
Bermuda: PrivCom publishes guidance on overseas data transfers

On September 30, 2024, the Office of the Privacy Commissioner for Bermuda (PrivCom) published a guidance note on the obligations under the Personal Information Protection Act (PIPA) regarding the transfer of personal information to overseas third parties. The guidance outlines how organizations must ensure compliance when sharing personal data with foreign entities, focusing on due diligence, legal protections, and ongoing responsibility.

The guidance explains that, under PIPA, organizations retain responsibility for compliance when transferring personal information to third parties, including those outside of Bermuda. The guidance specifies that when transferring data to an overseas third party, organizations must assess whether the recipient's legal framework provides a level of protection comparable to PIPA.

Key requirements for overseas data transfers

The guidance notes that organizations must take one of three actions before proceeding with a transfer, namely:

  • Reasonable Conclusion of Comparable Laws: Organizations can conclude that the laws governing the overseas recipient provide protection comparable to PIPA. This may include jurisdictions designated as comparable by the Minister or based on the organization's own reasonable belief that the recipient uses recognized certification mechanisms;
  • Use of Mechanisms: Mechanisms such as contractual clauses or binding corporate rules can be employed to ensure the overseas recipient complies with PIPA standards; or
  • Legal Exceptions: Organizations may proceed if a legal exception applies to the transfer.

The guidance points out that even after completing a transfer, organizations remain responsible for compliance with PIPA. This responsibility includes conducting vendor assessments, privacy impact assessments, and considering potential risks to individuals' privacy. Organizations must also provide appropriate privacy notices to individuals, ensuring they are informed about the transfer and the legal mechanisms used.

The guidance also includes a 'Template for Section 15 Analysis of Comparable Laws,' a tool that organizations can use to assess whether a jurisdiction's legal framework aligns with PIPA's principles. The template covers areas such as legal definitions, individual rights, and enforcement mechanisms, helping organizations determine whether a foreign law offers comparable protection.

Key principles and individual rights

The guidance reiterates that any transfer must comply with PIPA's 12 general principles, including:

  • responsibility and compliance;
  • security safeguards;
  • purpose limitation; and
  • fairness and proportionality.

Additionally, the guidance explains that organizations must respect individuals' four key rights under PIPA, namely the rights to access, correction, blocking, and erasure of personal data. The guidance underscores that even where the Minister has designated a jurisdiction as providing comparable protection, organizations must still perform due diligence to ensure compliance with PIPA's requirements.

You can read the guidance here.