Working with third parties in non-comparable jurisdictions

  • Writer: privcombermuda
  • 5 days ago
  • 6 min read

This article is an update on a previous article.


In October 2024, the Office of the Privacy Commissioner for Bermuda (PrivCom) put out a Guidance note: Transfer of personal information to overseas third parties and comparable jurisdictions. On 1 January 2025, the Personal Information Protection Act 2016 (PIPA) took effect.


Organisations that use personal information in Bermuda may be engaging, or may wish to contract, overseas third parties located in a country that does not provide privacy protections comparable to those set out under PIPA. From the perspective of privacy and data protection law, such countries are termed “non-comparable jurisdictions”.


In Bermuda’s new legal regime, organisations that use personal information in Bermuda may find themselves wondering whether they are PIPA-compliant when they engage overseas third parties that are based in a non-comparable jurisdiction to use personal information on their behalf.


Some organisations may conclude that if an overseas third party is based in a non-comparable jurisdiction, their contractual engagement of such a third party is not compliant with PIPA. However, this may not be the case in some circumstances.


Organisations in Bermuda wishing to transfer personal information to third parties based in non-comparable jurisdictions will still need to ensure the personal information transferred to and subsequently used by the overseas third party stays protected to a comparable standard.


Here is what organisations can do to establish whether their contractual engagement of a third party in a non-comparable jurisdiction complies with PIPA:


1. Check the rules: Under section 5(3) of PIPA, organisations have a general obligation to retain responsibility for ensuring compliance when they share personal information with third parties. This legislative requirement means that the organisation must perform due diligence on the recipient, such as assessing its practices for compliance with PIPA. PIPA includes additional obligations under section 15 if an organisation is seeking to transfer personal information to an “overseas third party,” meaning a third party not domiciled in Bermuda [section 6(4)]. Organisations must assess the level of protection provided by an overseas recipient, and when doing so must consider whether the level of protection provided by the laws that apply to the recipient is “comparable” [section 15(1)-(2)].


To proceed with the transfer, organisations must do one of three things: reach a reasonable conclusion that the law is comparable to PIPA [15(3)-(4)], employ mechanisms such as contractual clauses or corporate rules [15(5)], or identify a legal exception [15(6)].

Organisations may reach a reasonable conclusion that the law is comparable if the Minister designates the jurisdiction as providing a comparable level of protection [15(3)], or organisations may rely on their own reasonable belief considering the circumstances, such as whether the recipient uses a certification mechanism recognised by the Office of the Privacy Commissioner (PrivCom) [15(4)].

 

2. Check the third party: In conjunction with its obligation under section 15 of PIPA to assess the overseas third party prior to the transfer of personal information, the organisation’s evaluation of the overseas third party should involve all relevant internal and external stakeholders, including internal audit, information security, physical security, cybersecurity, etc. This assessment may include vetting the third party, including running checks on its security systems and practices, as well as establishing whether the third party has had security breaches in the past and how they were handled and resolved.

 

3. Put safeguards in place: The organisation can set up legal agreements such as contracts with overseas third parties that require specific safeguards to be put in place. Such provisions may include specific rules and performance obligations about how the personal information can be used, stored, and protected. When drafting such contractual terms and conditions, an organisation may refer to the following contract inventory list.

 

4. Use contractual mechanisms: Prior to the transfer of personal information to an overseas third party, section 15(5) of PIPA empowers organisations to use provisions that ensure that privacy protections comparable to PIPA travel with the personal information, such as contractual mechanisms or corporate codes of conduct. As a general rule, any sort of contractual mechanism could meet this standard. It is not necessarily a requirement for organisations to use approved contractual language. Some jurisdictions provide ready-made, approved contractual mechanisms or corporate codes of conduct, such as binding corporate rules, to simplify this process. Once contractual language under section 15 has been created and approved for Bermuda, using it can provide certainty for the organisation.

 

5. Assess the risks: Before transferring personal information to an overseas third party, organisations should evaluate the third party by conducting robust assessments. These may include privacy impact assessments. Organisations should also perform their due diligence as to whether the third party can realistically meet the privacy requirements under PIPA.

 

6. Monitor and audit: Even after setting up contracts, organisations should keep an eye on how the third party is using the personal information through regular reviews and audits.

 

7. Consider additional safeguards and protections: If the overseas third party is located in a country with weak privacy laws and regulations, then in addition to the above, the organisation should consider employing additional security safeguards, such as encrypting the personal information or limiting what kind of personal information is transferred to the third party.

 

PrivCom encourages organisations that make determinations as to whether or not their engagement of third parties based in non-comparable jurisdictions is PIPA-compliant to use the following five-step test, contained in the Section 15 Checklist. We list the five steps below.

 

1. Is the jurisdiction in which the overseas third party is based comparable?


If the answer is ‘yes’, proceed to conduct third party due diligence (step 5).

If the answer is ‘no’ because you have not been able to identify personal information protection laws and regulations that apply to the potential overseas third party’s jurisdiction, proceed to the next step.


2. Is the level of protection provided by the overseas third party comparable to PIPA because:


i. you have relied on the Minister’s designation of the jurisdiction as providing a comparable level of protection?

and/or

ii. you have conducted an assessment of the laws in comparison to PIPA in order to reach a reasonable belief that the protection is comparable?

and/or

iii. you have relied on the third party’s use of a certification mechanism recognised by the Privacy Commissioner as providing a comparable level of protection?

If the answer to one or all of the above options is ‘yes’, proceed to conduct third party due diligence (step 5).

If the answer to all of the above options is ‘no’, proceed to the next step.


3. You considered that the level of protection is not comparable, and to ensure the overseas third party provides a comparable level of protection, you are employing:


i. Contractual mechanisms that hold the overseas third party to a level of protection comparable to PIPA;

and/or

ii. Corporate codes of conduct, such as binding corporate rules, that meet a level of protection comparable to PIPA;

and/or

iii. Other means that have the effect that the overseas third party provides a level of protection comparable to PIPA: __________________

If you are able to identify one or all of the above, proceed to conduct third party due diligence (step 5).

If you are not able to identify any of the above, proceed to the next step.


4. You considered that the level of protection is not comparable but have identified an exceptional circumstance, where:


i. The transfer is necessary for the establishment, exercise, or defence of legal rights;

and/or

ii. In consideration of all the circumstances, you reasonably consider the transfer of personal information to be small-scale, occasional, and unlikely to prejudice the rights of an individual.

If you have identified one of the exceptional circumstances listed above, proceed to step 5.


5. You conducted your due diligence of the practices of the overseas third party to ensure that you meet your responsibility to ensure compliance with PIPA.

 

Conclusion


When deciding whether or not to transfer personal information to overseas third parties based in non-comparable jurisdictions, organisations must take proactive steps to ensure that privacy protections are upheld to the standard required under PIPA. Organisations must conduct their due diligence of the overseas third party’s policies, procedures, and practices to ensure that those third parties meet the organisation’s responsibility and compliance requirements under PIPA.

 
 
