Law: Data Protection Act, 2021

Regulator: Office of the Information Commissioner, not yet established.

Summary: The British Virgin Islands (BVI) is a British overseas territory. The BVI enacted the Data Protection Act, 2021 (the Act) on April 13, 2021, and entered into force on July 9, 2021. The Act regulates various data protection matters and provides for the establishment of the Office of the Information Commissioner (the Commissioner), which is yet to be appointed.

The Act applies to both public and private entities. The Act is structured around a set of data protection principles however it imposes limited obligations for data controllers and only grants data subjects certain rights.

The Commissioner, as the entity responsible for overseeing compliance with the Act, may serve an enforcement notice to data controllers. Moreover, specified contraventions of the Act are construed as offenses and expose natural persons to fines of up to $100,000 and/or imprisonment for up to 5 years. Fines are higher if the offense is committed by a body corporate (up to $500,000).