Privacy Rights Extend Outside Bermuda

Published: 14 Mar 2024
Type: Insight

As Bermuda prepares for the full application of the Personal Information Protection Act 2016 on January 1, 2025, organisations that use personal information in Bermuda must keep in mind that PIPA protects the privacy rights of all individuals whose personal information is being used, regardless of their geographic location.

Although PIPA only applies to the use of personal information in Bermuda, PIPA makes no distinction about the residence, domicile, or geographic location of the individual – defined in PIPA only as “a natural person” – whose personal information (ie any information about an identified or identifiable individual) is being used.

The reality that individuals around the world, who have no other connection to Bermuda other than the fact that an organisation is using their personal information here, can assert their privacy right under PIPA carries some important implications for all organisations that collect and use personal information in Bermuda.

There are many ways in which personal information is collected for use from individuals who are outside of Bermuda. For example, international visitors to Bermuda may provide their personal information to their hotels, to a retailer, to vehicle rental agencies, or to various medical service providers here.

As well, personal information might be provided by persons who are outside of Bermuda to local financial institutions, such as banks or investment firms, to consulting, accounting and law firms, or to the individual’s employer whose head office is on-island.

A very common circumstance where sensitive personal information is collected occurs when insurance companies from around the world provide, in the ordinary course of business, comprehensive insurance claims information to their Bermuda reinsurer.

As a jurisdiction that relies heavily on international business, Bermuda’s anti-money laundering and antiterrorism financing duties associated with “know your customer” requirements results in a significant amount of personal information, which can be highly sensitive, to be collected and used by both the private and public sectors in Bermuda.

Of course, the operation of PIPA in this regard is neither exceptional nor unintended. PIPA was fundamentally designed to protect the privacy rights of individuals from around the world here in Bermuda.

The ability of individuals to hold organisations who use their personal information fully accountable under PIPA is what makes Bermuda, in the eyes of international privacy law, a “safe harbour” that allows such personal information to be legally exported for its use in Bermuda.

However, being an international safe harbour also means that any potential breaches of PIPA, and incidents of unauthorised access to, publication of, or use of personal information, may also attract the international attention and scrutiny by both foreign privacy regulators and by potentially many individuals around the world who may be adversely affected in those potential circumstances.

First Published in The Royal Gazette, Legally Speaking column, March 2024

Share
More publications
050-Insolvency-Restructuring-Grid-Image
13 Jul 2026

Bermuda: Restructuring & Insolvency

This country-specific Q&A provides an overview of Restructuring & Insolvency laws and regulations applicable in Bermuda.

Appleby-Website-Regulatory-Practice
10 Jul 2026

It’s healthy to sometimes disagree with regulators

At some point, almost every regulated business will disagree with its regulator.

Appleby-Website-Privacy-and-Data-Protection
8 Jul 2026

Bermuda Privacy Commissioner Signals Shift to Stronger PIPA Enforcement

The Office of the Privacy Commissioner (PrivCom) has issued its first annual report since Bermuda's Personal Information Protection Act 2016 (PIPA) came fully into force, with the reports content signaling a transition from education and implementation to a stronger focus on enforcement.

Bermuda-1024x576-1
1 Jul 2026

A Forest for the Future

A first since the blight, the airport cedar forest is growing tall and standing strong.

Appleby-Website-Regulatory-Practice
1 Jul 2026

Complied out of business

Firms are complying themselves out of business because compliance no longer matches the evolving sophistication of the Bermuda Monetary Authority (BMA).

Appleby-Website-Insurance-and-Reinsurance
1 Jul 2026

The long game: how Bermuda became the world’s life reinsurance capital

Ask a life insurer in New York, London or Tokyo where the liabilities behind their book ultimately sit and there is an increasingly good chance the answer is a 21-square-mile island in the North Atlantic.

Appleby-Website-Insurance-and-Reinsurance
1 Jul 2026

Record H1’26 Cat Bond Issuance Driven by Rising Sponsor Comfort and Diversified Risk

With H1 2026 officially breaking the record for the most catastrophe bond deals to come to market and settle in the first six months of the year, a key trend driving this momentum is how comfortable sponsors have become with the mechanics of the overall cat bond space. This familiarity has ultimately encouraged a wave of new sponsors to enter the market, according to Brad Adderley, Managing Partner at law firm Appleby.

Appleby-Website-Employment-and-Immigration
12 Jun 2026

The Cost of Getting Employee Departures Wrong: Five Common Pitfalls for Bermuda Employers

Employee departures are an inevitable part of running a business, but the way they are managed can have significant legal, financial and operational consequences. In Bermuda, employers who approach terminations without adequate preparation may expose themselves to unnecessary disputes, regulatory issues, and reputational harm. Whether an employee is being dismissed for performance reasons, made redundant or departing as part of a negotiated exit, by recognizing the following common mistakes and taking a proactive approach, organizations can manage departures more effectively and reduce risk.

Appleby-Website-Privacy-and-Data-Protection
8 Jun 2026

It’s time to bridge Pipa compliance gap

A review of 200 publicly available privacy notices of companies in Bermuda has revealed that just one in nine are fully compliant with the Personal Information Protection Act 2016.

Appleby-Website-Privacy-and-Data-Protection
26 May 2026

Transparency is a legal requirement under Pipa

Major companies across the European Union have faced substantial fines between 2019 and 2024, estimated at a total of €930 million (about $1.08 billion), not only for cyberattacks or data breaches, but also for issues such as noncompliant privacy notices. A common theme in many cases has been a lack of transparency.