We’re pleased to report what looks like some good news for pension schemes on data protection.
The European Commission has published a draft decision as to the “adequacy” of the UK’s data protection laws. If the draft decision is formally approved by EU Member States, this would allow personal data to flow from the EU or EEA to the UK uninterrupted after a temporary arrangement put in place at the start of this year expires. That temporary arrangement is the so-called “data bridge” agreed as part of the Brexit Trade and Cooperation Agreement, which will last until the end of April, or until the end of June if extended.
What is the significance of this development for pension schemes?
The UK information commissioner previously recommended putting in place alternative transfer mechanisms by the end of April “as a sensible precaution”. For UK schemes which receive personal data from the EU or EEA, this potentially meant building data protection standard clauses into any relevant service provider contracts. This would ensure that these data flows could continue after April if the “data bridge” wasn’t extended or if the European Commission did not grant the UK a favourable adequacy decision. (See our Brexit briefing here or blogpost here.)
These additional contractual clauses will no longer be needed, at least in the short term, if the EU votes favourably on this issue before the “data bridge” expires.
When will the EU confirm this decision?
The European Commission published its draft decision on February 19.
The draft decision will now be shared with the European Data Protection Board (which comprises representatives from each EU data protection authority) for a non-binding opinion. After taking this into account, the European Commission will present the draft decision to EU Member States for formal approval. Following this, the European Commission may adopt the draft decision.
Whilst we expect this process to be complete within the next couple of months, there is no clear timetable and so a scheme wanting to err on the side of caution may still prefer to build robust clauses into relevant contracts to exclude the possibility of any interruption to data flows. However, the European Commission is soon to publish new standard clauses for transfers of personal data (which the UK is also expected to adopt). Therefore, this could become a more complicated exercise as schemes will need to consider how best to incorporate the new clauses as and when they become applicable.
As it now seems likely that the European Commission will grant the UK an adequacy decision – which was previously far from clear – schemes may prefer to keep a watch on developments for the time being, rather than incurring the potentially unnecessary costs of contract updates.
One word of caution though: in keeping with all things Brexit-related, it is possible that the decision will only be signed off late in the day, so swift action could be needed if the EU does not after all grant the UK adequacy.
Is that then the end of the matter?
All adequacy decisions are reviewed after four years. So, if the UK does diverge on data protection in a way that the EU doesn’t think is compatible with EU data protection standards, then the UK could risk losing its data adequacy status. This issue could therefore resurface in the future.