Politicians, business groups, citizens' rights advocates and legal experts have been among those debating proposed reforms to the EU's existing data protection law framework since the European Commission outlined formal proposals on the issue in January 2012.
The Commission set out a draft General Data Protection Regulation which would establish a single data protection law that would apply across all 27 EU member states and to companies based elsewhere that wish to process the personal data of EU citizens.
Earlier this month a rapporteur to a European Parliament committee on the data protection reforms published a report containing proposed amendments to the Commission's draft Regulation.
In his report, Jan-Philipp Albrecht MEP said that companies seeking to process personal data in 'third' countries, meaning nations outside the European Economic Area (EEA) that have not been pre-approved as meeting EU data protection standards, should have to provide "financial indemnification" to individuals for any data breaches that occur through those international processing activities.
"Where the Commission has taken no decision on the adequate level of data protection in a third country, the controller or processor should make use of solutions that provide data subjects with a legally binding guarantee that they will continue to benefit from the fundamental rights and safeguards as regards processing of their data in the Union once this data has been transferred," the proposed amendments state.
"That guarantee should include financial indemnification in cases of loss or unauthorised access or processing of the data and an obligation, regardless of national legislation, to provide full details of all access to the data by public authorities in the third country," according to the terms.
Data controllers are organisations that determine the purpose for which and manner in which personal data is or is likely to be processed. They are responsible for complying with all aspects of data protection law in the EU. In contrast, data processors – third parties contracted by data controllers to process personal data on behalf of the controller – only have to comply with data security rules and any other data protection obligations that are prescribed in the terms of their contracts with data controllers – such as those that define the scope of their processing activities.
Insurance law and data risk specialist Ian Birdsey of Pinsent Masons, the law firm behind Out-Law.com, said that it was current practice for data controllers outsourcing personal data processing to data processing firms to require those companies to take on the bulk of risk associated with data breaches. In turn, he added, insurance companies are increasingly offering specialist policies that allow companies to obtain protection from the exposure to those risks.
Developing the legal framework to force companies to provide "financial indemnification" will therefore see the growth of this specialist market continue, the expert predicted.
"The proposed amendment to the draft EU data protection Regulation highlights increasing levels of concern on data exposures and transferring data risks," Birdsey said. "Contractual negotiations between data controllers and data processors are increasingly focusing on data exposures and mechanisms, through warranties and indemnities, to transfer the risk from the controller to the processor."
"Just as the commercial and legal focus has shifted towards data exposures, the need for specialist and bespoke insurance products to transfer risk from the data processor or controller has grown. While a standard professional indemnity policy may have been considered adequate 5 years ago, both companies and insurers have appreciated the need for specialist insurance products dealing with the myriad data risks," he added.
Current EU data protection laws prevent companies sending personal data outside of the EEA except where adequate protections have been put in place or in circumstances where the destination country has been pre-approved as having adequate data protection. Only a handful of countries, including Argentina, Canada and Switzerland, have qualified as having adequate protection. New Zealand last month became the latest country to qualify as meeting the standards. The EEA includes all 27 EU member states, Iceland, Norway and Liechtenstein.
When a company wants to send personal data to other non-EEA countries, that company must ensure that adequate protections are in place, even when the transfer is from one group company to another. Organisations can make use of model contract clauses or gain regulatory approval for binding corporate rules, among other methods, in order to achieve compliance with the adequacy standards.
The European Commission has proposed that similar 'adequacy' requirements would be in place for international data transfers under a reformed data protection framework.