This week, the Court of Justice of the European Union (CJEU) ruled that the “Safe Harbor” regime is invalid with immediate effect. The Safe Harbor regime is relied upon by many organisations to ensure adequate protection of data transferred from the EU to the U.S. This judgment may therefore have implications for pension plans and employers and there are various steps that they ought to take in response.
What do employers and pension plans need to do?
There are two key questions to consider:
1. Are you Safe Harbor certified?
Where pension plans or employers based in the EU transfer personal data to the U.S. (for example, to a U.S. parent or group company) and have so far relied on the Safe Harbor regime as their relevant safeguard for doing this lawfully, they will need to put in place an alternative form of ‘adequate’ protection (their “Plan B”). In practice, in the short term at least, this is likely to be a contract based on the “off the shelf” EU model clauses, if one is not already in place. Whilst questions remain about these other mechanisms, and about the development of other replacement solutions, this remains a pragmatic response at this point.
If you would like any assistance with updating the mechanisms you have implemented to safeguard the transfer of personal data from the EU to the U.S., please do not hesitate to contact us.
2. Are you contracting with third parties that are Safe Harbor certified?
Pension plans and employers also need to consider their liability for third party service providers who may be transferring personal data supplied by the employer or plan to the U.S. and relying on Safe Harbor as a means of doing this. In light of this, trustees and employers should:
- ask their third party service providers whether they transfer any personal data supplied by the employer/plan to the U.S. (this includes where data is simply stored in the U.S. or held on a U.S. server or accessed from the U.S.), and
- check whether any of their contracts with third party service providers refer to data being transferred to the U.S. in accordance with the Safe Harbor regime.
If any service providers transfer personal data to the U.S. and rely on a Safe Harbor certification in order to do this, or the contract makes reference to the Safe Harbor regime or is silent on data protection, please let us know as we can help you update your contracts with these service providers in light of this decision (as required).
Importance of data protection
This judgment highlights the high profile nature of general data protection matters and the importance of ensuring that you have in place contracts that adequately cover data protection matters with any party with whom you share personal data (including group companies, sponsoring employers and third parties).
Therefore, this is a good time to ensure:
- that you are sharing personal data lawfully, in accordance with applicable data protection legislation (i.e. in the UK, the Data Protection Act 1998),
- that you have contracts in place with any parties with whom you share personal data (whether as a data processor or data controller),
- that those contracts adequately cover data protection matters (including data transfer, storage, security breach reporting, rights of data subjects and security mechanisms (as appropriate)), and
- where any such contracts were put in place some time ago or do not cover data protection in detail, that they are reviewed and updated (where necessary) to ensure that they contain the necessary contractual protections.