With enactment of the Personal Information Protection Act (PIPA), Bermuda can now count itself among the ever-expanding list of jurisdictions with enhanced privacy protections. PIPA, passed on July 27, 2016, and entered into force in December 2017, shares many of the more stringent requirements and protections with Europe’s impending General Data Protection Regulation (GDPR), which indicates a growing, global trend towards stepped-up privacy regimes. That said, as much as there are similarities between the regulations, there are important differences, especially for those companies which also must comply with US privacy laws.
What is considered personal information under the Act?
Like the GDPR, PIPA defines personal information (PI) more broadly than the US typically does. For Bermuda, PI is “any information about an identified or identifiable individual.”1 Under GDPR, personal data is “any information relating to an identified or identifiable natural person.”2 Definitions of personal information vary by jurisdiction in the US; but in general, definitions focus on first name or first initial coupled with a last name and either a social security number, a state-issued government ID number, or a financial account number and corresponding PIN.
In addition, as is the case with the GDPR,3 PIPA provides additional protections for use of “sensitive personal information,” which is defined as “an individual’s place of origin, race, color, national or ethnic origin, sex, sexual orientation, sexual life, marital status, physical or mental disability, physical or mental health, family status, religious beliefs, political opinions, trade union membership, biometric information or genetic information.”4
Similarly, while in general the US conception of personally identifiable information is narrower than the European or Bermudan conception, certain US jurisdictions treat certain categories of personal information more stringently. For example, Maryland5 and North Carolina6 expand on the definition of personal information to include elements like biometric data, health data and other government identification numbers, and federal acts, like the Health Insurance Portability and Accountability Act (HIPAA) and the Graham-Leach-Bliley Act (GLBA), mandate that certain health and financial data remains protected.
What actions trigger restrictions?
PIPA applies certain key restrictions on the “use” of this broadly defined personal information, which itself is very broad. According to PIPA, “use” involves carrying out “any operation on personal information, including collecting, obtaining, recording, holding, storing, organizing, adapting, altering, retrieving, transferring, consulting, disclosing, disseminating or otherwise making available, combining, blocking, erasing or destroying it.”7 In essence, any handling of personal data whatsoever will require compliance with the Act.
Permitted use of personal information
That said, PIPA permits the use of personal information in particular scenarios, like when the individual has consented to its use, in cases of emergency, when it is in the public interest, when there is a legal requirement or authorization, and when it is required for the execution of a contract.8 Europe’s GDPR permits processing of personal data in similar, albeit not identical, situations like consent, performance of a contract, protection of the vital interests of a data subject, public interest, and the legitimate interests pursued by the controller or by a third party.9
In contrast to the GDPR, however, PIPA also sanctions the use of personal data by an organization without consent when an organization believes that an individual would not reasonably request that the organization stop using, or never begin using, his or her personal information and allows for the use of personal information “when it is necessary in the context of an individual’s present, past or potential employment relationship with the organization.” The use of this personal information can never prejudice the individual.
These two use cases provide additional flexibility for organizations that desire to “use” personal information while remaining in compliance with the Act.
Transfer of personal information outside of Bermuda
Cross-border data flows, as they are with the GDPR, are closely regulated, creating particular difficulties for transfers to the US.
PIPA provides the Privacy Commissioner with the ability to designate particular jurisdictions, countries and territories as having comparable levels of privacy protection, allowing the free transfer of information between Bermuda and these other areas.10 Unless and until the United States passes an overarching privacy statute providing comparable levels of protection over the use of one’s personal information, including for non-US Persons, it is unlikely that the Privacy Commissioner will allow for the free flow of personal information between Bermuda and the United States.
Alternatively, PIPA allows for cross-border transfers when an individual organization ensures that the “overseas third party” uses a comparable level of protection.11 In fact, PIPA can be seen as Bermuda’s attempt to appear adequate before the EU Commission in order to facilitate data transfers between Europe and Bermuda.
Similar to the GDPR, the Act provides contractual mechanisms, corporate codes of conduct and binding corporate rules as examples of how an organization is expected to guarantee third-party compliance with the Act.12 These three methods can be used by a Bermuda-based organization, which transfers data to and from other organizations that operate within countries (like the United States), which do not require comparable levels of privacy protection. Corporate codes of conduct and binding corporate rules tend to be a good option for groups of organizations that often work with one another and would like to rely on a set of rules shared among the entities guaranteeing that personal information will be protected in a manner that meets the requirements of PIPA. Standard contractual clauses act as addendums to agreements between entities and, like binding corporate rules, ensure that, for the duration of the contract, the entities will protect personal information in accordance with the Act.
Rights of the individual
PIPA provides individuals with more actionable rights than the US does, but somewhat less than the GDPR does. For example, under PIPA, the individual has a right to access his or her personal information being used by an organization, can request information regarding the purpose of the information use, and can also demand that incorrect personal information be corrected as soon as reasonably practicable. However, the individual cannot request that the organization delete or cease using the information without an accompanying reason. The GDPR grants “data subjects” the ability to stop further use of personal data at any point and for any reason (or for no reason at all), by withdrawing their consent (if given), or exercising a right to object to processing reliant on legitimate interest, unless the controller can demonstrate it has a compelling interest to continue. That right is absolute where the processing is direct marketing. By contrast, PIPA only requires that an organization cease using personal information upon request when that information is used for purposes of advertising, marketing or public relations, its use is likely to cause substantial damage or substantial distress, or the information is no longer fulfilling its purpose.13
If the personal information used by an organization does not fit under the aforementioned categories, the individual can still request that an organization cease using that individual’s personal information. Unlike the GDPR, however, PIPA allows for the organization to respond to the individual in writing, articulating why the use of the individual’s personal information remains justified.14 The standard of rebuttal to the objection, therefore, is not as high.
Security and enforcement provisions
PIPA requires that organizations implement adequate safeguards to prevent data loss and unauthorized access. In the event of a data breach, organizations must notify the Information Commissioner “without undue delay.”15 The Act does not provide a maximum time limit for notification.
An entity that commits an offense under PIPA can be subject to a fine not exceeding $250,000.16 While this penalty still amounts to a significant sum, it is a far cry from the potential penalties enumerated under the GDPR, which can reach up to €20 million, or 4% of global turnover.
The global regulatory environment continues to evolve and grow in complexity, making it essential for companies operating internationally to have a global regulatory strategy for data. This strategy has to account for the important differences in the requirements, while also looking for helpful similarities to formulate the most efficient and effective approach. Ultimately, the trend towards greater privacy protections—and the limitation on cross-border data transfers, especially to the United States—is only picking up steam, as this Bermuda law highlights. And more may still be to come.