The British Virgin Islands has enacted new personal data protection legislation in the form of the Data Protection Act, 2021 (the DPA). Although enacted, the date on which the DPA will come into force is yet to be announced, but this is expected imminently. Prior to the DPA, there was no specific data protection legislation in the British Virgin Islands though the current Computer Misuse and Cybercrime Act 2014 does restrict the publication of illegally obtained confidential data, together with the common law duties of privacy and confidentiality.
The DPA is stated to be an act to provide for the protection of personal data processed by public and private bodies and for related matters, and the BVI now joins those countries that have a form of data protection legislation.
This article will focus on the application of the DPA to private bodies (defined below), other relevant definitions, unless included within the article, can be found at the end.
Who does the DPA apply to?
With regards to private bodies, the DPA applies to persons who "process" or who have "control over, or authorise, the processing of any personal data in respect of commercial transactions."
Private bodies are defined as entities that: "carry on any trade, business or profession, but only in that capacity; or has legal personality" – which means the DPA will apply to all BVI incorporated companies and limited partnerships (unless the limited partnership has elected to have no legal personality – however, these may still be caught under the definition of "established" in the DPA).
The DPA applies to persons that process data in respect of commercial transactions, the DPA defines commercial transactions broadly as: "any transaction of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance." The processing of data in the context of a transaction is also used broadly, such that it will include persons engaged by private bodies to process personal data on their behalf. For regulated entities in the BVI that have to process personal data as part of their on-boarding processes and anti-money laundering obligations, this will capture the persons engaged to process such on-boarding (eg fund administrators and providers of RTA services). If the process of personal data is engaged on behalf of a person established in the BVI, or is not for a person established in the BVI but is processed in the BVI, the DPA will apply.
What does the DPA do?
The DPA restricts the ability of a data controller from processing personal data without the data subject's express consent (which can be withdrawn at any time); restricts the use of sensitive personal data; and restricts the transfer of personal data outside the BVI unless there are adequate safeguards. There are exceptions to the restrictions, such as (among others) in the context of performing a contract with the data subject or to comply with legal obligations. However, even within those exemptions there are certain overriding principles, such as that personal data processed must not be excessive in relation to the allowed purpose.
Data controllers must take practical steps to protect personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction. In addition, data controllers must inform data subjects upon a request for personal data; if consent is provided, ensure the personal data is only used for the purpose consented to; and not retain the personal data for longer than necessary.
The DPA also allows data subjects to submit written requests for access to personal data and private bodies will need to comply with the request in the manner stated in the DPA.
The use of sensitive personal data, a particular sub-category of personal data, is subject to an even more restrictive regime under the DPA than personal data and persons will need to ensure they recognise the differences between personal data and sensitive personal data. Sensitive personal data must be treated and processed separately from other forms of personal data to ensure it is not processed in the same way as mere personal data. Processing sensitive personal data in contravention of the DPA is an offence and may result in a fine of up to US$200,000 or up to two years in prison, or both.
There are a number of offences that may be committed in relation to the DPA that may result in fines (up to US$500,000 in certain cases) or imprisonment. In addition, a data subject who suffers damage or distress as a result of their data being processed in contravention of the DPA may institute civil proceedings in the BVI Courts.
What must persons affected do?
Persons who are private bodies and who process personal data, will need to make changes to their data processes and procedures to ensure compliance with the DPA. Some of the necessary changes will depend on the nature of a person's business, for example: a BVI investment fund will need to amend its offering documents and/or create new policies on data management.
Please contact your usual Ogier contact, or any of the Ogier persons connected with this article, if you have any questions or would like assistance with ensuring your BVI entity complies with the DPA.
While data protection legislation across a number of English-speaking common law jurisdictions tends to use similar terms, how these terms are defined in the BVI under the DPA is important to note as not all terms carry the exact same meaning that persons may be used to elsewhere. We have set out below the most pertinent of the defined terms from the DPA.
data processor, in relation to personal data, means a person who processes data on behalf of a data controller, but does not include an employee of the data controller.
data subject means a natural person, whether living or deceased.
data controller means a person who either alone or jointly or in common with other persons processes any personal data, or has control over, or authorises the processing of any personal data, but does not include a data processor.
process or processing means, in relation to personal data: collecting, recording, holding or storing the personal data or carrying out any operation or set of operations on the personal data, including the
- organisation, adaption or alteration or personal data;
- retrieval, consultation or use of personal data;
- disclosure of personal data by transmission, transfer, dissemination or otherwise making available; or
- alignment, combination, correction, erasure or destruction of personal data.
personal data means any information in respect of commercial transactions which
- is being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose;
- is recorded with the intention that it should wholly or partly be processed by means of such equipment; or
- is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, that relates directly or indirectly to a data subject, who is identified or identifiable from that information, or from that and other information in the possession of a data user, including any sensitive personal data and expression of opinion about the data subject.
sensitive personal data means any personal data subject's
- physical or mental health;
- sexual orientation;
- political opinions;
- religious beliefs or other beliefs of a similar nature;
- criminal convictions, the commission or alleged commission, of any offence; or
- any other personal data that the Minister for Information may by Order prescribe.