[BreachExchange] A paradise for data privacy advocates - Bermuda’s privacy law now in full effect

Inga Goddijn inga at riskbasedsecurity.com
Sun Apr 15 13:02:59 EDT 2018


https://www.jdsupra.com/legalnews/a-paradise-for-data-privacy-advocates-91618/

With enactment of the Personal Information Protection Act (PIPA), Bermuda
can now count itself among the ever-expanding list of jurisdictions with
enhanced privacy protections. PIPA, passed on July 27, 2016, and entered
into force in December 2017, shares many of the more stringent requirements
and protections with Europe’s impending General Data Protection Regulation
(GDPR), which indicates a growing, global trend towards stepped-up privacy
regimes. That said, as much as there are similarities between the
regulations, there are important differences, especially for those
companies which also must comply with US privacy laws.

*What is considered personal information under the Act?*

Like the GDPR, PIPA defines personal information (PI) more broadly than the
US typically does. For Bermuda, PI is “*any* information about an
identified or identifiable individual.”1 Under GDPR, personal data is
“*any* information relating to an identified or identifiable natural
person.”2 Definitions of personal information vary by jurisdiction in the
US; but in general, definitions focus on first name or first initial
coupled with a last name and either a social security number, a
state-issued government ID number, or a financial account number and
corresponding PIN.

In addition, as is the case with the GDPR,3 PIPA provides additional
protections for use of “sensitive personal information,” which is defined
as “an individual’s place of origin, race, color, national or ethnic
origin, sex, sexual orientation, sexual life, marital status, physical or
mental disability, physical or mental health, family status, religious
beliefs, political opinions, trade union membership, biometric information
or genetic information.”4

Similarly, while in general the US conception of personally identifiable
information is narrower than the European or Bermudan conception, certain
US jurisdictions treat certain categories of personal information more
stringently. For example, Maryland5 and North Carolina6 expand on the
definition of personal information to include elements like biometric data,
health data and other government identification numbers, and federal acts,
like the Health Insurance Portability and Accountability Act (HIPAA) and
the Gramm-Leach-Bliley Act (GLBA), mandate that certain health and
financial data remain protected.

*What actions trigger restrictions?*

PIPA applies certain key restrictions on the “use” of this broadly defined
personal information, and “use” is itself defined very broadly. According
to PIPA, “use” involves carrying out “*any* operation on personal
information, including collecting, obtaining, recording, holding, storing,
organizing, adapting, altering, retrieving, transferring, consulting,
disclosing, disseminating or otherwise making available, combining,
blocking, erasing or destroying it.”7 In essence, any handling of personal
data whatsoever will require compliance with the Act.

*Permitted use of personal information*

That said, PIPA permits the use of personal information in particular
scenarios, like when the individual has consented to its use, in cases of
emergency, when it is in the public interest, when there is a legal
requirement or authorization, and when it is required for the execution of
a contract.8 Europe’s GDPR permits processing of personal data in similar,
albeit not identical, situations like consent, performance of a contract,
protection of the vital interests of a data subject, public interest, and
the legitimate interests pursued by the controller or by a third party.9

In contrast to the GDPR, however, PIPA also sanctions the use of personal
data by an organization *without* consent when an organization believes
that an individual would not reasonably request that the organization stop
using, or never begin using, his or her personal information and allows for
the use of personal information “when it is necessary in the context of an
individual’s present, past or potential employment relationship with the
organization.” The use of this personal information can never prejudice the
individual.

These two use cases provide additional flexibility for organizations that
desire to “use” personal information while remaining in compliance with the
Act.

*Transfer of personal information outside of Bermuda*

Cross-border data flows, as they are with the GDPR, are closely regulated,
creating particular difficulties for transfers to the US.

PIPA provides the Privacy Commissioner with the ability to designate
particular jurisdictions, countries and territories as having comparable
levels of privacy protection, allowing the free transfer of information
between Bermuda and these other areas.10 Unless and until the United States
passes an overarching privacy statute providing comparable levels of
protection over the use of one’s personal information, including for non-US
Persons, it is unlikely that the Privacy Commissioner will allow for the
free flow of personal information between Bermuda and the United States.

Alternatively, PIPA allows for cross-border transfers when an individual
organization ensures that the “overseas third party” uses a comparable
level of protection.11 In fact, PIPA can be seen as Bermuda’s attempt to
appear adequate before the EU Commission in order to facilitate data
transfers between Europe and Bermuda.

Similar to the GDPR, the Act provides contractual mechanisms, corporate
codes of conduct and binding corporate rules as examples of how an
organization is expected to guarantee third-party compliance with the
Act.12 These three methods can be used by a Bermuda-based organization
which transfers data to and from other organizations that operate within
countries (like the United States) which do not require comparable levels
of privacy protection. Corporate codes of conduct and binding corporate
rules tend to be a good option for groups of organizations that often work
with one another and would like to rely on a set of rules shared among the
entities guaranteeing that personal information will be protected in a
manner that meets the requirements of PIPA. Standard contractual clauses
act as addendums to agreements between entities and, like binding corporate
rules, ensure that, for the duration of the contract, the entities will
protect personal information in accordance with the Act.

*Rights of the individual*

PIPA provides individuals with more actionable rights than the US does, but
somewhat less than the GDPR does. For example, under PIPA, the individual
has a right to access his or her personal information being used by an
organization, can request information regarding the purpose of the
information use, and can also demand that incorrect personal information be
corrected as soon as reasonably practicable. However, the individual cannot
request that the organization delete or cease using the information without
an accompanying reason. The GDPR grants “data subjects” the ability to stop
further use of personal data at any point and for any reason (or for no
reason at all), by withdrawing their consent (if given), or exercising a
right to object to processing reliant on legitimate interest, unless the
controller can demonstrate it has a compelling interest to continue. That
right is absolute where the processing is direct marketing. By contrast,
PIPA only requires that an organization cease using personal information
upon request when that information is used for purposes of advertising,
marketing or public relations, its use is likely to cause substantial
damage or substantial distress, or the information is no longer fulfilling
its purpose.13

If the personal information used by an organization does not fit under the
aforementioned categories, the individual can still request that an
organization cease using that individual’s personal information. Unlike the
GDPR, however, PIPA allows for the organization to respond to the
individual in writing, articulating why the use of the individual’s
personal information remains justified.14 The standard of rebuttal to the
objection, therefore, is not as high.

*Security and enforcement provisions*

PIPA requires that organizations implement adequate safeguards to prevent
data loss and unauthorized access. In the event of a data breach,
organizations must notify the Information Commissioner “without undue
delay.”15 The Act does not provide a maximum time limit for notification.

An entity that commits an offense under PIPA can be subject to a fine not
exceeding $250,000.16 While this penalty still amounts to a significant
sum, it is a far cry from the potential penalties enumerated under the
GDPR, which can reach up to €20 million, or 4% of global turnover.

*Conclusion*

The global regulatory environment continues to evolve and grow in
complexity, making it essential for companies operating internationally to
have a global regulatory strategy for data. This strategy has to account
for the important differences in the requirements, while also looking for
helpful similarities to formulate the most efficient and effective
approach. Ultimately, the trend towards greater privacy protections—and the
limitation on cross-border data transfers, especially to the United
States—is only picking up steam, as this Bermuda law highlights. And more
may still be to come.