On October 22, we posted about the anticipated EU General Data Protection Regulation. As expected, the EU adopted the Regulation as part of its data protection reform package on December 15.
US businesses have been concerned about protecting the data of EU subjects transmitted to the US because, in October, the European Court of Justice declared the US Safe Harbor regime invalid. EU and US negotiators have been frantically working on a new data transfer agreement to replace the Safe Harbor program. Some commentators also believe that amending the Electronic Communications Privacy Act (ECPA) could be a workable solution. However, no viable replacement for the Safe Harbor is yet available.
Two features of the new EU Data Protection Regulation are of particular concern to US businesses with offices in, or doing business with, EU member countries: 1) joint liability of the processor and the controller of the data belonging to EU subjects, and 2) the data breach notification requirement and the steep administrative fines.
Even though the regulation won’t take effect for two years, US businesses with European connections are well advised to start preparing now. The new rules require that large and medium-sized companies have a Data Protection Officer who will be responsible for implementing the new EU data regime within the organization, and for notifying the national regulator and the affected individuals in case of a data breach.
US businesses should also evaluate the need for EU-specific cyber coverage. Until now, the European cyber insurance market has been relatively small compared to the US, but the demand has been steadily growing as companies start preparing for the new Data Protection Regulation.
We are watching this closely and will continue to post more information as the situation develops.