As the GDPR's effective date marches closer, many privacy professionals are probably dreaming of a vacation to the Caribbean. While we can't whisk you away on a tropical vacation, we can offer a brief respite from the hubbub of GDPR readiness by turning our focus to the privacy regulations of the British Virgin Islands (BVI) and Bermuda.
Both are British Overseas Territories and are among the most prosperous jurisdictions in the Caribbean. However, the two differ sharply when it comes to privacy legislation and the influence the GDPR has had on them. The GDPR has had little to no effect on the privacy regime of the BVI, but it has had a significant impact on Bermuda, prompting it to bring the Personal Information Protection Act (PIPA) into effect last December.
In this post, we’ll look at how both of these islands address data privacy and the impact of the GDPR on these territories.
The British Virgin Islands (BVI) and Common Law
Roughly 600,000 companies are registered in the BVI (175,000 of them UK companies), and more than 5,000 new companies register to do business there every month. The BVI has become a popular business hub because of its lenient privacy and tax regulations, and the financial services industry in particular is a major contributor to its economy. Notably, client confidentiality is strictly enforced under BVI legislation.
Currently, English common law is the primary source of law in the BVI. Under common law, the courts are bound to recognize and follow earlier court decisions (precedent) on questions of confidentiality and privacy. There is no statute in the BVI that regulates the processing of personal data in the way the GDPR does; the BVI will continue to rely on the confidentiality and privacy principles developed under common law. Any changes to BVI privacy law are unlikely to arrive until years after the GDPR and Brexit take effect.
Processing of BVI Data Subjects' Data
Although BVI citizens hold full British citizenship, the islands are a British Overseas Territory and not a Member State of the European Union, so the GDPR does not reach a company simply because it processes BVI citizens' data. One caveat worth keeping in mind: the GDPR's scope is defined by where the controller or processor is established and whom it targets (Article 3), not by the nationality of the data subject. An organization established in the EU, or one that offers goods or services to, or monitors the behaviour of, individuals in the EU, remains subject to the GDPR for that processing, whatever the passport of the people whose data it handles.
Bermuda and the Personal Information Protection Act (PIPA)
Bermuda introduced the Personal Information Protection Act (PIPA) to regulate how organizations use personal information and to better protect the rights of individuals. PIPA first took effect in December 2017, with the expectation that organizations would be prepared and fully compliant by the beginning of 2018.
PIPA shares many similarities with the EU's GDPR. The most notable is how PIPA defines personal information: "any information about an identified or identifiable individual." It also singles out sensitive personal information, such as an individual's origin, race, ethnicity, sex, or religious belief, for heightened protection.
PIPA places heavy emphasis on consent as the basis for using personal information, but, like the GDPR, it also recognizes other lawful bases, including the public interest, compliance with legal requirements, and the performance of a contract.
Where PIPA deviates from the GDPR on lawful basis is in two additional grounds. First, an organization may use personal information without consent where it reasonably believes the individual would not request that it stop, or never begin, using the information. Second, PIPA permits the use of personal information "when it is necessary in the context of an individual's present, past or potential employment relationship with the organization." In neither case may the information be used to discriminate against the individual.
Data Subject Rights Under PIPA
PIPA requires that individuals be told the purpose for which their personal information is being used and that they be given access to that information. However, an individual cannot simply demand that an organization delete or stop using the information: PIPA only obliges an organization to cease processing where the processing is causing substantial damage to the individual.
Notification and Enforcement under PIPA
PIPA does not specify a window of time within which organizations must notify the Information Commissioner of a breach, but it does provide for fines of up to $250,000 for violations of the Act.
The Impact of the GDPR on Bermuda and the BVI
Because the British Virgin Islands and Bermuda are British Overseas Territories and not part of the EU, the GDPR does not apply to them as jurisdictions (an organization there that targets or is established in the EU can still fall within the GDPR's Article 3 scope for that processing). That does not mean the GDPR has had no effect on them. Bermuda brought PIPA into effect just five months before the GDPR takes effect, and the Act aligns closely with the GDPR in a number of areas. With so many open questions about Brexit and its consequences for the UK and its territories, it seems clear that some British territories are waiting before enacting more formal regulation.
As we have already seen with the regulations of Japan and the Philippines, data privacy is becoming a critical part of doing business around the globe, even in remote, tropical locations. Companies with international operations in these jurisdictions will need to take the time to dig into the requirements of each regulation they must comply with and map out where those regulations align and where they differ.