DATA PROTECTION OVERVIEW

There is currently no formal legislation regulating data protection in the British Virgin Islands (BVI). However, the BVI Government has recently prepared draft legislation for wider industry consultation.  The legislation has been drafted around a set of EU-style data protection principles to which data controllers must adhere. Under the draft, personal data must be collected in a fair and transparent manner and only be used and disclosed for purposes properly understood and agreed to by data subjects. A timetable for implementation of the new law is not known at this stage but it is expected to be passed within the next 12 months.

In the meantime, the BVI courts recognise and subscribe to the common law duties of confidentiality and privacy. Under common law principles, a duty of confidentiality will be imposed where:

  • there is an agreement between the parties that the information should be kept confidential;
  • the relationship between the parties is is such that the law imposes a duty of confidentiality; and
  • the nature and circumstances of the person obtaining the information make it such that the law will require that they keep the information confidential.

However, to establish a breach of confidence, something more is needed – a situation or relationship which imposes on the recipient an obligation to keep the information confidential. Where no such relationship exists, a commercial contract with a non-disclosure agreement or confidentiality clause can be effective in imposing such an obligation.

PERSONAL data

While there is currently no overriding personal data protection legislation in the BVI, all entities that manage and maintain personal data are subject to the common law duty of confidentiality.

From a fiduciary/trust perspective, certain licensees regulated by the BVI Financial Services Commission (FSC) – the principal regulatory authority in the jurisdiction – shall be under a general obligation to keep client’s personal data confidential, unless the individual has granted specific permission for its release or disclosure to third parties. This obligation may be limited where the licensee is obligated by other laws to disclose confidential information.

For corporate entities, the Registrar of Corporate Affairs is permitted to release only limited information regarding registered companies, including the company name, company type, registration/incorporation date, the registered office address and the company status. Details of individual shareholders, directors and company officers are not available for public inspection.

The Telecommunications Act 2006 regulates the telecommunications industry in the BVI and provides sanctions protecting the confidentially and disclosure of personal information without consent.

Sensitive personal and biometric data is not separately protected.

Collecting personal data

There is no requirement to notify data subjects at the time of data collection.

Processing and retention of personal data

The BVI Business Companies Act 2004 (BCA) requires every company to keep “records and underlying documentation”. These may be kept at the registered agent’s office or at such other places, within or outside of the BVI. If not kept at the registered agent’s office, a record of the location must be given to the registered agent.

The records must be retained for at least five years from either i) the completion date of the transaction the records relate to; or ii) the date the business relationship the records relate to was terminated. As the limitation period for most actions under contract law is six years, best practice in the BVI is to retain records for this longer period.

Accessing Personal data

There are no specific access rights under BVI law.

Law Enforcement

The BVI is a cooperative member of the international community in the fight against financial crime. Mutual legal assistance is generally offered between countries, including the BVI, in three principle areas:

  • tax matters and investigations,
  • anti-money laundering and other financial crime investigations, and
  • in relation to enquiries related to financial services.

The FSC may accept information or documentation exchange requests from equivalent overseas authorities.

In addition, it is mandatory for registered agents to maintain up-to-date “know-your-client” information on all directors, shareholders and beneficial owners of BVI companies. In the event of a request for such information from the competent authorities, a registered agent must comply with the request within seven days. Failure to deliver the information can result in financial penalties and, possibly, the revocation of the agent’s operating licence.

International transfers of personal information

Transfers of personal data to third parties are subject to the common law duty of confidentiality. Express consent should be obtained before personal data is transferred within or outside of the BVI.

On 1 September 2014 the Computer Misuse and Cybercrime Act, 2014 came into force which regulates and penalises the unauthorised transfer and dissemination of information stored on a computer.

The FSC is under a general confidentiality obligation but has the power to disclose personal information in certain circumstances, including to foreign regulators. However, before doing so, the foreign regulator is required to undertake that the information will not be transmitted to any other person without the FSC’s prior written consent.

How is direct marketing regulated?

No restrictions are currently in place in the BVI.

Is the use of Internet cookies regulated?

Cookies and similar technologies are not subject to specific BVI regulation.

Best practice is for website operators to explicitly state the types of information stored in the cookies, whether personal or not. They should also indicate to whom the data may be transferred, and for what purposes the data is being transferred. Any use of third party cookies should be disclosed.

What rules apply to the monitoring of employees in the workplace?

There are no specific restrictions on employee monitoring in the BVI. It is recommended that employers draft and communicate a written monitoring policy to affected employees explaining the purposes of the monitoring, and the kinds of personal data being collected. Other methods (less intrusive on privacy) should also be considered where possible.

Can telephone calls be recorded?

Yes but it is advisable that the caller is made aware at the start of the call of the possibility of personal data being collected during the call.

What rules apply to the recording of CCTV footage?

No specific regulations apply and no guidance has been issued. It would be prudent for BVI businesses to ensure that any personal data collected via CCTV is not excessive or goes beyond the collection purpose. Consideration should be given to camera location and the recording angles. Particular care should also be taken if CCTV is used as part of employee monitoring.

enforcement

The FSC and the BVI Courts will be tasked with enforcing confidentiality-related matters, pending promulgation of appropriate data protection legislation.

Data controllers are not required to register with or notify the BVI authorities, and presently there is no requirement for the appointment of data protection officers, however it is recommended best practice.

What are the penalties for non-compliance?

Currently there is no formal legislation regulating data protection in the BVI.

A registered agent must comply with a know-your-client access request from the competent authorities within seven days. Failure to deliver the information can result in financial penalties and, possibly, the revocation of the agent’s operating licence.

CYBERSECURITY

The Computer Misuse and Cybercrime Act, 2014, prohibits, among other things, the unauthorised access and use of data held on a computer, or any computer service, and the knowing disclosure of passwords, or other means of access to a computer, with a view to cause loss, gain or for any unlawful purposes. Neither this legislation, nor any other legislation in the BVI contains any mechanism or requirement to report data security breaches. However, notification is recommended where there is a risk of harm to the data subject as a result of the breach, not least from a relationship-management perspective.

Key Contacts

Andrew Jowett

Partner: BVI

T +1 284 393 5316
E Email Andrew

Peter Colegate

Counsel: Cayman Islands

T +1 345 814 2745
E Email Peter

More Publications
25 Jun 2020 |

ILS needs a buoyant secondary market to thrive – but electronic platforms must come first

A secondary market for ILS can only emerge once the broader market fully embraces electronic platfor...

24 Jun 2020 |

Health and Wellness – Employers Duties

With the current state of COVID-19, many employees are in the midst of now returning to work and oth...

11 Jun 2020 |

Bermuda: Mergers & Acquisitions

This country-specific Q&A provides an overview to Mergers & Acquisitions laws and regulation...

8 Jun 2020 |

Data Protection in Bermuda: Overview

A Q&A guide to data protection in Bermuda. This Q&A guide gives a high-level overview of ...

Contributors: Bradley Houlston
4 Jun 2020 |

Financial crime in Bermuda: overview

A Q&A guide to financial and business crime law in Bermuda. This Q&A gives a high level o...

4 Jun 2020 |

Business crime and investigations in Bermuda

A Q&A guide to business crime in Bermuda. This Q&A gives a high level overview of matters...

4 Jun 2020 |

Choices of law, jurisdiction must be clear

Ideally, a contract will contain both a “choice of jurisdiction” and a “choice of law” claus...

26 May 2020 |

Technology & Innovation Update Q2 2020

Technological developments have been accelerating at an unprecedented pace in Asia - the first regio...

22 May 2020 |

Reopening workplaces: employment issues

As Bermuda takes the first tentative steps in its phased reopening plan, we review some of the key p...

20 May 2020 |

Threatened insolvency: Personal Exposure of Directors

During the challenging economic environment created by the COVID-19 pandemic, business resilience an...

Contributors: Jerome Wilson