In the December edition of Pensions Pieces we reported on the impact of a decision of the Court of Justice of the European Union1 which declared the Safe Harbor scheme to be invalid. Self-certification under the scheme had been used by a wide range of organisations as a method of lawfully transferring personal data from the EEA to the USA, and its demise caused great concern.

The European Commission has now decided to give effect to a regime to replace Safe Harbor called the ‘EU-US Privacy Shield’ and US entities have been able to sign up to this from 1 August 2016. The Privacy Shield has its detractors but for now, it joins model clauses and binding corporate rules as one of the data export tools for data moving from the EU to the US.

On the issue of data protection regulation more widely, and as previewed in our article on pension scheme records in the February 2013 edition of Pensions Pieces, the European Union has now adopted new data protection measures (the General Data Protection Regulation (GDPR)) after four years of negotiation. The legislation will apply from 25 May 2018 and will bring in a large number of changes.

Issues which are attracting particular attention include stricter requirements around consent to processing, increased administrative requirements, data exports and new obligations on data processors – i.e. those processing personal data on behalf of data controllers (for example, in a pension scheme context, scheme administrators). Notwithstanding timing issues and Brexit, it is likely that, for commercial reasons, UK entities will have to comply with the Regulation in any event, so familiarity with it is important. We will report on this in more detail in a future edition of Pensions Pieces.