EU ruling raises non-EEA pension data transfer questions - SPB

Pension schemes with an administrator that accesses personal data from outside of the European Economic Area (EEA) should check their compliance with data control regulations, according to Squire Patton Boggs (SPB).

This follows a ruling by Court of Justice of the EU (CJEU), which on 16 July invalidated the EU Commission’s adequacy judgement of the EU-US Privacy Shield Framework, which is one of the primary safeguards adopted by US service providers dealing with EU data.

A blog from SPB noted that CJEU also confirmed the validity of Standard Contractual Clauses (SCC), another primary safeguard used by US service providers, but cautioned that their legality must considered on a case-by-case basis.

SPB director, Francesca Fellowes, wrote: “Although the issue before the CJEU in Schrems II was the transfer of data between the EU and the US, the implications of the court’s judgment are far-reaching and could also impact transfers between the EU and other ‘non-adequate’ countries, including EU-China transfers and, post-Brexit, EU-UK transfers.”

SPB warned that all organisations in the UK, including pension trustees, should carry out due diligence on the international transfers of their personal data, starting by identifying all transfers of personal data outside the EEA, before checking that the data transfer mechanisms used enable the transfers to comply with EU and UK data protection laws.

While the European Data Protection Board is expected to issue updated guidance shortly, it was recommended that trustees review their scheme’s data map and service agreements to identify transfers of personal data outside the EEA and ask the relevant suppliers to provide pertinent information.

If transfers have taken place with US-based companies using the Primary Shield, SCCs may have been used as a backup and SPB recommended that an assessment should be carried out to ensure that the US firm can adhere to the requirements of said SCC.

“Reliance on a data mapping exercise in 2017/18 will not be sufficient – we recommend that trustees ask all their service providers at least annually to confirm compliance with contractual terms and that there have been no material changes to the information provided for the initial data map, but this is an additional assessment that needs to be carried out,” said Fellowes.

    Share Story:

Recent Stories

Climate Investing
Laura Blows speaks to Aled Jones, Head of Sustainable Investing for Europe at FTSE Russell, and Adam Matthews, Director of Ethics and Engagement for the Church of England Pensions Board, about the role of climate investing within a pension fund portfolio.

Managing volatility
In the latest Pensions Age podcast, Laura Blows speaks to Cambridge Associates head of European pension practice, Alex Koriath, about the Covid-related market volatility and how pension funds can prepare for the challenges ahead

De-risking options for pension schemes
In this latest Pensions Age podcast, Linklaters' Sarah Parkin talks to Laura Blows about the wide range of choice available to pensions schemes for the partial, or full, removal of their risks

Risk transfer opportunities
Laura Blows speaks to Lisa Purdy, Head of Fiduciary Distribution at Legal & General Investment Management and Gavin Smith, Pricing and Execution Director - UK PRT at Legal & General, about the impact of the recent market volatility on the bulk annuity and risk transfer market and the potential opportunities for the future

Bulk annuities during coronavirus
Laura Blows speaks to Just business development manager Prash Mehta about the impact of coronavirus on transactions