In February 2023, the Office of the Privacy Commissioner for Bermuda (PrivCom) has entered into two prominent international enforcement cooperation agreements. With these agreements, PrivCom will be able to liaise with privacy commissioners around the world to share resources in joint investigations that may affect individuals in Bermuda and elsewhere.

PrivCom joined the Global Privacy Enforcement Network (GPEN), which includes jurisdictions from every continent around the world, as well as jurisdictions with whom Bermuda has close ties, such as Canada, Ireland, the United Kingdom, the United States, and others. The GPEN supports cooperation through exchanging information about relevant issues and trends, sharing training and expertise, and undertaking specific activities, such as coordination of investigations, discussions on investigations techniques, supporting cross-jurisdictional educational projects, periodic conference calls, and other activities. More information about GPEN may be found at the network’s website.

PrivCom joined the Global Privacy Assembly’s Enforcement Cooperation Arrangement, which includes other jurisdictions with whom Bermuda has close ties, such as Canada, Ireland, the United Kingdom, and others. Under this Arrangement, participants promote a common understanding and approach to cross-border enforcement cooperation at a global level by sharing enforcement related material and, where appropriate, coordinating their knowledge, expertise and experience that may assist other participants to address matters of mutual interest, among other aims. More information and a list of all participating jurisdictions may be found on the Global Privacy Assembly website.

PrivCom engages with its international counterparts to enhance Bermuda's reputation as a regulatory leader and to ensure that its guidance and actions are consistent with standards and best practices around the world. Individuals benefit from this engagement because their privacy rights are interpreted according to the high standards of global consensus. Organisations benefit because our guidance reflects consensus best practices and our regulatory actions become interoperable standards that suit multiple jurisdictions, promoting consistency and reducing compliance costs.

Commissioner White: “There are many benefits to working with our international colleagues. Not only do we benefit from their experience to operate more efficiently and effectively, but we can also serve as the voice of Bermudians in matters of data or technology regulation of global and multi-national entities.”

Press Background:

• Rights and responsibilities relating to data privacy are set out in the Personal Information Protection Act 2016 (PIPA). Bermuda's PIPA received Royal Assent on 27 July 2016. Sections relating to the appointment of the Privacy Commissioner were enacted on 2 December 2016, including the creation of the Office as well as those duties and powers relevant to its operation in the period leading up to the implementation of the whole Act. The Commissioner works to facilitate the advancement of consequential amendments to other Acts in order to harmonise them with PIPA.

• The Office of the Privacy Commissioner for Bermuda (PrivCom) is an independent supervisory authority established in accordance with the Personal Information Protection Act 2016 (PIPA).

• The mandate of the Privacy Commissioner is to regulate the use of personal information by organisations in a manner which recognizes both the need to protect the rights of individuals in relation to their personal information and the need for organisations to use personal information for legitimate purposes, among other duties.

• The Privacy Commissioner's powers and responsibilities include monitoring the processing of personal information by both private- and public-sector organisations, investigating compliance with PIPA, issue guidance and recommendations, liaise with other enforcement agencies, and advise on policies and legislation that affect privacy. PrivCom's mission is also to raise awareness and educate the public about privacy risks and to protect people’s rights and freedoms when their personal data is used. The general powers of the Privacy Commissioner are outlined in Article 29 of PIPA.

• Alexander White (Privacy Commissioner) was appointed by H. E. the Governor, after consultation with the Premier and Opposition Leader, to take office on 20 January 2020

• Privacy is the right of an individual to be left alone and in control of information about oneself. In addition to the protections in PIPA, the right to privacy or private life is enshrined in the United Nations' Universal Declaration of Human Rights (Article 12) and the European Convention of Human Rights (Article 8).

• "Personal information" or data is a defined term in PIPA that means any information about an an identified or identifiable individual. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers. "Sensitive personal information" is a defined term in PIPA that includes information relating to such aspects as place of origin, race, colour, sex, sexual life, health, disabilities, religious beliefs, and biometric and genetic information. (Note: This is not a complete list.)

• "Use" of personal information is a defined term in PIPA that means "carrying out any operation on personal information, including collecting, obtaining, recording, holding, storing, organising, adapting, altering, retrieving, transferring, consulting, disclosing, disseminating or otherwise making available, combining, blocking, erasing or destroying it."

• About the Global Privacy Assembly’s Enforcement Cooperation Agreement The purpose of this Arrangement is to foster data protection compliance by organisations processing personal data across borders. It encourages and facilitates privacy commissioner cooperation with each other by sharing information, particularly confidential enforcement-related information about potential or ongoing investigations, and where appropriate, the Arrangement also coordinates participants’ enforcement activities to ensure that their scarce resources can be used as efficiently and effectively as possible. Participant since February 2023.

• About the Global Privacy Enforcement Network Based upon the OECD’s Recommendation on Recommendation on Cross-border Cooperation in the Enforcement of Laws Protecting Privacy, that called for member countries to foster the establishment of an informal network of Privacy Enforcement Authorities, the Global Privacy Enforcement Network (GPEN) was established in March 2010. GPEN connects privacy enforcement authorities from around the world to promote and support cooperation in cross-border enforcement of laws protecting privacy. Member since February 2023.