The legislation around data transfers between the EU and US is changing. Michael Klimes finds out what it means for trustees.
At a glance
- The EU and US are developing a replacement for safe harbour called Privacy Shield
- Trustees do not need to panic about data transfers between the US and Europe now
- But they need to follow developments in legislation closely
When the Court of Justice of the European Union (CJEU) ruled in the Schrems v Data Protection Commissioner case last October, the system of transferring personal data between the US and European Union (EU) was upended.
Maximilian Schrems originally complained to the Irish Data Protection Authority (DPA) that Facebook had violated his privacy rights, citing Edward Snowden's whistleblowing about US surveillance. The Irish DPA rejected the complaint, arguing the transfer of data was adequately protected by safe harbour: in a decision of 26 July 2000 the European Commission had found that the US adequately protected the data of EU citizens under the safe harbour principles. This was known as the Safe Harbour Agreement. Schrems challenged the rejection in the Irish High Court, which referred the case to the CJEU.
The CJEU raised two concerns. First, it said US intelligence agencies could collect the data of European citizens beyond what was proportionate. Second, non-US citizens had no legal route to challenge the misuse of their data. The ruling also made clear that national data protection authorities remain free to investigate complaints and impose penalties, which established that they can question European Commission decisions on data transfer agreements and standards with third countries such as the US.
The Article 29 Working Party, which is made up of the 28 EU DPAs, issued guidance on how the CJEU's decision should be interpreted. It said there was an unofficial grace period until the end of January 2016. If there was no agreement for a "safe harbour II" replacement, national data protection authorities would have to start interpreting and enforcing the decision of the CJEU. That could potentially put trustees at UK pension schemes on the hook if a member thought their personal data rights regarding pensions had been violated in some way.
It was suggested that, if no Safe Harbour II agreement between the US and Europe was reached by 31 January, trustees and third-party administrators could continue to transfer data to the US without relying on safe harbour in two ways: standard contractual clauses (also known as model contract clauses) and binding corporate rules. But there have been concerns that these could be found inadequate for the same reason safe harbour was: EU citizens' data could still be snooped on by US intelligence agencies. The Article 29 Working Party has been keen to ensure that EU citizens' data rights are protected in whatever agreement the commission makes with the US government.
On 2 February the European Commission and US government did reach an agreement, called Privacy Shield. But will Privacy Shield, along with standard contractual clauses and binding corporate rules, satisfy the Article 29 Working Party and data privacy activists?
In a statement the European Commission said it had received several assurances from the US government that would protect the privacy of EU citizens. First, companies handling Europeans' personal data will face strong obligations, backed by enforcement. US companies wishing to import personal data from Europe will need to meet obligations on how that data is processed and ensure individual rights are guaranteed. The Department of Commerce is meant to monitor companies that publish their commitments, and under US law those commitments can be enforced by the US Federal Trade Commission.
Second, the US has given the EU written assurances ruling out indiscriminate mass surveillance of personal data transferred to the US under Privacy Shield. The European Commission and the US Department of Commerce will review this annually, and national intelligence experts from the US and European DPAs will be invited to the review.
Third, companies will have deadlines to reply to complaints. European DPAs can refer complaints to the Department of Commerce and the Federal Trade Commission. For complaints about possible access by national intelligence authorities, a new ombudsman will be created, probably within the State Department.
News of the deal was welcomed. Commissioner Věra Jourová said: "The new EU-US Privacy Shield will protect the fundamental rights of Europeans when their personal data is transferred to US companies. For the first time ever, the United States has given the EU binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms. Also for the first time, EU citizens will benefit from redress mechanisms in this area."
But beyond the optimism of policymakers at the commission, what is most significant for trustees is the response to the agreement from the Article 29 Working Party. In its statement on 3 February, it said two ways of transferring data, which have existed alongside safe harbour, are still valid. These are standard contractual clauses (also known as model contract clauses) and binding corporate rules. This means any UK scheme which uses one or both of these methods to transfer data to the US can still do so for the moment. The local DPA should not penalise them for it.
Trustees can have peace of mind for now, according to Dentons senior associate Simon Elliott. "The assurance that is helpful for trustees at the minute is an extension of the current 'grace period' [ending 31 January 2016] regarding the use of the remaining legal solutions for international transfers," he says. "The Article 29 Working Party had granted this grace period until the end of January. That has now expired but in its most recent announcement, the Working Party made clear that organisations can continue to rely on these other existing solutions until the Working Party has done an in depth analysis of the Privacy Shield [expected within the next couple of months]. So there is some comfort there for organisations that have acted on the [European] Court's decision to no longer rely on the previous safe harbour scheme."
However, there are a number of potential pitfalls that trustees and TPAs must be aware of. In the same statement, the Article 29 Working Party called on the commission to "communicate all documents pertaining to the new arrangement [Privacy Shield] by the end of February". It says it will then be in a position to complete its assessment of all personal data transfers to the US at an extraordinary meeting, expected in the coming weeks. The statement also said the Working Party would consider whether standard contractual clauses and binding corporate rules can still be used for personal data transfers to the US.
Even if trustees and TPAs have stopped using safe harbour to transfer members' data to the US and have moved to standard contractual clauses and binding corporate rules, they could still get into trouble with DPAs.
The Schrems decision was very clear on this point: a local regulator, in Germany or the UK for example, can take up a complaint from an individual and then investigate the adequacy of the standard contractual clauses or binding corporate rules that have been used to transfer that individual's data.
The Article 29 Working Party has also set out four principles against which it will judge any new framework for transferring data: processing of data should be based on clear rules; a balance must be struck between surveillance and the rights of the individual; an independent oversight mechanism should exist; and remedies must be available so that anyone has the right to defend her/his rights before an independent body. Privacy Shield's adequacy is likely to be tested against these principles.
Taylor Wessing senior data protection adviser Sally Annereau says: "They [Article 29 Working Party] need to consider what the detail of that agreement is against the CJEU's decision in the Schrems case and whether it goes far enough to deliver on adequacy safeguards [regarding data established from the Schrems case]. I think prior to this decision by the European Commission, the view of the Article 29 Working Party was not enough had been done."
While UK trustees can rest easy for the moment, they should watch the development of Privacy Shield closely. They must remember they are liable for what happens to members' data.
Any decision on data transfers between the US and EU from the European Commission, Article 29 Working Party or CJEU could affect their duties of care in how they handle members' details.
Safe Harbour Timeline
6 October 2015
Court of Justice of the European Union (CJEU) comes to a decision in the case: Schrems v Data Protection Commissioner. Judges rule that the US safe harbour system does not offer sufficient protection of personal data to comply with European law.
15 October 2015
European Commission Vice-President Andrus Ansip and Commissioners Günther Oettinger and Věra Jourová meet business and industry leaders, who want a uniform interpretation of the ruling and more information on how they can continue to make data transfers between Europe and the US.
16 October 2015
Article 29 Working Party, which is made up of the 28 EU data protection authorities, issues guidance on how the CJEU's decision should be interpreted. It says there is an unofficial grace period until the end of January 2016 before data regulators begin enforcement based on the CJEU's decision.
6 November 2015
European Commission issues guidance for companies on the interim solutions of transatlantic data transfers following ruling until a new framework is established.
2 December 2015
College of Commissioners discuss progress of negotiations. Commissioner Jourová receives a mandate to find a deal with the US for a new data transfer agreement.
31 January 2016
Deadline for agreement between EU and US expires.
2 February 2016
US government and European Commission announce agreement on new framework. But details still to be worked out.
Sources: European Commission and Court of Justice of the European Union.