Bermuda Data Privacy Laws: PIPA Compliance Guide (2026)

Bermuda enacted the Personal Information Protection Act 2016 (PIPA), establishing a comprehensive data privacy framework for the British Overseas Territory. PIPA received Royal Assent on July 27, 2016, with its provisions brought into force in stages. The full Act became operative on January 1, 2025, following several implementation delays that allowed organizations additional time to prepare for compliance.
PIPA was designed to balance the protection of personal information with Bermuda's role as a leading international business center, particularly in the insurance, reinsurance, and financial services sectors. The legislation draws inspiration from Canadian privacy law (PIPEDA) and incorporates a "use-and-disclosure" approach rather than the consent-first model used in European frameworks.
This guide covers Bermuda's data privacy framework under PIPA, including the use-and-disclosure principle, the Privacy Commissioner's role, data subject rights, cross-border transfer rules, and compliance considerations for the financial services sector.
Overview of PIPA
PIPA applies to organizations operating in Bermuda that collect, use, or disclose personal information in the course of commercial activities. The Act also applies to personal information about Bermuda residents collected by organizations outside Bermuda, if the information is used or disclosed in connection with activities in Bermuda.
Scope and Application
PIPA applies to every "organization," which the Act defines broadly to include corporations, partnerships, unincorporated associations, trade unions, professional bodies, trusts, and individuals acting in a commercial capacity.
Exemptions apply to:
- Individuals collecting, using, or disclosing personal information for personal, family, or household purposes
- Journalistic, artistic, or literary purposes (limited exemption)
- Personal information processed by the Bermuda Police Service or the Bermuda Regiment for law enforcement purposes
- Certain public records that are publicly available by law
Key Definitions
Personal information: Any information about an identifiable individual, including name, address, telephone number, email address, identification numbers, biometric data, financial information, health information, and any other information that relates to an identifiable individual.
Sensitive personal information: Personal information about an individual's race, ethnic or national origin, religion, political opinions, trade union membership, physical or mental health, sexual life, commission or alleged commission of an offense, or biometric data used for identification. Sensitive personal information receives heightened protection under PIPA.
Organization: Any entity (corporation, partnership, unincorporated body, trust, or individual) that collects, uses, or discloses personal information in the course of a commercial activity.
Use: The treatment and handling of personal information by an organization that has the information in its custody or control.
Disclosure: Making personal information available to another organization or individual.
The Use-and-Disclosure Principle
PIPA's most distinctive feature is its reliance on a "use-and-disclosure" framework rather than a consent-centric model.
Reasonableness Standard
Under PIPA, an organization may collect, use, or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances. This reasonableness standard is the foundational test for lawful processing.
The Act does not prescribe a rigid set of legal bases (like the GDPR's six lawful bases). Instead, PIPA requires organizations to assess whether their collection, use, or disclosure would meet the expectations of a reasonable person given:
- The sensitivity of the personal information
- Whether the purpose represents a legitimate need of the organization
- The effectiveness of the collection, use, or disclosure in meeting that need
- Whether there are less intrusive alternatives
- Whether the individual's privacy interest is proportionate to the benefit
Consent Under PIPA
While PIPA is not consent-centric, consent remains a relevant factor. Organizations must obtain consent when required by the Act, and individuals may withdraw consent at any time, subject to legal or contractual restrictions.
Consent may be express (written or oral) or implied (inferred from the individual's conduct or the circumstances). For sensitive personal information, express consent is generally required.
Notice Requirements
Organizations must provide individuals with clear notice of their information practices. The notice must include the purposes of collection, the types of personal information collected, the circumstances under which information may be disclosed, and the individual's rights under PIPA.
Data Subject Rights
PIPA grants individuals (the Act uses the term "individuals" rather than "data subjects") several rights regarding their personal information.
Right of access: Individuals may request access to their personal information held by an organization. The organization must respond within 45 calendar days.
Right of correction: Individuals may request correction of inaccurate or incomplete personal information. If the organization disagrees with the correction request, it must annotate the record with the individual's proposed correction.
Right to request cessation: Individuals may request that an organization stop collecting, using, or disclosing their personal information. The organization must comply unless it has a lawful reason to continue, such as a legal obligation.
Right to complain: Individuals may file a complaint with the Privacy Commissioner if they believe an organization has violated PIPA.
Right regarding automated decisions: PIPA addresses automated decision-making by requiring organizations to inform individuals when decisions with significant impact are made by automated means and to provide the individual with an opportunity to have the decision reviewed by a human.
Privacy Commissioner
The Privacy Commissioner for Bermuda (PrivCom) is the independent supervisory authority established under PIPA.
Appointment and Independence
The Privacy Commissioner is appointed by the Governor of Bermuda on the recommendation of the Public Service Commission. The Commissioner serves a fixed-term appointment and operates independently of the government.
Powers and Functions
The Privacy Commissioner exercises broad supervisory and enforcement powers:
- Complaint investigation: The Commissioner receives and investigates complaints from individuals regarding alleged violations of PIPA
- Own-initiative investigations: The Commissioner may initiate investigations without a complaint if there are reasonable grounds to believe PIPA has been violated
- Compliance audits: The Commissioner may conduct audits of organizations to assess PIPA compliance
- Compliance orders: Following an investigation, the Commissioner may issue compliance orders requiring organizations to take specific actions
- Administrative penalties: The Commissioner may impose monetary penalties for PIPA violations
- Guidance: The Commissioner publishes guidance notes, codes of practice, and educational materials
- Advisory: The Commissioner advises the government on data protection matters and proposed legislation
Enforcement Approach
The Privacy Commissioner has emphasized a collaborative approach to enforcement during PIPA's initial implementation period, providing guidance and support to organizations working toward compliance. As the framework matures, formal enforcement actions are expected to increase.
Cross-Border Data Transfers
PIPA addresses cross-border data transfers through a comparable protection standard.
Comparable Protection
An organization may transfer personal information outside Bermuda if:
- The recipient jurisdiction provides a comparable level of protection for personal information
- The organization takes reasonable steps (such as through contractual provisions) to ensure the personal information receives a comparable level of protection
The Privacy Commissioner may issue guidance on which jurisdictions provide comparable protection.
Contractual Safeguards
When transferring to jurisdictions that may not provide comparable protection, organizations should implement contractual clauses that bind the recipient to PIPA-equivalent protections. These clauses typically address purpose limitation, security measures, individual rights, breach notification, and onward transfer restrictions.
Financial Services Considerations
Many Bermuda-based organizations, particularly in the insurance and reinsurance sectors, routinely transfer personal information to affiliates and business partners worldwide. These organizations must assess the data protection frameworks of recipient jurisdictions and implement appropriate safeguards for each transfer.
Enforcement and Penalties
PIPA establishes a graduated enforcement framework.
Compliance Orders
The Privacy Commissioner may issue compliance orders requiring organizations to:
- Stop collecting, using, or disclosing personal information in violation of PIPA
- Correct data handling practices
- Destroy personal information collected in violation of the Act
- Implement specific privacy safeguards
Administrative Penalties
PIPA authorizes the Privacy Commissioner to impose administrative monetary penalties for violations. The maximum penalty amounts are:
| Entity Type | Maximum Penalty |
|---|---|
| Individual | $25,000 per violation |
| Organization | $250,000 per violation |
Factors considered in determining the penalty amount include the nature and severity of the violation, the organization's history of compliance, whether the violation was deliberate, the organization's efforts to mitigate harm, and any economic benefit derived from the violation.
Criminal Offenses
PIPA also creates criminal offenses for specific conduct:
- Obstructing the Privacy Commissioner in the exercise of powers
- Failing to comply with a compliance order
- Knowingly providing false information to the Commissioner
- Retaliating against an individual for exercising their PIPA rights
Criminal penalties may include fines and imprisonment.
Sector-Specific Considerations
Insurance and Reinsurance
Bermuda is one of the world's leading insurance and reinsurance centers. Organizations in this sector handle large volumes of personal information, including health data for life and health insurance, claims data, and policyholder information. PIPA's sensitive personal information provisions are particularly relevant, as health and financial data both receive heightened protection.
International Business
Bermuda hosts numerous international businesses that process personal information of individuals in multiple jurisdictions. These organizations must navigate PIPA alongside the data protection laws of other jurisdictions where they operate, including the GDPR, UK Data Protection Act, and various US state privacy laws.
Trust and Corporate Services
Trust companies and corporate service providers in Bermuda process personal information of settlors, beneficiaries, directors, and shareholders. Compliance requires attention to both PIPA requirements and the regulatory obligations imposed by the Bermuda Monetary Authority (BMA).
Recent Developments
Bermuda's data protection framework is in its early operational phase following PIPA's full commencement.
Full PIPA commencement: PIPA became fully operative on January 1, 2025, following several postponements from its original implementation timeline. The staged implementation allowed organizations to prepare their compliance programs.
Privacy Commissioner operations: The Office of the Privacy Commissioner has been actively publishing guidance notes and conducting outreach to support organizational compliance during the initial implementation period.
Sector-specific guidance: The Privacy Commissioner has issued guidance tailored to Bermuda's key industries, including insurance, financial services, and healthcare, addressing common data handling scenarios and compliance questions.
International recognition: Bermuda's adoption of PIPA strengthens its position in international data protection. The framework positions Bermuda for potential adequacy recognition from the EU and the UK, which would facilitate data flows with these important trading partners.
Regulatory coordination: The Privacy Commissioner has engaged in coordination with other Bermuda regulators, including the Bermuda Monetary Authority, to ensure coherent regulatory requirements for organizations subject to multiple regulatory frameworks.