Mr. Speaker,
I rise today to share an update on the work of the Office of the Privacy Commissioner in preparation for PIPA, otherwise known as the Personal Information Protection Act 2016. The Office of the Privacy Commissioner (also known as PrivCom) and the Cabinet Office’s PATI/PIPA Unit are working hand in hand to ensure information, guidance and tools are available to aid the Island’s organisations, including the public sector offices, to prepare to meet PIPA requirements.
Mr. Speaker,
As you are aware, PIPA will come fully into force on the 1st of January 2025, and the Commissioner has been conducting a “Road to PIPA” implementation programme throughout 2024. The overall objective of the plan is to offer guidance to Bermuda’s organisations and individuals in the year preceding the full enactment of PIPA, so that the Island is prepared for the legislation to take effect.
To date the Road to PIPA programme has:
1. Provided tools to organization to aid in building their Privacy Programmes;
2. Improved general understanding of the potential risks related to collecting and storing personal information;
3. Identified actions required for Bermuda-based organisations to retain competitive advantages in the global business arena;
4. Enhanced training and development opportunities for Bermudians creating potential opportunities for careers related to privacy and data protection; and
5. Prepared organisations and individuals to take the necessary steps for PIPA Implementation.
Mr. Speaker,
The Privacy Commissioner’s Road to PIPA offers a step-by-step process for organisations to follow to comply with the PIPA legislation. The Programme is being updated regularly with downloadable resources available on PrivCom’s website (www.privacy.bm). For the last fifteen weeks to date, the Commissioner has provided weekly guidance, templates, and resources for organisations large and small to:
- demonstrate their ‘Organisational Commitment’ to PIPA;
- lay the groundwork for their privacy compliance programme; and
- begin taking tangible steps, such as conducting an inventory of personal information used by the organisation and catalogue business practices to ensure privacy is included.
Mr. Speaker,
The Commissioner’s weekly updates will continue throughout the year. Organisations of all sizes can follow along and utilise the Quarterly Checklists to track and document their progress towards compliance. I encourage every organisation to review the resources in the Commissioner’s Road to PIPA archive, no matter how they may be preparing for PIPA. The information can assist organisations to begin to take or review the steps necessary to integrate PIPA requirements into their organisations. If organisations have not started their PIPA journey, I want them to know that it is not too late to start on the Road to PIPA.
Mr. Speaker,
In addition to these online resources, the Commissioner has been actively engaging with the community. PrivCom has developed a six-month cohort programme to help organisations undertake an accelerated Road to PIPA in the “fast lane”, while learning from, and sharing experiences with, their peers.
Mr. Speaker,
The Commissioner has opened a public consultation with the financial services community, requesting feedback on how Bermuda’s specialised international business practices may need specific PIPA guidance. This consultation leverages Bermuda’s position as a global leader in meeting international financial standards to ensure that PIPA requirements will not conflict with their other legal requirements, such as monitoring for financial crime or the prevention of money laundering.
Mr. Speaker,
On 8th March, the Commissioner held a public information session at City Hall to provide a comprehensive understanding of what PIPA means for the community, as well as to recognise the important contribution of women to the field of data governance for International Women’s Day. The Deputy Privacy Commissioner, Angie Farquharson, provided insight into her role and privacy in Bermuda. The event was well attended with beneficial discussions around the opportunities that Bermuda’s privacy regime provides to both individuals and organisations. The Commissioner’s next public information session will fall in mid-July and will focus on PIPA compliance for local businesses.
Mr. Speaker,
In addition to preparing the local community for PIPA coming into force, the Commissioner has engaged with other jurisdictions to bolster Bermuda’s reputation as a trusted hub for international data transfers.
To illustrate the importance of this work, let me frame the context. In the field of finance and enforcement, Bermuda prides itself on strong regulation and has garnered international recognition for our standards and practices. As a global business hub, Bermuda’s businesses receive data from organisations based in all corners of the world. Our business community would similarly prosper from international recognition for being a trusted jurisdiction for privacy and data protection.
Mr. Speaker,
This practice of recognising trusted jurisdictions is a key feature of most privacy legislation. Such 2-way recognition serves:
- to provide practical certainty that Bermuda’s businesses may engage with service providers in other trusted jurisdictions, and
- as a signal to the world that Bermuda is open for business as a trusted recipient of global data flows.
Thanks to the Commissioner’s engagement, Bermuda has received an invitation to participate as a member of the Global Cross-Border Privacy Rules Forum and its associated Cooperation Arrangement for Privacy Enforcement. The Commissioner has recommended that the Government apply to seek participation under Associate status in the Forum. This allows Bermuda to participate in the activities of the Forum and to be recognised as a trusted, equivalent jurisdiction.
Mr. Speaker,
Participation in this Forum would mean that Bermuda stands side-by-side as an equal partner with the United States, Canada, Australia, Japan, Singapore, Korea, the Philippines, Mexico, and Chinese Taipei, along with other Associates such as the Dubai International Finance Centre and the United Kingdom.
This growing Forum promotes interoperability between the privacy laws of the member jurisdictions by providing an international certification system that organisations may use – if they choose – to demonstrate compliance with common privacy principles that align with PIPA.
By participating in the Forum, Bermuda would be granted mutual recognition for our privacy rights and standards, ensuring certainty for Bermudian businesses and expanded international protections for the rights of its people. The Forum’s workings are based upon consensus, which gives Bermuda a global platform to express our perspective and represent our interests.
Mr. Speaker,
I have directed our PATI/PIPA Unit to submit a letter of intent to participate as an Associate Member in the Forum, and to take steps to update that participation to full membership once PIPA comes into full effect in January 2025.
Mr. Speaker,
Issues of technology and digital rights have never been more important – or more global. By bringing PIPA into force on 1st January 2025 and by engaging with jurisdictions around the world, we are positioning Bermuda as a forward-thinking and privacy-preserving jurisdiction. Not only will Bermuda be recognised as meeting international standards for conducting business, but we will also be seen to play a key role in setting those standards while protecting personal information and respecting privacy rights.
I thank the Privacy Commissioner and his officers for their superb work in preparing the community on the Road to PIPA, and for his tireless efforts in representing Bermuda’s interests in the wider world.
Thank you, Mr. Speaker.