Annual Data Privacy Regulatory Updates

White Paper

While various ransomware attacks have been monopolizing recent headlines, it is critical to remember that data breaches remain the baseline of cyber losses. As of Sept. 30, 2021, the number of publicly reported data breaches, year-to-date, had already exceeded the total number of breaches reported for the entirety of 2020. From both a regulatory and a consumer-obligation perspective, organizations and their management teams should remain informed about developments to both new and existing data privacy rules and regulations. This piece intends to provide customers with an update on data privacy regulations from an international and domestic standpoint.

Data Privacy Regulation Update

European Union (EU) – General Data Protection Regulation

Since the spring of 2018, the General Data Protection Regulation (GDPR) has served as the primary legislative mechanism regulating how companies protect the personal data of European Union (EU) citizens. The introduction of the GDPR bolstered the EU’s commitment to addressing “privacy” as a fundamental human right; the EU now possesses some of the strictest data privacy and protection laws worldwide.

During the summer of 2021, the European Commission published new Standard Contractual Clauses (SCCs) regarding the transfer of personal data from the EU to third-party countries outside of EU jurisdiction, such as the United States. However, there was one jurisdictional exception: post-Brexit, the SCCs do not apply to transfers of personal data from the United Kingdom.

While the previous SCCs only stipulated specific requirements for controller-to-controller and controller-to-processor transfers, the SCCs introduced in June 2021 stipulate requirements for those as well as for processor-to-sub-processor and processor-to-controller transfers. The new guidelines contain new requirements for data importers, that is, controllers and processors located beyond the borders of the EU. They are required for all new transfer agreements entered into on or after Sept. 27, 2021. Agreements already in effect must be replaced with the new SCCs by Dec. 22, 2022.

The new SCCs require data importers to confirm they will only disclose personal data to third parties outside of EU jurisdiction if such a party has agreed to be bound by the terms of the clauses or a specific legal exemption applies. Since previous guidance explained that exemptions are not permitted for systematic transfers of personal data, a data importer must now ensure that any party involved in processing the data, including any potential sub-processor, has also signed and agreed to the updated SCCs.

With the new SCCs, it is no longer necessary for organizations to enter into separate data processing agreements to comply with Article 28 of the GDPR. Article 28 requires data controllers to ensure they only appoint data processors capable of providing “sufficient guarantees” of their intent and ability to implement the terms set forth by the GDPR. The Article also requires data processing to be conducted pursuant to a contract, making it a violation of the regulation for controllers and processors to fail to enter into a written data-processing contract. Modules Two and Three of the new clauses contain the requirements articulated within Article 28; therefore, for controller-to-processor and processor-to-processor data transfers, supplementary data processing agreements are no longer imperative.

The new clauses also contain a “docking clause”. While the previously utilized SCCs were devised for two-party contracts, the new provisions allow for execution by multiple parties. The “docking clause” permits, and sets out the process for, adding additional parties to the SCCs during a contract’s lifetime.

by Nina Nisanova

and the Specialty Risk Solutions Cyber Risk team