August 10, 2016

Data Privacy - Finding safe harbour in new data privacy shield

The adoption of the EU-US Privacy Shield should be welcomed by insurers.

Data transfers between EU- and US-based companies have been in a state of flux since last year when the Safe Harbour scheme was invalidated by the Court of Justice of the EU in Maximillian Schrems v Information Commissioner, following a case brought by the EU privacy champion, Max Schrems.

At the time, the scheme was one of the main mechanisms used by EU- and US-based companies to transfer data to the US in compliance with EU personal data protection rules. EU companies that had relied on the Safe Harbour scheme and wished to continue transferring data to the US following the Schrems decision were required to put in place alternative data transfer mechanisms.

On July 12, the European Commission adopted a replacement to the scheme known as the EU-US Privacy Shield. Similar to the Safe Harbour scheme, it is a self-certification system whereby US organisations commit to a set of privacy principles, the idea being that these privacy principles meet EU personal data protection rules and are guaranteed through a number of safeguards.

The increased safeguards under the EU-US Privacy Shield, introduced in response to the Schrems decision, include: stronger obligations on US companies handling EU data; increased redress mechanisms for European citizens who consider that their data has been misused; and written assurances from the US that the use of data by US government authorities will be subject to clear limitations and safeguards, with complaints relating to data use by US government authorities now being dealt with by an independent Ombudsman.

As from August 1, 2016, US organisations are able to self-certify. An organisation wishing to self-certify is required to make certain privacy information publicly available, including a privacy policy, contact details for handling complaints and subject access requests, and details of the independent redress mechanisms.

The adoption of the EU-US Privacy Shield should be welcomed by insurers as it restores a self-certification data transfer mechanism. However, two expected challenges to the new mechanism are already on the horizon, which creates uncertainty as to whether the mechanism will hold up to scrutiny.

Firstly, the Article 29 Working Party, the independent advisory body made up of representatives from all the EU data protection authorities, was heavily critical of a previous draft of the EU-US Privacy Shield and will shortly provide its opinion on the final version. Although not binding, a similar critical opinion may cause insurers to treat the mechanism with caution.

Secondly, the validity of the EU-US Privacy Shield is likely to be challenged in the courts, perhaps even by Max Schrems, since many observers do not feel it has gone far enough in addressing the issues that led to the invalidation of the Safe Harbour scheme.

While some insurers may wish to use alternative transfer mechanisms, these are not without disadvantages. For example, model contract clauses are a heavy administrative burden and are currently subject to challenge by Max Schrems on grounds similar to those which resulted in the Safe Harbour scheme being held to be invalid.

Insurers should continue to monitor developments in the area of EU-US data transfers alongside their preparations for the General Data Protection Regulation, which will enter into force in the UK and elsewhere in Europe in May 2018 and is the biggest change in the European data protection landscape for more than a generation.