After seeking, and receiving, input from the financial services sector last year, and issuing a draft report last September, Alexander White’s report is a comprehensive 52-page review of his views about how the Personal Information Privacy Act applies to the financial services sector.

Although the report confirms that the views expressed are not legally binding, that he is not bound by the report’s guidance, nor does the report set out his final or definitive position on any particular matter, it nevertheless provides a well considered and thoughtful review of the key questions that financial service providers have raised in the months leading up to, and since, PIPA’s full implementation on January 1.

An important context of the report, and why Commissioner White’s guidance is so welcome, is that Bermuda’s financial services are highly reliant on technology to capture, process and analyse data — so much of which includes personal information.

A controversy about PIPA’s interpretation that the report arguably settles is its guidance that all organisations — including holding companies and captives — that collect and disclose personal information about their directors, officers and ultimate owners for AML/ATF and other legally required determinations are subject to PIPA because such activities, even if performed by third parties on their behalf, constitute that organisation’s “use” of personal information in Bermuda.

That welcome clarification is best expressed in the report with the explanation that where “…an ‘organisation uses’ or is ‘using’ personal information under PIPA, Section 5(3) of PIPA states that the responsibility for compliance with PIPA is an ongoing regulatory compliance obligation for the captive insurer or holding company, irrespective of any third-party appointment”.

Another important controversy that the report addresses is whether the actual role of an organisation’s privacy officer can be outsourced to an unrelated third party.

The nuanced considerations offered by the Privacy Commissioner on that topic are important and must be considered in their totality.

However, Commissioner White suggests that there may be some circumstances where an organisation can “… elect to appoint a third-party [service provider] to act as [the organisation’s] privacy officer” and “smaller organisations may consider the value of obtaining the services of a corporate service provider capable of acting as their privacy officer”.

Bermuda’s financial services sector will also welcome the Privacy Commissioner’s guidance that an organisation’s ability to rely on PIPA’s qualified national security, regulatory activity and general exemptions is not limited to the public sector, and that circumstances may exist for the private sector to rely on those exemptions to “effectively fall outside the remit of PIPA”.

PIPA provides several grounds of allowance to permit an organisation to export personal information from Bermuda to an overseas third party. The legislation’s various grounds for export allowance primarily rest, in different ways, on whether the recipient jurisdiction provides comparable protections to PIPA.

Comparable PIPA protection may be achieved under PIPA by virtue of: the exporter’s assessment of such comparability — for the US, that will include federal and state law assessments — or if the governing export (services) agreement provides comparable protections; or if there are binding corporate codes of conduct that apply to the overseas recipient; or if the minister responsible designates that jurisdiction as providing a comparable level of protection.

Even though the minister has not yet designated any jurisdiction as providing “adequate protection”, the report states that all such comparability determinations must still be followed by a process of evaluating the business practices of the recipient to assess any PIPA noncompliance risk.

In that regard, the Privacy Commissioner’s guidance is highly instructive: “For the avoidance of doubt, a formal designation by the minister declaring that a jurisdiction’s law is ‘comparable’ to PIPA … would address only one element of Section 15: … the organisation should proceed to evaluating the business practices of the recipient.

“Whether or not an organisation concludes that the jurisdiction of an overseas third party provides a comparable level of data privacy protection, the organisation … must still assess the overseas third party’s organisational, administrative and technical processes and internal safeguards in order to determine that the overseas third party’s operational practices are secure and effectively provide a level of protection that satisfies the organisation’s obligations under PIPA.”

At more than 22,000 words, the report serves as much welcome guidance that makes a complex regime of data protection and privacy compliance much more accessible to organisations and individuals alike.

Commissioner White’s self-described proactive “listen, learn and engage” approach is destined to result in an improved awareness and understanding of PIPA for all organisations in Bermuda.

First Published in The Royal Gazette, Legally Speaking column, March 2025

Locations

Bermuda

Services

Corporate

Sectors

Privacy & Data Protection

Type

Insight

Share
X.com LinkedIn Email Save as PDF
More Publications
Appleby-Website-Insurance-and-Reinsurance
1 Oct 2025

Private Cat Bonds and Casualty Sidecars Gaining Momentum in ILS Space

Following a particularly busy quarter for privately placed catastrophe bond transactions, this appea...

Brad Adderley
Brad Adderley
Technology and Innovation
25 Sep 2025

IT Enables Global Business Alignment

In Bermuda, many — if not most — of our international businesses are part of a multinational ent...

Duncan Card
Duncan Card
Appleby_preview_Bermuda_1
23 Sep 2025

Continuous Compliance: Building Confidence, Reducing Risk

Over the past decade, Bermuda businesses have faced a steady rise in regulatory and legal obligation...

Jarion Richardson
Jarion Richardson
Bermuda-1024x576-1
11 Sep 2025

A guide to selling your Bermuda home

Bermuda homeowners should protect their interests by enlisting expert advice when they decide to sel...

Neil Molyneux
Neil Molyneux
Bermuda-1024x576-1
10 Sep 2025

Discipline Now Key as Pressures on Reinsurers Mount

The reinsurance market is in a strong position after two years of profits and covering its cost of c...

Brad Adderley
Brad Adderley
Appleby-Website-Insurance-and-Reinsurance
10 Sep 2025

Education and Acceptance Fuel Wave of New Sponsors in Cat Bond Market

With the catastrophe bond market seeing eleven new sponsors enter the space so far this year, the tr...

Brad Adderley
Brad Adderley
Appleby-Website-Insurance-and-Reinsurance
9 Sep 2025

Built on Governance, Driven by Innovation: The Bermuda Advantage

Holding 85% of the cat bond market, Bermuda’s edge in alternative capital is no accident. “Re...

Brad Adderley
Brad Adderley
Appleby-Website-Employment-and-Immigration
26 Aug 2025

Walking the Tightrope of Restrictive Covenants

Restrictive covenants in employment agreements can often be a tightrope for employers. Ideally, thos...

Anna Markiewicz
Anna Markiewicz
ICLG Fintech 21 cover
26 Aug 2025

Insights from the BMA’s Discussion Paper on Responsible Use of Artificial Intelligence in Bermuda’s Financial Sector

The Bermuda Monetary Authority (BMA) recently published a discussion paper on 30 July, 2025: The Res...

Brad Adderley
Aleisha Hollis
Brad Adderley, Aleisha Hollis
Appleby-Website-Insurance-and-Reinsurance
25 Aug 2025

Bermuda – Influential Women in Hamilton: Melinda Mayne

Insurance companies in Bermuda are more open to discussions on diversity and inclusion, though there...

Melinda Mayne
Melinda Mayne