Stormy waters for EU-US Safe Harbor framework – pensions implications of CJEU decision on data transfers

The issue in brief

European data protection legislation provides that transfers of personal data outside of the EEA are prohibited unless the personal data is adequately protected. For personal data transfers to the US, a solution was implemented in 2000 in the form of the EU-US Safe Harbor framework. However, a recent decision of the Court of Justice of the European Union (CJEU) has invalidated that framework. In this update we set out the implications of the CJEU’s decision for pension schemes based in EU Member States where member data is transferred to and processed in the US, and steps that affected schemes need to take.

Implications of the CJEU’s decision for pension schemes

An EU working party has been considering the implications of the CJEU’s decision and how regulators and organisations previously relying on the Safe Harbor framework should respond to the decision. It has issued a preliminary statement which confirms that transfers taking place purely on the basis of Safe Harbor are unlawful, and that a new, negotiated Safe Harbour 2.0 could be part of the solution in the future. In the meantime affected organisations will need to look to alternative ways of dealing with the issue that are acceptable within existing EU law.

Pension schemes which currently rely on Safe Harbor for the transfer of personal data to the US will need to put in place alternative data transfer solutions as soon as possible. Pension schemes should consider how this decision will affect them if they have a parent company or group company that is US-based, or there are third-party administrators who hold pension scheme data and transfer that data to the US, either directly, or using a third party processor.

Practical steps which should be taken in the wake of the CJEU’s decision

As a preliminary step, pension schemes and administrators should carry out due diligence to investigate the extent to which personal data is being transferred to the US and the existing measures in place for doing so in compliance with EU data protection laws. They should also carefully consider the requirements of local data protection laws and the guidance issued by local data protection authorities.

If Safe Harbor is being relied upon, there are a number of alternative compliance tools that affected schemes and administrators may use until further cross-border compliance solutions (such as a revised Safe Harbor framework) are finalised. These include:

• using Model Clauses which have been approved by the European Commission and require the EU based data exporter and US data importer to execute a standard form contract (often the only practical solution);
• obtaining data subject consent (a solution that requires considerable caution and is often impractical due to the large numbers of individuals involved);
• anonymising data as far as possible so it is subject to less stringent controls (another solution that will often be unhelpful in a pension scheme context).

If your scheme is affected by this ruling, please contact your usual OC pensions lawyer, and we can involve our specialist data protection lawyers as appropriate.