Bermuda: Privacy and the Private Sector

Published: 12 Oct 2023
Type: Insight

Bermuda’s Personal Information Protection Act 2016, which comes into full force on January 1, 2025, includes an important compliance obligation that the public sector is far more familiar with than the private sector.

PIPA requires all organisations, in both the public and private sectors, to act reasonably in meeting their responsibilities under the Act, as well as ensure that they use personal information in a lawful and fair manner.

The lawful part is nothing new, and the obligation to act reasonably is pervasive across statutory and contractual obligations.

However, a duty to act fairly is usually associated with public sector conduct and administrative procedure, and is comparatively new legal territory for the private sector.

Pipa is flexibly structured to impose greater duties of care and protection where there is a greater risk of harm to the individual should their personal information be wrongfully used or disclosed. Therefore, organisations have a very wide ambit of discretion and judgment along that continuum of compliance.

The conduct that a duty of fairness may require for private sector organisations under PIPA has been addressed by the Privacy Commissioner, who has published helpful guidance.

The fairness principles that the Privacy Commissioner advanced includes conduct: to handle personal information in ways that individuals would reasonably expect; to not deceive or mislead individuals; that takes into account the interests of those affected by such decisions; and, in a manner that facilitates the exercise of individual privacy rights.

That guidance very closely echoes Britain’s Information Commissioner’s Office, which is that jurisdiction’s independent body mandated to uphold information rights.

Their version of Pipa — the UK General Data Protection Regulation, which is not part of Bermuda’s privacy law — contains a similar duty of fair conduct.

The Bermuda ICO’s guidance asserts that the duty of fairness also extends to treating “… individuals fairly when they seek to exercise their rights over their data. This ties in with your obligation to facilitate the exercise of individuals’ rights”.

However, as helpful as that non-binding guidance is, a duty of fair conduct in the context of Bermuda’s imminent privacy law may also go farther.

At common law, compliance with a duty of fairness also suggests that decisions affecting others should: not be undertaken with malice or in bad faith; be in accordance with a transparent process that is followed in all situations without favouritism, bias or unequal treatment; and, avoid arbitrary decisions towards those affected.

There is no question that PIPA’s imposed duty of fairness will require the private sector to carefully consider the management and administrative measures and policies that PIPA requires all users of personal information in Bermuda to formulate and adopt by January 1, 2025.

First Published in The Royal Gazette, Legally Speaking column, October 2023

Share
More publications
Appleby-Website-Regulatory-Practice
10 Jul 2026

It’s healthy to sometimes disagree with regulators

At some point, almost every regulated business will disagree with its regulator.

Appleby-Website-Privacy-and-Data-Protection
8 Jul 2026

Bermuda Privacy Commissioner Signals Shift to Stronger PIPA Enforcement

The Office of the Privacy Commissioner (PrivCom) has issued its first annual report since Bermuda's Personal Information Protection Act 2016 (PIPA) came fully into force, with the reports content signaling a transition from education and implementation to a stronger focus on enforcement.

Bermuda-1024x576-1
1 Jul 2026

A Forest for the Future

A first since the blight, the airport cedar forest is growing tall and standing strong.

Appleby-Website-Regulatory-Practice
1 Jul 2026

Complied out of business

Firms are complying themselves out of business because compliance no longer matches the evolving sophistication of the Bermuda Monetary Authority (BMA).

Appleby-Website-Insurance-and-Reinsurance
1 Jul 2026

The long game: how Bermuda became the world’s life reinsurance capital

Ask a life insurer in New York, London or Tokyo where the liabilities behind their book ultimately sit and there is an increasingly good chance the answer is a 21-square-mile island in the North Atlantic.

Appleby-Website-Insurance-and-Reinsurance
1 Jul 2026

Record H1’26 Cat Bond Issuance Driven by Rising Sponsor Comfort and Diversified Risk

With H1 2026 officially breaking the record for the most catastrophe bond deals to come to market and settle in the first six months of the year, a key trend driving this momentum is how comfortable sponsors have become with the mechanics of the overall cat bond space. This familiarity has ultimately encouraged a wave of new sponsors to enter the market, according to Brad Adderley, Managing Partner at law firm Appleby.

Appleby-Website-Employment-and-Immigration
12 Jun 2026

The Cost of Getting Employee Departures Wrong: Five Common Pitfalls for Bermuda Employers

Employee departures are an inevitable part of running a business, but the way they are managed can have significant legal, financial and operational consequences. In Bermuda, employers who approach terminations without adequate preparation may expose themselves to unnecessary disputes, regulatory issues, and reputational harm. Whether an employee is being dismissed for performance reasons, made redundant or departing as part of a negotiated exit, by recognizing the following common mistakes and taking a proactive approach, organizations can manage departures more effectively and reduce risk.

Appleby-Website-Privacy-and-Data-Protection
8 Jun 2026

It’s time to bridge Pipa compliance gap

A review of 200 publicly available privacy notices of companies in Bermuda has revealed that just one in nine are fully compliant with the Personal Information Protection Act 2016.

Appleby-Website-Privacy-and-Data-Protection
26 May 2026

Transparency is a legal requirement under Pipa

Major companies across the European Union have faced substantial fines between 2019 and 2024, estimated at a total of €930 million (about $1.08 billion), not only for cyberattacks or data breaches, but also for issues such as noncompliant privacy notices. A common theme in many cases has been a lack of transparency.

Appleby-Website-Insurance-and-Reinsurance
8 May 2026

Outsourcing considerations for Bermuda insurers

As Bermuda insurers engage with third-party service providers to support their business functions, the Bermuda Monetary Authority has clarified its regulatory expectations surrounding outsourcing arrangements and operational resilience.