On 6 October 2015 the Court of Justice of the European Union gave a ground-breaking ruling regarding the rules surrounding transfer of data from the EU to the US. The Court held invalid a European Commission decision on the "safe harbor" regime which many businesses had relied on as allowing them to transfer data from the EU to the US. Many UK pension schemes have entered into agreements which allow the transfer of personal data to the US. We consider here the implications of the Court's judgment for UK pension schemes.
English data protection legislation, which reflects the principles of EU law, provides that personal data must not be transferred to a country outside the European Economic Area for processing unless that country "ensures an adequate level of protection for the rights and freedoms" of individuals in relation to data processing. In July 2000 the European Commission confirmed that the "safe harbor" self-certification regime fulfilled these requirements in relation to US companies which signed up to it.
In the case in question, an Austrian national brought a claim regarding the transfer by Facebook of his personal data from Ireland to the US. The EU Court had to decide whether the European Commission's decision as to the adequacy of safe harbor was binding on the Irish Data Protection Commissioner. The Court held that the European Commission's decision on the adequacy of safe harbor was invalid, and that the Irish Data Protection Commissioner must reach its own decision on whether the safe harbor provisions offer adequate protection for individuals' data. Further, the EU Court found that the sweeping surveillance powers of the US authorities (which could operate notwithstanding the safe harbor regime) did not reflect the principles of EU data protection law.
What are the implications for UK pension schemes?
Dealing with pension scheme administration will normally involve processing personal data such as members' details. Large consultancies will often have administration agreements that allow data to be transferred outside the EU for processing. Scheme trustees may previously have taken the view that checking that the administrator had signed up to safe harbor was sufficient to comply with the trustees' obligations regarding data transfer to the US. In the light of the Court's judgment, it is clear safe harbor does not provide a legally watertight defence against data protection claims. A statement issued by the UK Information Commissioner (ICO) in the wake of the judgment states that the ICO is considering the implications of the judgment and will publish further guidance on its website in the coming weeks. The ICO acknowledges that businesses that use safe harbor will take some time to review how the judgment affects them.
Some of the reporting of the case has been quite sensationalist in nature, but while we are still awaiting further guidance from the ICO, it seems premature to start seeking to renegotiate existing data protection provisions. At this stage, trustees should be monitoring the ICO's website for further announcements and identifying whether they have entered into agreements which allow transfer of personal data to the US for processing. For any such agreements, trustees should understand the legal mechanism that has been used to protect data, e.g. are the trustees relying on safe harbor, or have model data protection clauses or other protections been included in the agreement? Understanding this will ensure trustees are ready to respond when the ICO issues further guidance.