PIPA Compliance is Not Just a Domestic Affair

In fact, PIPA has been intentionally designed to protect the privacy rights of individuals from all over the world if their personal information is used in Bermuda. That is because in order for most nations around the world to send personal information to Bermuda for any purpose, Bermuda must have equivalent privacy protection laws to adequately protect the privacy of those individuals, thus establishing Bermuda as a “safe harbor” to receive that personal information from overseas.

Therefore, PIPA is not simply a domestic piece of legislation even though it only applies to the use of personal information in Bermuda. PIPA makes no distinction about the residence, domicile, or geographic location of the individuals that are protected by PIPA. So, if an individual’s personal information is being used in Bermuda, that individual has the right to enforce their rights under PIPA, even if they have to do so remotely from long distances.

There are many reasons and circumstances in which members of the Chamber might collect and use the personal information of foreign individuals in Bermuda.

For example, international visitors to Bermuda might provide their personal information to their hotels, to a retailer, to their vehicle rental agencies, or to various medical service providers here in Bermuda.

Medical records fall into a special category of sensitive personal information under PIPA that can precipitate both more onerous compliance standards as well as an increased potential for financial liability arising from a failure to comply with PIPA. In that regard, medical service providers in Bermuda may maintain a large number of records related to the health and medical treatment of current and past visitors to Bermuda. A breach of PIPA’s standards of safeguard protection by a medical service provider, which causes or contributes to the unauthorized access to, or the wrongful disclosure of, that volume of patient medical records, could result in significant liabilities for that medical service provider; all of which arise from former patients who have no other connection to Bermuda other than the fact that their highly sensitive health information was being maintained in Bermuda.

Also, visitors to Bermuda who seek to establish longer term connections with Bermuda, by opening a bank or investment account, by buying property, by establishing a trust for their family, or even if they are establishing a company or participating in regulated business seeing to be licensed in Bermuda, will likely disclose their personal information for use in Bermuda.

As well, personal information might be provided by persons who are outside of Bermuda to local consulting, accounting or law firms, or to the individual’s employer whose head office is in Bermuda.

Insurance companies operating in Bermuda may have clients who reside outside of Bermuda, and so their personal information associated with administering those policies may be processed in Bermuda. A very common circumstance in the insurance industry, where sensitive personal information of individuals who are resident outside of Bermuda is collected and used in Bermuda, occurs when insurance companies from around the world provide, in the ordinary course of business, comprehensive insurance claims information to their Bermuda reinsurer, in part for the purpose of risk analysis and pricing evaluation.

As most members of the Chamber will appreciate, Bermuda is a jurisdiction that relies very heavily on international business, and so Bermuda’s anti-money laundering and anti-terrorism financing laws associated with “know your customer” requirements demand that a significant amount of personal information about individuals from around the world, much of which may be highly confidential and sensitive, must be collected for evaluation and assessment by both the private and public sectors in Bermuda.

The reality that individuals from around the world, who have no other connection to Bermuda other than the fact that an organization is using their personal information here, can assert their privacy right under PIPA carries some important implications for all organizations who collect and use personal information in Bermuda.

All individuals who have privacy rights under PIPA, even those who live on the other side of the planet and who do not intend to ever visit Bermuda, have a range of rights under PIPA – including the right: to access their personal information; to verify the accuracy, correctness or currency of their personal information; to require corrections to and/or the deletion of that information; to make a complaint about the use of their personal information to the relevant organization; to make such a complaint to Bermuda’s Privacy Commissioner ( including to request to launch an investigation ); to make a claim to the organization for financial compensation under PIPA for any financial loss or emotional distress they may have suffered from a failure of the relevant organization to comply with PIPA; or, to even petition the Privacy Commissioner or the Government to investigate the possible grounds for a regulatory investigation or criminal prosecution under PIPA.

Chamber members must also keep in mind that since Bermuda will so be an international “safe harbour” for the use of personal information, it is likely that any significant breach of PIPA, and any material incidents of unauthorized access to, publication of or use of personal information in Bermuda, may also attract the international attention and scrutiny by both foreign privacy regulators as well as potentially many individuals from around the world who may be adversely affected in those unfortunate circumstances.

Therefore, compliance with PIPA by the Chamber’s members is definitely not just a domestic affair.

First Published in the Bermuda Chamber of Commerce Newsletter (Chamber Insider), April 2024