Personal Information Protection Act 2016 (PIPA)

Department of ICT Policy and Innovation, Government of Bermuda

PIPA introduces a right to informational privacy that is bespoke to Bermuda and was drafted to meet the aspirations of a country focused on a future where data is inextricably linked to the quality of life for its residents and citizens. PIPA builds on Bermuda’s blue-chip reputation, its long business relationships with the world’s key economies, its world-class regulatory infrastructure and its desire to be in the vanguard delivering 21st-century information services.

The law provides a high standard of personal information protection, giving confidence to individuals in the growing trust and personal information economy. In addition to providing a fundamental human right, as attested to by the UN Universal Declaration of Human Rights for both self-sovereignty and privacy, PIPA is a critical pillar of Bermuda’s cybersecurity infrastructure.

The Bermuda approach

PIPA establishes a progressive framework for the protection of personal information. It was created to meet current European privacy standards, which underpin the ‘international network of trust’ that permits the free transfer of personal information between states providing ‘adequate’ privacy protection [1]. PIPA’s concepts and approach will be instantly familiar to anyone with experience of the OECD/APEC/EU Privacy Principles. Familiarity provides confidence and legal certainty reduces risk.

PIPA creates a privacy framework covering all personal information used by organisations, including the Government of Bermuda, and implements standard privacy principles, enabling Bermuda to draw on a large body of privacy law developed in other jurisdictions. This, coupled with English law and an appeal process ending with the Privy Council in London, provides both familiarity and a strong basis for legal certainty.

PIPA also provides a feature not always found in other jurisdictions: under the legislation, an organisation may request that the Privacy Commissioner issue a “finding or decision” concerning its privacy compliance. This means that a business with a new/novel service using personal information (or thinking about setting up in the country) may obtain an official statement as to whether it complies with the law before incurring significant expenditure [2].

Privacy and the United States

PIPA was drafted with the assistance of US attorneys and is based on legislation from an economy reliant on trade with the country [3]. US business can take comfort from this. However, the US does not have overarching informational privacy legislation. Multiple laws apply to different sectors, different states, and at the Federal level. Such laws do not match the omnibus legislation found in many other countries. What’s more, while one-off deals have been made that enable the transfer of personal information to and from the US, they do not allow it to join the ‘international network of trust’ that is founded on the European model.

Equally, in a truly global world focused on interoperability and agreed standards, the assurances that a world-class privacy and data-sharing regime can offer both individuals and organisations become even more important. Businesses that use personal information rely on the continued confidence of customers for growth. This is a fundamental issue of trust, as the data required from individuals, which can personalize and assert their identities and brand loyalties, is a critical component in all transactions for goods and services involving customer data. Recent events have undermined this, and actions by a number of ultra-large, publicly-listed technology and data organisations continue to create considerable uncertainty around the future of privacy [4] in the US and around the world.

If you are looking for a jurisdiction that provides an effective and efficient approach to privacy protection, that meets international best practice, and that will boost customer confidence, you need look no further than Bermuda.

Conclusion

PIPA places Bermuda at the forefront of global privacy protection. It creates a straightforward privacy framework and provides customers with a high level of confidence.

1. An application for EU adequacy will be made by Bermuda at the appropriate time
2. Subject to standard limitations
3. Alberta
4. Tim Cook, Apple CEO, proposed a US version of the EU GDPR at the 40th ICDPPC (24/10/2018)