On May 25, the European Union’s new rules on personal data protection and privacy went into effect. And just what does that have to do with U.S. agencies and brokerages?

Potentially quite a bit if you have any EU operations or customers or if personal data in your business is flowing between the EU and the United States.

The General Data Protection Regulation sweeps in non-EU-based insurance intermediaries through its so-called “long arm” jurisdiction. There are two key pieces at work here:

  • The framework applies to all controllers and processors of natural persons’ data (i.e., anything that could be used to identify an individual, like name, address, etc.). It is not specific to the insurance industry. “Controllers” determine the purposes and means of the data processing, and “processors” process the data on behalf of the controllers. The distinction matters because it determines your specific obligations and liability parameters under the regulation. The respective roles are determined on a case-by-case, fact-specific basis. Under U.K. guidance, for example, indicators of a controller include making the decisions regarding collecting information in the first place, how much and what data to collect, purposes for which the data are used, whether and to whom to disclose data, and how to manage the data. 
  • The regulation applies to controllers and processors outside of the EU when their data processing activities are related to the offering of goods or services to individuals in the EU or to the monitoring of individuals’ behavior if that behavior occurs in the EU. And notably, the regulation’s consumer protections and requirements travel with the data, so any transfers of personal data from the European Union to the United States will require compliance with the regulation on the U.S. side.

So what does it mean if you’re covered as a U.S.-based intermediary? At a high level, it means additional complexity and the potential for increased exposure on multiple fronts. For instance, with respect to the data rules you must follow, it will require reconciling existing insurance-focused rules like HIPAA with this broader regime. All this as Congress continues to explore its own data-security standards and breach notification requirements.

It also portends a new dynamic between intermediaries, sub-intermediaries and carriers as these entities figure out how to limit their own liability exposure and establish new, top-to-bottom processes and procedures to comply with the EU regulation. There are real consequences for how you structure the controller-processor roles, and everyone in the data processing chain, including sub-agents and third-party service providers, will have to be considered.

It means dealing with new supervisory authorities beyond U.S. insurance regulators (e.g., national authorities in the EU) and the risk of multiple or disparate enforcement actions. And the enforcement stakes in the EU are high. In addition to civil damages for violations, hefty administrative fees are in play—up to the greater of €20 million or 4% of a company’s worldwide annual revenue.

At an operational level, the regulation is extensive and multifaceted, governing the circumstances in which you can process data at all, the purposes for which you can process data and how much of it, how to store and protect data and consumers’ privacy, and what to do in the event of a data breach. There are special rules for certain categories of data like health data and criminal history. The rules and responsibilities get even more onerous in these cases.

To give you more of an idea of the sheer breadth of the EU construct, here are its seven fundamental principles for processors of personal data—each of which drives buckets of onerous regulatory standards:

  • Lawfulness, fairness and transparency
  • Purpose limitations
  • Data minimization
  • Accuracy
  • Storage limitations
  • Integrity and confidentiality
  • Accountability.

Additionally, consumers are given robust rights with respect to their data, including access, “the right to be forgotten,” the right to correct data, portability and various notifications.

With the compliance date now here, covered entities are expected to be able to demonstrate and document full compliance with the regulation or face substantial enforcement and financial consequences. This is, to say the least, a very big deal for U.S. businesses with EU ties.

Sinder is The Council’s chief legal officer and Steptoe & Johnson partner. ssinder@steptoe.com

Jensen is an associate in Steptoe’s DC office. kjensen@steptoe.com

Shenk is a partner in Steptoe’s London office. mshenk@steptoe.com

Soussan, gsoussan@steptoe.com, and Woolfson, pwoolfson@steptoe.com, are partners in Steptoe’s Brussels office.