Global menu

Our global pages

Close

Things to think about when transferring member data overseas

  • United Kingdom
  • Pensions

28-09-2020

It is now well over two years since trustees and sponsors were forced to become more familiar with data protection than they might have wanted to as a result of the need to comply with the General Data Protection Regulation (GDPR). However, data protection continues to be an issue that should remain on trustees’ agenda because of ongoing obligations to ensure that they comply with GDPR and keep member data secure.

This article considers the impact of the European Court decision in Schrems II at the beginning of the summer. The case gives rise to additional issues for trustees, administrators and anyone else handling member data to think about where that data might be transferred to ‘third countries’ outside the EEA. This will, of course, include the UK after the end of the Brexit transition period.

Keeping data secure when transferring it overseas

Trustees may transfer members’ personal data overseas more often than they expect. For example, their administrators may use services, including cloud storage, based in other countries. Simply viewing member data on screen in a non-EEA country can effectively export that data. An IT helpdesk service provider based overseas will be taking in a transfer of member data just by looking at it on a screen during a helpdesk call.

Where that other country is in the EU, the data recipient will need to comply with GDPR and therefore, the same standards of data protection and security will apply and no further measures need to be taken. EEA countries are deemed to provide for adequate protection of personal data so transfer mechanisms are not needed inside the EEA. However, where personal data is transferred outside the EEA, additional steps are required to ensure that it protected - one part of which is ensuring it is kept secure. There used to be a several mechanisms to achieve this:

  • standard contractual clauses (SCCs) which create contractual obligations to protect personal data
  • binding corporate rules (BCRs) which are internal codes of conduct adopted by multinationals around the transfer of personal data and ensuring it is kept secure
  • ensuring the recipient of the data is signed up to an agreed “privacy shield” which sets out how data transferred to a specified country can be kept secure

Impact of Schrems II

In July, the European Court considered the validity of these mechanisms in the context of data transfers to the US. It held that the US privacy shield was invalid with immediate effect because of concerns over US state surveillance powers which impact disproportionately on the rights of data subjects.

In addition, where SCCs are used, the European Court said that to ensure compliance with GDPR additional due diligence will need to be done to assess whether the SCCs will in reality, when considered alongside the laws and practice of the receiving jurisdiction, actually deliver the required level of protection. This obligation is likely to fall on the trustees as it is generally the data controller which enters into SCCs, rather than data processors, such as scheme administrators.

The supervisory authority in any member state is required to suspend or prohibit data transfers to territories where it considers that SCCs are not or cannot be complied with there. The Irish regulator has for instance commented that the application of SCCs to transfers to the US is now ‘questionable’ (though it has not ruled them out). The ICO said that it ‘stands ready to support organisations and work to ensure that global data flows continue’ but it is still obligated to implement the requirements of Schrems II.

The Schrems II decision did not consider the use of BCRs but it seems likely that they should be treated in the same way as SCCs and that additional due diligence will therefore be required.

What should trustees be doing now?

So what does all of this mean for pension schemes where member data may be transferred outside of the EEA in the course of scheme administration?

The Information Commissioner has said that data controllers, which includes pension scheme trustees, should “take stock of the international transfers [they] make and react promptly as guidance and advice becomes available”. This means that trustees should:

  • identify any third party agreements which allow for the transfer of data outside of the EEA. This might well include scheme administration and is likely to cover IT related agreements
  • consider what mechanisms (such as SCCs) are currently in place to keep that data secure
  • consider the impact of Schrems II on those mechanisms and identify whether additional due diligence is now needed
  • talk to the recipient of the data to identify what issues may arise in relation to their local legal framework
  • consider what additional safeguards can be put in place to protect data being transferred ahead of the EU reviewing the SCCs (possibly that review will happen by the end of 2020)
  • take advice where required. This might well include advice from lawyers in other countries to which member data is being transferred as ultimately the question of whether a third party can comply with any SCCs given will be a matter of domestic law in their jurisdiction

Implications of Brexit

The Brexit transitional period will come to an end on 31 December 2020 and GDPR will remain part of UK law until then. From 2021 the UK version of GDPR will apply (in essence, GDPR but with EU terminology replaced). Trustees will need to ensure that measures are in place to ensure that overseas data transfers are compliant with GDPR and from 2021, UK GDPR. Where data is being transferred outside of the EEA, the end of the withdrawal period should have limited implications for what trustees need to be doing.

UK GDPR (just like GDPR) means there needs to be a mechanism, such as SCCs, for transfers of member data from the UK to third countries i.e. countries outside of the EEA to happen lawfully. From 2021, transfers from the UK to countries inside the EEA will not require any such mechanism, although this may change. For now the UK has said that transfers inside the EEA do not pose any risk for personal data. If this changes, the simplest way of providing appropriate safeguards may be to use SCCs.

The position is more complicated where data is being transferred from the EU to the UK from 2021. There are a number of scenarios where this is likely, for example, where member data is held in the EU. Such transfers will technically require SCCs as the UK will be a third country relative to the EEA after the transition period, and does not yet have any formal adequacy status in terms of data protection laws. For this to change, the UK needs a decision from the European Commission recognising UK GDPR as providing adequate protections for personal data. Surveillance authorities here might make that difficult. As might the political landscape.

Trustees also need to keep in mind that their data record must by law refer to all transfers to third countries and what mechanism is relied upon. It’s a living document which should be kept up to date. If SCCs are used to plug the gap left by privacy shield, or are newly entered into for other reasons, the data record will need updating.

Next steps?

Trustees need to identify any potential international flows of member data and consider what, if any, additional steps they may need to take to keep that data compliant with GDPR and secure. Trustees might also wish to consider some service providers bringing member data back ‘on shore’ if it’s being stored or hosted overseas.

If you would like any help understanding the data flows in your scheme and what your obligations are, please get in touch with your usual Eversheds Sutherland adviser or the contacts below.