Under the Personal Information Protection Act 2016 (PIPA), organisations have a general obligation to retain responsibility for ensuring compliance when they share personal information with third parties [section 5(3)]. In practice, this requirement means that the organisation must perform due diligence on the recipient, such as assessing the recipient's practices for compliance.
PIPA includes additional obligations under section 15 if an organisation transfers personal information to an “overseas third party,” that is, a third party not domiciled in Bermuda [section 6(4)]. Organisations must assess the level of protection provided by an overseas recipient, and when doing so must consider whether the level of protection provided by the laws that apply to the recipient is “comparable” [section 15(1)-(2)].
To proceed with the transfer, organisations must do one of three things: reach a reasonable conclusion that the law is comparable to PIPA [15(3)-(4)], employ mechanisms such as contractual clauses or corporate rules [15(5)], or identify a legal exception [15(6)].
Organisations may reach a reasonable conclusion that the law is comparable if the Minister designates the jurisdiction as providing a comparable level of protection [15(3)], or organisations may rely on their own reasonable belief considering the circumstances, such as whether the recipient uses a certification mechanism recognised by the Office of the Privacy Commissioner (PrivCom) [15(4)].
Section 15(3) provides that the Minister’s designation is made on the recommendation of the Commissioner. This guidance note explains the basis on which PrivCom will reach such recommendations. If an organisation needs to assess a law or jurisdiction itself, it can use a similar basis to justify its reasonable conclusion.
It would be reasonable to conclude a law is comparable to PIPA if the law in question:
1. Establishes in effect the scope described in Section 3 “Application,” and establishes legal definitions comparable to PIPA’s definitions of “personal information” and “use;”
2. Operates in alignment with the “12 General Principles and Rules” of PIPA (see below);
3. Provides individuals with the 4 rights established in PIPA’s sections 17, 18 and 19 (see below);
4. Limits exclusions and exemptions to reasonable grounds, such as the ones found in PIPA’s sections 4(1) and 22-25; and
5. Establishes effective enforcement mechanisms, such as the regulatory supervision in PIPA’s sections 26-45 and/or the sanctions and redress in PIPA’s sections 21 and 47.
PrivCom has developed a “Template for Section 15 Analysis of Comparable Laws” as a tool for evaluating the laws of other jurisdictions, and will publish these analyses as they are completed. The tool may also be useful for organisations conducting their own analyses. The template is reproduced below.
If a law aligns with every section of the “Template for Section 15 Analysis of Comparable Laws”, then the case for a designation as comparable is quite strong. However, when completing this template, it is unlikely that a law will be an exact duplicate of PIPA, nor will a jurisdiction’s legal process operate in exactly the same way. Differences do not necessarily mean that the law is no longer comparable, since differences could result in greater, lesser, or no difference in the protection of personal information. For example, the amount of fines may not be the same, but due to economic differences their effect is comparable. In contrast, if a law were to create a right for individuals to seek compensation for harms in court, but corruption in the jurisdiction renders the rule of law ineffective, then the protections are lesser and the law is not comparable. Further, the specific circumstances regarding the law or the use of personal information may mean that certain provisions do not relate to the circumstances in question.
The Template for Section 15 Analysis of Comparable Laws will assist in identifying these differences and in documenting whether the differences cause the law to no longer be comparable in effect. In the absence of a designation by the Minister, organisations may use the Template to reach and rely on their own reasonable beliefs and need not fear a disruption in their operations.
As a reminder, compliance with section 15 is more than an analysis of whether the law is comparable. The organisation still must assess the vendor to ensure they meet compliance obligations. To help organisations understand these two aspects of section 15, our office has created a “Section 15 checklist for Organisations.” This checklist emphasises that organisations must do three things: 1) identify the jurisdictions where they are transferring personal information; 2) determine if the law is comparable and if and/or how they may proceed; and 3) evaluate the recipient overseas third party to ensure they can be trusted to comply with PIPA standards.
As step 3 of the checklist demonstrates, once an organisation completes the process of evaluating its own section 15 compliance and determines to proceed with a transfer to an overseas third party, the organisation remains responsible for PIPA compliance [15(1)]. This requirement applies regardless of whether they are relying on a designation by the Minister, reaching and relying on their own reasonable belief, employing a mechanism, or identifying an exception.
Because the organisation is still responsible for PIPA compliance, they must continue to meet obligations such as considering the context of the use of personal information [5(3)]. This means that they should consider the specific risk of harm to individuals in the specific circumstances. (Common tools for considering the risk include vendor assessments, privacy impact and/or risk assessments, and transfer impact and/or risk assessments, but the specific measures needed will depend on the context.)
Organisations must continue to meet their obligations to the individual, such as by providing appropriate notice (including notice regarding the transfer overseas and its reliance on a particular certification mechanism) [9], ensuring that the legal conditions for use are met [6], and fulfilling any other responsibilities under PIPA.
The 12 PIPA general principles and rules are as follows:
1) Responsibility and compliance: Section 5
2) Conditions for using personal information: Section 6
3) Sensitive personal information: Section 7
4) Fairness: Section 8
5) Privacy notices: Section 9
6) Purpose limitation: Section 10
7) Proportionality: Section 11
8) Integrity of personal information: Section 12
9) Security safeguards: Section 13
10) Breach of security: Section 14
11) Transfer of personal information to an overseas third party: Section 15
12) Personal information about children in the information society: Section 16
The 4 rights of individuals are:
1) Right to access: Sections 17 & 18
2) Right to correction: Section 19(1)-(5)
3) Right to blocking (cease or not begin use): Section 19(6)-(9)
4) Right to erasure or destruction: Section 19(10)-(11)
For more comprehensive information, check out our Guide to PIPA.
Template for Section 15 Analysis of Comparable Laws
| Sections of PIPA | General description of the PIPA sections | Sections of [Law of the Comparable Jurisdiction] | Analysis of differences of note that may affect protections under the law, if any[1] |
|---|---|---|---|
| 2 | The scope regards protections for information about an identified or identifiable natural person.[2] | | |
| 2 | The scope governs organisational practices relating broadly to the use of personal information.[3] | | |
| 3 | The scope covers use wholly or partly by automated means or by structured filing system.[4] | | |
| 5(1) | Organisations must adopt suitable measures and policies to give effect to obligations and rights of individuals. | | |
| 5(2) | The measures and policies shall be designed to take into account the nature, scope, context and purposes of the use of personal information and the risk to individuals. | | |
| 5(3) | Organisations must ensure compliance by any third parties engaged by contract or otherwise; responsibility stays with the organisation. | | |
| 5(4) | Organisations must designate a privacy officer responsible for compliance. | | |
| 5(7) | Organisations must generally act in a reasonable manner. | | |
| 6 | Use of personal information is only lawful if it meets at least one specified condition, subject to qualifications and limitations.[5] According to PIPA, the lawful conditions are: 6(1)(a) consent of the individual; 6(1)(b) the organisation can demonstrate a reasonable belief that neither would the individual object nor would the individual be harmed or their rights prejudiced; 6(1)(c) the information is necessary for the performance of a contract or entering into a contract; 6(1)(d) a provision of law authorises or requires such a use; 6(1)(e) the information is already publicised and will be used for the same purpose for which it was publicised; 6(1)(f) the use of the information is necessary due to an emergency; 6(1)(g) the use of the information is necessary for a task in the public interest or the exercise of official authority; or 6(1)(h) the use of the information is necessary for an individual’s employment relationship. If unable to meet one of the above conditions, an organisation may use personal information only if the facts align with section 6(3). | | |
| 7 | The law defines categories of sensitive personal information[6] and prohibits their use without lawful authority.[7] | | |
| 8 | An organisation shall use personal information in a lawful and fair manner: in compliance with laws, transparently and openly without hiding relevant details, and neither harmful nor against the interests of the individual. | | |
| 9 | An organisation shall provide individuals with a clear and easily accessible statement about its practices and policies with respect to personal information. | | |
| 9(a) | The statement must include the fact that personal information is used. | | |
| 9(b) | The statement must describe the purposes for which personal information is or might be used. | | |
| 9(c) | The statement must include the identity and types of individuals or organisations to whom personal information might be disclosed. | | |
| 9(d) | The statement must include details about the identity and location of the organisation, including how to contact it. | | |
| 9(e) | The statement must include the contact details of the privacy officer. | | |
| 9(f) | The statement must include the choices and means the organisation provides to an individual for limiting the use of, and for accessing, correcting, blocking, erasing and destroying, personal information. | | |
| 10 | Use of personal information is limited to the purposes specified in the privacy notice, unless an exception applies. | | |
| 11 | An organisation shall ensure that use of personal information is adequate, relevant and not excessive in relation to the purposes for which it is used. | | |
| 12(1) | An organisation shall ensure that any personal information used is accurate and kept up to date to the extent necessary for the purposes of use. | | |
| 12(2) | An organisation shall ensure that personal information is not kept for longer than is necessary for a particular use. | | |
| 13(1) | An organisation shall protect personal information that it holds with appropriate safeguards against risk, including the risk of loss, unauthorised access, destruction, use, modification or disclosure, or any other misuse. | | |
| 13(2) | Security safeguards must be proportional to factors such as the likelihood or severity of harm, the sensitivity of the information and the context, and these safeguards must be periodically reviewed. | | |
| 14 | When an organisation suffers a breach of security that is likely to adversely affect an individual, the organisation must notify the individual and the Privacy Commissioner / regulator. | | |
| 15 | As a general principle, organisations remain responsible for information transferred overseas and must assess the level of protection provided to ensure it is comparable, or ensure that the overseas party provides a comparable level of protection. | | |
| 16 | Special consideration must be given to personal information that is about a child, such as requiring consent by parents and limiting the information that may be sought from a child. | | |
| 17 & 18 | Individuals have a right to request access to personal information, subject to qualifications and limitations. | | |
| 19(1)-(5) | Individuals have a right to request the correction of a factual error or omission in personal information under the control of an organisation, or to request that a note be added to an opinion. | | |
| 19(6)-(7) | Individuals have a right to request that an organisation cease, or not begin, using personal information for the purposes of advertising, marketing, or public relations. | | |
| 19(8)-(9) | Individuals have a right to request that an organisation cease, or not begin, using personal information where the use of that personal information is causing or is likely to cause substantial damage or substantial distress to the individual or to another individual, subject to qualifications and limitations. | | |
| 19(10)-(11) | Individuals have a right to request that an organisation erase or destroy personal information about the individual where that personal information is no longer relevant for the purposes of its use, subject to qualifications and limitations. | | |
| 21 and 47 | Non-compliance is subject to penalties and/or effective redress for individuals. Consideration may need to be given to the legal bodies and mechanisms of redress.[8] | | |
| 22-25 and 4(1) | Exemptions and exclusions are limited to reasonable grounds, such as national security, regulation, judicial activities, freedom of expression, and activities in the public interest such as archiving or scientific or historical research.[9] | | |
| 26-45 | The law effectively empowers a supervisory authority or regulator with a mandate and appropriate powers over investigation, decision- or order-making, review and approval of safeguards, the promotion of public awareness, receipt of requests or complaints, and mutual assistance and co-operation with other regulators. The authority is structured in such a way as to effectively perform its functions, with appropriate independence, legal protections, and resources, and is subject to reporting requirements, confidentiality requirements, and judicial appeal.[10] | | |
[1] Finding a difference between the laws may not necessarily mean that the law is not comparable to PIPA. Differences may result in greater, lesser, or no difference in the effective protections provided.
[2] An organisation may reasonably conclude that a law is comparable even if its scope differs from PIPA, if the scope of the law governs at least the facts of the organisation’s transfer to an overseas third party.
[3] See Footnote 2.
[4] See Footnote 2.
[5] An organisation may reasonably conclude that a law is comparable even if it does not include all the legal conditions of use, if the law includes at least the condition applicable to the facts of the organisation’s transfer to an overseas third party.
[6] These sensitive personal information types are defined in section 7(1). An organisation may reasonably conclude that a law is comparable even if it does not include all aspects of the definition of sensitive personal information, if the law includes at least the aspects applicable to the facts of the organisation’s transfer to an overseas third party.
[7] This prohibition should be comparable to section 7(2), and the standard for lawful authority should be comparable to section 7(3). An organisation may reasonably conclude that a law is comparable even if it does not include all the options for lawful authority, if the law includes at least the lawful authority applicable to the facts of the organisation’s transfer to an overseas third party.
[8] See Footnote 1.
[9] See Footnote 1.
[10] See Footnote 1.