A bitter legal battle is brewing between the Bermuda court-appointed Joint Provisional Liquidators (JPLs) of Custodian Life and the company’s former CEO, Joakim Samuelsson, over access to confidential client data. The case highlights a growing tension between international legal jurisdictions and the stringent data protection regulations of the European Union’s General Data Protection Regulation (GDPR).
In mid-2024, John Johnson and Ed Wilmott of Deloittes, acting as JPLs for Custodian Life, filed a court application demanding that Samuelsson, a Swedish national based in Sweden, hand over all confidential client data pertaining to approximately 2,000 insurance policy holders. What’s interesting is that this data is managed by JP Consulting AB, a Swedish company, placing it squarely under the jurisdiction of EU GDPR law.
Samuelsson maintains he received explicit instructions from a number of clients not to release their data to the JPLs. “My primary concern has always been the well-being and privacy of Custodian Life’s clients,” Samuelsson stated in a recent interview. “I had a legal and ethical obligation to respect their wishes and uphold GDPR regulations.”
The potential penalties for violating GDPR are severe, reaching up to €20 million. Despite this, the JPLs secured a court order, and Samuelsson was ultimately held in contempt of the Bermuda courts for non-compliance. Since then, according to sources close to Samuelsson, he has been effectively blocked from engaging with the Bermuda courts to protect his company.
Adding fuel to the fire, critics point to the substantial fees – reportedly over US$4 million over two years – charged by the JPLs, while, allegedly, failing to establish any collaborative agreement with Samuelsson for the benefit of Custodian Life’s policyholders. “It’s a classic case of ‘justice’ being served at a premium, but is it really serving the clients?” questioned one industry analyst familiar with the case.
But the GDPR saga doesn’t end there. In October 2024 and again in August 2025, the JPLs allegedly sent emails to Custodian Life’s clients, copying in all recipients – a move widely regarded as a blatant breach of confidentiality. To make matters worse, a number of competitor firms were reportedly included in these emails, effectively handing over a valuable client list to Custodian Life’s rivals.
“That single act could be interpreted as a catastrophic violation of GDPR,” explained privacy law expert Dr. Anya Sharma. “The fine alone could cripple the company, not to mention the reputational damage.”
The situation raises serious questions about the Bermuda courts’ and the JPLs’ understanding and respect for EU law. Some observers suggest a worrying disregard for client confidentiality in favor of self-serving actions. The contrast is stark when compared to recent GDPR enforcement actions, such as the €1.2 billion fine levied against Facebook for unlawful data transfers to the USA.
