Bermuda recognises comprehensive certification mechanism for data transfers

Bermuda flag. Image source: pixabay.com

Bermuda’s Privacy Commissioner recently announced recognition for the APEC CBPR System as a certification mechanism for overseas transfers of personal data under Bermuda’s data privacy law. The move promises strong safeguards for transfers of data outside of Bermuda.

What is the CBPR System?

CBPR refers to the Cross-Border Privacy Rules. The CBPR System was developed as a means of operationalising the principles in the Asia Pacific Economic Forum’s Privacy Framework. Practically speaking, the CBPR System provides a unified framework for the exchange of personal information among the 21 participating economies in APEC.

To obtain CBPR certification, participating businesses in APEC economies must implement privacy policies that are consistent with the principles in the APEC Privacy Framework. Upon successfully demonstrating compliance to an accountability agent, the business is certified as CBPR compliant.

When a business within an APEC member economy becomes CPBR certified by the accountability agent, they are listed on the CBPR’s website. It is, therefore, fairly easy for entities considering sending personal information to a business in an APEC economy to verify the certification status of that business.

If an organisation has been CBPR certified, it implies that it has already been exposed to a rigorous assessment of its privacy compliance practices. Also, in the event of a breach of duty by a CBPR-certified business, it can be subject to enforcement action from both the accountability agent and the privacy enforcement authority in that entity’s home country.

Rationale for adopting the CBPR

Most data privacy laws tend to protect personal information by preventing businesses from sending it outside of the jurisdiction. Naturally, in an interconnected, modern, digital world, this starting point renders digital trade and commerce exceedingly difficult and impractical. Today, most businesses need to send data outside of their domicile. Modern data privacy laws have solved this challenge by creating exceptions that allow personal information to be legally transferred outside of a jurisdiction, once certain additional safeguards are in place. 

Bermuda’s Personal Information Protection Act (PIPA) is one such modern privacy law. Its safeguards allow for lawful transfers to entities outside Bermuda where that entity has adopted a certification mechanism approved by Bermuda’s Privacy Commissioner

By approving the CBPR System, the Privacy Commissioner has given practical effect to this aspect of the PIPA. Bermuda-domiciled businesses now have an additional lawful basis for transferring data outside of Bermuda.

What CBPR means for Bermuda

Easy to connect t
The CBPR recognition will help to strengthen Bermuda’s already strong economic ties with the USA.
Image Source: bermuda.com

The USA is Bermuda’s primary trading partner. It is a significant source of income for Bermuda’s offshore sector that accounts for 60% of the territory’s economic output. The USA is among the 21 APEC member economies. Bermuda’s recognition of the CBPR framework is, therefore, a sensible step towards ensuring the continued ease of doing business for globally-focused organisations domiciled in Bermuda, many of whom will likely be sharing information with entities in the USA. 

Speaking practically, the recognition of the CBPR System means that organisations in Bermuda can more easily transfer personal data to an overseas CBPR-certified recipient without having to meet additional data transfer requirements. Without recognition of a mechanism like the CBPR, organisations sending data from Bermuda would have to expense themselves to implement more bespoke data transfer methods, including contractual clauses, corporate codes of conduct (for e.g. binding corporate rules), or similar measures.

To be clear, making use of the CBPR framework as part of data transfers will not relieve Bermuda-domiciled entities from their general obligations under the PIPA. In fact, the PIPA makes clear that where an organisation sends data to an entity outside of Bermuda, the Bermudan sending organisation retains responsibility for PIPA compliance in respect of that transfer. 

Making use of the CBPR will, however, make overall compliance easier since: 

  • Bermudan organisations can more readily comply with their duty under PIPA to only transfer data internationally if there is a reasonable belief that the protection provided by the overseas third party is comparable to the level of protection afforded to data subjects by PIPA itself; and
  • the probability of investigations by the Privacy Commissioner to ‘check under the hood’ of international data transfers by Bermudan businesses premised on CPBR certification will be less likely (though not extinguished) as there will be an implicit assurance that the third-party has been vetted against a rigorous privacy standard that is comparable to the safeguards in Bermuda’s PIPA.

To be clear, Bermuda is not an APEC Member country. Accordingly, it is unlikely that Bermuda will appoint accountability agents or even participate in the enforcement framework directly. In recognising the CBPR framework, Bermuda is, however, making it easier and more predictable for Bermudan organisations to safely transfer data to destinations within APEC economies. CBPR utilization will also make privacy compliance somewhat cheaper.

What’s next?

To engage with a CBPR certified entity, standard contractual clause language is typically employed. See an example of this kind of clause here.

The Bermudan regulator has not yet published any recommended clause language to guide Bermuda-based organisations in operationalising usage of the CBPR System. It is not unreasonable to presume that this step may be taken at some point in the short-medium term.

This guidance may be forthcoming as part of the overall effort to ensure all the necessary resource puzzle pieces are in place before the PIPA fully comes into force (the latest word from Bermuda is that the PIPA will not fully come into effect before the end of 2021).

Further Reading

Processing…
Success! You're on the list.

Published by bartlettmorgan

Attorney at Law in the Commonwealth Caribbean. Focused on developments in the internet law sphere.