DLA Piper Intelligence

Data Protection
Laws of the World

Law

British Virgin Islands
British Virgin Islands

There is currently no formal legislation regulating data protection in the British Virgin Islands (BVI) however, the BVI Government has pledged the promulgation of suitable data protection legislation, based on internationally recognised standards, to be enacted in the near future.

English Common law is persuasive (although not binding) in the BVI and accordingly, a BVI Court will recognise and subscribe to the Common law duties of confidentiality and privacy. In essence, a person's details will need to be kept confidential provided an appropriate and satisfactory exception applies. Moreover, the duty of confidentiality has been statutorily codified in various aspects of BVI legislation, in particular the Banks and Trust Companies Act, 1990 (as amended) which regulates all banking and trust/ fiduciary related activities in the BVI.

In terms of specific exceptions, limitations on the duty of confidentiality and privacy would arise in terms of appropriate anti money laundering legislation (primarily regulated by the BVI Proceeds of Criminal Conduct Act, 1997 and the Anti Money Laundering Regulations, 2008).

Last modified 24 Jan 2017
Law
British Virgin Islands

There is currently no formal legislation regulating data protection in the British Virgin Islands (BVI) however, the BVI Government has pledged the promulgation of suitable data protection legislation, based on internationally recognised standards, to be enacted in the near future.

English Common law is persuasive (although not binding) in the BVI and accordingly, a BVI Court will recognise and subscribe to the Common law duties of confidentiality and privacy. In essence, a person's details will need to be kept confidential provided an appropriate and satisfactory exception applies. Moreover, the duty of confidentiality has been statutorily codified in various aspects of BVI legislation, in particular the Banks and Trust Companies Act, 1990 (as amended) which regulates all banking and trust/ fiduciary related activities in the BVI.

In terms of specific exceptions, limitations on the duty of confidentiality and privacy would arise in terms of appropriate anti money laundering legislation (primarily regulated by the BVI Proceeds of Criminal Conduct Act, 1997 and the Anti Money Laundering Regulations, 2008).

Last modified 24 Jan 2017
Definitions

Definition of personal data

No specific definition at present.  Data Protection Bill to be promulgated in the near future which will contain definitions as appropriate.

Definition of sensitive personal data

No specific definition at present.  Data Protection Bill to be promulgated in the near future which will contain definitions as appropriate.

Last modified 24 Jan 2017
Authority

No specific data protection authority at present pending promulgation of data protection legislation in the near future. The Courts of the BVI would be guided by English Common law duties of confidentiality and privacy. Moreover, the Financial Services Commission (the 'Commission') regulates the fiduciary and trust business sectors, pursuant to the Banks and Trust Companies Act, 1990 (as amended).

Last modified 24 Jan 2017
Registration

No specific mechanisms of registration pending the promulgation of data protection legislation in the near future.

Last modified 24 Jan 2017
Data Protection Officers

There is presently no requirement for the appointment of data protection officers in the BVI.

Last modified 24 Jan 2017
Collection & Processing

Entities, which manage and maintain personal information data will be subject to the Common law duty of confidentiality. From a fiduciary/trust perspective, licensees are under a general obligation to maintain the privacy and confidentiality of a client’s personal information unless specific permission is granted for its release or dissemination to third parties. This obligation may however be limited pursuant to the requirements of appropriate anti money laundering legislation/regulations.

From a corporate perspective, the Registrar of Corporate Affairs (the 'Registrar') is able to release only limited information regarding the particulars of any registered company including the name, type of company, the date of registration/incorporation, the address of its registered office and the status of the company. Accordingly, details of shareholders and directors are not available for public inspection (unless specifically authorised and filed by the company itself). Except where assistance to law enforcement agencies to combat illicit activity is mandated or authorised, disclosure of information by government officials, professional agents, attorneys and accountants and their employees is prohibited.

Last modified 24 Jan 2017
Transfer

Transfer of data to third parties would be subject to the Common law duty of confidentiality (which may include a statutory duty (where the Common law duty of confidentiality has been codified) depending on the nature of data being transferred). A transferor would need to ensure that appropriate measures have been taken in order to obtain the necessary consents/ approvals prior to such data being disseminated.

On 1 September 2014 the Computer Misuse and Cybercrime Act, 2014 came into force which regulates and penalises the unauthorised transfer and dissemination of information stored on a computer.

The Commission is under a general obligation of confidentiality but has the power to disclose in certain circumstances, including disclosure to foreign regulators in approved jurisdictions of information necessary to enable the regulator to exercise similar functions to those exercised by the Commission. However, before doing so, the foreign regulator is required to undertake that the information will not be transmitted to any other person without the prior written consent of the commission.

Last modified 24 Jan 2017
Security

There are no formal statutory security measures currently in place (pending the promulgation of appropriate data protection legislation in the near future), however the holder would be subject to a general obligation to ensure the technical and organisational safeguarding of such confidential information and personal data.

Last modified 24 Jan 2017
Breach Notification

There is no current mechanism or requirement in place to report data security breaches in the British Virgin Islands.

Last modified 24 Jan 2017
Enforcement

Presently, the Commission and the BVI Courts will be tasked with the enforcement of data protection and confidentiality related matters (insofar as applicable pending promulgation of appropriate data protection legalisation).

Last modified 24 Jan 2017
Electronic Marketing

No formal electronic communications regulations or legislation currently in place however, the Telecommunications Act (No 10 of 2006) regulates the telecommunications industry in the British Virgin Islands and provides sanctions protecting the confidentially and disclosure of personal information.

Last modified 24 Jan 2017
Online Privacy

No such legislation at present in the British Virgin Islands.

Last modified 24 Jan 2017
Contacts
Alan Hughes
Alan Hughes
Senior Associate
T +1 284 494 4030
Last modified 24 Jan 2017