One of the highest profile legal cases in recent months is the decision of the Court of Justice of the European Union (“CJEU”) relating to the “safe harbor” principle in data protection legislation. The case caught the public’s attention as it related to a high-profile international business, Facebook, and referenced the Edward Snowden revelations, particularly relating to the surveillance of European data by the US security services. However, it has implications for the pensions industry as well, and this article looks at those issues.
Data protection legislation in the UK arises out of the 1995 Data Protection Directive issued by the EU, which is enacted in the UK under the Data Protection Act 1998. Essentially, the legislation requires that data about individuals that is held by an organisation is held in a way that complies with the eight data protection principles. For pension schemes, this has long been a challenge, as a vast amount of information, some of which is very sensitive (such as details of health and marital status), is held by schemes to allow them to calculate benefits and operate on a day-to-day basis. As the Pensions Regulator has highlighted in recent years, the data held by schemes is not always accurate, and data cleansing forms part of the obligations of trustees to ensure they comply with the data protection legislation.
The obligations under the data protection legislation fall primarily on the party for whom the data is held, known as the data controller. In the pensions context, this is often both the trustees and the employer (who holds the same data for a slightly different purpose). The data controller is obliged not only to comply with the eight data protection principles, but to ensure that anyone it gives the data to, known as a data processor (such as a scheme administrator or actuary), also complies with the seventh principle in relation to data security obligations.
The eighth data protection principle requires that data be kept within the EEA or in a jurisdiction with a similar level of data protection. In these days of international transfers and overseas analysis of data, it is common for data to travel outside Europe. Indeed, it is very easy to trigger a ‘data export’ when data is accessed or otherwise processed outside the EEA, for example with data hosting and related services. Historically, data travelled to the US in compliance with the data protection legislation where the company holding the data in the US had signed up to the “US Safe Harbor” scheme, effectively a self-certification mechanism policed by the US Federal Trade Commission. This followed a decision of the European Commission in 2000 that the Safe Harbor scheme was sufficient.
The recent case relates to a claim brought by an Austrian citizen to the Irish Data Protection Commissioner against Facebook Ireland that his data, held by Facebook Ireland and kept on servers in the US, was not safe from breach of the data protection legislation because the revelations of Mr Snowden suggested routine surveillance of European data held in the US. The Commissioner had said that he did not need to investigate, because Facebook Ireland had signed up to Safe Harbor. The decision of the CJEU in October this year was that the Commission’s 2000 decision did not stand, and that it was necessary to investigate rather than rely on Safe Harbor as an automatic assurance that the data was appropriately kept.
This of course causes significant issues for any business that has relied on Safe Harbor to hold or analyse EU data in the US. It also impacts those who rely on those businesses. Pension schemes’ data is often held by third party administrators, actuaries, auditors and others, often outside the UK and quite regularly outside Europe. If the trustees or employer have passed data to a data processor who is holding it in the US, having used the Safe Harbor route to do so, there may be breaches by both the data processor (e.g. contractual) and the trustees and/or employer (e.g. under the eighth data protection principle).
It is important for any employer or trustee who has contracted with someone else who may hold data for them or as part of their professional work for the scheme to check where that data is held. If data is held in the US, it is important to find out from the party holding the data how they believe they comply with the legislation and, to the extent that they have historically relied on Safe Harbor, what they are intending to do now.
In addition, trustees and employers should check the terms of their agreements with anyone to whom they have passed data. It is quite common for agreements, particularly longer standing ones, not to provide the appropriate indemnities and obligations relating to the data protection principles, and this may mean that the protection necessary in any event to comply with data protection obligations is not in place. This may be a time for revisiting those arrangements.
If data is held in the US using the Safe Harbor process, then this data needs to be moved immediately or compliance needs to be achieved using a method that is appropriate now. The most practical solution for a pension arrangement would be the adoption of a model contract clause, and it is important to ensure that this is put in place if the data is not moved. The Information Commissioner’s Office does have power to take action against those who do not comply but, much as with the Pensions Regulator, its approach is generally more pragmatic, so that, as long as the matter is dealt with speedily, trustees and employers are likely to be protected. However, those who do not confirm the position, or who spend a long time considering taking action, may find it much harder to defend themselves should a complaint be raised or action taken.