Although the British Virgin Islands have long been considered a privacy haven thanks to the country’s lack of data retention laws, there was no formal law providing adequate data protection safeguards until very recently. Thankfully, BVI privacy laws have changed with the passing of the Data Protection Act (DPA) in 2021.
Key Takeaways: British Virgin Islands Privacy Law
- The DPA is the BVI’s foremost piece of data protection legislation, meant to protect personal data belonging to BVI citizens.
- The DPA covers all data controllers processing personal data, regardless of whether that data belongs to a BVI citizen or not.
- Personal data collected must be processed in a fair and transparent manner, with adequate security measures defined by the DPA.
- Under the DPA, a data processor cannot collect or process a data subject’s personal data without prior express consent.
The DPA protects personal data of BVI citizens from being collected and processed without express consent. It also protects citizens of other countries whose data is processed by a company based in the BVI. Read on to learn more about the DPA and other privacy laws in the BVI.
Although the GDPR does not apply to the BVI, the country has its own privacy law modeled on it. While more loosely defined, the BVI’s Data Protection Act covers the same categories of data as the GDPR, and its effects reach beyond the borders of the island country to anyone using a service based there.
As a British overseas territory, the BVI follows English common law. However, the country is self-governing, and its laws are a mixture of U.K. laws intermingled with some international laws, as well as its own local legislation.
The BVI Consumer Protection Act aims to protect consumers from unfair business practices by establishing adequate safeguards on product safety, unfair contract terms and misleading advertising or marketing material. The law also provides mechanisms for consumers to seek redress, and aims to promote fair competition in the BVI.
The History of BVI Privacy Laws
The BVI was previously known for having no data retention laws. However, even then, it had two major privacy laws that protected sensitive financial data: the Financial Services Commission Act of 2001 and the BVI Business Companies Act of 2004. There’s also the 2019 Consumer Protection Act that covers some of the same ground as the later DPA.
The BVI Data Protection Act (DPA)
The BVI’s Data Protection Act was first proposed in 2019 with the intent to bring the archipelago’s privacy in line with U.K. and EU standards. It was formally passed in April 2021 and came into force on July 9 of the same year.
Based on the EU’s General Data Protection Regulation (GDPR), it follows many of the same data protection principles and uses definitions similar to those of the landmark European law. Its main purpose is to protect the sensitive personal data of individuals living in the BVI, as well as to manage the collection and processing of personal data by BVI data processors.
Under the data protection principles of the DPA, a data controller must request access before processing a data subject’s personal data. A data access request must be clearly worded and the data subject must provide express consent to the processing of data.
Throughout this article, we’ll be using some jargon that you’re probably unfamiliar with (unless you’ve read our GDPR article), so let’s define some of the terms that the DPA uses:
- Personal data — Any data that can identify you as an individual, either directly or indirectly, when combined with other data
- Data subject — Any person having their personal data processed
- Data user or data controller — Any company, organization or other public or private body that collects and stores personal data and processes it themselves or with the aid of a separate data processor
- Data processor — Any company, organization or other entity that processes personal data (an entity can be a processor and controller at the same time)
- Sensitive personal data — Any personal data relating to a data subject’s physical or mental health, sexual orientation, political opinions, religious beliefs and committed, or allegedly committed, criminal offenses
What Is the DPA For?
The DPA is meant to protect the personal data of BVI data subjects from unauthorized and unethical processing. It also prevents companies based in the BVI from gaining unauthorized or accidental access to their data subjects’ personal data, no matter where those subjects are.
Like the GDPR, the DPA regulates data processors to both uphold the right to privacy and to promote increased transparency and accountability for companies using data unethically.
What Data Does the DPA Cover?
The DPA covers all identifiable personal data, meaning data that can be used to identify an individual. This includes directly identifying information such as your name, home address, email address, ID number and so on. It also includes indirectly identifying information, like your date of birth, postal code, IP address, license plate information and geolocation data.
Sensitive personal data, the category we described above, is also covered. Our article on data anonymization has more information about how personally identifying data can be used to harm you and why its protection is so crucial.
It’s important to note that the law speaks of these terms as relating to commercial transactions. It defines commercial transactions as “any transaction of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing and insurance.”
Thus, the data collected must have a lawful purpose directly related to the service provided by the data controller, especially if they’re processing sensitive personal data.
Who Is Covered by the DPA?
The DPA protects people residing within the BVI whose data is processed by a data controller that’s incorporated in the BVI or any other country. It also explicitly states that data subjects not residing in the BVI, but whose data is processed by a BVI-based data controller, are also protected by the law.
This means that BVI-based companies, like ExpressVPN, must abide by the law and handle your data in a responsible and transparent manner. You can read our ExpressVPN review if you’re interested in learning more about the best VPN service.
What Are the Consequences For Breaking the DPA?
The penalties for breaching the DPA can vary, depending on the severity of the breach. The Information Commissioner’s Office (ICO) is responsible for overseeing how the DPA is implemented and determines the penalties.
If a company fails to meet its legal obligation under the DPA, the ICO first issues a notice of compliance. Failure to comply will lead to prosecution. If convicted, a data controller might face penalties of up to $100,000, up to five years imprisonment or both.
For sensitive data processed without a lawful basis, the data controller could face a maximum penalty of up to $200,000, imprisonment of up to two years or both.
In cases where a corporate entity is found to be in breach, a director, company secretary or similar officer may also be held liable. The corporate body could also face fines of up to $500,000.
Final Thoughts: BVI Personal Data Protection
The BVI’s Data Protection Act protects the sensitive personal data of anyone living there, as well as anyone doing business with a company headquartered in the Caribbean country. Based on the GDPR, it provides a great level of protection for your personal data whenever you use a BVI-based service, such as Surfshark (read our Surfshark VPN review).
Do you use any services based in the BVI? Are you traveling there soon? If so, you should rest assured that your data is handled securely. Let us know your thoughts on the BVI’s privacy laws in the comments below, and as always, thank you for reading.