It’s time to bridge Pipa compliance gap

Published: 8 Jun 2026
Type: Insight

A review of 200 publicly available privacy notices of companies in Bermuda has revealed that just one in nine are fully compliant with the Personal Information Protection Act 2016.


Under Pipa — which became fully effective on January 1, 2025 — privacy notices are the primary mechanism for an organisation to meet its transparency obligations. When a notice is noncompliant, it creates specific legal vulnerabilities and financial implications.

My review also found varying levels of compliance with the legislation.

Forty-four per cent of companies reviewed had no privacy notice, 6 per cent were inherited from notices with a General Data Protection Regulation (European Union) framework, 3 per cent had global policies and 37 per cent were deficient primarily owing to lack of transparency or lack of accessibility.

This review follows the 2024 Global Privacy Enforcement Network Sweep, where Bermuda’s Privacy Commission contributed to an assessment of more than 1,000 websites and applications that used deceptive designs to influence privacy choices.

The GPEN is an informal network of more than 60 privacy enforcement authorities in 39 jurisdictions.

As part of the local sweep, the Privacy Commission examined the websites of 196 organisations located in Bermuda and found a number of deficiencies.

Out of those 196, only 78 per cent had privacy notices, 44 per cent included contact information for a privacy officer or team, just 5 per cent provided the Privacy Commission’s contact information, and 13 per cent had a link to a privacy notice, but the document was missing.

Failing to maintain a compliant privacy notice is not just a paperwork error, but a significant regulatory and operational risk. It could trigger formal action from the Privacy Commissioner such as enforcement orders that compel an organisation to bring its practices into compliance, public admonishment that could lead to significant reputational damage, or criminal prosecution where an organisation could be fined up to $250,000 for wilful noncompliance.

Under Pipa, personal information must be used fairly and lawfully. If a privacy notice is vague, misleading, or missing entirely, any data collected could be deemed “unfair” or “unlawful” because the individual was not properly informed of the purpose of its use. Other than in limited circumstances, this could invalidate the legal basis for holding that data.

There is also an increased liability for privacy harm to individuals. A privacy notice that does not comply with Pipa could harm the privacy rights of individuals where data is used in ways not disclosed in a notice, which is a direct violation of Pipa’s “purpose limitation”, or where there is a lack of informed choice in which individuals do not know their data is being collected or used therefore, they cannot exercise their rights.

One of these rights is the right to seek compensation for financial loss or distress pursuant to section 21 of Pipa. This provision allows individuals who suffer harm because of an organisation’s failure to comply with Pipa to sue for damages.

Section 21 also explicitly allows for compensation where an individual discovers that their data was used in ways not disclosed in a notice and which resulted in emotional distress.

An organisation could avoid liability if it could prove that it took all reasonable steps to comply. However, providing a privacy notice that lacks mandatory elements is a clear failure of this standard, making the defence difficult to maintain.

This review of a cross-section of privacy notices offers an overview of existing practices and indicates that there may be an essential need to strengthen transparency and address potential compliance gaps across the business community.

In a privacy-regulated environment, a noncompliant privacy notice is a significant liability to an organisation. Now is the time for businesses in Bermuda to bridge the compliance gap before the Privacy Commissioner, or a disillusioned consumer, bridges it for them.

First Published in The Royal Gazette, Legally Speaking column, June 2026

Share
More publications
050-Insolvency-Restructuring-Grid-Image
13 Jul 2026

Bermuda: Restructuring & Insolvency

This country-specific Q&A provides an overview of Restructuring & Insolvency laws and regulations applicable in Bermuda.

Appleby-Website-Regulatory-Practice
10 Jul 2026

It’s healthy to sometimes disagree with regulators

At some point, almost every regulated business will disagree with its regulator.

Appleby-Website-Privacy-and-Data-Protection
8 Jul 2026

Bermuda Privacy Commissioner Signals Shift to Stronger PIPA Enforcement

The Office of the Privacy Commissioner (PrivCom) has issued its first annual report since Bermuda's Personal Information Protection Act 2016 (PIPA) came fully into force, with the reports content signaling a transition from education and implementation to a stronger focus on enforcement.

Bermuda-1024x576-1
1 Jul 2026

A Forest for the Future

A first since the blight, the airport cedar forest is growing tall and standing strong.

Appleby-Website-Regulatory-Practice
1 Jul 2026

Complied out of business

Firms are complying themselves out of business because compliance no longer matches the evolving sophistication of the Bermuda Monetary Authority (BMA).

Appleby-Website-Insurance-and-Reinsurance
1 Jul 2026

The long game: how Bermuda became the world’s life reinsurance capital

Ask a life insurer in New York, London or Tokyo where the liabilities behind their book ultimately sit and there is an increasingly good chance the answer is a 21-square-mile island in the North Atlantic.

Appleby-Website-Insurance-and-Reinsurance
1 Jul 2026

Record H1’26 Cat Bond Issuance Driven by Rising Sponsor Comfort and Diversified Risk

With H1 2026 officially breaking the record for the most catastrophe bond deals to come to market and settle in the first six months of the year, a key trend driving this momentum is how comfortable sponsors have become with the mechanics of the overall cat bond space. This familiarity has ultimately encouraged a wave of new sponsors to enter the market, according to Brad Adderley, Managing Partner at law firm Appleby.

Appleby-Website-Employment-and-Immigration
12 Jun 2026

The Cost of Getting Employee Departures Wrong: Five Common Pitfalls for Bermuda Employers

Employee departures are an inevitable part of running a business, but the way they are managed can have significant legal, financial and operational consequences. In Bermuda, employers who approach terminations without adequate preparation may expose themselves to unnecessary disputes, regulatory issues, and reputational harm. Whether an employee is being dismissed for performance reasons, made redundant or departing as part of a negotiated exit, by recognizing the following common mistakes and taking a proactive approach, organizations can manage departures more effectively and reduce risk.

Appleby-Website-Privacy-and-Data-Protection
26 May 2026

Transparency is a legal requirement under Pipa

Major companies across the European Union have faced substantial fines between 2019 and 2024, estimated at a total of €930 million (about $1.08 billion), not only for cyberattacks or data breaches, but also for issues such as noncompliant privacy notices. A common theme in many cases has been a lack of transparency.

Appleby-Website-Insurance-and-Reinsurance
8 May 2026

Outsourcing considerations for Bermuda insurers

As Bermuda insurers engage with third-party service providers to support their business functions, the Bermuda Monetary Authority has clarified its regulatory expectations surrounding outsourcing arrangements and operational resilience.