Bermuda's data protection legislation has been on hold for a number of years. Since its enactment in 2016, only some of the provisions of the Personal Information Protection Act 2016 (PIPA) have come into effect. PIPA is designed to protect the fundamental rights and freedoms of individuals relating to the use of their personal information and places duties and restrictions on the use of such information by all organisations including public authorities. The Public Access to Information Act 2010 and concomitant regulations (PATI) provides the public with access, subject to some restrictions, to their records held by public authorities. Together, the right to public access to information under PATI and the privacy rights enshrined in PIPA provide the core foundations of a robust and comprehensive information rights framework.
Full implementation of PIPA was deferred to enable the groundwork for that Act to be laid. This included the appointment of an information a Privacy Commissioner and educating the public on their rights under the law generally. On June 16, 2023, Bermuda's lawmakers passed amendments to the island's laws to bring the jurisdiction closer to having mandated personal data protection.
With the passage of the Personal Information Protection Amendment Act 2023 (the "Amendment Act"), all provisions of PIPA will come into force on January 1, 2025.
The Amendment Act harmonises PIPA and PATI codifying the access to public records and providing for the efficient administration of both Acts. The Amendment Act provides one legislative regime through which personal information may be requested or corrected and gives PIPA, rather than PATI, priority as the route through which requests to public authorities for personal information will be managed. It also resolves certain conflicting and duplicate provisions found in PATI and PIPA ensuring, for instance, that there is a single, cohesive definition of what amounts to one's personal information. Other changes to the legislation have been included to enable the efficient practical application of the laws such as giving the Privacy Commissioner six instead of three months within which to prepare year-end annual reports under PIPA.
While still some time away, the upcoming date offers welcome certainty. Organisations of all sizes must now consider their internal processes and procedures to ensure that they comply with the legislation before the expiration of the 18-month period. When enacted, PIPA will provide strong safeguards for the collection, storage, handling and sharing of personal information and its implementation will bolster Bermuda's reputation internationally ensuring that the jurisdiction's privacy laws are stringent and fair.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
