“Ew Part II: EU/US Reach Privacy Shield Agreement”

It’s been four months since the EU invalidated the Safe Harbor agreement that had been allowing US companies to transfer data into and out of the EU despite the EU’s more stringent privacy laws.  I wrote about that here.

In the ensuing clusterkerfuffle (trademarked term), US companies have scrambled to adopt policies incorporating the EU’s Model Contractual Clauses.  These clauses, however, have given rise to complicated issues of interpretation, particularly with respect to the distinction between “data processors” and “data controllers.”  These designations drive the applicability of particular clauses and dictate the range of responsibilities of parties dealing in EU data.  As companies have struggled to define themselves in this context, most have been holding out hope for a clearer, more streamlined arrangement akin to the prior EU/US safe harbor agreement.

Well, it’s here.  Sort of.

On February 2, 2016, the European Commission approved the “EU-US Privacy Shield.”  This arrangement requires the US to limit governmental access to EU data (even – er, especially – for national security purposes), and to set up a process whereby EU citizens can raise data privacy issues through a designated ombudsperson.  The new framework will require US companies to publish compliance policies, which sounds pretty similar to what had been required under Safe Harbor.  For businesses, it would therefore seem as though little will change from a practical standpoint.

But there’s still a long road ahead.  An “Adequacy Decision” is expected to issue later this month, with the EU’s Article 29 Working Party weighing in on that decision prior to formal adoption.  Even then, there are rumblings that Max Schrems (the guy who blew up Safe Harbor in the first place) is planning a legal challenge to the new Privacy Shield.  US companies therefore need to continue to rely on the Model Contractual Clauses.

With a relative dearth of actuarial data about the scope of losses, and with the increasing frequency and unpredictability of those losses, the unknowns in this context are already considerable.  The interesting, and unique, aspect of cyberinsurance, however, is that in addition to a rapidly evolving claim-facts landscape, the legal landscape is also far from settled.  All this at the cyberinsurance market enters its teenage years.  Hide the car keys, lock the liquor cabinet and stay tuned to the Ninja.