Bermuda Data Privacy Laws: PIPA Compliance Guide (2026)

Bermuda's Personal Information Protection Act 2016 (PIPA) became fully operative on January 1, 2025. Every organization that collects or uses personal information in Bermuda must appoint a Privacy Officer, notify qualifying breaches to the Privacy Commissioner and affected individuals without undue delay, and use personal information only on one of the conditions listed in Section 5(2), of which consent is just one.
PIPA establishes a comprehensive data privacy framework for the British Overseas Territory. It received Royal Assent on July 27, 2016, and reached full operative effect on January 1, 2025, following a staged commencement that first established the Office of the Privacy Commissioner in December 2016. The Act draws its structural model primarily from Canadian provincial privacy statutes; consent is one of several conditions for using personal information rather than a mandatory default.
PIPA was designed to balance the protection of personal information with Bermuda's role as a leading international financial centre, particularly in the insurance, reinsurance, fund administration, and trust sectors. This guide covers the full framework: commencement history, scope and definitions, lawful use grounds, the privacy officer requirement, data subject rights, breach notification, overseas transfer rules, enforcement and penalties, and the current state of PrivCom's enforcement posture since January 2025.
Jurisdiction scope: This article addresses the law of personal information protection in Bermuda under the Personal Information Protection Act 2016 (PIPA). It does not address data privacy laws in other British Overseas Territories or in the United Kingdom. For the UK framework, see our UK data privacy laws guide. For the EU framework, see our GDPR guide.
Quick Answer: What Does PIPA Require?
PIPA is Bermuda's omnibus data privacy statute. It applies to every organization (private sector and public sector) that collects, uses, or discloses personal information in the course of commercial or public activities in Bermuda. The Act also captures offshore organizations that collect personal information about Bermuda residents in connection with activities in Bermuda. Any conflicting Bermuda enactment yields to PIPA, except the Human Rights Act 1981.
The core obligation is proportionality: organizations may only collect, use, and disclose personal information for purposes that a reasonable person would consider appropriate given the sensitivity of the information, the legitimate need of the organization, and whether less intrusive alternatives exist. PIPA does not mandate a consent-first approach for every processing activity. Instead, Section 5(2) lists eight grounds on which an organization may use personal information, of which consent is only one.
Organizations must appoint a Privacy Officer, implement proportionate safeguards, provide individuals with privacy notices, respond to access requests within 45 calendar days, and notify PrivCom and affected individuals of privacy breaches without undue delay.
PIPA 2016 and the Office of the Privacy Commissioner
The Personal Information Protection Act 2016 (PIPA) is Bermuda's principal data privacy statute, enacted by the Parliament of Bermuda and receiving Royal Assent on July 27, 2016. PIPA covers every organization operating in Bermuda that collects, uses, or discloses personal information in the course of commercial or public activities. The Act also reaches offshore organizations that process personal information about Bermuda residents in connection with Bermuda-based activities.
PIPA functions as omnibus legislation: it covers all sectors (private and public) and, except for the Human Rights Act 1981, overrides any conflicting Bermuda enactment. The statute's structural model draws primarily from Canadian privacy statutes, particularly Alberta's Personal Information Protection Act, and uses North American nomenclature ("organizations," "individuals," "third parties") rather than EU GDPR terminology ("controllers," "data subjects," "processors").
The Office of the Privacy Commissioner for Bermuda (PrivCom) was established as the independent supervisory authority under PIPA. The Commissioner is appointed by the Governor of Bermuda on the recommendation of the Public Service Commission for a fixed term. The Commissioner's functions are explicitly insulated from direction or control by any other person or authority. Alexander White served as the inaugural Privacy Commissioner. Gretchen Tucker was appointed Commissioner effective March 2, 2026, becoming the first Bermudian and first woman to hold the post. Tucker holds an IAPP Certified Information Privacy Management (CIPM) designation and is a qualified barrister in Bermuda and the UK (non-practising).
PrivCom's mandate includes investigating complaints, conducting own-initiative investigations, carrying out compliance audits, issuing compliance orders, imposing administrative penalties, and publishing guidance notes, codes of practice, and educational materials.
PIPA's Phased Commencement: From 2016 to January 2025
Understanding PIPA's commencement history matters for compliance because organizations may be unsure which obligations applied when.
PIPA received Royal Assent on July 27, 2016, but the substantive privacy provisions did not come into force immediately. The Government brought only the administrative sections into force in December 2016, specifically sections 1, 2, 26, 27, 28, 29, 35, 36, 51, and 52. These provisions were limited to enabling the establishment of the Privacy Commission and the appointment of a Privacy Commissioner. They did not impose obligations on organizations or grant rights to individuals.
The substantive provisions governing personal information protection, individual rights, and organizational obligations were deferred for several years while the Government and PrivCom prepared the market. On June 16, 2023, the Government announced January 1, 2025 as the full commencement date, providing an 18-month preparation window. Commissioner White stated at that announcement:
"We now have an 18-month window for organisations to prepare for PIPA. This course of action has my support, and we have worked closely with our Government colleagues to determine this implementation window. With a single fixed, universal date we can provide legal certainty and avoid confusion about deadline."
On January 1, 2025, all remaining PIPA provisions came into full operative effect. As of that date, every in-scope organization in Bermuda became obligated to comply with the full Act: appointing privacy officers, implementing safeguards, providing privacy notices, handling access requests, and reporting breaches.
PrivCom ran a "Road to PIPA" campaign throughout 2024, publishing weekly compliance steps and guidance notes to help organizations prepare. The campaign addressed privacy officer appointment, data flow mapping, privacy notice drafting, third-party contract updates, and breach response protocols.
Scope, Definitions, and Exemptions
PIPA applies to every "organization" that collects, uses, or discloses personal information in the course of commercial activities or public activities in Bermuda. The Act defines "organization" broadly to include corporations, partnerships, unincorporated associations, trade unions, professional bodies, trusts, and individuals acting in a commercial capacity.
Key definitions
Personal information: Any information about an identified or identifiable individual, including name, address, telephone number, email address, identification numbers, biometric data, financial information, health information, and any information relating to an identifiable individual.
Sensitive personal information: A specific subset of personal information encompassing race, ethnic or national origin, colour, sex, sexual orientation, sexual life, marital status, disability, physical or mental health, family status, religious beliefs, political opinions, trade union membership, and biometric or genetic data. Sensitive personal information receives heightened protection: the reasonable expectation standard for non-sensitive data does not apply, and express consent is generally required.
Organization: Any entity (corporation, partnership, unincorporated body, trust, or individual) that collects, uses, or discloses personal information in the course of a commercial or public activity.
Use: The treatment and handling of personal information by an organization that has the information in its custody or control.
Disclosure: Making personal information available to another organization or individual.
Exemptions
PIPA does not apply to:
- Individuals collecting, using, or disclosing personal information for personal, family, or household purposes
- Journalistic, artistic, or literary purposes (limited exemption)
- Personal information processed by the Bermuda Police Service or the Bermuda Regiment for law enforcement or national security purposes
- Certain publicly available personal information
- Activities related to national security, financial system fraud prevention, charity misconduct prevention, crime prevention or detection, and international monetary obligations (Section 47 exemptions)
Non-delegable organizational responsibility
Organizations bear non-delegable responsibility for PIPA compliance, including in relation to third-party service providers. Contracting out the processing of personal information does not transfer the compliance obligation. Safeguards must be proportionate to the sensitivity of the personal information and the context in which it is held (PIPA s.13).
Lawful Use Grounds: The Section 5(2) Framework
A defining feature of PIPA is that consent is one of several conditions for using personal information, not the default. Section 5(2) lists eight grounds on which an organization may collect, use, or disclose personal information:
- Consent: The individual has knowingly consented, whether expressly or by implication from the conduct or the circumstances.
- Reasonable expectation (non-sensitive data only): A reasonable person, giving due weight to the sensitivity of the information and the circumstances, would consider that the individual would not reasonably object to the use beginning or continuing.
- Contract: The collection, use, or disclosure is reasonably necessary for the performance of a contract with the individual, or the taking of pre-contractual steps at the individual's request.
- Legal authorization or requirement: A law authorizes or requires the collection, use, or disclosure (for example, AML/ATF know-your-customer obligations for financial services firms).
- Publicly available information: The information is publicly available and will be used for a purpose consistent with the purpose for which it was made publicly available.
- Emergency response: The collection, use, or disclosure is necessary to respond to an emergency that threatens the life, health, or security of an individual or the public.
- Public task or official authority: The collection, use, or disclosure is necessary to perform a task carried out in the public interest, or in the exercise of official authority.
- Employment relationship: The collection, use, or disclosure is necessary in the context of an individual's present, past, or potential employment relationship.
The reasonable expectation ground (Ground 2) is not available for sensitive personal information. For sensitive personal information, organizations must generally rely on Ground 1, and then on express rather than implied consent, or on another specific ground that applies to the processing in question.
Notice requirements
Regardless of which ground is used, organizations must provide individuals with a privacy notice at or before the time of collection. The notice must describe the purposes of collection, the types of personal information collected, the circumstances under which information may be disclosed, and the individual's rights under PIPA. Section 9(a) requires the notice to name the appointed Privacy Officer.
The Privacy Officer Requirement
Every organization subject to PIPA must designate a Privacy Officer responsible for the management of personal information and ensuring the organization's compliance with the Act. This requirement is mandatory for all in-scope organizations regardless of size.
The Privacy Officer serves as the primary point of contact both internally (for staff questions and breach escalation) and externally (for individual rights requests and communications with PrivCom). Privacy notices must include the Privacy Officer's name and contact details, so individuals and the Commissioner know who to reach.
The role carries the following core responsibilities:
- Developing and maintaining the organization's PIPA compliance program
- Ensuring privacy notices meet the requirements of Section 9
- Implementing proportionate safeguards under Section 13
- Managing individual access and correction requests within the required timeframes
- Coordinating breach detection, assessment, containment, and notification under Section 14
- Training staff on PIPA obligations
- Overseeing overseas-transfer contracts and vendor assessments under Section 15
The role may be outsourced to an external privacy professional or a shared services provider. There is no Bermuda residency requirement for the Privacy Officer. However, the designee should have a solid understanding of privacy law and sufficient time available to fulfill the responsibilities. For organizations in the financial services sector, the Privacy Officer's function should be coordinated with existing compliance frameworks under BMA regulatory requirements.
Watch out: Appointing a Privacy Officer in name only without genuine authority or resources is unlikely to satisfy PIPA. PrivCom's guidance emphasizes that the Privacy Officer must be able to meaningfully manage compliance, not merely serve as a contact point.
Data Subject Rights
PIPA grants individuals several rights regarding their personal information. These rights apply to any individual whose personal information is held by an organization subject to PIPA.
Right of access: An individual may request access to their personal information held by an organization. The organization must respond within 45 calendar days. If the organization cannot comply within that period, it must notify the individual and provide reasons for the delay.
Right of correction: An individual may request correction of inaccurate or incomplete personal information. If the organization disagrees with the correction request, it must annotate the record to include the individual's proposed correction alongside the organization's own version.
Right to request cessation of use for marketing: An individual may request that an organization stop using their personal information for direct marketing or advertising purposes. The organization must comply with such a request without requiring a reason.
Right to request cessation generally: An individual may request that an organization stop collecting, using, or disclosing their personal information. The organization must comply unless it has a lawful reason to continue, such as a legal obligation, a contractual obligation, or a statutory duty.
Right to complain: An individual who believes an organization has violated PIPA may file a written complaint with the Privacy Commissioner. PrivCom will investigate or facilitate resolution.
Right regarding automated decisions: Where a decision with a significant impact on an individual is made solely by automated means, PIPA requires the organization to inform the individual and provide an opportunity for the decision to be reviewed by a human.
Privacy Breach Notification
PIPA Section 14 establishes mandatory breach notification obligations. An organization that experiences a breach of security of personal information must notify both the Privacy Commissioner and the affected individuals when the breach is "likely to adversely affect an individual."
What triggers notification
The trigger is the likelihood of adverse effect, not proof that harm has already occurred. A breach of security means the loss, unlawful destruction, or unauthorized disclosure of, or unauthorized access to, personal information. Organizations must assess whether such an event is likely to adversely affect an individual and document that assessment regardless of the conclusion reached.
Timing
Notification to the Commissioner and to affected individuals must occur "without undue delay." PIPA does not prescribe a specific number of days. The flexibility is deliberate: it gives organizations time to contain the breach, assess its scope, and prepare an accurate notification before filing. PrivCom's guidance notes that where a delay occurs, the organization must give reasons.
What the notification must contain
Notification to the Privacy Commissioner must describe:
- The nature of the breach
- The likely consequences for the affected individual(s)
- The measures taken and to be taken to address the breach
Notification to affected individuals must include:
- The name and contact details of the organization's Privacy Officer
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to deal with the breach
- Advice on protective steps the individual can take (such as password changes or fraud monitoring)
Failure to notify
Failure to notify a qualifying breach is a separate criminal offense under PIPA. Individuals face fines up to $25,000 and/or imprisonment up to 2 years on summary conviction. Organizations face fines up to $250,000 on indictment.
Organizations must maintain documented records of all breaches, including those that did not meet the notification threshold, to demonstrate the assessment process.
Watch out: Service contracts with IT providers and data processors must include a requirement for the vendor to notify the organization of any breach promptly enough to enable the organization to meet its own PIPA reporting obligations to PrivCom and individuals.
Overseas Data Transfers
PIPA Section 15 governs transfers of personal information outside Bermuda. The Act does not operate an adequacy-list system with pre-approved destination jurisdictions. Instead, Section 15(2) requires a prospective assessment before every transfer.
The comparable protection assessment
Before transferring personal information to an overseas recipient, the organization must:
- Assess the level of protection actually provided by the overseas recipient
- Assess the level of protection afforded by the law applicable to the overseas recipient's jurisdiction
Where the organization reasonably believes that the overseas recipient does not and will not provide a comparable level of protection, the organization must employ contractual mechanisms, corporate codes of conduct, or other means to ensure comparable protection.
Contractual safeguards should address purpose limitation, security measures consistent with PIPA Section 13, individual access and correction rights, breach notification obligations, and onward transfer restrictions. The organization remains responsible for PIPA compliance regardless of where the transfer goes.
No adequacy decisions yet
As of early 2026, no jurisdiction has been designated as providing comparable protection by default, so every overseas transfer still requires the Section 15 assessment. PrivCom has indicated it intends to seek adequacy recognition from the EU and other jurisdictions; an adequacy finding is made unilaterally by the receiving jurisdiction (for the EU, by a European Commission decision), so its timing is outside PrivCom's control. The European Commission's January 2024 review reaffirmed its long-standing adequacy decision for Canada; because PIPA is modeled substantially on Canadian statutes, Bermuda's framework may eventually achieve similar recognition, but no decision has been made.
Financial services sector
Many Bermuda-based organizations in the insurance, reinsurance, and fund administration sectors routinely transfer personal information to affiliates, cedants, retrocessionnaires, and service providers worldwide. These organizations must maintain a record of overseas transfer assessments and ensure that data processing agreements flow PIPA obligations downstream to each processor.
Enforcement and Penalties
PIPA establishes a graduated enforcement framework administered by the Privacy Commissioner.
Compliance orders
Following an investigation, the Commissioner may issue compliance orders requiring organizations to:
- Stop collecting, using, or disclosing personal information in a manner that violates PIPA
- Correct data handling practices
- Destroy personal information collected in violation of the Act
- Implement specific privacy safeguards
Administrative and criminal penalties
| Offender | Mode of conviction | Maximum penalty |
|---|---|---|
| Individual | Summary conviction | $25,000 fine and/or 2 years imprisonment |
| Organization | Conviction on indictment | $250,000 fine |
Penalty factors include the nature and severity of the violation, the organization's compliance history, whether the violation was deliberate, efforts to mitigate harm, and any economic benefit derived.
Director and manager personal liability
Where an organization commits a PIPA offense with the consent or connivance of a director or manager, or where the offense is attributable to that person's neglect, the director or manager is personally liable for the offense and subject to individual penalties. This provision makes governance-level accountability explicit.
Criminal offenses
PIPA creates criminal offenses for:
- Collecting, using, or disclosing personal information inconsistently with Part 2 in a manner likely to cause harm
- Unauthorized access to personal information likely to cause harm
- Disposing of, altering, falsifying, or destroying personal information to obstruct an access request
- Obstructing the Privacy Commissioner
- Making false statements to the Commissioner
- Retaliating against an individual for exercising PIPA rights
- Failing to notify a qualifying breach under Section 14
- Contravening Section 7 (sensitive personal information handling)
Sector-Specific Considerations
Insurance and reinsurance
Bermuda is one of the world's leading insurance and reinsurance centers. Organizations in this sector handle substantial volumes of personal information, including health data for life and health insurance policies, claims data, policyholder financial information, and medical records from cedants and retrocessionnaires. PIPA's sensitive personal information provisions apply directly to the health and medical data in this flow, requiring express consent or another specific Section 5(2) ground. Policyholder financial information is not "sensitive personal information" under the Act's definition, but it still attracts proportionate safeguards under Section 13 and the breach-notification obligations of Section 14.
Cross-border transfers are a routine feature of Bermuda reinsurance operations. Reinsurers must maintain overseas-transfer assessments for each jurisdiction to which they send personal information, and must ensure that reinsurance treaties and data processing agreements include PIPA-compliant data protection clauses.
BMA dual compliance for financial services
Financial services organizations registered with the Bermuda Monetary Authority face a dual compliance layer. The BMA's Operational Cyber Risk Management codes of conduct expressly require BMA registrants to comply with Bermuda's privacy laws. A PIPA violation by a BMA registrant therefore creates concurrent exposure to BMA enforcement, not just PrivCom action. Organizations should coordinate their PIPA compliance programs with their existing BMA cyber risk management frameworks.
AML/ATF and KYC interaction
AML/ATF know-your-customer obligations authorize financial services firms to collect identity data, beneficial ownership information, and transaction profiles under PIPA Section 5(2)(d) (legal requirement) without needing explicit consumer consent. However, such data remains subject to all PIPA obligations regarding safeguarding, retention, individual access rights, and breach notification.
Trust and corporate services
Trust companies and corporate service providers process personal information of settlors, beneficiaries, directors, and shareholders. PIPA compliance must be coordinated with BMA regulatory requirements, professional obligations, and the PIPA obligations of any overseas affiliates or service providers to whom information is transferred.
International business and captive insurance
Bermuda's substantial captive insurance and international business sector operates across multiple jurisdictions. These organizations must navigate PIPA alongside the GDPR, the UK Data Protection Act 2018, and relevant US state privacy laws, particularly for organizations with US employees or US policyholders.
Practical Business Compliance
Organizations newly subject to PIPA's full obligations from January 1, 2025 should work through the following compliance steps:
Step 1: Designate a Privacy Officer. Every in-scope organization must name a Privacy Officer and publish that person's contact details in privacy notices. The role can be outsourced; no Bermuda residency is required.
Step 2: Map your data flows. Identify every category of personal information collected, the purpose, the legal ground under Section 5(2), who has access internally, and where data is sent externally (including overseas transfers).
Step 3: Update privacy notices. Ensure all privacy notices name the Privacy Officer, describe the purposes of collection, identify disclosure recipients, and explain individual rights. Privacy notices must satisfy Section 9.
Step 4: Implement proportionate safeguards. Section 13 requires safeguards proportionate to the sensitivity of the personal information and the context in which it is held. Document the safeguards in place for each data category.
Step 5: Establish a breach response protocol. Define who has authority to declare a breach, who notifies PrivCom and individuals, and how the organization will document its assessment of whether a breach meets the Section 14 notification threshold.
Step 6: Review overseas-transfer contracts. Ensure every vendor or affiliate that receives personal information from Bermuda is bound by data processing agreements containing PIPA-comparable protections, breach notification clauses, and onward transfer restrictions.
Step 7: Train staff. PIPA obligations apply to all staff who handle personal information. Annual training on PIPA basics, privacy notice requirements, and breach identification is a recommended minimum.
Step 8: For BMA registrants, coordinate your cyber risk management framework. A PIPA breach may also create BMA code of conduct exposure. Align your breach response protocols with your existing BMA Operational Cyber Risk Management procedures.
Recent Developments (2025-2026)
January 1, 2025: Full PIPA commencement. All substantive PIPA provisions came into operative effect, imposing binding obligations on every in-scope organization. The staged implementation from 2016 to 2025 concluded.
Q1 2025: PrivCom's inaugural statistical report. PrivCom published its first quarterly statistics report on July 1, 2025, covering January through March 2025. The report recorded 5 personal information breaches affecting more than 3,000 individuals (4 concluded, 1 remaining open). PrivCom received 6 formal written requests (2 for review, 4 complaints), 4 of which closed by resolution before formal investigation, and fielded 22 general queries.
November 2025: GPEN sweep on children's privacy. PrivCom joined 26 other international privacy authorities in the Global Privacy Enforcement Network 2025 sweep, examining nearly 900 websites and mobile applications used by children. Findings published March 25, 2026 identified that 72% of platforms allowed circumvention of age assurance measures, 71% lacked child-tailored privacy information, and 59% required email addresses. PrivCom indicated it would use the results to inform its own annual local sweep.
March 2, 2026: Commissioner Tucker appointed. Gretchen Tucker succeeded Alexander White as Privacy Commissioner, becoming the first Bermudian and first woman to hold the post. Tucker is a qualified barrister and IAPP CIPM-certified privacy professional who co-chaired the IAPP Bermuda KnowledgeNet Chapter for over five years before her appointment.
Early 2026: PrivCom capacity and 2026 strategy. Following the transition period after Commissioner White's departure, PrivCom was working toward a full staff complement of 14, with an annual budget of $2.39 million. Public education workshops were reduced from 14 in 2024-25 to 4 planned for 2026-27, with PrivCom intending to reorient toward targeted engagement with individual organizations rather than broad public workshops.
EU adequacy status pending. Following PIPA's full commencement, PrivCom intends to apply to the EU and other jurisdictions for adequacy recognition. No adequacy decision had been issued as of the date of this article's review.
Disclaimer
This article presents general legal information about Bermuda's Personal Information Protection Act 2016 (PIPA). It covers the law as in force in Bermuda as of May 19, 2026. This article is not legal advice and does not create a solicitor-client or attorney-client relationship. Privacy law requirements vary by organization type, size, sector, and the nature of the personal information processed. Organizations and individuals should consult a lawyer licensed in Bermuda for advice on their specific situation.
Sources and References
- Privacy Commissioner for Bermuda (PrivCom): Official website (privacy.bm)
- Personal Information Protection Act 2016, Bermuda Laws Online (bermudalaws.bm)
- PrivCom: Official Date of Full PIPA Implementation Announced, June 2023 (privacy.bm)
- PrivCom: Guide to PIPA (privacy.bm)
- PrivCom: Breach of Security Guidance (privacy.bm)
- PrivCom: Participation in 2025 GPEN Sweep, March 2026 (privacy.bm)
- Government of Bermuda: Privacy and PIPA Information (gov.bm)
- Government of Bermuda: Appointment of New Privacy Commissioner, March 2026 (gov.bm)
- Appleby: Privacy Law and Compliance Guide 2025, Bermuda (applebyglobal.com)
- Walkers Global: Guide to Bermuda Privacy Law, January 2025 (walkersglobal.com)
- Bermuda Monetary Authority: About PIPA (bma.bm)
- Royal Gazette: Governor Announces Appointment of Privacy Commissioner, March 4, 2026 (royalgazette.com)
- Royal Gazette: Information Commissioner Office Suffers Staff Shortages, March 17, 2026 (royalgazette.com)
- Bernews: Gretchen Tucker Named Privacy Commissioner, March 2026 (bernews.com)
- UNCTAD: Data Protection and Privacy Legislation Worldwide (unctad.org)