Privacy Laws in British Virgin Islands
Law in British Virgin Islands
There is currently no formal legislation regulating data protection in the British Virgin Islands (“BVI”) however, the BVI Government has pledged the promulgation of suitable data protection legislation, based on internationally recognised standards, to be enacted in 2014.
English Common law is persuasive (although not binding) in the BVI and accordingly, a BVI Court will recognise and subscribe to the Common law duties of confidentiality and privacy. In essence, a person's details will need to be kept confidential provided an appropriate and satisfactory exception applies. Moreover, the duty of confidentiality has been statutorily codified in various aspects of BVI legislation, in particular the Banks and Trust Companies Act, 1990 (as amended) which regulates all banking and trust/ fiduciary related activities in the BVI.
In terms of specific exceptions, limitations on the duty of confidentiality and privacy would arise in terms of appropriate anti money laundering legislation (primarily regulated by the BVI Proceeds of Criminal Conduct Act, 1997 and the Anti Money Laundering Regulations, 2008).
Definitions
Definition of Personal Data
No specific definition at present. Data Protection Bill to be promulgated in 2014 which will contain definitions as appropriate.
Definition of Sensitive Personal Data
No specific definition at present. Data Protection Bill to be promulgated in 2014 which will contain definitions as appropriate.
National Data Protection Authority
No specific data protection authority at present pending promulgation of data protection legislation in 2014. The Courts of the BVI would be guided by English Common law duties of confidentiality and privacy. Moreover, the Financial Services Commission (the “Commission”) regulates the fiduciary and trust business sectors, pursuant to the Banks and Trust Companies Act, 1990 (as amended).
Registration
No specific mechanisms of registration pending the promulgation of data protection legislation in 2014.
Data Protection Officers
There is presently no requirement for the appointment of data protection officers in the BVI.
Collection & Processing
Entities, which manage and maintain personal information data will be subject to the Common law duty of confidentiality. From a fiduciary/trust perspective, licensees are under a general obligation to maintain the privacy and confidentiality of a client’s personal information unless specific permission is granted for its release or dissemination to third parties. This obligation may however be limited pursuant to the requirements of appropriate anti money laundering legislation/regulations. From a corporate perspective, the Registrar of Corporate Affairs (the “Registrar”) is able to release only limited information regarding the particulars of any registered company including the name, type of company, the date of registration/incorporation, the address of its registered office and the status of the company. Accordingly, details of shareholders and directors are not available for public inspection (unless specifically authorised and filed by the company itself). Except where assistance to law enforcement agencies to combat illicit activity is mandated or authorised, disclosure of information by government officials, professional agents, attorneys and accountants and their employees is prohibited.
Transfer
Transfer of data to third parties would be subject to the common law duty of confidentiality (which may include a statutory duty (where the common law duty of confidentiality has been codified) depending on the nature of data being transferred). A transferor would need to ensure that appropriate measures have been taken in order to obtain the necessary consents/ approvals prior to such data being disseminated.
The Commission is under a general obligation of confidentiality but has the power to disclose in certain circumstances, including disclosure to foreign regulators in approved jurisdictions of information necessary to enable the regulator to exercise similar functions to those exercised by the Commission. However, before doing so, the foreign regulator is required to undertake that the information will not be transmitted to any other person without the prior written consent of the commission.
Security
There are no formal statutory security measures currently in place (pending the promulgation of appropriate data protection legislation envisaged in 2014), however the holder would be subject to a general obligation to ensure the technical and organisational safeguarding of such confidential information and personal data.
Breach Notification
There is no current mechanism or requirement in place to report data security breaches in the British Virgin Islands.
Enforcement
Presently, the Commission and the BVI Courts will be tasked with the enforcement of data protection and confidentiality related matters (insofar as applicable pending promulgation of appropriate data protection legislation).
Electronic Marketing
No formal electronic communications regulations or legislation currently in place however, the Telecommunications Act (No 10 of 2006) regulates the telecommunications industry in the British Virgin Islands and provides sanctions protecting the confidentiality and disclosure of personal information.
Online Privacy
No such legislation at present in the British Virgin Islands.