Related Author: Alistair Ho, Trainee Solicitor, Mayer Brown
Over the last year there have been the following important data protection developments:
- Brexit – Whilst the Brexit transition period ended as 2021 began, the EU-UK Trade and Cooperation Agreement provided for a further transitional period of up to six months from 1 January 2021 (the "Additional Transition Period"). During this time the UK is not a third country for the purposes of the European General Data Protection Regulation ("EU GDPR").
Under the European Union (Withdrawal) Act 2018, the EU GDPR was incorporated directly into UK law as the UK GDPR. This now sits alongside an updated version of the Data Protection Act 2018 ("DPA 2018"). The UK GDPR is currently substantially the same as the EU GDPR.
- Schrems II – A significant Court of Justice of the European Union ("CJEU") decision, which alongside subsequent European Data Protection Board ("EDPB") guidance, has altered how international data transfers must be evaluated and undertaken (for a further analysis of the judgment see our client alert and further commentary).
- New standard contractual clauses for international data transfers ("New SCCs") – Following Schrems II, the European Commission ("EC") has published a draft of New SCCs (see our client alert). It is expected to be adopted by the EC early this year, whereupon it will replace the previous standard contractual clauses used by organisations as an appropriate safeguard for making international transfers of personal data under the EU GDPR. Although not certain, the UK is likely to adopt the same standard contractual clauses for international data transfers from the UK.
All of these developments have an impact on pension schemes since trustees, as data controllers, are under a legal obligation to ensure the secure transfer and processing of personal data.
Members' personal data is transferred to third parties in a variety of contexts, such as processors, sponsoring employers or a parent company. Third parties may then transfer data onwards, i.e. to sub-processors (see below). Therefore, data processing agreements and the mechanisms used for transfers to third parties should be reviewed by trustees to ensure compliance with applicable data protection legislation in light of the developments outlined above. The following are some typical examples to consider:
1.1 UK third parties
Where third parties are based in the UK, trustees need to ensure that data protection arrangements which are compliant with the UK GPDR are in place. Currently, the requirements are substantially similar to those under the EU GDPR. However, trustees may wish to consider updating references to refer to the UK GDPR, for example when reviewing their data protection documentation. It is also worth noting that the UK data protection regime is likely to diverge from the EU's over time and further amendments may be required from time to time.
1.2 Transfer of personal data between UK and EEA third parties
Transfers from the UK to adequate EEA countries – Such transfers are now considered a "restricted transfer" under the UK GDPR. However, the UK Government has applied a provisional adequacy decision (kept under review), which means that no new arrangements are currently needed for transfers from the UK to the EEA.
Transfer from EEA to UK – During the Additional Transition Period, the transfer of personal data to the UK from the EEA may continue to flow freely.
Post Additional Transition Period – On the 19 February 2021, the European Commission published a draft adequacy decision in favour of the UK with the aim of completing the adoption process by the end of the Additional Transition Period. If the draft adequacy decision is adopted within this timeframe, then when the Additional Transition Period ends, transfers of personal data to and from controllers and processors in the UK and EEA will be able to continue as they do currently, i.e. as if the UK were still an EU Member State. If this is the case, there is nothing further for trustees to do. However, if the draft decision is not adopted by the end of the Additional Transition Period, and no alternative bridging mechanism is put in place, EEA based third parties will be required to implement an appropriate transfer mechanism under the EU GDPR for transfers of personal data to the UK after the Additional Transition Period ends (although UK pensions schemes would be able to transfer personal data to the EEA without additional transfer mechanisms). If this were to be the case, trustees will need to take steps to ensure transfer mechanisms required under the EU GDPR are put in place with EEA third parties.
1.3 Transfer of personal data between the UK and non-EEA third parties
Transfer to adequate non-EEA from UK – The UK has recognised the existing 12 EU adequacy decisions (which apply to non-EEA countries). So long as this remains the position, trustees can transfer personal data to non-EEA third parties in these jurisdictions freely. The UK is preparing to start its own adequacy assessments of non-EEA countries.
Transfers to UK from adequate non-EEA countries – 11 of the 12 jurisdictions currently deemed adequate by the EU (Andorra pending) have confirmed they will allow uninterrupted data transfers to the UK. So long as this remains the position, non-EEA third parties in these jurisdictions can transfer personal data to the UK, and therefore trustees, freely.
Transfers to other non-EEA countries – If the non-EEA country does not enjoy a UK recognised adequacy decision, then it will be necessary to ensure that the transferred data is adequately protected using other means (e.g. SCCs or Article 49 UK GDPR derogations will need to be in place) and an assessment of the non-EEA legal framework will need to be undertaken. If this is the position, trustees will need to take these steps. For noting, EDPB guidance and CJEU decisions have cast particular doubt on the adequacy of the legal frameworks in the U.S., China, and India due to their national security laws – transfers of personal data to such countries therefore carry heightened due-diligence requirements. If this is the position, trustees need to check that appropriate safeguards are in place and the requisite assessments are carried out.
1.4 Onward transfers by third party processors
Any data processing agreements in place between trustees and third parties must ensure that where third parties are transferring personal data onwards to operations elsewhere that they are doing so in compliance with the UK GDPR and /or EU GDPR. They must also do so only with the trustee consent (general or specific).
If trustees transfer personal data to a third party processor using the SCCs, these clauses will include obligations that the contract between the third party and sub-processor mirrors the relevant rights and obligations set out in the trustee / third party arrangement. Generally, trustees rely on third parties to supervise their sub-processors' data processing activities. However, EDPB guidance on supplemental transfer tools and the New SCCs suggest that this may not be an adequate arrangement, and data transfer agreements with processors should include adequate protections for the supervision and monitoring of onwards transfers.
Trustees should ensure that member personal data will be adequately protected during the onward transfer to, and processing by, the proposed sub-processor before they consent to the use of sub-processors. If sub-processors are in place already, then trustees should map the relevant data flows to ensure adequate protection of personal data is in place.
2. Controller / Joint-Controller / Processor
Trustees are "controllers" under data protection laws.
Where a third party acts on behalf of the trustees and only processes data on the trustees’ instructions for specified purposes, that third party is likely to be a processor (typically the third party administrator or employer in-house administrator is a processor). However, aside from the contractual terms in place, it is important for trustees to ensure that the facts and circumstances of the arrangements in place reflect the roles identified and provided for in the contract with these third parties.
While certain non-essential means of processing, concerning practical aspects of implementation (e.g. the choice of a particular type of hardware or software, or the security measures) can be left for the processor to determine, the determination of the essential means of processing (e.g. which and whose data shall be processed? for how long? who shall have access?) is reserved to controllers, e.g. the trustees. Where processors make decisions beyond these non-essential means of processing they may be considered separate controllers or joint-controllers with the trustees. If this is the case, trustees will need to review the arrangements and update them to reflect the division of roles and different obligations that need to be imposed on counterparties under applicable data protection legislation.
3. Pension scheme members residing in the EEA
Pension scheme members living in the EEA may need to send personal data to the UK. If there is no EC adequacy decision for the UK, at the end of the Additional Transition Period such transfers may require an alternative appropriate transfer mechanism to be in place (see above).
In relation to special category data, additional steps need to be taken regardless of whether adequacy is achieved. A typical special category data is incapacity information, for example where an application for an incapacity benefit is being made by the member. In such cases, explicit consent from the member to process this data will be required.
Subject to the above, members of a UK pension scheme who are living in the EU can continue to correspond directly with the trustees – for example in relation to the setting up and payment of pensions, and in relation to existence checks.