. In determining the amount of the monetary penalty to be imposed, the Ombudsman will take into account factors such as the duration and extent of the contravention and the type of individuals affected. Where an offence under the Cayman DPA has been committed by a body corporate and is proven to have been committed with the consent or connivance of, or to be attributable to any neglect on the part of, any director, secretary or similar officer of the body corporate, or any person who was purporting to act in any such capacity, such officer or person is also liable to be punished accordingly.
Further Assistance
Organisations who collect and use personal information should consider whether they are subject to any data protection regime and review their personal information management processes and practices to ensure that they have implemented appropriate measures and policies which comply with the requirements under applicable data protection legislation.
For further information in respect of your obligations under or steps to achieve compliance with the data protection regime in Bermuda, the BVI or the Cayman Islands, please get in touch with your usual Conyers contact.