Concerns regarding data security and privacy are changing the way international companies do business. Amazon, for example, has recently announced that it will open a large data centre in Frankfurt to allow German customers of its cloud computing business to have data hosted in Germany, rather than on one of Amazon’s network of international data centres.
This is just the latest in a growing trend to localise the storage and regulation of data following the Snowden revelations of June 2013, which disclosed that the US government had been indiscriminately monitoring the personal data of non-US citizens held by US companies (the PRISM mass surveillance programme).
One of the most important implications of PRISM from an EU data security perspective is that it has brought into question the “safe harbour” regime under which US companies are permitted to process the data of EU citizens.
This article explains the current safe harbour regime, what might change and what that might mean for insurers.
Safe harbour – what is it?
The 1995 Data Protection Directive prohibits the transfer of personal data to a country outside the European Economic Area unless the receiving country guarantees adequate levels of protection for that data (Article 25(1)). The main way in which this is achieved for transfers to the US is the so-called “safe harbour” arrangement agreed between the US and the EU in 2000.
Safe harbour sets out a number of principles which are essentially designed to ensure that US companies adhere to standards equivalent to those applying to EC data processors. A key concern, however, is that although safe harbour is nominally policed by the US Federal Trade Commission, US companies are allowed to self-certify their compliance with the principles. Given that companies cannot both adhere to the safe harbour principles and allow the indiscriminate access to personal data required under the PRISM programme, it appears that the safe harbour rules are being widely flouted, and questions have arisen regarding US companies’ willingness to ignore the safe harbour principles for reasons unconnected to national security.
What is happening now and what might change?
The initial European reaction to the PRISM disclosures was vociferous; the European Parliament Committee on Civil Liberties, Justice and Home Affairs (LIBE) produced a report criticising the safe harbour regime, culminating in a motion in June 2013 inviting the European Commission to reverse or suspend the safe harbour arrangement. In November 2013, the European Commission issued a statement identifying 13 recommendations to improve the effectiveness of the safe harbour framework. The key recommendations were that EU citizens should have the same privacy rights, and the same ability to enforce those rights, as US citizens, and that the extent to which that data can be monitored for national security reasons should be limited.
At present the European Commission is engaged in talks with the US administration regarding reform of the safe harbour regime. The two critical aspects of those negotiations are:
- allowing EU data subjects, who are not resident in the US, to enforce regulations in the US courts; and
- ending indiscriminate mass surveillance of non-US residents.
Progress was made on the first of those points in July 2014 when it was agreed in principle that the US would allow the direct enforcement of privacy rights by EU citizens. Progress on the second issue has been slower. Mass surveillance is currently under discussion in the US. The US government has suggested that reforms to the mass surveillance of non-US citizens will be announced in the autumn, and the European Commission (EC) has extended the summer 2014 deadline for progress on this issue in order to consider the US proposal.
Given the sums at stake, it seems difficult to conceive that the safe harbour regime would be allowed to fail. However, we understand that not just the European Parliament but also the Commission considers an end to indiscriminate mass surveillance of EU citizens to be a “red line” issue, so it seems a real possibility that a more fundamental rethink of the safe harbour regime may occur.
Implications for insurers
Whatever the outcome of the current round of talks between the EU and the US, there will be greater regulatory burdens on US companies and multinationals that engage in significant cross-border data transfers.
Those pressures, together with consumer pressure (a recent study by the Information Technology and Innovation Foundation found that US cloud companies were losing 20%, or $35bn, in revenue due to customer concerns regarding data security), are placing greater emphasis on the geographical location of data and adding to the regulatory burden on companies by making national data protection regulation outside the US more relevant. This in turn could drive demand for cyber risk insurance outside the US.
As well as driving the localisation of data, this trend is also likely to make breaches harder and more complex to deal with, since they seem increasingly likely to involve technical and regulatory issues in multiple jurisdictions.