Does your pensions administrator or any other service provider access your personal data from outside the EEA, such as in the US? If so, it is important to take action now to ensure continued compliance with your obligations as data controller. This could also apply to schemes with a sponsoring employer (or parent company) located outside the EEA in addition to schemes whose third party administrator hosts client personal data on servers situated outside the EEA.
As a reminder, the GDPR (General Data Protection Regulation) provides that pension trustees should only permit personal data to be transferred from the UK/EU to a recipient outside the European Economic Area (EEA) (either by the trustees directly or by a third party service provider) if there are appropriate safeguards in place, unless one of a limited number of derogations applies. The legal framework in the US is not considered to contain adequate protection for personal data and so additional measures have to be taken by trustees to protect personal data transferred to the US, as well as to other non-EEA countries, except those that have been designated by the European Commission as having adequate data protection laws. For a US service provider those safeguards are typically either certification by the US company to the EU-US Privacy Shield Framework (Privacy Shield) or the Standard Contractual Clauses (SCCs), although some of the larger service providers may use Binding Corporate Rules (BCRs).
What has happened?
On 16 July 2020, the Court of Justice of the EU (CJEU) delivered a landmark decision on international data transfers – the so-called Schrems II judgment. In its decision, the CJEU invalidated the EU Commission’s adequacy decision on the Privacy Shield, on which thousands of US companies have been relying to lawfully transfer personal data from the EU to the US. In the same decision, the CJEU confirmed the validity of the SCCs in principle, but made clear that their legality must be considered on a case-by-case basis, in light of the circumstances of the particular transfer.
What should trustees do?
As a result of this decision, all organisations in the UK, including pension trustees, need to carry out some due diligence on the international transfers of their personal data. They should start by (1) identifying all transfers of personal data outside the EEA; and (2) checking the data transfer mechanism that is in place to enable the transfers to comply with EU/UK data protection laws.
For pension trustees, this will primarily involve reviewing their data maps and service agreements to determine whether their service providers, such as administrators and investment consultants, process their scheme personal data from locations outside the EEA.
US companies currently relying on Privacy Shield will need to move quickly to evaluate their ability to make use of an alternative data transfer mechanism such as the SCCs or BCRs or, where applicable, rely on one of the specific transfer-related derogations provided for in the GDPR.
Pension trustees who identify transfers of their personal data to US companies relying on Privacy Shield need to liaise with the US company to find out how it intends to deal with this decision. If the provider already has SCCs in place as a back-up to Privacy Shield, or if it intends to put them in place as an alternative data transfer mechanism, a documented assessment needs to be carried out to assess whether the US company is able to comply with its obligations under the SCCs, in light of the factors identified in the Schrems II judgment. The same assessment needs to be carried out for all data transfers that rely on SCCs or BCRs, not just those to the US. The obligation to carry out that assessment is imposed on both the US company and the trustees who have engaged its services.
In other words, even contracts that purport to be compliant (because they incorporate SCCs) still require further action to check that the relevant service provider can comply with their terms. Reliance on a data mapping exercise in 2017/18 will not be sufficient – we recommend that trustees ask all their service providers at least annually to confirm compliance with contractual terms and that there have been no material changes to the information provided for the initial data map, but this is an additional assessment that needs to be carried out.
A key consideration when assessing whether a data transfer to the US carried out pursuant to the SCCs or BCRs is valid will be whether the personal data involved has been, or is likely to be, the subject of sweeping bulk data collection activities by US law enforcement or national security agencies under the U.S. Foreign Intelligence Surveillance Act, or relevant Executive Orders or Presidential Directives.
When should action be taken?
The European Data Protection Board (EDPB) is expected to issue updated guidance in due course, which will hopefully assist trustees in carrying out an assessment as to whether their suppliers are able to comply with their obligations under the SCCs or BCRs.
In the meantime, trustees should review their scheme’s data map and their service agreements to identify any transfers of personal data outside the EEA and ask the relevant suppliers to provide information that will help the trustees to carry out their assessment once the EDPB guidance is released.
Not just a US issue
Although the issue before the CJEU in Schrems II was the transfer of data between the EU and the US, the implications of the Court’s judgment are far-reaching and could also impact transfers between the EU and other “non-adequate” countries, including EU-China transfers and, post-Brexit, EU-UK transfers.
UK/EU organisations transferring personal data without ensuring that a valid adequacy mechanism is in place can face fines under the GDPR of up to €20 million (or 4% of their annual worldwide turnover if higher – although this is hard to apply to a pension scheme). There is no formal grace period granted by the EU Data Protection Authorities to enable organisations using Privacy Shield to put in place alternative arrangements, but the ICO has recently stated that it will continue to apply a risk-based and proportionate approach in line with its Regulatory Action Policy.