Privacy Commissioner for Bermuda Releases 2025 Stats

As the clock struck midnight on January 1, 2025, Bermuda ushered in a new era with the full implementation of the Personal Information Protection Act (PIPA) 2016, marking a significant milestone in safeguarding personal data across the island. Just six months later, on July 1, 2025, the Office of the Privacy Commissioner for Bermuda (PrivCom) released its inaugural quarterly statistics report for the first quarter of 2025 (January 1 to March 31), offering a rare glimpse into the early enforcement and compliance landscape. This detailed breakdown, shared at 11:26 PM EDT on this warm July evening, captures five reported personal data breaches affecting over 3,000 individuals, a steady stream of written requests and general queries, and a nuanced approach to guiding organizations through this uncharted territory. For anyone curious about how Bermuda is navigating its privacy journey, this report is a treasure trove of insights into a society balancing individual rights with the realities of a digital world.

The report’s headline figure—five breaches impacting more than 3,000 people—sets the stage for understanding the scale of privacy challenges in Bermuda’s nascent regulatory framework. These incidents, though limited in number, suggest that organizations are still grappling with the transition to PIPA’s stringent requirements, which demand secure handling of personal information from collection to disposal. PrivCom’s spokesperson emphasized that this data reflects only incidents reported to the Investigations Unit during Q1, with some figures potentially subject to revision as more information emerges. This cautious approach highlights the office’s commitment to accuracy, especially in a period where businesses and public entities are still calibrating their compliance efforts. The breaches, while not detailed publicly, likely span various sectors (financial services, healthcare, or even small businesses, given Bermuda’s diverse economy), and they underscore the urgency of robust data protection measures as the island aligns with global standards.

Beyond breaches, the report sheds light on consumer engagement with their newfound privacy rights. PrivCom received a notable volume of written requests and general queries, reflecting a public eager to exercise control over their personal information. However, a significant observation emerged: some individuals attempted to use PIPA as a shortcut to resolve ongoing legal or grievance proceedings, a misuse the Commissioner is keen to address. Under Section 38(3) of PIPA, PrivCom can require individuals to exhaust other available remedies before pursuing a privacy complaint, ensuring the Act isn’t stretched beyond its intended purpose. This nuance is critical, as it balances individual empowerment with the need to maintain orderly dispute resolution. For instance, if someone is already in court over a data misuse claim, PrivCom encourages them to see that through rather than overlapping with a PIPA request unless the privacy issue stands apart.

Key Insights from Q1 2025 Statistics

  • Early Breach Patterns: The five reported breaches affecting over 3,000 individuals indicate initial compliance struggles, potentially linked to inadequate training or outdated systems as organizations adapt to PIPA.
  • Consumer Awareness Gaps: Written requests and queries suggest growing public interest, but confusion about PIPA’s scope—especially regarding pre-2025 data—points to a need for clearer education.
  • Regulatory Clarity: PrivCom’s stance on prioritizing other legal proceedings over PIPA complaints reflects a deliberate effort to define the Act’s boundaries in its early days.
  • Pre-Implementation Data: The exclusion of pre-January 2025 data from compliance scrutiny, per Section 4(2) of PIPA, offers organizations a grace period but raises questions about historical data risks.

The report also tackles a thorny issue: data collected before PIPA’s full enactment. PrivCom clarified that information gathered prior to January 1, 2025, is deemed collected with consent for its original purpose, shielding organizations from retroactive liability. This provision, outlined in Section 4(2), aims to ease the transition for businesses already operating under frameworks like the EU’s General Data Protection Regulation (GDPR), which Bermuda has studied closely. However, it leaves a gray area—what happens if that pre-2025 data is mishandled now? The Commissioner’s guidance suggests organizations must still protect it under current standards, a challenge for firms relying on legacy systems. This balance between leniency and accountability is a tightrope walk, reflecting Bermuda’s effort to foster a privacy-conscious culture without crippling its economy, which thrives on international finance and tourism.

PrivCom’s role extends beyond enforcement to education and support, a theme woven throughout the report. The office is actively guiding organizations through compliance, drawing on years of preparation that began with the 2016 Act’s partial enactment and intensified with the 2024 Road to PIPA campaign. This initiative, launched during Data Privacy Week 2024, offered weekly steps—appointing privacy officers, mapping data flows, and securing third-party contracts—to ready businesses for the January 2025 deadline. The Q1 statistics build on this foundation, with PrivCom encouraging organizations to use its resources, like the comprehensive Guide to PIPA, to address gaps exposed by early breaches. The report’s release coincides with Commissioner Alexander White’s upcoming departure to Queensland, Australia, on September 30, 2025, adding a layer of anticipation about leadership continuity as Bermuda refines its privacy framework.

Steps Toward a Privacy-Ready Bermuda

  1. Enhance Training Programs: Organizations should leverage PrivCom’s monthly PIPA training sessions, piloted with public sector executives, to upskill staff and prevent breaches.
  2. Audit Pre-2025 Data: Businesses must review legacy data stores to ensure compliance with current security standards, despite the exemption from retroactive penalties.
  3. Streamline Complaint Processes: Individuals need clearer guidance on when to use PIPA versus other legal avenues, reducing confusion and strengthening trust in the system.
  4. Collaborate Globally: PrivCom’s participation in the Global Privacy Enforcement Network (GPEN) and the International Age Assurance Working Group should inform local policies, aligning Bermuda with international best practices.

The global context adds depth to Bermuda’s efforts. PrivCom’s involvement in GPEN’s 2024 sweep, which examined 196 local websites, and its signing of the Joint Statement on Age Assurance in October 2024, show a commitment to learning from jurisdictions like the UK and Canada. The Q1 report’s focus on children’s data—protected under PIPA for those under 14—ties into this, with organizations now required to secure parental consent for digital services. This aligns with global trends, yet Bermuda’s small size—about 65,000 residents—means every breach or query carries outsized impact, amplifying the need for precision in enforcement. The five breaches, though modest compared to larger nations, affected over 4.6% of the population, a statistic that underscores the stakes.

As Bermuda moves forward, the Q1 2025 report is a snapshot of a society in transition. The five breaches, while a concern, are a starting point for refining compliance, with PrivCom’s guidance offering a lifeline to organizations.

Q1 2025 Statistics Summary (January 1 – March 31, 2025)

  • Personal Information Breaches:
    • Total reported: 5
    • Estimated people affected: 3,000+
    • Nature: Majority related to unauthorized disclosures or access likely to adversely affect individuals.
    • Status: 4 concluded, 1 remains open.
  • Written Requests:
    • Total received and accepted: 6
    • Types: 2 requests for Review, 4 requests initiating a Complaint under PIPA.
    • Status: 4 closed by resolution prior to formal investigation, 2 remained open post-quarter end.
  • General Queries:
    • Total received: 22
    • Nature: Related to PIPA guidance, general concerns, and procedural steps.
    • Status: All 22 closed informally by providing recommendations or guidance to relevant resources.

Q1 Key Takeaways

  • Personal Information Breach Assessment:
    • Organizations face challenges in measuring adverse effects and complying with “without undue delay” breach notification.
    • Recommendations for Organizations:
      • Designate an effective Privacy Officer.
      • Implement accessible policies and procedures for breach assessment.
      • Develop risk assessments, impact questionnaires, and other tools.
      • Conduct PIPA compliance training for all employees.
  • Exhaustion of Alternative Grievance, Complaint or Review Procedures:
    • Individuals sometimes pursue PIPA rights concurrently with other legal or grievance procedures.
    • PIPA is not intended to circumvent or supplement existing procedures.
    • The Commissioner may require individuals to exhaust other procedures (Section 38(3) of PIPA).
    • Individuals should first attempt to exercise their rights through a PIPA Rights Request before making a complaint of non-observance by an organization.
  • Transitional Aspects of PIPA:
    • PrivCom has received queries regarding personal information collected or used before PIPA’s effective date (January 1, 2025).
    • PrivCom cannot consider non-compliance prior to this date.
    • Personal information collected before January 1, 2025, is deemed collected with consent under Section 4(2) of PIPA and can continue to be used for its original purpose.
    • Individuals can contact organizations to withdraw consent or exercise their rights via a PIPA Rights Request.

You can find the full report with more details at: https://www.privacy.bm/post/the-office-of-the-privacy-commissioner-for-bermuda-privcom-is-releasing-statistics-for-q1-2025
