European Union privacy law updates
This is a general update to remind insurance brokers of the European Union (EU) General Data Protection Regulation (GDPR) requirements, which came into effect in 2018, and of a recent decision affecting the former ‘EU-US Privacy Shield’ on which certain entities could rely.
GDPR background
By way of background, the GDPR requirements are in effect privacy obligations, similar in parts to those under the Australian Privacy Act 1988 (Cth).
The GDPR applies to the data processing activities of businesses, regardless of size, that are data processors or controllers with an establishment in the EU. Generally speaking, a controller determines how and why personal data is processed, and a processor acts on behalf of the controller. Where a business has ‘an establishment’ in the EU, activities of the business that involve processing personal data will need to comply with the GDPR, regardless of whether the data is actually processed in the EU.
The GDPR also applies to the data processing activities of processors and controllers outside the EU, regardless of size, where the processing activities are related to:
- offering goods or services to individuals in the EU (irrespective of whether a payment is required); or
- monitoring the behaviour of individuals in the EU, where that behaviour takes place in the EU.
Insurance brokers can refer to the OAIC guidance on these requirements for Australian entities for further information. The OAIC provides the following examples of Australian businesses that may be covered by the GDPR:
- an Australian business with an office in the EU
- an Australian business whose website targets EU customers for example by enabling them to order goods or services in a European language (other than English) or enabling payment in euros
- an Australian business whose website mentions customers or users in the EU
- an Australian business that tracks individuals in the EU on the internet and uses data processing techniques to profile individuals to analyse and predict personal preferences, behaviours, and attitudes.
Recent decision affecting EU-US Privacy Shield
On 16 July 2020, the European Court of Justice issued its judgement in the case of Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (“Schrems II case”).
The decision in the Schrems II case has particularly affected US-based entities (and, in the case of locally based insurance brokers that are US-owned, in most cases their subsidiaries) that previously relied on the ‘EU-US Privacy Shield’, which allowed companies to self-certify their data practices for the purposes of GDPR adequacy.
The Schrems II case ruled that the EU-US Privacy Shield is inadequate and that standard contractual clauses (“SCCs”), by which the sender and recipient of data agree that their data processing meets GDPR standards, should now be used instead (which should have been the case in any event for Australian-based insurance brokers that are not US-owned entities).
Some countries have been determined by the EU Commission to have adequate privacy regimes for the purposes of the GDPR standards, meaning data can flow between such countries without the need for additional requirements (such as SCCs).
However, Australia does not have adequacy status and this means that insurance brokers dealing with EU client information will need to separately agree on SCCs with the data provider/processor.
This has been the case for Australian insurance brokers in any event, unless they are part of a US group and have been relying on the former EU-US Privacy Shield.
Therefore, the main impact of the Schrems II case is on US-owned entities that previously relied on the EU-US Privacy Shield and which should now align their privacy measures with any SCCs or with the GDPR when transferring, receiving, or collecting personal information about EU individuals to or from the EU.
Insurance brokers that deal with EU individuals, or that transfer data to or from the EU relating to individuals in the EU, are therefore reminded to check that their privacy processes meet any applicable GDPR requirements. In terms of applicability, Australian businesses of any size may need to comply if they have an establishment in the EU, if they offer goods and services to individuals in the EU, or if they monitor the behaviour of individuals in the EU.
The issues can be complex and, if in doubt, NIBA recommends you seek independent legal advice on your obligations regarding any EU privacy requirements relevant to your business.
IMPORTANT NOTICE
This document is designed to provide helpful general guidance on some key issues relevant to this topic. It should not be relied on as legal advice. It does not cover everything that may be relevant to you and does not take into account your particular circumstances. It is only current as of the date of release. You must ensure that you seek appropriate professional advice in relation to this topic as well as to the currency, accuracy, and relevance of this material for you.