Asset Management & Investment Funds: EU & International Developments - Sept 2021

GDPR update

​Transfer of personal data to the UK

• ​​On 28 June 2021, the EU Commission adopted an adequacy decision for transfers of personal data to the UK, under the GDPR. Accordingly, SCCs are not necessary for transfers to the UK from within the EU. This means data can continue to flow as it did before from the EU to the UK. UK data protection law governs transfers from the UK to EU/non-EU. The EU Commission's UK adequacy decision includes a sunset clause limiting its duration until 27 June 2025. After that period the adequacy decision may be renewed. However, during this period the EU Commission will closely monitor legal developments in the UK, and may suspend or repeal the adequacy decision at any point. A list of countries with an adequacy decision can be found here.

Transfer of personal data to third countries not subject to adequacy decisions

• As referenced in our June AMIF bulletin, the European Commission published its final Implementing Decision on new standard contractual clauses (SCCs) for the transfer of personal data to third countries.
• The new SCCs address the entry into force of the GDPR and the requirements of that regime. The delay to the update was due partly to the European Court of Justice's decision in Schrems II (C-311/18), and the need for the European Commission to reconcile the new SCCs with that decision. They also take into account the EDPB's recommendations on supplementary measures.
• The new SCCs repeal and replace the old controller to controller SCCs (Decision 2001/497/EC, as amended) and the controller to processor SCCs (Decision 2010/87/EC). ​​​​ ​
• Accordingly, new agreements with third country (such as US) investment managers / distributors need to use the new SCCs from 27 September 2021 in order to comply with GDPR.
• Existing agreements with third country (such as US) investment managers / distributors must be replaced with the new SCCs by 27 December 2022

Commission Adopts PRIIPS RTS
The EU Commission adopted PRIIPS Regulatory Technical Standards (RTS) setting out detail of the content and format of the Key Information Document (KID) with Annexes which include templates which in-scope firms, such as UCITS ManCos, would be required to use. The RTS will be subject to approval by the European Parliament and Council, hopefully by year end. The text proposes the transition of the UCITS KIID to PRIIPS KID on 1 July 2022.

Draft RTS were submitted by the Joint European Supervisory Authorities in February (discussed in our February bulletin).

ESMA Trends, Risks and Vulnerabilities Report
ESMA published its second Trends, Risks and Vulnerabilities Report of 2021. The report highlights concerns due to the continued rise in valuations across asset classes in an environment of economic recovery and low interest rates. It also focuses on potential issues that could arise from increased risk taking by investors, and the materialisation of event risks such as GameStop, Archegos and Greensill. It notes that the financial sector is increasingly exposed to cyber risk.

The joint committee of the European Supervisory Authorities (comprising ESMA, EBA, EIOPA) also published its report on risks and vulnerabilities in the EU financial system. The report identified certain economic vulnerabilities (including a possible deterioration of asset quality in the financial sector) as well as cyber risk and information and communication technology related vulnerabilities and advised specific policy actions.

For more information please contact a member of the Asset Management & Investment Funds team.

Date published: 28 September 2021