There have been several recent developments in connection with international data transfers. The most significant of these are the conclusion of the EU-UK Trade and Cooperation Agreement on 31 December 2020¹ and the European Court of Justice's "Schrems II" decision². This briefing considers the implications of both for investment funds.
EU-UK Trade and Cooperation Agreement
While there is widespread relief that the EU-UK Trade and Cooperation Agreement was concluded before the expiry of the Brexit transition period, the provisions on data transfers to the UK provide only a temporary reprieve for such transfers.
Following the end of the Brexit transition period on 31 December 2020, the UK became a "third country" for GDPR purposes. This would ordinarily mean that all transfers of personal data to the UK would (i) be treated as transfers outside of the European Economic Area ("EEA"); and (ii) need to satisfy one of the GDPR's transfer tools legitimising the transfer of personal data to the UK.
The EU-UK Trade and Cooperation Agreement includes a six-month grace period allowing data transfers to the UK to continue without the need to put a GDPR transfer tool in place. The grace period is intended to give the European Commission time to perform an adequacy assessment on the UK. An adequacy decision would allow transfers to the UK to continue without the need for further measures to be put in place.
The UK Information Commissioner's Office, however, recommends that UK businesses put in place alternative transfer mechanisms in case there is no adequacy decision at the end of the grace period. The UK government suggests that European Commission standard contractual clauses ("SCCs") will be the most relevant transfer tool³.
There are three key aspects of the Schrems II decision, summarised as follows:
- The decision reinforces the core principle that essentially equivalent protection to the GDPR must travel with personal data when it goes outside the EEA. This principle also applies when SCCs are put in place.
- The court held that businesses transferring personal data outside the EEA on the basis of SCCs are responsible for verifying on a case-by-case basis that the law in the non-EEA country does not impinge on the effectiveness of the clauses. Where the law in that non-EEA country does impinge on the effectiveness of the clauses, businesses must adopt supplemental measures to ensure that essentially equivalent protection is maintained when the data is outside the EEA.
- The court also held that the "US Privacy Shield", which to date had facilitated the legitimate transfer of personal data from the EEA to the US, was invalid as it did not contain essentially equivalent protection to the GDPR.
In light of the potential for there to be no UK adequacy decision and Schrems II, any EEA based investment funds and non-EEA based investment funds to which the GDPR applies⁴ which transfer, or rely on service providers which transfer, investor, director or other personal data outside of the EEA (including the UK) will need to review their ongoing data transfers to ensure that appropriate transfer mechanisms are put in place and that those tools ensure essentially equivalent protection as per the Schrems II decision.
The European Data Protection Board ("EDPB") recommends a six-step methodology to ensure compliance with the GDPR's data transfer restrictions in light of the Schrems II decision. This methodology involves:
- Mapping data flows;
- Verifying transfer tools used;
- Assessing the non-EEA country's equivalence;
- Identifying supplementary measures;
- Adopting supplementary measures; and
- Periodic review.
If, following this review, it is not possible to put appropriate supplemental measures in place, businesses must identify another transfer tool. In the absence of another appropriate transfer tool, businesses are obliged to suspend existing data transfers and/or not start new personal data transfers.
The expiry of the EU-UK Trade and Cooperation Agreement grace period, Schrems II and the subsequent regulatory recommendations could significantly impact global data transfers – particularly data transfers to the US and the UK.
Where an investment fund is a data controller, it will retain responsibility for ensuring, and demonstrating, that any transfers by itself and/or service providers acting on its behalf are compliant with the data transfer regime.
2. C-311/18, 16 July 2020 http://curia.europa.eu/juris/documents.jsf?num=C-311/18
3. The European Commission has published new draft SCCs addressing some of the implications of Schrems II. There is no definitive timeline available for their adoption. They are available at https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12741
4. Such funds may need to appoint an EU based representative and notify the representative's details to data subjects.