Privacy Commissioner leads at digital trade agreement discussions
Some of the most critical questions about the modern digital economy relate to how personal information is to be protected and respected when crossing international borders.
Privacy Commissioner Alexander White was invited to speak to members of the newly-formed Global Cross Border Privacy Rules Forum about the benefits and potential for Bermuda and other countries to participate in the data transfer system. Bermuda is considered to be a candidate to join the trade and enforcement cooperation agreement and to help set the worldwide rules of the modern digital economy.
As discussed in our office's previous guidance, certification mechanisms like the Cross Border Privacy Rules (CPBR) can provide a dependable and predictable system for protecting rights while allowing the proper use of data. The CBPR system was originally developed as a regional agreement for the Asia Pacific.
In our March 2021 guidance, PrivCom Bermuda was the first privacy regulator outside the Asia Pacific Economic Cooperation (APEC) to recognise the CBPRs as an effective certification mechanism for overseas data transfers.
Current Global CBPR Forum members include Canada, Japan, the Republic of Korea, the Philippines, Singapore, Taiwan, and the United States of America. If Bermuda were to join, individual Bermudians would gain the ability to hold overseas organisations accountable for their privacy rights. The CBPR Forum would provide Bermudian organisations with a standardised, predictable mechanism to access markets and overseas third parties in participating economies. Businesses would gain certainty in their operations and in the cross-border data transfers that must occur in the course ordinary business.
On 26th to 28th April, the inaugural meeting of the Global Cross Border Privacy Rules (CPBR) Forum was held in Honolulu, Hawaii, USA. Bermuda was one of 20 participating countries at the event, which included representatives from CBPR Forum non-members Bermuda, Brazil, Chile, Colombia, Dubai, and the United Kingdom. Commissioner White was invited to attend and speak as a featured panelist, and Bermuda Government staff participated online. His attendance did not incur a public expense.
To reach out to the Office of the Privacy Commissioner, please visit our Contact Us page.
Rights and responsibilities relating to data privacy are set out in the Personal Information Protection Act 2016 (PIPA). Bermuda's PIPA received Royal Assent on 27 July 2016. Sections relating to the appointment of the Privacy Commissioner were enacted on 2 December 2016, including the creation of the Office as well as those duties and powers relevant to its operation in the period leading up to the implementation of the whole Act. The Commissioner works to facilitate the advancement of consequential amendments to other Acts in order to harmonise them with PIPA.
The Office of the Privacy Commissioner for Bermuda (PrivCom) is an independent supervisory authority established in accordance with the Personal Information Protection Act 2016 (PIPA).
The mandate of the Privacy Commissioner is to regulate the use of personal information by organisations in a manner which recognizes both the need to protect the rights of individuals in relation to their personal information and the need for organisations to use personal information for legitimate purposes, among other duties.
The Privacy Commissioner's powers and responsibilities include monitoring the processing of personal information by both private- and public-sector organisations, investigating compliance with PIPA, issue guidance and recommendations, liaise with other enforcement agencies, and advise on policies and legislation that affect privacy. PrivCom also works to raise awareness and educate the public about privacy risks, and to protect people’s rights and freedoms when their personal data is used. The general powers of the Privacy Commissioner are outlined in Article 29 of PIPA.
Alexander White (Privacy Commissioner) was appointed by Excellency the Governor, after consultation with the Premier and Opposition Leader, to take office on 20 January 2020.
Privacy is the right of an individual to be left alone and in control of information about oneself. In addition to the protections in PIPA, the right to privacy or private life is enshrined in the United Nations' Universal Declaration of Human Rights (Article 12) and the European Convention of Human Rights (Article 8).
"Personal information" or data is a defined term in PIPA that means any information about an identified or identifiable individual. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers. "Sensitive personal information" is a defined term in PIPA that includes information relating to such aspects as place of origin, race, colour, sex, sexual life, health, disabilities, religious beliefs, and biometric and genetic information. (Note: This is not a complete list.)
"Use" of personal information is a defined term in PIPA that means "carrying out any operation on personal information, including collecting, obtaining, recording, holding, storing, organising, adapting, altering, retrieving, transferring, consulting, disclosing, disseminating or otherwise making available, combining, blocking, erasing or destroying it."
The Asia Pacific Economic Cooperation (APEC) Cross Border Privacy Rules (CBPR) System is a voluntary, accountability-based system that facilitates privacy-respecting data flows among APEC economies. There are currently nine participating APEC CBPR system economies: USA, Mexico, Japan, Canada, Singapore, the Republic of Korea, Australia, Chinese Taipei and the Philippines with more expected to join soon. The APEC CBPR System requires participating businesses to implement data privacy policies consistent with the APEC Privacy Framework. These policies and practices must be assessed as compliant with the program requirements of the APEC CBPR System by an Accountability Agent (an independent APEC CBPR system recognised public or private sector entity) and be enforceable by law. For more information, see http://cbprs.org.