Data Protection Considerations For Insurers Post-Brexit
On Dec. 31, the Brexit transition period ended, and the U.K. formally exited the European Union.
Perhaps surprisingly, despite such a seismic shift in the U.K. constitution, the key principles of U.K. data protection law remain fundamentally unchanged.
This is partly due to the U.K.’s wider obligations under international law stemming from the U.K.’s membership in the Council of Europe, and also because the U.K. still needs to secure an EU adequacy decision in an effort to avoid significant impact on U.K. companies that rely on international data flows for their business.
Companies operating inside the U.K. are still required to comply with U.K. data protection law, in the form of the existing Data Protection Act and the new U.K. General Data Protection Regulation, which incorporates the key data protection principles, rights and obligations of the EU GDPR.
As a result, for companies operating only in the U.K., leaving the European Union has so far had little practical impact upon their data protection obligations, although such companies must be aware that there remains a possibility of future divergence.
Nonetheless, for companies that operate in both the U.K. and the European Economic Area (i.e. the 27 EU member states plus Iceland, Liechtenstein and Norway), either by offering goods or services to individuals in the EEA or by monitoring those individuals, Brexit imposes additional data protection burdens.
This is because such companies are now required to comply with both the U.K. GDPR and the EU GDPR, resulting in additional expenses and potential liabilities for such companies and their insurers, discussed below.
The End of the One-Stop Shop
The Information Commissioner’s Office is no longer the regulator for any European-specific activities caught by the EU GDPR because the EU GDPR’s one-stop shop mechanism no longer includes the U.K.
As a result, in the event of a large data breach incident impacting data subjects in the U.K. and EU, a company with operations in the U.K. and the EEA would now be required to notify both the ICO and the lead EU data protection authority, and such a company may also be liable for two separate fines or penalties under the two regimes.
Moreover, if a business is unable to demonstrate a main establishment in an EEA country, then — in the event of a large data breach — they may have to notify (and then cooperate with inquiries from) regulators in every relevant EEA country plus the U.K., leading to potentially significant expenses for businesses and their insurers to engage experts in all relevant jurisdictions to defend against such proceedings.
U.K. and EU Representatives
U.K. companies must consider whether they should appoint an EU representative if they are offering goods or services to individuals in the EEA or monitoring the behavior of individuals in the EEA.
Likewise, if a business is located anywhere outside of the U.K. with no offices, branches or other establishments in the U.K., and is offering goods or services to individuals in the U.K. or monitoring the behavior of individuals within the U.K., then such a business must consider whether to appoint a U.K. representative.
As such, it is imperative for multinational corporations to reassess their obligations in the U.K. as well as the EEA, to avoid potential liability for violations of both U.K. and EU data protection law.
Data Transfer Restrictions
The U.K. government is currently seeking adequacy decisions from the European Commission under both the EU GDPR and Law Enforcement Directive, to allow for the free flow of personal data to the U.K. from the EEA to continue uninterrupted.
The EU recently agreed to delay restrictions on the transfer of EEA personal data to the U.K. until June 30, enabling personal data to flow freely from the EEA to the U.K. until either adequacy decisions are adopted or the bridge ends.
In the meantime, the ICO recommends that U.K. companies that receive personal data from the EEA put alternative safeguards in place, such as standard contractual clauses, before the end of April 2021, resulting in potentially significant compliance costs for U.K. companies.
At the end of the bridge period, unless the EU has made adequacy decisions, transfers of data from the EU to the U.K. will be subject to local transfer requirements in the sender’s country, and companies may find that their European partners ask them to comply with additional safeguards to ensure that data can continue to flow into the U.K.
U.K. companies should therefore consider whether they need to introduce additional safeguards to ensure they can continue receiving personal data from the EEA, or risk liability for violations of both EU GDPR and their commercial contractual provisions at the end of the bridge period.
Considerations for Insurers
In an effort to mitigate their potential additional data exposures, we recommend insurers offering coverage to U.K. and multinational businesses consider the following:
- Insurers should consider whether amendments are required to their existing policy wordings to reflect the changes to data protection laws following Brexit. In particular, where the EU GDPR is referred to, the wording may need to be updated to reference the U.K. GDPR as well as the EU GDPR, and to reflect other U.K. GDPR terminology differences.
- The underwriting process may require additional inquiries, for example: to find out whether companies operate solely in the U.K. and, if not, whether they have registered their main EU establishment with the relevant EU regulatory authority; to determine where a company’s data protection is controlled; and/or to confirm that a business has updated its client and vendor contracts to address international data transfers.
- Insurers should be prepared for additional exposure to the costs of complying with additional regulatory obligations in the U.K. and EU and of defending against inquiries from multiple regulators with contrasting approaches, and must consider the potential for fines/penalties from both the U.K. and EU.
- Cyber insurers should work with their insureds to identify suitable breach response experts in all potentially relevant European jurisdictions.
- Insurers should ensure their own vendors are both U.K. GDPR and EU GDPR compliant and have the appropriate contractual provisions in place to deal with international data transfers.