Column: Data Privacy Day, PIPA & Bermuda
[Written by Nancy Volesky]
Sunday, January 28 is “Data Privacy Day” an international celebration of privacy and data protection best practices held in 50 countries, including the EU, Canada and the United States.
While Data Privacy Day has not yet been celebrated in Bermuda, 2018 will prove to be a watershed year for the country with regards the principles it promotes. This is because the Personal Information Protection Act, known as “PIPA” is scheduled to come into force this year.
The PIPA brings Bermuda into line with many other countries, including a number of key small jurisdictions that have already implemented legislation for the protection of personal information. The law places duties on organisations with regard their use of personal information, while providing rights to individuals. In the context of the global economy, the principles that the PIPA espouses are accepted as fundamental human rights and on this basis they cannot be seen to be in the least controversial. However in the context of Bermuda’s small closely-connected community, its introduction will require significant changes and a culture shift.
Many organisations operating in Bermuda already deal with a variety of compliance obligations, including regulatory requirements from overseas. Privacy is no exception. The drive to improve global cybersecurity has helped spur changes to the European Union’s approach to data protection, resulting in the implementation of the General Data Protection Regulation, [GDPR], which applies from May 25, 2018.
The GDPR is a seismic shift in the approach taken by the EU to privacy. Its introduction was also due to the rapid and seemingly uncontrolled manner in which the digital economy was using personal information. Its importance to Bermuda lies in the fact that the GDPR now has extraterritorial provisions that may apply to businesses/organisations based here.
Under the GDPR, data controllers and processors based outside the EU must comply with its provisions when they process personal data from individuals within the EU in the following circumstances:
- When a non-EU organisation targets goods or services to individuals in the EU. This would not cover a generic English-language website operated by a Bermuda-based company that sold goods globally in Bermuda/US dollars. It would cover a website operated by a Bermuda based company that was written in German, marketed by email to Germany and with prices in Euro’s. It would also cover financial services, such as funds, targeted to EU citizens;
- When monitoring the behaviour of individuals inside the EU. This means, [for example], that a non-EU provider of social networks with users from within the EU will fall within the scope of GDPR. The same goes for an app that gathers location data of EU citizens from their smartphones. Given that most organisations operating websites acquire some personal information, it is possible that these provisions may capture a number of Bermuda operations.
What is the cost of non-compliance? In addition to the loss of consumer trust and an organisation’s reputation, potential fines under the GDPR are significant. The maximum will be 4% of global revenue. Google has annual revenues of approximately $90B, which would make a potential maximum fine $3.6B. You can understand why large ‘personal information rich’ companies are conducting wholesale changes to their operations so as to come into line with this legislation.
Here at home, Bermuda has already seen some worrying incidents with regard to the loss of personal information due to criminal activity. The international community including trade organisations, [the ITU, EU, OECD, etc.,], view the introduction of effective privacy laws as critical to the development of the digital economy and a major building block of any jurisdiction’s cybersecurity strategy. Bermuda’s international business community’s reliance on the digital economy means that the introduction of the PIPA is not only timely, but also necessary.
The PIPA was drafted so as to comply with international best practice, including that found in the GDPR. This is not to say that compliance with PIPA means compliance with the GDPR as there are provisions in the latter that are not replicated by the PIPA. The broad principles are the same. Due to this, the Bermuda Government has expressed an intention to apply for a finding of data protection “Adequacy” from the EU. If successful, this would assist in the free-flow of personal information between both jurisdictions, without the need for complex contractual arrangements.
PIPA was drafted in a readable, user-friendly manner, with implementation in a small jurisdiction very much in mind. Legislation found elsewhere is often lengthy, complex and legalistic. The PIPA is a low regulatory law that provides a workable framework for the introduction of a privacy regime with guidance from a Privacy Commissioner. While it would be wrong to second-guess the approach of the Privacy Commissioner, [yet to be appointed], it is likely that the initial period of the PIPA implementation will be spent educating both organisations and individuals in the rights and duties that have been created. This is not to say action will not be taken where necessary. For example gross security breaches and a failure to notify such breaches to the Privacy Commissioner are likely to be regarded as serious offences from the outset, while ensuring rigid compliance with technicalities may be treated with more patience.
The PIPA will impact every individual in Bermuda. It will affect every organisation including Government and the not-for-profit sector. While the fines it imposes are not of the same magnitude as for the GDPR, organisations and individuals within such organisations may be personally liable and penalties include fines and imprisonment.
When assessing compliance it helps to keep the privacy principles upon which most privacy legislation is based including the PIPA. These are:
- 1. An organisation will use personal information fairly and lawfully.
- 2. The use is for limited purposes and not in any manner incompatible with those purposes.
- 3. The personal information used is adequate, relevant and not excessive.
- 4. The personal information used is accurate and where necessary, up to date.
- 5. The personal information used is not kept for longer than is necessary.
- 6. The personal information is used in line with the individual’s rights, which includes providing access to their personal information.
- 7. The personal information used is maintained securely.
- 8. The personal information shall not be transferred to countries outside Bermuda without adequate protection.
None of these principles are particularly controversial. It would be an obtuse individual who would argue against any of them in isolation. Hands up all those who would like their personal information to be held in an insecure manner?
The PIPA has a number of defined terms of which “use” and “personal information” are critical. “Use” is defined very broadly in the PIPA with the intention that it would include any use of personal information by an organisation. “Personal information” means information about any identified of identifiable individual.
As a first step in preparing for the PIPA, an organisation should understand the use of personal information. In particular, given the prevalence of data breaches and the PIPA requirements for security, time should also be spent at the outset assessing security systems and policies to ensure they are robust and up to the challenge. A personal data mapping exercise would be explore the following broad questions:
- 1. What personal information is collected and why?
- 2. What do we use it for?
- 3. Who collects it?
- 4. How do we collect it and when [online, in person, forms]?
- 5. Where is it stored?
- 6. Who is it disclosed to?
- 7. How long is it kept?
- 8. What level of security applies to it?
- 9. Do we share it?
As always with these things the devil is in the detail. Can a company providing health insurance release medical information to an associated company providing life insurance? An accident occurred on the street and you have a CCTV recording. Can you release the recording to the injured party? Can I provide one member of staff the personal contact details of another?
While these situations require an understanding of the law it is often useful to begin by asking yourself “how would I like my personal information to be treated in this situation”. The PIPA may not always agree with the answer you have provided, but by giving some context to the question being asked you are more likely to come to the correct conclusion.
Adopting information privacy practices is good for business. In the 2016 State of ICT study, undertaken by the Department of ICT Policy and Innovation, 98% of people in Bermuda prefer doing business with organisations that protect their personal information. While compliance with the PIPA may require some initial heavy lifting, in a few years we will all be wondering how we lived without it.
- Nancy Volesky is a Certified Information Privacy Professional [CIPP/US] and is a Privacy and Security Consultant for Gateway Systems Limited.
Read More About
Category: All, Business, News, technology