What Happens in the British Virgin Islands, Stays in the British Virgin Islands

On 13 April 2021, the British Virgin Islands (“BVI” or “Virgin Islands”) became the latest jurisdiction to enact a comprehensive information privacy law when the territory published the Data Protection Act, 2021 (the “DPA 2021” or the “Act”) in its Official Gazette. Despite being a territory of the United Kingdom, the Virgin Islands was not bound by Europe’s General Data Protection Regulation (“GDPR”). Unsurprisingly however, the DPA 2021 has much in common with the GDPR, including the overarching goal of balancing the necessity of processing personal data with protecting users’ privacy, and promoting transparency and accountability.

Scope:

The DPA 2021 applies to any person or entity that processes, or has control over or authorizes the processing of, personal data in connection with a commercial transaction, so long as that person either:

• Is established in the Virgin Islands and processes personal data, or employs or engages any other person to process personal data on their behalf, whether or not in the context of that establishment; or
  
  
• Is not established in the Virgin Islands, but uses equipment in the Virgin Islands for processing personal data other than for the purposes of transit through the Virgin Islands.

Core Provisions:

1. “Data Controllers” vs. “Data Processors.” Similarly to the GDPR, the DPA 2021 distinguishes between “data controllers,” those who determine the purpose and means of processing personal data, and “data processors,” those who process personal data on behalf of others. Much like the GDPR, the Act imposes heightened obligations on data controllers.
   
   
2. Data Processing and Transfer Restrictions. As a general matter, a controller may process “adequate but not excessive” amounts of personal information only with the express consent of the data subject, when such processing is for a lawful purpose directly related to an activity of the controller, and when it is necessary for or directly related to that purpose. Exceptions to the consent requirement include when processing is necessary for: the performance of a contract with the data subject, compliance with legal obligations, and protection of the data subject’s “vital interests.”
   
   Additionally, controllers may not transfer personal data outside of the Virgin Islands unless there are adequate safeguards, or if the data subject consents.
   
   The Act places additional restrictions on disclosing personal data to third parties, as well as processing “sensitive personal data,” such as information regarding a data subject’s physical or mental health, sexual orientation, political opinions, or religious beliefs.
   
   
3. Notice. Data controllers must provide notice to data subjects at the point of collection that describes, among other things, the purpose for processing personal data, the sources of personal data, the categories of third parties to whom the data controller shares personal data, and the data subject’s rights under the Act.
   
   
4. Data Subject Rights. The DPA 2021 grants data subjects several rights with respect to their personal data, including the rights to access and correct their personal data, withdraw their consent to process their data, and opt out of direct marketing communications.
   
   
5. Data security, integrity, and retention. Controllers must “take practical steps” to safeguard personal data, ensure that the personal data they process is accurate and up-to-date, and retain data for no longer than is necessary to fulfill the purpose for which it was processed, after which time the data should be deleted.
   
   
6. Office of the Information Commissioner. The DPA 2021 establishes the Office of the Information Commissioner, which will have the power to monitor, investigate, and enforce compliance with the Act.

Enforcement:

The DPA 2021 charges the newly established Information Commissioner with enforcement of the Act and provides for a private right of action for data subjects. Violations can result in fines of up to $500,000 for businesses as well as imprisonment for individual offenders.

Entry Into Force:

Although enacted by the legislature and “gazetted,” the DPA 2021 will not enter into force until a date appointed by a BVI Cabinet member, an event which itself will be announced in the Gazette. Moreover, different dates may be appointed for the entry of different provisions of the Act.

You can view the full text of the DPA 2021 here.

Goodwin's Chambersand Legal 500 ranked Data, Privacy and Cybersecurity practice offers a fully integrated, multi-disciplinary approach to clients' data protection needs.