The Court of Justice of the European Union (CJEU) recently handed down its decision in the Schrems case. It agreed with the Advocate General and effectively decided as follows:
- the fact that the EU Commission had made a Decision (2000/520/EC) approving the US Safe Harbor does not prevent national data protection authorities from investigating complaints in connection with transfers made under it; and
- the EU Commission's Decision (2000/520/EC) on the Safe Harbor is invalid.
In this case, Max Schrems (an Austrian privacy campaigner) made a complaint to the Irish Data Protection Authority, prompted by Edward Snowden's 2013 revelations, in relation to personal data held by Facebook and transferred to the US. The complaint was based on the contention that US law and practice do not provide an adequate level of protection for personal data transferred from the European Economic Area (EEA) to the US.
The Irish DPA dismissed the complaint because the relevant transfer was covered by Safe Harbor. The matter then went to the Irish High Court which, having some sympathy with Schrems' concerns, referred it to the CJEU for a ruling.
The CJEU decision has a wide-reaching impact and touches all persons and entities who transfer personal data outside the EEA, and to the US in particular. The issues arising from the judgment will therefore be of relevance to some pension schemes.
At the recent "Fireside Chat" with the UK Information Commissioner at Dentons' London office, the message from the Information Commissioner was not to panic. The ICO has since, in a press release, stated that reviews should take place as to how data is transferred to the US and reminded everyone that Safe Harbor is not the only basis for data transfers.
This was echoed by the recent press release by the Article 29 Working Party (a body composed of representatives of each of the EU data protection authorities), which stated that model contracts and binding corporate rules can still be used, but local data protection authorities could investigate individual cases (e.g. when a complaint is received). The Working Party will continue to assess the remaining "transfer solutions" and, if a solution is not reached with US authorities on transferring data to the US by the end of January 2016, EU data protection authorities could start taking enforcement action against companies transferring data outside Europe.
What is Safe Harbor?
In 2000, the EU Commission and the US Department of Commerce agreed a policy that regulates the export of data from the EEA to the US. Provided a US organisation self-certifies that it adheres to the Safe Harbor principles and registers that certification, data can be freely transferred from the EEA to the US organisation.
What does the CJEU decision mean for pension schemes?
Because the CJEU has declared the Commission's Safe Harbor Decision invalid, Safe Harbor can no longer be relied upon as a legal basis for transfers. Any entity exporting data therefore needs to find an alternative legal basis for data exports from the EEA to the US. For pension schemes, there could be implications if:
- EU pension schemes transfer members' personal data to the US: if Safe Harbor is currently relied upon, a new data export solution will need to be put in place (e.g. model contracts); and
- a pension scheme uses a third-party administrator that holds scheme data in the US: if the third-party administrator relies on Safe Harbor, the scheme and the administrator will need to ensure a new data export solution is put in place (e.g. model contracts).
Pension schemes are most likely to be affected where data about a scheme and its members is exchanged between an EU subsidiary and a US parent company. Equally, where a scheme's sponsor is part of a large international group, pensions administration for all schemes in the group may be carried out centrally, at parent company level, by a US-based entity.
Any agreements, whether between group companies or with third-party providers, should be analysed to understand the current data flows and ensure that, where Safe Harbor is currently relied upon, new arrangements are put in place.
For many pension schemes there will be no issue. However, even for these schemes the decision serves as a timely reminder to review the data protection principles and procedures currently in place in relation to members' personal data. Duties relating to the storage, transfer and protection of data can all too easily be forgotten, or slip down the priority order, amid the mêlée that pension scheme administration can be and the wrangling with seemingly impossible funding requirements. Despite these other ongoing issues and work streams, data protection should remain a high priority for all involved in the lifecycle of pension schemes.