I. Core Principles of the Privacy Shield
In order for a U.S. company to take advantage of the ability to receive personal data from the EU through compliance with the Privacy Shield, it must certify its compliance with the Privacy Shield’s principles with the U.S. Department of Commerce (the “DOC”). While certification is completely voluntary, any company that certifies compliance with the Privacy Shield will be subject to enforcement action either by the U.S. Federal Trade Commission (the “FTC”) or the U.S. Department of Transportation (the “DOT”), depending on whether either entity exercises jurisdiction over the certifying entity.
II. Privacy Shield Application to Insurance Companies
- An individual’s right to be informed. The company must inform every individual whose personal information is being collected about (i) the type of data being processed, (ii) the reasons for why such data is being processed, (iii) whether and why such data will be further transferred to another company, (iv) the right to access one’s personal data, (iv) information regarding certain “opt-in” and “opt-out” rights with respect to particularly sensitive data, (v) how to contact the company, (vi) enforcement mechanisms, (vii) the responsible U.S. agency for enforcing the Privacy Shield, and (viii) the possibility of required disclosure of personal information to U.S. public authorities.
- Limitations on data usage. Collected data may only be used for the purposes in which it was originally collected; if such data is used in a related but materially different manner, the individual must give consent if such data is particularly sensitive.
- Temporal limitations. A company may only keep collected data as long as necessary and must ensure that such data is always accurate.
- Data security. All data must be secured against loss, misuse, unauthorized access, disclosure, alteration and destruction.
- Protection of data when subsequently transferred. Any transferee of personal data must enter into a contract with the transferor guaranteeing the same level of protection that the transferor is required to provide to such data under the Privacy Shield, as well as agree to inform the transferor when it cannot continue to meet its obligations, in which case the transferee must halt using all transferred data.
- Individual’s right to access its personal information. All individuals who have had their information transferred to a certifying entity have the right to request access to their data.
- Individual’s right to file a complaint for remedial action. All individuals who have had their information transferred to a certifying entity are entitled, at no additional charge, to an independent recourse mechanism to investigate complaints, including through a dispute resolution body, the DOC, and the FTC or DOT as applicable.
While the Privacy Shield framework undoubtedly provides enhanced protection for individuals who are exposed to data collection and transfer, no company can avail itself of the Privacy Shield’s negotiated compliance with EU law unless it self-certifies with the DOC. Unfortunately for insurance companies, the self-certification process is, in most instances, foreclosed.
The DOC website provides guidance to assist companies in the self-certification process. Critically, the DOC notes that “[a]ny U.S. organization that is subject to the jurisdiction of the [FTC] or the [DOT] may participate in the Privacy Shield. The FTC and DOT have both committed that they will enforce the Privacy Shield Framework.”1 Regardless of whether an entity complies with the principles of the Privacy Shield, EU recognition will only be granted if the applicable entity is subject to FTC or DOT jurisdiction through the self-certification process.
The DOT’s jurisdiction extends exclusively to air carriers, leaving the FTC as the potential agency to enforce Privacy Shield certifications by insurers. When considering whether an insurance company may self-certify, the DOC notes that “the FTC’s jurisdiction with regard to insurance activities is limited to certain circumstances.”2 In practice, the FTC will rarely have the ability to exercise its enforcement powers over insurers. Only a company that both conducts the “business of insurance” and has such activity or activities directly regulated by state law will be exempt from FTC jurisdiction.3 Because the insurance sector is heavily regulated on the state level, in practice, an insurance company will rarely encounter a scenario where FTC jurisdictional oversight would be appropriate for purposes of Privacy Shield self-certification.
III. Current and Future Legal Structures Applicable to Insurance Companies
While it is unlikely that insurance companies can gain EU recognition through the self-certification process, the Privacy Shield may have additional implications on the legal structures already in effect that allow insurance companies to receive data from the EU. On May 4, 2016 the General Data Protection Regulation (“GDPR”) was introduced in the EU. The plan is for the GDPR to go effective in 2018. The GDPR’s principles will apply to all companies that process personal data of EU individuals regardless of the entity’s principal location, so long as the processing is related to the offering of goods and services or the monitoring of EU behavior.
The impact that the GDPR will have on U.S. insurers is multifold and perhaps substantial. The GDPR will directly apply to any U.S. insurer who insures EU risks and collects data from EU individuals. In addition, while the GDPR framework will directly impose further regulatory oversight over certain U.S. insurers, some industry participants believe the GDPR may also lead to the removal of other avenues that insurance companies have traditionally used to comply with EU law. For example, without the ability to self-certify under the Privacy Shield, insurance companies that wish to collect EU data may currently satisfy applicable EU law through “model contract clauses” or “binding corporate rules” that provide adequate protection mechanisms for sensitive data. However, with the implementation of the GDPR along with the Privacy Shield, the EU Article 29 Working Party (a body comprised of protection authority officials throughout the EU) has indicated that model clauses and binding corporate rules may be reassessed in the near future as to their adequacy in protecting data transfers to the U.S.
Further complicating the regulatory regime as it applies to insurance companies is the fact that the Privacy Shield itself may be subject to legal challenge. Just as the U.S.-EU Safe Harbor program was declared invalid, so may the Privacy Shield be challenged on the grounds that its heightened protection principles may nevertheless fail to provide adequate data protection. Should the Privacy Shield framework be dismantled, it is unclear how the GDPR and other relevant data protection mechanisms will be affected as they apply to U.S. insurance companies.
IV. Should U.S. Insurers Pay Attention to the Privacy Shield?
As discussed above, U.S. insurers will rarely be able to take advantage of the self-certification process and gain EU recognition afforded through Privacy Shield compliance. Furthermore, there are no guarantees that the Privacy Shield will withstand future EU judicial scrutiny. A U.S. insurance company could therefore rightfully question whether complying with the Privacy Shield principles is even worth consideration. Yet, there are some compelling reasons to monitor and comply with aspects of the Privacy Shield even if certification is not achievable.
First and foremost, the regulatory landscape is quickly and unpredictably changing. What is clear is that the EU is consistently striving to heighten data protection measures, and while insurance companies may currently satisfy their obligations through model clauses or binding corporate rules, such outlets may not last for long. Whether the principles of the Privacy Shield become an EU requirement for U.S. insurance companies in some form or fashion remains to be seen; however, voluntary compliance now can save headaches later.
In addition, adhering to the Privacy Shield principles may serve as an effective marketing tool. Being able to market to potential insureds that their information will be protected to the highest standards in compliance with expectations applicable to most other industries can serve as a powerful incentive to purchase a policy over competitors. In addition, as the insurance industry is driven in large part by agents and brokers, a producer may be more likely to direct business toward an insurer that complies with the standards set forth by the Privacy Shield.
Of course, insurance companies may have valid reasons to disregard adherence to the Privacy Shield principles as well. Complying with the Privacy Shield’s heightened standards without the added benefit of EU recognition may prove to be a burdensome task, particularly when an insurer must also satisfy applicable EU law through other means as well. Furthermore, as the Privacy Shield framework may face a real challenge in the foreseeable future, a U.S. insurer may reasonably decide that the effort to comply with a voluntary framework that may not even exist down the road is a cost not worth the effort.
Insurance companies in the U.S. that wish to receive data from EU individuals face a regulatory regime with many questions and limited answers. On the one hand, the Privacy Shield sets forth clear and concise guidelines for data protection but does not afford insurance companies the ability to self-certify and achieve EU recognition. On the other hand, the current options for U.S. insurers may be rendered null and void in the near future in part due to the Privacy Shield’s principles, and the GDPR does not go live until 2018. As a result, insurance companies must ultimately decide whether or not to stay the course or voluntarily strengthen their data collection standards in anticipation of what may be coming down the road.