We're sorry but your browser is not supported by Marsh.com

For the best experience, please upgrade to a supported browser:


Risk in Context

EU-US Privacy Shield Could Bring Tougher Data Protection Standards for US Companies

Posted by Thomas Reagan February 05, 2016

The EU Commission and the United States agreed on a new framework that calls for US regulators to enforce greater privacy standards for transferring data on individuals between the US and Europe. The agreement, struck earlier this week, raises significant liability concerns for US companies that transfer data without observing the stricter requirements.  

The EU-US Privacy Shield is designed to prevent generalized access to data that migrates between the EU and the US. Under the agreement, US companies that import the personal data of Europeans would be obligated to protect and monitor that data or be subject to regulatory action in the US.

The new agreement addresses the gap that was created in an October 2015 judgement when the European Court of Justice (ECJ) negated the EU-US Safe Harbor for data transfer, largely due to concerns about the sharing of data between the private sector and the US government. The ECJ decision terminated a process that companies had enjoyed for years, leaving companies with strategies involving the transfer of data without jurisdictional encumbrances, like telecommunications and cloud providers, particularly vulnerable.                                                                                                                                      

Greater Commitment

The EU-US privacy shield has a long way to become binding.  Details for compliance with the standards will need to be approved by EU member states.  The high-level framework from the current agreement commits to the following:

  • Companies must publish their commitments to the safety of European personal data, which will be monitored by the US Department of Commerce and enforceable by Federal Trade Commission (FTC).
  • The US has ruled out indiscriminate mass surveillance of the data transferred, and has agreed to an annual joint review by the European Commission and the US Department of Commerce.
  • Any European citizen who believes his or her data has been misused under the new arrangement will have recourse to contact the Department of Commerce and the FTC.

Call to Action

While the framework further strengthens the partnership between the EU and US over data-sharing, it carries considerable risk management implications for US companies. A number of preparatory actions should be taken by those who import European data:  

  • Review policy language in your current data protection insurance policies, including coverage such as technology errors and omissions, to see what may need to change.
  • Consult with insurance advisors over how best to comply with the new obligations, to see if any part of operations is now non-compliant, and consider whether insurance notification is needed.
  • Determine whether your company transfers payroll or other human resource data from Europe to a parent company or subsidiary in the US.

Data-sharing is important for the growth of many companies in both the US and Europe, but must be balanced against consumer demand for privacy protection.

Related to:  Cyber Risk , Cyber Risk

Thomas Reagan

Tom oversees client advisory and placement services for cyber risk throughout the U.S. He also serves as the senior cyber advisor for some of Marsh’s largest clients.