On 1 January 2025, the Personal Information Protection Act, 2016 (“PIPA”), finally came into full force and effect in Bermuda.
PIPA is Bermuda’s equivalent of the UK’s Data Protection Act, 1998, and the EU’s General Data Protection Regulation (EU) 2016/679 (or “GDPR”). It applies to all “organisations” in Bermuda. The primary purposes of PIPA are to regulate the:
- collection;
- use;
- safeguarding; and
- access to;
personal information about individuals used by organisations in Bermuda, in a manner that respects an individual’s right to privacy.
To achieve these aims, PIPA requires organisations to:
- provide individuals with “privacy notices” which state the purpose for which the personal information is being collected and provide other details;
- have a valid “condition of use” for all uses made of personal information (the conditions of use include but are not limited to the consent of the individual to the use);
- have policies and procedures in place concerning the handling of personal information, including records as to how that information was obtained and how it was used;
- have a designated “privacy officer” who will be responsible for dealing with all requests for access to personal information;
- provide ready access to an individual who wishes to review their personal information, held by the organisation, for the purpose of:
  - correcting;
  - blocking; or
  - destroying;

  the information in question;
- report any “data breach” concerning personal information to Bermuda’s Privacy Commissioner.
The coming into force of PIPA is highly significant as it now brings Bermuda in line with His Majesty’s international obligations as set out in Article 8 of the European Convention on Human Rights. Although there were causes of action available under Common Law, which preceded the coming into force of PIPA, such remedies were only available to those who were prepared to file a writ, and seek a temporary injunction through the Supreme Court of Bermuda.
PIPA, however, now provides a regulatory enforcement provision whereby Bermuda’s Privacy Commissioner can issue orders to organisations found to be in breach of PIPA to ensure their compliance with the new statutory regime. By affording powers of enforcement to the Privacy Commissioner, the residents of Bermuda now have a ready, clear right to control their personal information which will not require them to retain a lawyer first.