The Risk Manager
The Latest News on Managing Your Risk
May 2016

INCREASED LIABILITY IN THE FACE OF UNCERTAIN DATA REGULATIONS
By Beata Aldridge

The new Privacy Shield and other proposed changes to European privacy regulations expand compliance obligations and increase the likelihood of facing enforcement actions.

In 2000, after the adoption of European Directive 95/46/EC, the European Commission and the US Department of Commerce agreed to the original Safe Harbor Framework, which allowed companies to transfer data from the European Union to the United States while remaining in compliance with EU privacy laws. In its October 2015 judgement in Maximillian Schrems v. Data Protection Commissioner, however, the European Court of Justice ("ECJ") invalidated the Safe Harbor Framework, based on concerns over widespread surveillance by the US government and the lack of adequate redress for European citizens in case of privacy violations in the United States. [1]

[1] Schrems v. Data Protection Commissioner, European Court of Justice, Case C-362/14, Oct. 6, 2015, http://curia.europa.eu/juris/document/document.jsf?docid=169195&mode=req&pageIndex=1&dir=&occ=first&part=1&text=&doclang=en&cid=1121183.

Additional Resources
For more information on how Beecher Carlson can help with your insurance needs please contact:
Christopher Keegan
646.358.8530
ckeegan@beechercarlson.com

ABOUT BEECHER CARLSON'S EXECUTIVE LIABILITY PRACTICE
Beecher Carlson's Executive Liability Practice is comprised of experienced and knowledgeable attorneys, brokers, and claims advisors dedicated to identifying your risks and best positioning you in the marketplace. Our forward-thinking practice was the first to provide revolutionizing analysis of our clients' Directors & Officers and Cyber risks.
The United States and the European Union have been in the process of negotiating a new framework for some time. In February 2016, the EU Commission unveiled a detailed draft of the proposed Privacy Shield, which would again allow the legal transfer of personal data from the European Union to the United States. [2] The European Commission has described the Privacy Shield as "impos[ing] stronger obligations on U.S. companies" and requiring the United States to "monitor and enforce more robustly, and cooperate more with European Data Protection Authorities." [3] The new framework, broadly described, includes the following requirements:

- Greater transparency from US companies
- Increased oversight from the FTC, US Department of Commerce, European Data Protection Authorities ("DPAs"), and other US government agencies
- Increased threat of sanctions or exclusion of non-compliant companies
- More restrictive conditions for onward transfers of data

What Do These Changes Mean in Practice?

The new Privacy Shield is actually substantially similar to the Safe Harbor in a number of ways. [4]

- Companies still self-certify.
- Companies must cooperate with the European National Data Protection Authorities.
- It shares the same methods and standards for verification of compliance (e.g. self-assessment or outside review).
- It shares certain exceptions for journalistic contexts, secondary liability for ISPs, and data handled in the course of due diligence and audits.

There are, however, several important differences that may translate to increased compliance obligations and heightened legal exposure.

[2] European Commission, Implementing Decision, para. 12-13, p. 3 [hereinafter "Privacy Shield"], http://ec.europa.eu/justice/dataprotection/internationaltransfers/adequacy/index_en.htm, February 29, 2016. The Commission finds that the Privacy Shield would ensure an adequate level of protection for personal data and that it would meet the standards laid out by the ECJ in Schrems. Id. 112-116.
[3] European Commission, EU-U.S. Privacy Shield Fact Sheet, February 2016, http://ec.europa.eu/justice/dataprotection/files/factsheets/factsheet_euus_privacy_shield_en.pdf.
[4] Compare Commission Decision No. 2000/520/EC (Safe Harbor Framework), 2000 O.J. L 217/7, Annex II FAQ 7, http://eurlex.europa.eu/legalcontent/en/all/?uri=celex:32000d0520, with Privacy Shield, Supplemental Principle on Verification, Annex II, p. 14-15 (nearly identical texts).
1. Increased notice and access requirements

In addition to information about the types of data collected and the purpose of its collection, organizations must also publish detailed information about their adherence to the Privacy Shield Principles, the independent and governmental recourse mechanisms available to individuals, and the personal information required to be shared with local authorities in response to lawful requests. Previously, when discussing the obligation to provide an individual with access to his or her own data, the Safe Harbor emphasized balancing the cost to the company against the risk of a privacy violation. The Privacy Shield instead emphasizes an individual's right to access, verify, and correct his or her data, allowing fewer situations under which a company may restrict an individual's access.

2. Increased restrictions on the onward transfer of data

Contracts (or binding corporate agreements) are now obligatory for all onward transfers of data, whether the data is being transferred purely for processing to an agent or to another controller. The contracts must provide the same level of protection as the Privacy Principles and ensure that the data will be used only for limited and specified purposes consistent with the individual's consent. Where before such contracts would effectively insulate Safe Harbor-compliant companies from liability in the event that data was mishandled by a third party, companies now remain liable for the actions of third-party recipients of the data and must affirmatively prove that they are not responsible for the violation.

3. Increased number of redress mechanisms for European citizens

Companies must respond to complaints received directly from European citizens within forty-five days. They must also provide an independent dispute resolution mechanism free of charge. [5] Consumers may also refer complaints to their national DPA or other privacy protection organizations, which may then work directly with the company to resolve the complaint or further refer the complaint to the Department of Commerce. With the passage of the Judicial Redress Act in February 2016, [6] European citizens now also have the same rights as American citizens to judicial redress in the case of privacy breaches. [7]

4. Increased role of the FTC and Department of Commerce in administering and enforcing the Privacy Shield

The Department of Commerce, the FTC, and the Department of Transportation have all committed to greater efforts in monitoring and enforcing compliance with the Privacy Shield. Before any companies are placed on the Privacy Shield list, the Department of Commerce will verify that their self-certification submissions are complete. The Department will also engage in stronger monitoring of compliance with existing Safe Harbor orders.

[5] Previously, this recourse mechanism was only required to be "affordable." Safe Harbor FAQ 11, p. 22.
[6]
[7] It is also an important piece of the negotiations for the Umbrella Agreement between the EU and the US, which will govern the transfer and sharing of personal data for law enforcement.
The Privacy Shield has also more explicitly expanded the scope of enforcement to other government agencies within the United States. Where the Safe Harbor focused mainly on enforcement of the framework under Article 5 of the Federal Trade Commission Act or a similar statute, the Privacy Shield focuses on enforcement by the FTC, the Department of Transportation, "or other appropriate enforcement agency." This language may potentially extend the power to bring claims of deceptive business practices for violations of the Privacy Shield to state authorities as well as other federal agencies.

Possible Changes to Liability

Under the new framework, companies may face a greater possibility of legal exposure due to US regulators' commitment to be more proactive about enforcement of the Privacy Shield, the increased role of EU regulators in monitoring and resolving complaints, and the increased ability of European citizens to inform authorities and pursue private actions. Organizations will need to review the language in their technology E&O policies to determine whether non-compliance with the Safe Harbor or the Privacy Shield requires notification of insurers. They should also review policies to ensure that regulatory investigations by both US and EU authorities are covered, and make sure that the definition of a "claim" includes alternative dispute resolution proceedings.

What Should Companies Do in the Meantime?

The Privacy Shield has still not received final approval. Until a new framework is finalized, companies may rely on other data transfer mechanisms to ensure the protection of personal data, like model contract clauses [8] and binding corporate rules. National DPAs have indicated that alternative data transfer mechanisms will not be contested for the time being and that any complaints will be considered on a case-by-case basis. If the situation remains unresolved for long, however, organizations may face the challenge of complying with varying national standards and possible enforcement actions from multiple authorities. [9]

Companies should also keep in mind that they are still obligated to protect any data previously transferred under the Safe Harbor that is still stored by the company in the United States. They also need to review onward transfer agreements and make sure that contracts with third-party vendors ensure an adequate level of protection for personal data.

[8] The DPAs have stated that they will not contest existing alternative data transfer mechanisms for the time being; however, Schrems has filed legal challenges to Facebook's use of model clauses.
[9] In the Schrems ruling, the ECJ made it clear that national DPAs were not required to accept the adequacy determinations of the EU Commission and that they still had the right to suspend data transfers to countries deemed to violate their data privacy standards.
Continuing Changes to the Regulatory Landscape

The Article 29 Working Party has criticized the Privacy Shield [10] and wants to insert a revision clause that would allow the Privacy Shield to be updated as European data privacy regulations evolve, meaning that compliance obligations for US enterprises could also be continually evolving. Even if the Privacy Shield is eventually adopted, it is likely that it will face immediate legal challenges. [11]

Moreover, the EU Commission has also recently adopted a new General Data Privacy Regulation (GDPR) that will supersede Directive 95/46/EC, taking effect in 2018. [12] The GDPR contains new, additional requirements that may invalidate all current data transfer mechanisms; even if the Privacy Shield passes in its current form, companies may again need to modify their data transfer mechanisms within the span of a few years. Remaining compliant with the Safe Harbor and Privacy Shield will make it easier for organizations to adapt to any new changes.

[10] The criticisms relate more to mass U.S. government surveillance than to the handling of consumer data by commercial enterprises.
[11] These challenges may come both from activist DPAs as well as from consumer groups. The German DPA has said that he finds it doubtful that the Privacy Shield will meet the high level of requirements the ECJ postulated in the Schrems ruling. David Meyer, Privacy Shield Legality "Rather Doubtful," Says German DPA, THE PRIVACY ADVISOR, Mar. 21, 2016, https://iapp.org/news/a/privacy-shield-legalityrather-doubtful-says-german-dpa/ (quoting Johannes Caspar).
[12]

This article is intended for informational purposes only. It is not a guarantee of coverage and should not be used as a substitute for an individualized assessment of one's need for insurance or alternative risk services. Nor should it be relied upon as legal advice, which should only be rendered by a competent attorney familiar with the facts and circumstances of a particular matter.

Copyright Beecher Carlson Insurance Services, LLC. All Rights Reserved.