On 6 October 2015 the Court of Justice of the European Union ("CJEU"), following the opinion of the Advocate General in Case C-362/14 (Schrems v Data Protection Commissioner), invalidated European Commission Decision 2000/520 dated July 27, 2000 (the "Decision"), which allowed transfers of personal data to US companies that self-certified under the US/EU Safe Harbor Program ("Safe Harbor").
The Safe Harbor Program
What is Safe Harbor? To transfer personal data to a country outside the European Economic Area ("EEA"), the receiving country must have in place "adequate protection" in accordance with Article 25(1) of the EU Data Protection Directive (95/46/EC) (the "Directive").
In order to better facilitate the transfer of personal data from the EU to the US, the Safe Harbor Program was developed. Article 1 of the Decision provided that US organisations who joined the Safe Harbor Program would be deemed to have "adequate protection" in place, such that EU companies could transfer data to such organisations in compliance with EU law.
The CJEU Judgment
So what has changed? The CJEU was asked to consider whether the Irish Data Protection Commissioner "may and/or must" independently evaluate whether a third country (in this case, the US through the implementation of Safe Harbor) offers "adequate protection" for personal data within the meaning of the Directive, or whether the Irish Data Protection Commissioner is bound by the Decision.
The CJEU found that the Decision did not prevent a supervisory authority of a member state from examining whether an adequate level of protection exists in a third country and, furthermore, that the Decision itself is invalid. Further detail on the CJEU's reasoning can be found here.
What does this mean for UK pension schemes?
Effectively the judgment means that UK companies, and pension schemes, can no longer rely on the Safe Harbor Program to comply with the requirement to ensure that the recipient has "adequate protection" when transferring personal data to the US.
This will be of relevance to UK employers and Trustees who, as data controllers, are responsible for their members' personal data, particularly where member data is transferred to a US parent company, or where administration for all group company pension arrangements is managed from a US-based subsidiary.
If your scheme currently transfers, or will in the future transfer, members' personal data to the US and you currently rely on the Safe Harbor Program, you will need to consider other cross-border transfer mechanisms to ensure "adequate protection". Note that a transfer includes the situation where the third party (for example, the scheme administrator) is a UK company but holds the data in the US or subsequently transfers the data to the US. Given this, it would be advisable for schemes to confirm with their administrators, and other recipients of personal data, whether data ever passes through or is stored in the US.
As an alternative to the Safe Harbor Program, schemes can put in place a data protection agreement ("DPA") with the receiving US entity which incorporates particular approved contractual clauses. Decisions adopted by the European Commission (Decisions 2001/497/EC and 2004/915/EC for controller-to-controller transfers, and Decision 2010/87/EU for controller-to-processor transfers) provide standard contractual clauses ("Model Clauses") for use by data controllers established in the EU when transferring data to data controllers or data processors in countries outside the EEA. The use of Model Clauses has been authorised by the UK Information Commissioner, which means that transfers made under a DPA that incorporates the Model Clauses, unamended, are deemed to be made in a manner that ensures adequate safeguards for the rights and freedoms of data subjects.
Until further guidance is issued and/or a new amended Safe Harbor Program is agreed, using Model Clauses seems, at present, one of the most practical ways of ensuring compliance. However, each scheme should consider its own circumstances carefully and take advice to ensure compliance with data protection law.