The United Kingdom officially left the European Union in January 2020 with the implementation period, or transition stage, concluding on 31 December 2020 and the new UK/EU a trade deal finally agreed on 24 December 2020. However, large technology companies such as Facebook and Google did not leave their preparations until the last minute, and had been planning how to navigate the new sovereign relationship between the UK and EU for some time. These plans included how to deal with the vast amounts of data collected from users to create profiles for targeted and personalized advertising, much of it personal and likely subject to privacy regulations.
UK users’ data
Before Brexit, UK users' personal information was subject to the EU’s General Data Protection Regulation (now referred to as the ‘EU GDPR’). Post-Brexit, that information is subject to the Data Protection Act 2018 which sits alongside the UK’s mirrored version of the GDPR (the ‘UK GDPR’). The data controllers responsible for the user information held by Facebook and Google were and are based in Dublin, Ireland, and are subject to the EU GDPR.
However, in February 2020 and December 2020, Google and Facebook respectively announced that post-Brexit they will transfer the legal responsibility and obligations for UK users' data from Ireland to the United States. Both companies cited the UK's departure from the European Union as the reason for the decision.
After this change, UK residents will no longer have recourse to the EU GDPR, and will generally lose the protection of EU law.
Data privacy in the US is governed by a constellation of state and, to a lesser extent federal, laws. Some states are strengthening their privacy laws – in November 2020, California passed the Privacy Rights Act, which in part expands the California Consumer Privacy Act by adding provisions prohibiting covered businesses from retaining personal information for longer than reasonably necessary, allowing consumers to prevent covered businesses from sharing personal information, and limiting businesses’ use of “sensitive personal information”. However, other states’ laws are less restrictive than the EU GDPR, and we might expect Facebook and Google to choose low-regulation states to house user data.
UK users’ data will of course still be subject to the UK GDPR, which currently generally tracks the EU GDPR. But we see the way as being clear for large technology companies to lobby the UK to relax its data protection laws as part of its newly independent working relationship with the US.
What does this mean for insurers and insureds?
The immediate concern is of course loss, corruption or theft of data during a companywide change in data centers, as well as questions over how would coverage respond to such a potential mid-year increase in risk? This remains to be seen, but it would be advisable for underwriters, brokers and risk managers to come to an understanding about coverage before any moves are made.
More broadly, insureds with data controllers currently in the EU, but handling the data of UK residents may be considering a similar strategic decision. Companies may start to move their data responsibility from the EU to other jurisdictions to try and achieve a non-GDPR regulatory regime. However, this is not necessarily an easy path as the extra-territorial reach of the GDPR for US companies offering services to EU or UK customers is well established. Furthermore, whilst the US can have fewer data protections than GDPR, there are still requirements and, pending federal legislation – which does not seem on the horizon – each US jurisdiction is currently going its own way. This menagerie of laws is also constantly changing, being developed, and US regulators do not hesitate to file enforcement actions.
In theory, insureds could benefit from a more relaxed regulatory scheme, and that would in turn be beneficial to insurers. However, compliance with the laws of various 50+ US jurisdictions, the reach of the GDPR plus federal oversight of health and banking data among other things, complicates matters. Further, affected individuals will still have a private right of action against violators, and the common view is that, like regulators, United States residents and plaintiffs’ lawyers are not shy about asserting their rights.
Comment
Issues could also arise concerning coverage for a particular violation or incident. Negotiations leading to bespoke insurance covering UK business losses from EU GDPR violations and lawsuits will need to take into account any change.
However, the cyber insurance marketplace uses a variety of forms, some more “standard” than others, but which have varying limitations on coverage. One limitation to keep in mind is the security standards exclusion. While the language varies, generally coverage is excluded for an insured failing to comply with "industry standards." Some policies explicitly list the minimum required practices of the insured for data protection, but this is rare, and more likely the governing law is where the insured states in it application it does business.
If this changes while the policy is pending, the coverage result could be less certain, and courts may not interpret policies the way the parties might want. The best way to address this is, of course, proactively – prior to policy inception, or before any mid-year material changes to the risk.
Related items:
- Just go with the flow? Data flows in a post-Brexit world
- US data privacy rights cometh: multiple states contemplating passage of significant data rights legislation
- Breaking down New York's Department of Financial Services' new cyber insurance framework
- Australian Government announces a major review of the Privacy Act
- Brazil’s data protection law will transform risk landscape
- Staying GDPR compliant during COVID-19
- Happy New Year from California: an introduction to the CCPA data privacy law
- GDPR and the Data Protection Act 2018 - key matters for healthcare professionals and care providers