Log In

Reset Password

Privacy enforcement has arrived

Enforcement time: employees are asking for access to their employment records, as provided for under Pipa (File photograph)

With the recent release of the Privacy Commissioner’s annual report for 2025-2026, it seems we may now be entering the enforcement stage of privacy law enforcement in Bermuda.

The Privacy Commissioner noted in the report that for much of the last six years since Personal Information Protection Act was passed, her office has focused on pre-implementation preparedness activities that have included both staffing-up and numerous community education initiatives.

Those initiatives were then followed up by a “prolonged period of leadership transition” after Bermuda’s first Privacy Commissioner departed that post in 2025 for a similar role in Australia.

Internationally, it has not gone unnoticed that Bermuda took nine years to bring Pipa into full force and then another 18 months (thus far) without realising any meaningful enforcement of those laws notwithstanding that the legislature enacted Pipa as paramount legislation in priority to all other legislation except the Human Rights Act.

It seems that tide has now turned, and perhaps dramatically so.

Concerning that significant change of direction, Commissioner Tucker states in her report’s message that “one of my immediate priorities is to develop and establish informed strategic enforcement strategy”.

The report goes on to reassert that priority in the Commission’s mission statement, which was revised by senior management in 2025, to state that the Commission exists to “regulate the use of personal information in Bermuda by organisations and to protect the rights of individuals in relation to the use of their personal information” in accordance with Pipa.

Perhaps the clearest indication of the compass change towards Pipa enforcement is stated on page 11 of the report in the section titled, “Priority One: Enforcement”, which asserts that the core strategic priority of the Privacy Commission is now the effective supervision and enforcement of Pipa to deliver impactful outcomes.

In fact, the meaningful enforcement of Pipa is essential to Pipa’s very existence because Bermuda cannot be considered a safe harbour for the importation of personal information from any other jurisdiction in the world unless Pipa has a clearly documented enforcement track record.

Data protection safe harbours can only exist where privacy protection laws exist and where they are actually supervised and enforced for compliance.

For example, the European Commission actively and frequently reviews the privacy laws of other jurisdictions to determine if they are adequate for the protection of individual privacy to permit the export of personal information from the EU to those foreign shores.

When the European Commission reviewed the adequacy of Canada’s privacy laws (which have heavily influenced Pipa) for the second time in 2024, it spent a great deal of its assessment effort and consideration on Canada’s privacy enforcement infrastructure, activities and outcomes.

Privacy legislation alone does not allow Bermuda to participate in the ubiquitous global exchange of personal information.

Bermuda must, through the overt attention of the Privacy Commission, impactfully enforce Pipa to ensure privacy protection as the paramount social and legal priority that the legislature intended in 2016.

Without regulatory enforcement, Pipa does not and cannot serve its essential purpose of facilitating the international flow of data among trading nations.

That is certainly why achieving the report’s “Priority Three: Compliance Outcomes” of “exercising supervisory and regulatory enforcement functions” is so important.

This new phase of privacy protection and Pipa compliance oversight is extremely welcome news for both domestic and international commerce in Bermuda that fundamentally rely on the free and protected flow of personal information internationally.

The enforcement direction will be especially meaningful for all individuals who wish to assert their Pipa rights to now access and review the personal information about them that any organisation uses.

As well, this development establishes where cybersecurity breach reporting (under several Bermuda laws) meets privacy law enforcement because when notified individuals assert their direct Pipa rights to question whether such breaches have occurred within the compliance margins of Pipa, the Privacy Commission has now signalled its priority to support those inquiries.

Duncan Card, CEO of The Advisory Group

Duncan Card is the chief executive of The Advisory Group in Bermuda and is a sought-after adviser and frequent author on topics related to privacy, cybersecurity, outsourcing transactions, AI use, and resilience regulation and compliance. This article is not intended as advice

Royal Gazette has implemented platform upgrades, requiring users to utilize their Royal Gazette Account Login to comment on Disqus for enhanced security. To create an account, click here.

You must be Registered or to post comment or to vote.

Published July 02, 2026 at 7:58 am (Updated July 02, 2026 at 8:45 am)

Privacy enforcement has arrived

Users agree to adhere to our Online User Conduct for commenting and user who violate the Terms of Service will be banned.