EU ruling raises non-EEA pension data transfer questions - SPB

Pension schemes with an administrator that accesses personal data from outside of the European Economic Area (EEA) should check their compliance with data control regulations, according to Squire Patton Boggs (SPB).

This follows a ruling by Court of Justice of the EU (CJEU), which on 16 July invalidated the EU Commission’s adequacy judgement of the EU-US Privacy Shield Framework, which is one of the primary safeguards adopted by US service providers dealing with EU data.

A blog from SPB noted that CJEU also confirmed the validity of Standard Contractual Clauses (SCC), another primary safeguard used by US service providers, but cautioned that their legality must considered on a case-by-case basis.

SPB director, Francesca Fellowes, wrote: “Although the issue before the CJEU in Schrems II was the transfer of data between the EU and the US, the implications of the court’s judgment are far-reaching and could also impact transfers between the EU and other ‘non-adequate’ countries, including EU-China transfers and, post-Brexit, EU-UK transfers.”

SPB warned that all organisations in the UK, including pension trustees, should carry out due diligence on the international transfers of their personal data, starting by identifying all transfers of personal data outside the EEA, before checking that the data transfer mechanisms used enable the transfers to comply with EU and UK data protection laws.

While the European Data Protection Board is expected to issue updated guidance shortly, it was recommended that trustees review their scheme’s data map and service agreements to identify transfers of personal data outside the EEA and ask the relevant suppliers to provide pertinent information.

If transfers have taken place with US-based companies using the Primary Shield, SCCs may have been used as a backup and SPB recommended that an assessment should be carried out to ensure that the US firm can adhere to the requirements of said SCC.

“Reliance on a data mapping exercise in 2017/18 will not be sufficient – we recommend that trustees ask all their service providers at least annually to confirm compliance with contractual terms and that there have been no material changes to the information provided for the initial data map, but this is an additional assessment that needs to be carried out,” said Fellowes.

    Share Story:

Recent Stories


Closing the gender pension gap
Laura Blows discusses the gender pension gap with Scottish Widows head of workplace strategic relationships, Jill Henderson, in our latest Pensions Age video interview

Endgames and LDI: Lessons to be learnt
At the PLSA Annual Conference, Laura Blows spoke to State Street Global Advisors EMEA head of LDI, Jeremy Rideau, about DB endgames and LDI in the wake of the gilts crisis of two years ago

Keeping on track
In the latest Pensions Age podcast, Sophie Smith talks to Pensions Dashboards Programme (PDP) principal, Chris Curry, about the latest pensions dashboards developments, and the work still needed to stay on track
Building investments in a DC world
In the latest Pensions Age podcast, Sophie Smith talks to USS Investment Management’s head of investment product management, Naomi Clark, about the USS’ DC investments and its journey into private markets

Advertisement