After seeking, and receiving, input from the financial services sector last year, and issuing a draft report last September, Alexander White’s report is a comprehensive 52-page review of his views about how the Personal Information Privacy Act applies to the financial services sector.

Although the report confirms that the views expressed are not legally binding, that he is not bound by the report’s guidance, nor does the report set out his final or definitive position on any particular matter, it nevertheless provides a well considered and thoughtful review of the key questions that financial service providers have raised in the months leading up to, and since, PIPA’s full implementation on January 1.

An important context of the report, and why Commissioner White’s guidance is so welcome, is that Bermuda’s financial services are highly reliant on technology to capture, process and analyse data — so much of which includes personal information.

A controversy about PIPA’s interpretation that the report arguably settles is its guidance that all organisations — including holding companies and captives — that collect and disclose personal information about their directors, officers and ultimate owners for AML/ATF and other legally required determinations are subject to PIPA because such activities, even if performed by third parties on their behalf, constitute that organisation’s “use” of personal information in Bermuda.

That welcome clarification is best expressed in the report with the explanation that where “…an ‘organisation uses’ or is ‘using’ personal information under PIPA, Section 5(3) of PIPA states that the responsibility for compliance with PIPA is an ongoing regulatory compliance obligation for the captive insurer or holding company, irrespective of any third-party appointment”.

Another important controversy that the report addresses is whether the actual role of an organisation’s privacy officer can be outsourced to an unrelated third party.

The nuanced considerations offered by the Privacy Commissioner on that topic are important and must be considered in their totality.

However, Commissioner White suggests that there may be some circumstances where an organisation can “… elect to appoint a third-party [service provider] to act as [the organisation’s] privacy officer” and “smaller organisations may consider the value of obtaining the services of a corporate service provider capable of acting as their privacy officer”.

Bermuda’s financial services sector will also welcome the Privacy Commissioner’s guidance that an organisation’s ability to rely on PIPA’s qualified national security, regulatory activity and general exemptions is not limited to the public sector, and that circumstances may exist for the private sector to rely on those exemptions to “effectively fall outside the remit of PIPA”.

PIPA provides several grounds of allowance to permit an organisation to export personal information from Bermuda to an overseas third party. The legislation’s various grounds for export allowance primarily rest, in different ways, on whether the recipient jurisdiction provides comparable protections to PIPA.

Comparable PIPA protection may be achieved under PIPA by virtue of: the exporter’s assessment of such comparability — for the US, that will include federal and state law assessments — or if the governing export (services) agreement provides comparable protections; or if there are binding corporate codes of conduct that apply to the overseas recipient; or if the minister responsible designates that jurisdiction as providing a comparable level of protection.

Even though the minister has not yet designated any jurisdiction as providing “adequate protection”, the report states that all such comparability determinations must still be followed by a process of evaluating the business practices of the recipient to assess any PIPA noncompliance risk.

In that regard, the Privacy Commissioner’s guidance is highly instructive: “For the avoidance of doubt, a formal designation by the minister declaring that a jurisdiction’s law is ‘comparable’ to PIPA … would address only one element of Section 15: … the organisation should proceed to evaluating the business practices of the recipient.

“Whether or not an organisation concludes that the jurisdiction of an overseas third party provides a comparable level of data privacy protection, the organisation … must still assess the overseas third party’s organisational, administrative and technical processes and internal safeguards in order to determine that the overseas third party’s operational practices are secure and effectively provide a level of protection that satisfies the organisation’s obligations under PIPA.”

At more than 22,000 words, the report serves as much welcome guidance that makes a complex regime of data protection and privacy compliance much more accessible to organisations and individuals alike.

Commissioner White’s self-described proactive “listen, learn and engage” approach is destined to result in an improved awareness and understanding of PIPA for all organisations in Bermuda.

First Published in The Royal Gazette, Legally Speaking column, March 2025

Locations

Bermuda

Services

Corporate

Sectors

Privacy & Data Protection

Type

Insight

Share
X.com LinkedIn Email Save as PDF
More Publications
Appleby-Website-Insurance-and-Reinsurance
11 Jun 2025

Bermuda Paves the Way for Captive Insurers with New Stablecoin Policy

The Bermuda Monetary Authority (BMA) has announced a significant new policy framework that allows ca...

Brad Adderley
Ojeda Smith
Brad Adderley, Ojeda Smith
Appleby-Website-Insurance-and-Reinsurance
10 Jun 2025

Bermuda benefits from a strong and capital efficient regulatory regime

Bermuda’s long-term reinsurance sector is experiencing a new phase of complexity and scrutiny but ...

Max Tetlow
Cathryn Minors
Max Tetlow, Cathryn Minors
ICLG Fintech 21 cover
5 Jun 2025

Digital transformation done right (Bermuda)

As any specialised tech lawyer or technology consultant will tell you, digital transformation projec...

Duncan Card
Duncan Card
Appleby-Website-Insurance-and-Reinsurance
2 Jun 2025

2025 Global Financial Crisis Stress Test: Bermuda

The Bermuda Monetary Authority (BMA) has recently published instructions for a significant data coll...

Brad Adderley
Max Tetlow
Brad Adderley, Max Tetlow
050-Insolvency-Restructuring-Grid-Image
30 May 2025

Bankruptcy & Restructuring – To Enforce, or not to Enforce

Bermuda’s flagship restructuring process is the appointment of provisional liquidators, whose powe...

John Wasty
Sam Riihiluoma
Claire van Overdijk KC
James Batten
John Wasty, Sam Riihiluoma, Claire van Overdijk KC, James Batten
Bermuda-1024x576-1
22 May 2025

Corporate real estate acquisition in Bermuda

Corporate real estate acquisitions in Bermuda are a matter of careful balance. That is because, a...

Neil Molyneux
Jane Walker
Milaun Perott
Neil Molyneux, Jane Walker, Milaun Perott
Appleby-Website-Insurance-and-Reinsurance
22 May 2025

Long-term reinsurance and ILS are set for growth

After a record-breaking  2024, Bermuda’s life reinsurance sector is likely to expand further this...

Brad Adderley
Brad Adderley
Appleby-Website-Insurance-and-Reinsurance
15 May 2025

Bermuda: The vital role of the principal representative

Bermuda's regulatory framework requires every insurance company registered under the Insurance Act 1...

Ojeda Smith
Ojeda Smith
Employment-and-Immigration
30 Apr 2025

The End of the Digital Nomad Visa: How Else Can Individuals Reside in Bermuda?

As of 28 February 2025, Bermuda officially discontinued its popular “Work from Bermuda” (WFB) Ce...

Theodora Hand
Theodora Hand
Appleby-Website-Private-Client-and-Trusts-Practice
25 Apr 2025

Compliance with Pipa for trustees

The Personal Information Protection Act 2016, the island’s data protection legislation, applies to...

Nicola Bruce
Nicola Bruce