The insurance impact of the Schrems v Facebook case


The decision of the Court of Justice of the European Union in the Schrems v Facebook case is regarded as one of the most significant recent developments in data protection law, write Norton Rose Fulbright partner Ffion Flockhart and associate Steve Hadwin.

Not only will it have an impact on those insurers that are active in the cyber insurance market, it will also affect any insurer that currently transfers data into the United States.

Safe Harbour

In broad terms, the basic position under EU data protection law is that personal data may only be transferred to countries outside the European Economic Area if an adequate level of data protection is in place. Organisations transferring data are therefore required to ensure that this requirement is satisfied.

In 2000, an EU-US safe harbour framework was put in place to facilitate the transfer of personal data from the EU to the US. Under this framework, US companies were deemed to meet EU data protection requirements as long as they self-certified that the personal data they received from the European Economic Area and Switzerland was handled in accordance with the safe harbour principles.

This made the transfer of personal data from the EU to the US a relatively straightforward process, which organisations could carry out with little fear of breaching European data protection laws.


In response to a legal challenge regarding the transfer of personal data to the US brought by Max Schrems, an Austrian privacy campaigner, the Court of Justice of the European Union ruled the safe harbour framework to be invalid, essentially on the basis that it did not ensure an adequate level of data protection. The effect of this decision is that, with immediate effect, organisations can no longer rely on the safe harbour framework as a legal ground for exporting personal data to the US.

Instead, organisations will need to justify transfers of data on alternative grounds, such as the use of the European Commission's model data protection clauses in contracts between the data exporter and the recipient of the data in the US, or reliance on specific derogations (such as the data subject's consent) from the general requirement that adequate data protection be in place. It appears, however, that the Schrems decision has also cast doubt over the adequacy of some of these alternative forms of protection.

While steps are being taken to agree and implement ‘safe harbour 2.0’ - a revised version of the previous framework which would satisfy EU law requirements and would allow organisations to rely on the framework once again - there is presently a degree of uncertainty over whether organisations that transfer data from the EU to the US can fully comply with their data protection obligations.

This could leave those organisations exposed to regulatory investigations and/or penalties. Claims may also be brought by data subjects, who may have rights under national law to claim compensation where the organisation has breached its legislative obligations in relation to data protection.

While data protection regulators are not expected to pursue aggressively those organisations that previously relied on the safe harbour framework, the fact remains that, for now at least, organisations transferring data from the EU to the US face a greater liability risk than was previously the case.

Impact on insurers?

In light of Schrems, any insurer that transfers data from the EU to the US will need to consider whether it is still complying with data protection legislation in the EU jurisdictions in which it is active.

As well as a heightened own-account liability risk, insurers writing business in the cyber market will need to consider the impact that Schrems will have on the risk profile of their insureds. The costs of dealing with regulators are likely to be covered under many cyber policy forms, so insurers may need to consider whether more claims under this type of cover are to be expected in the near future.

Cyber insurers may also wish to review their underwriting practices when writing new cyber business, in order to obtain information on the steps potential insureds are taking to deal with the requirements they face post-Schrems. Pricing may need to be revisited to reflect the increased liability risk, and policy wordings may need to be reviewed so that insurers can ascertain whether the scope of the liability risks being underwritten matches their intentions.

While all insurers with a connection to the US should carefully consider their own-account position in light of Schrems, insurers in the cyber market should pay particularly close attention to the decision – as well as to any replacement to the safe harbour framework which is eventually agreed upon.