Legislative Brief by the Minister of Economic Development, Dr. the Hon. E. Grant Gibbons JP, MP
Mr. Speaker, the Personal Information Protection Act or PIPA that we are debating today, will, for the very first time in Bermuda, introduce a general right to privacy for personal information in Bermuda. The aim of the PIPA Bill is to put back the control over the use of personal information into the hands of our residents, where it rightly belongs. This legislation, often termed ‘data protection’ or ‘informational privacy’ legislation, is an important human right and forms a critical building block in the creation of a successful information society, which in turn will help boost Bermuda’s economy.
Mr. Speaker, the introduction of PIPA is timely. PIPA has links with the Public Access To Information Act (PATI), which was confirmed by the Information Commissioner in her recent annual report. She spoke of the need for privacy legislation in Bermuda, and specifically recognized the need to protect individual privacy when discharging her legal duties in managing the PATI office.
Mr. Speaker, in establishing both PATI and PIPA, the government has introduced a robust “information rights” framework. In essence, government has established a framework that creates transparency and accountability with respect to information held by organisations and provides rights of access: first, with the implementation of PATI for government-held records, and now with PIPA, which creates responsibilities for all organisations, including government, regarding the use of personal information.
Mr. Speaker, PIPA’s long gestation period allowed Bermuda to benefit by ensuring that the Bill before the House today captures the very latest privacy rights and principles found across the world. This includes the European Union’s General Data Protection Regulation (GDPR), which was passed by the European Parliament on April 14, 2016 and will come into operation on May 25, 2018. A new framework for transferring personal information from the European Union to the U.S., known as the “Privacy Shield”, which was adopted this week, has also been considered in the development of the Bill.
Mr. Speaker, the original concept of privacy found in the constitutions of many countries and in human rights legislation stems from the “right to be left alone”. Bermuda has limited rights of privacy in the Bermuda Constitution Order 1968, with section 7 providing “Protection for privacy of home and other property” between the individual and the State. The International Covenant on Civil and Political Rights issued by the United Nations was extended to Bermuda by the United Kingdom on May 20, 1976. Article 17 of that Covenant provides that “no one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, or to unlawful attacks on their honour and reputation”. The European Convention on Human Rights also “applies” to Bermuda. Article 8 creates a general right to “respect for privacy”, while finally the Human Rights Act 1981 adds to this and develops areas of particular relevance to Bermuda.
Mr. Speaker, these separate provisions were introduced in a world that is markedly different to the one that exists today. The advent of the ‘information society’ and the dramatic development of technology make the issue of privacy, and in particular the right to ‘informational privacy’, a major focus for the global community. The right to informational privacy is based on the right of the individual to protect his or her personal information. Such laws were developed in Europe due to abuses by the Nazi regime of personal information contained in town hall and other local records in order to commit the well documented atrocities of World War II. In the 1960s and ’70s, with the advent of computers, the realization grew that those who wished harm to others would have even greater power to do so. Alan Westin, a lawyer and political scientist at Columbia University credited with the origins of modern privacy law, in his book “Privacy and Freedom,” written in 1967, defined privacy as “the desire of people to choose freely under what circumstances and to what extent they will expose themselves, their attitude and behaviours to others”. This is the guiding principle of the PIPA Bill.
Mr. Speaker, in Bermuda we live in a small, caring community where being neighbourly and sharing information is a natural part of life. Although we may know a lot about each other, we all have an expectation of privacy. While it is clear to most that privacy should be a right, it may not be evident what the lack of, or abuses of, privacy actually mean for us in our daily lives, and what this legislation is intended to achieve.
Mr. Speaker, many of us know of situations that exist in Bermuda where intimate personal information held by an organisation, such as a health condition, has been shared by a staff member without the knowledge or consent of the individual concerned. We have also experienced hearing or even seeing personal details related to someone else’s transaction while waiting to be served. While harm may not have been intended, the consequences can pose embarrassment, unwarranted challenges to, and risks for, the individual whose personal information has been exposed.
Mr. Speaker, there have also been cases reported in our local papers where personal information has been accessed, enabling hackers to obtain credit card information. The Department of E-Commerce, in its 2014-15 ICT Benchmarking Study, revealed that some Bermuda organisations have been the subject of cyber security incidents. These kinds of situations could potentially result in identity or financial theft.
Mr. Speaker, these are a few examples of what is already occurring on our Island. I think it’s safe to say that everyone would like to have peace of mind knowing that the use of their personal information is both limited and secure. This is not the case at present. The PIPA seeks to address this head on and offers additional gains. It would include the ability to have incorrect personal information that is being held and used by an institution amended. This becomes particularly important if the information is being used for the purposes, for example, of determining whether a loan should be granted.
Mr. Speaker, the PIPA Bill is designed to address the imbalance of individuals having little or no control over the use of their personal information. There are advantages as well for the organisations that are subject to the PIPA. It is a highly competitive marketplace, and those entities that are seen to be trustworthy and responsible with the use of personal information will benefit.
Mr. Speaker, it will also be beneficial for organisations such as associations, clubs and charities that may rely on donations or fees from the public, both local and overseas. Assuring donors and members that the personal information given will be kept and used in accordance with the requirements of the PIPA will provide a level of confidence. In cases where groups are organized around controversial or sensitive issues, it becomes very important indeed that participants can be assured that their identities will not be revealed without their awareness or agreement.
Mr. Speaker, while providing protection locally is of great importance, PIPA has been drafted with a broader perspective in mind, as it seeks to raise Bermuda to a level that will enable it to join the international ‘network of trust’ currently existing between countries with similar levels of informational privacy protection. This ‘network’ increases trust between individuals and users of personal information while providing significant advantages for international businesses and local businesses that would like to compete in global markets. Bermuda is currently excluded from this network of trust, and it is likely that we will be viewed as a less attractive jurisdiction to operate from if this continues.
Mr. Speaker, the operation of this ‘network of trust’ is based upon an assessment of privacy laws to see if they match those of member nations. To this end, the European Union permits third party countries to apply for a finding of ‘Adequacy’. Any country whose informational privacy legislation is deemed ‘adequate’ may transfer personal information from and to the EU without the need for formal assessments and contractual restrictions. Given that many businesses operating in Bermuda have clients or offices in the EU and other equivalent jurisdictions, a finding of ‘Adequacy’ would be viewed as a major advantage.
Mr. Speaker, as an aside, I can also confirm that this situation will not change in the event that the United Kingdom leaves the EU, as it is in the UK’s best interest to continue to implement any informational privacy legislation that the EU develops, in order that it will itself remain ‘adequate’ for purposes of trade.
Mr. Speaker, I can confirm that PIPA has been developed so that an application for a finding of ‘Adequacy’ can be made. Should Bermuda be deemed “Adequate”, it can provide us with a competitive advantage because of our close proximity to the U.S. and the ability to transfer personal information freely to the EU and other jurisdictions.
Mr. Speaker, the network of trust is not limited to the EU. Canada, Guernsey, Jersey, the Isle of Man, Israel, New Zealand, Argentina, Uruguay, and Switzerland all have such legislation and are able to transfer personal information with the EU member states. The United States is entering into an agreement with the EU known as the “Privacy Shield”, which will allow for these transfers with some restrictions. In 2008, a CARIFORUM-EU Economic Partnership Agreement was signed between the EU and many Caribbean countries. It requires them to adopt informational privacy laws within a specific time frame.
The Cayman Islands have also published draft Data Protection legislation and have expressed their intent to seek an “Adequacy” finding as well. The gradual expansion of this network to many jurisdictions with which Bermuda has a social and economic relationship means that membership is important.
Mr. Speaker, technology linked to a world-class communications infrastructure is now regarded as critical for the wellbeing of any nation’s economy, and in this Bermuda is no exception. Indeed, given the reliance of both domestic and international business in Bermuda on links with the outside world, it is possible to make a case that Bermuda is more reliant on these technologies than many other countries, and therefore their continued and secure operation is critical for our national security.
Mr. Speaker, we are in discussion with the private sector and others with a view to the development of a cybersecurity framework. International organisations like the International Telecommunications Union (ITU) and the Organisation for Economic Development (OECD), together with major trading blocs such as the European Union (EU) and the Asia-Pacific Economic Cooperation (APEC), either actively promote or require that countries operating in this arena implement relevant laws to promote public trust and security. They make it clear that a key part of any e-business security infrastructure is the introduction of laws protecting the use of personal information by organisations. The EU, in its new General Data Protection Regulation, states that public confidence in the protection of personal information held by organisations is essential for the development of the information economy.
Mr. Speaker, I am pleased to say that the importance of PIPA has been recognized by both sides of this House. At a relatively early stage it was decided that a bespoke model law should be developed that recognized Bermuda’s unique requirements. The law would balance robust protections for individuals with the needs of organisations to operate effectively. The highly regulatory approach taken by many countries was not regarded as appropriate for a country the size of Bermuda and with our strong US trading links. In developing the draft model, the primary goal was to provide comprehensive informational privacy rights for our residents that reflect international best practice. The OECD and the EU along with other organisations and countries have adopted a set of common privacy principles and these have been used as our framework.
Mr. Speaker, it has been challenging creating a privacy framework that meets these requirements, so in developing the legislation we have looked at various laws and the implementation experiences of other countries. We have considered the frameworks of small jurisdictions and our competitors. We have consulted with international specialists and have had unprecedented access to a group of international privacy regulators, from countries both large and small, who have kindly provided considerable advice and assistance throughout the development of PIPA.
Mr. Speaker, I would like to take this opportunity to thank those regulators on behalf of the Government of Bermuda for the time they have taken in this regard.
Mr. Speaker, the roots of our PIPA model stretch far and wide. Primarily, we wished to emulate the European Union and their approach and philosophy with respect to preserving and protecting the informational privacy rights of individuals. We have drawn heavily from Canada, and particularly Alberta, who have taken a business-friendly approach to their privacy legislation. Canada is an “Adequate” jurisdiction for business purposes and has significant economic ties with the United States, as does Bermuda. We have of course taken into consideration the UK’s model and some aspects of the U.S. regime as well. Ultimately, we have extracted those elements from these jurisdictions that in our opinion best serve Bermuda.
Mr. Speaker, the team within the Department of E-Commerce tasked with developing the PIPA model engaged with the public and private sectors both directly and also through a Privacy Working Party, constituted with representatives of important stakeholder groups. There has been strong support for this initiative, and the Department of E-Commerce’s latest ICT survey found that 97% of Bermuda residents believe that it is important to protect their personal information.
Mr. Speaker, I would now like to provide some highlights of the PIPA Bill. I mentioned earlier that this legislation is based on a common set of principles developed by the OECD and EU that embody the right to informational privacy and form the basis of the obligations required of organisations. They are as follows:
- Personal information shall be used fairly and lawfully.
- Personal information shall be used for limited specified purposes.
- Personal information shall be adequate, relevant and not excessive in relation to the purpose or purposes for which it is used.
- Personal information shall be accurate and, where necessary, kept up to date.
- Personal information used for any purpose shall not be kept for longer than is necessary for that use.
- Personal information shall be used in accordance with the rights of individuals.
- Personal information shall be kept securely.
- Personal information shall only be transferred to third parties (including international transfers) where there is a comparable level of protection.
Mr. Speaker, while PIPA is designed to meet international best practice, it is a modern, pragmatic piece of legislation, balancing comprehensive protection with sensible regulation that is appropriate for Bermuda. For PIPA to achieve its objectives, it must work in practice as well as in theory. The basic tenets of the PIPA are that it be fair, just and reasonable. ‘Reasonableness’ is a concept well known in Common law. It is the standard to be applied regarding the application of PIPA. In determining whether something is reasonable or unreasonable, or whether a matter has been carried out or otherwise dealt with reasonably or in an unreasonable manner, the test is what a reasonable person would consider appropriate in the circumstances.
Mr. Speaker, the PIPA covers all businesses and government departments and their use of personal information both in electronic and hard copy format. The Bill also outlines the grounds for using personal information. Organisations should take into consideration the privacy implications of the services they provide and the nature of the personal information they are using. They should incorporate these considerations into their policies and procedures and at the earliest stage in the development of any new service. Many countries have similar requirements and this concept is often referred to as “privacy by design”.
Mr. Speaker, we have taken into account the nature of Bermuda organisations, whether small, medium or large and while we remain committed to the principles we have tried to be pragmatic in order that organisations can carry out their obligations. To this end, we have reduced some of the traditional regulatory requirements found in other jurisdictions which provides more operational flexibility without reducing protections. This should be attractive to businesses wishing to locate here from both sides of the Atlantic.
Mr. Speaker, in order to provide individuals with confidence when entrusting their personal information, organisations remain responsible for the personal information that they use even if it is transferred to third parties. This follows the Canadian approach, and the EU is also concerned that protections should follow the personal information that is transferred outside its borders. The PIPA also requires additional safeguards for a certain category of personal information known as sensitive information. This includes personal information relating to race, religion and health, among others.
Mr. Speaker, the PIPA details the rights of individuals and how to exercise those rights. It includes provisions requiring notices to individuals regarding the collection and use of their personal information as well as procedures for accessing their information and requesting that it be corrected, blocked, or erased. Individuals also have the right to complain to a regulator and have their complaints investigated.
Mr. Speaker, children can be vulnerable particularly on the Internet. We have included requirements relating to children’s information used in the context of information society services. We are well aware that despite the challenges there are also benefits to be derived for our youth participating online and so we have tried to take a realistic approach in this regard.
Mr. Speaker, I have spoken about cybersecurity and our efforts in this area. In order to assist in the prevention of data breaches, PIPA requires that organisations implement appropriate security for any personal information that they have and use. There are data breach notification provisions as well.
Mr. Speaker, this brings me to a very important area, that of enforcement, compliance, offences and penalties. Given the seriousness with which we view the PIPA and the importance of compliance, the PIPA outlines offences and the penalties that include fines and imprisonment.
Mr. Speaker, critical to the success of the PIPA is the appointment of an independent regulator responsible for ensuring compliance with the legislation. This is also important when applying to the EU for an “Adequacy” finding. The PIPA details the appointment of a Privacy Commissioner and sets out the necessary conditions, powers and functions required to fulfill the responsibilities of that office in a fair and independent manner.
Mr. Speaker, you may recall that last summer we undertook a Public Consultation on the PIPA draft model. Four information sessions were held and an awareness campaign through the media took place to encourage feedback. Copies of the PIPA draft model, comment submission forms and further information about privacy were available through the Department of E-Commerce’s office and on the dedicated website at www.privacy.bm. We received eighteen (18) submissions by the deadline from individuals and organisations. These were posted on the privacy.bm website for the public to view and we are grateful to those who took the time to participate in this process.
Mr. Speaker, since the consultation took place there have been a number of significant events in the international privacy landscape that required consideration. We have already mentioned that the EU introduced its new General Data Protection Regulation. The European Court of Justice declared “Safe Harbour”, the previous framework for transferring personal information from the EU to the US, invalid. It is being replaced by the “Privacy Shield”. These are particularly important given that Bermuda intends to submit an application for “Adequacy”.
Mr. Speaker, after a thorough review of both the consultation feedback and the EU developments, we have taken on board a number of suggestions, and have refined certain areas of the Bill. These include: expanding the categories of sensitive personal information; adding additional safeguards to protect the rights of individuals; respecting legal privilege; providing the Commissioner with more tools to encourage the resolution of complaints before legal action; ensuring a right of appeal for all Commissioner’s orders; and requiring breach notices to include an assessment of the impact of the breach. We feel these additions and other changes have significantly improved PIPA and furthered its objectives.
Mr. Speaker, I have articulated why PIPA is important and timely. Many organisations in Bermuda already comply with some type of informational or data privacy requirements. The latest ICT Benchmarking report I referred to earlier states that 26% of Bermuda companies are already subject to data privacy laws or regulations. Of the 26%, 33% were large companies, 24% were medium sized firms and 21% were small businesses. Adopting privacy practices also makes good business sense as it creates consumer trust. While most would recognize the benefits and welcome the legislation in principle, we are also aware that its application and implementation will require a learning curve. That is why we intend to delay bringing the legislation into force for a period of approximately two years so that organisations can prepare. However, the appointment and establishment of the Privacy Commissioner and his office, along with related provisions, will be enacted soon after the passage of the legislation. This is so that the Privacy Commissioner may assist organisations during this preparatory period and provide information for all those impacted by the legislation. We understand that the implementation will not be without its challenges for organisations. However, we are reminded that similar legislation has existed for years in many countries, including Bermuda’s competitors. It has been successfully adopted in small jurisdictions, including those that have a significant proportion of small businesses and, in fact, that have the more complex and highly regulatory model that PIPA has tried to avoid. We must also keep in mind the risks to our families and Bermuda’s future if we do not act responsibly and adopt informational privacy protection legislation.
Mr. Speaker, during this transitional phase, we will be introducing consequential amendments to other pieces of legislation so that the harmonisation exercise with PIPA will be fully completed. An important one of these is the PATI Act. Many countries also have both types of legislation and we will be following a similar approach to ensure that both Acts work compatibly and can achieve their desired objectives.
Mr. Speaker, the introduction of the PIPA will precipitate a culture shift within this small community of ours. It will change the way we perceive personal information and its value. Both individuals and organisations will start thinking about personal information in the same way that we think about money. It is a precious commodity and should be protected. You should never leave it lying around; it’s important to control who can access it; and if you give it away, it is because it is your choice.
Mr. Speaker, the PIPA Bill marks a pivotal moment in our history and a landmark in the evolution of human and informational rights in Bermuda. Privacy will be the right of our residents and their families, and Bermuda will be recognized internationally as a jurisdiction that can be trusted with personal information. This newfound confidence within the community will also have a positive impact on the business sector.
Mr. Speaker, we are confident that with PIPA we have introduced a robust, technology-neutral privacy framework. However, as the proverb says, “nothing remains constant except change itself”. The field of privacy is proof of this. We realize that it will only be a matter of time before we will be looking at further legislative changes to PIPA, as the international community shifts to reflect changes in technology and society. Regardless of the challenges the future brings, we will always remain committed to the protection of individuals’ rights and the advancement of Bermuda’s interests in a challenging and competitive international economic environment.
Finally, Mr. Speaker, in closing, I would like to acknowledge the early work done by the former Government in this area, as well as the many stakeholders who have participated in the process of developing this legislation. Special thanks should go to the members of the Privacy team: in particular, the Attorney-General’s office and Chief Parliamentary Counsel, Cathryn Balfour Swain; Parliamentary Counsel, Amani Lawrence; our privacy legal experts, Eduardo Ustaran and Victoria Hordern from the firm of Hogan Lovells; and Mr. Graham Wood as well. Finally, I would like to commend the leadership of the Ministry’s Department of E-Commerce and, especially, the former Director, Nancy Volesky, in bringing this project to fruition.
Thank you, Mr. Speaker.