PIPA Guidance on Financial Services (Bermuda)
This month, the Privacy Commissioner of Bermuda released his Financial Services Guidance Notes: Final Report.
After seeking, and receiving, input from the financial services sector last year, and issuing a draft report last September, Alexander White’s report is a comprehensive 52-page review of his views about how the Personal Information Privacy Act applies to the financial services sector.
Although the report confirms that the views expressed are not legally binding, that he is not bound by the report’s guidance, nor does the report set out his final or definitive position on any particular matter, it nevertheless provides a well considered and thoughtful review of the key questions that financial service providers have raised in the months leading up to, and since, PIPA’s full implementation on January 1.
An important context of the report, and why Commissioner White’s guidance is so welcome, is that Bermuda’s financial services are highly reliant on technology to capture, process and analyse data — so much of which includes personal information.
A controversy about PIPA’s interpretation that the report arguably settles is its guidance that all organisations — including holding companies and captives — that collect and disclose personal information about their directors, officers and ultimate owners for AML/ATF and other legally required determinations are subject to PIPA because such activities, even if performed by third parties on their behalf, constitute that organisation’s “use” of personal information in Bermuda.
That welcome clarification is best expressed in the report with the explanation that where “…an ‘organisation uses’ or is ‘using’ personal information under PIPA, Section 5(3) of PIPA states that the responsibility for compliance with PIPA is an ongoing regulatory compliance obligation for the captive insurer or holding company, irrespective of any third-party appointment”.
Another important controversy that the report addresses is whether the actual role of an organisation’s privacy officer can be outsourced to an unrelated third party.
The nuanced considerations offered by the Privacy Commissioner on that topic are important and must be considered in their totality.
However, Commissioner White suggests that there may be some circumstances where an organisation can “… elect to appoint a third-party [service provider] to act as [the organisation’s] privacy officer” and “smaller organisations may consider the value of obtaining the services of a corporate service provider capable of acting as their privacy officer”.
Bermuda’s financial services sector will also welcome the Privacy Commissioner’s guidance that an organisation’s ability to rely on PIPA’s qualified national security, regulatory activity and general exemptions is not limited to the public sector, and that circumstances may exist for the private sector to rely on those exemptions to “effectively fall outside the remit of PIPA”.
PIPA provides several grounds of allowance to permit an organisation to export personal information from Bermuda to an overseas third party. The legislation’s various grounds for export allowance primarily rest, in different ways, on whether the recipient jurisdiction provides comparable protections to PIPA.
Comparable PIPA protection may be achieved under PIPA by virtue of: the exporter’s assessment of such comparability — for the US, that will include federal and state law assessments — or if the governing export (services) agreement provides comparable protections; or if there are binding corporate codes of conduct that apply to the overseas recipient; or if the minister responsible designates that jurisdiction as providing a comparable level of protection.
Even though the minister has not yet designated any jurisdiction as providing “adequate protection”, the report states that all such comparability determinations must still be followed by a process of evaluating the business practices of the recipient to assess any PIPA noncompliance risk.
In that regard, the Privacy Commissioner’s guidance is highly instructive: “For the avoidance of doubt, a formal designation by the minister declaring that a jurisdiction’s law is ‘comparable’ to PIPA … would address only one element of Section 15: … the organisation should proceed to evaluating the business practices of the recipient.
“Whether or not an organisation concludes that the jurisdiction of an overseas third party provides a comparable level of data privacy protection, the organisation … must still assess the overseas third party’s organisational, administrative and technical processes and internal safeguards in order to determine that the overseas third party’s operational practices are secure and effectively provide a level of protection that satisfies the organisation’s obligations under PIPA.”
At more than 22,000 words, the report serves as much welcome guidance that makes a complex regime of data protection and privacy compliance much more accessible to organisations and individuals alike.
Commissioner White’s self-described proactive “listen, learn and engage” approach is destined to result in an improved awareness and understanding of PIPA for all organisations in Bermuda.
First Published in The Royal Gazette, Legally Speaking column, March 2025
