PrivCom recognises APEC CBPR System as a certification mechanism for overseas data transfers
Exercising authority under PIPA section 29(1)(i), the Privacy Commissioner recognises the APEC CBPR System as a certification mechanism that may be utilised according to PIPA section 15(4).
As described in our previous guidance, "Guidance on vendors, third parties, and overseas data transfers," the Personal Information Protection Act (PIPA) includes additional obligations under section 15 if an organisation is making a data transfer to an "overseas third party," or a third party not domiciled in Bermuda.
PIPA Section 15(4) states:
(4) If the organisation reasonably believes that the protection provided by the overseas third party is comparable to the level of protection required by this Act, which may be evidenced by the third party’s adoption of a certification mechanism recognised by the Commissioner, the organisation may rely on such comparable level of protection while the personal information is being used by the overseas third party.
Section 15(4) clarifies that an organisation may act upon a reasonable belief that the protection in the overseas third party's country is comparable to PIPA. Under this section, our office has the authority to recognise certification mechanisms, and organisations may rely on such a recognition.
The Office of the Privacy Commissioner for Bermuda recognises the Asia Pacific Economic Cooperation (APEC) Cross Border Privacy Rules (CBPR) System as a certification mechanism for transfers of personal information to an overseas third party.
While a relatively new standard, the CBPR System has been recognised as an overseas data transfer mechanism by multiple Asia-Pacific countries. As an explicitly named option in the recent "US, Mexico, and Canada Agreement", the CBPR System presents a valid mechanism for data transfers across North America.
Our recognition of this certification mechanism provides Bermudian organisations with certainty in their operations and the data transfers that must occur in the course of ordinary business, along with a standardised, predictable mechanism to access markets and overseas third parties in Asia-Pacific economies, including the United States and Canada.
The CBPR System is based on the APEC Privacy Framework, which aligns well with PIPA's requirements. Both regulatory regimes share a common lineage based on the OECD Privacy Guidelines. An overseas third party that is CBPR-certified may generally be considered as legally bound to a comparable level of protection for personal information.
Under the CBPR System, an APEC member economy designates Accountability Agents as government-authorised certification entities who confirm organisations' compliance with the Framework. In their jurisdiction, Accountability Agents may enforce CBPR certification through law and contract. Further, CBPR certification may be enforced by the APEC Cross-border Privacy Enforcement Arrangement: a group of our regulatory counterparts in the US, Canada, Australia, Hong Kong, Japan, Mexico, New Zealand, the Philippines, Singapore, South Korea, and Taiwan.
For these reasons, Bermudian organisations may reasonably conclude that an overseas third party that has been certified under the CBPR system is subject to a comparable level of privacy protection.
Nevertheless, if an overseas third party claims to be CBPR-certified, Bermudian organisations should verify their claim by consulting the public Compliance Directory available at http://cbprs.org/.
Further, Bermudian organisations should ensure that CBPR certification is a material part of their agreement with the overseas third party. As an example, our colleagues at the Singapore Personal Data Protection Commission, who have also recognised CBPR certification for overseas data transfers, have developed a template contract clause that transferring organisations could include in their contract with recipients. Of course, this language may not be appropriate for all Bermudian organisations, who should conduct their own legal due diligence to meet their needs.
Even if relying on an overseas third party's CBPR certification, a Bermudian organisation remains responsible to the individual and must provide appropriate notice (including notice regarding the transfer overseas and its reliance on a particular certification mechanism), ensure section 6 Conditions are met, and fulfill any other responsibilities under PIPA.
As with any obligation under PIPA, organisations must assess their specific circumstances to determine what measures would be reasonable and appropriate. For example, CBPR certification may not be appropriate when transferring personal information that is sensitive or that may have a high risk of harm if misused. Organisations may need to specify certain controls or solicit certain promises in their contracts to ensure personal information is used properly.
Likewise, organisations that comply with multiple jurisdictions' standards should note that requirements may differ. For example, the European Commission spoke about the CBPR System and the use of personal information that originally comes from the EU in their Adequacy determination for Japan.
While PIPA generally allows flexibility in approach, organisations nevertheless remain ultimately responsible for the obligations that relate to the use of personal information.
To reach out to the Office of the Privacy Commissioner, please visit our Contact Us page.
Rights and responsibilities relating to data privacy are set out in the Personal Information Protection Act 2016 (PIPA). Bermuda's PIPA received Royal Assent on 27 July 2016. Sections relating to the appointment of the Privacy Commissioner were enacted on 2 December 2016, including the creation of the Office as well as those duties and powers relevant to its operation in the period leading up to the implementation of the whole Act. The Commissioner works to facilitate the advancement of consequential amendments to other Acts in order to harmonise them with PIPA.
The Office of the Privacy Commissioner for Bermuda (PrivCom) is an independent supervisory authority established in accordance with the Personal Information Protection Act 2016 (PIPA).
The mandate of the Privacy Commissioner is to regulate the use of personal information by organisations in a manner which recognises both the need to protect the rights of individuals in relation to their personal information and the need for organisations to use personal information for legitimate purposes, among other duties.
The Privacy Commissioner's powers and responsibilities include monitoring the processing of personal information by both private- and public-sector organisations, investigating compliance with PIPA, issuing guidance and recommendations, liaising with other enforcement agencies, and advising on policies and legislation that affect privacy. PrivCom also works to raise awareness and educate the public about privacy risks, and to protect people's rights and freedoms when their personal data is used. The general powers of the Privacy Commissioner are outlined in Article 29 of PIPA.
Alexander White (Privacy Commissioner) was appointed by His Excellency the Governor, after consultation with the Premier and Opposition Leader, to take office on 20 January 2020.
Privacy is the right of an individual to be left alone and in control of information about oneself. In addition to the protections in PIPA, the right to privacy or private life is enshrined in the United Nations' Universal Declaration of Human Rights (Article 12) and the European Convention of Human Rights (Article 8).
"Personal information" or data is a defined term in PIPA that means any information about an identified or identifiable individual. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers. "Sensitive personal information" is a defined term in PIPA that includes information relating to such aspects as place of origin, race, colour, sex, sexual life, health, disabilities, religious beliefs, and biometric and genetic information. (Note: This is not a complete list.)
"Use" of personal information is a defined term in PIPA that means "carrying out any operation on personal information, including collecting, obtaining, recording, holding, storing, organising, adapting, altering, retrieving, transferring, consulting, disclosing, disseminating or otherwise making available, combining, blocking, erasing or destroying it."
The Asia Pacific Economic Cooperation (APEC) Cross Border Privacy Rules (CBPR) System is a voluntary, accountability-based system that facilitates privacy-respecting data flows among APEC economies. There are currently nine participating APEC CBPR System economies: USA, Mexico, Japan, Canada, Singapore, the Republic of Korea, Australia, Chinese Taipei, and the Philippines, with more expected to join soon. The APEC CBPR System requires participating businesses to implement data privacy policies consistent with the APEC Privacy Framework. These policies and practices must be assessed as compliant with the program requirements of the APEC CBPR System by an Accountability Agent (an independent public- or private-sector entity recognised under the APEC CBPR System) and be enforceable by law. For more information, see http://cbprs.org.