Data Protection Considerations Following the End of the Brexit Transition Period

on Thursday, 04 February 2021.

Data protection law has been in a state of flux over the past few years with the introduction of the GDPR, the new Data Protection Act and the additional uncertainty caused by Brexit.

Whilst things have now settled to an extent, a number of issues remain up in the air. Here we look at the current state of play and key developments relating to international data transfers that schools should be aware of.

Transfers of Personal Data from the EEA to the UK

The UK Government has applied for an adequacy finding to ensure that personal data can continue to flow freely from the EEA (the EU member states plus Norway, Iceland and Liechtenstein) to the UK following the end of the Brexit transition period. An adequacy finding would mean confirmation from the EU that UK data protection laws offer an adequate level of protection and are up to EU data protection standards.

It had been hoped that the UK / EU trade and co-operation agreement would come with an adequacy finding. This did not happen as the EU require more time to assess the UK's data protection compliance. However, the trade agreement does include a breathing space of up to six months to allow completion of the adequacy process. This means that, for the time being at least, personal data can continue to flow from the EEA to the UK without the need for UK organisations to take additional steps.

Should the UK not be granted adequacy in the next six months, then transfers of personal data from the EEA to the UK will not be able to take place unless a GDPR safeguard is in place or one of the limited exemptions applies. For example, if a school uses a cloud storage platform based in the EU then it is likely that its agreement with the platform provider would need to be updated to incorporate standard contractual clauses (SCCs) for data transfers.

The UK has already decided that European data protection laws are adequate, so there is no issue with personal data going the other way, i.e. from the UK to the EEA.

Other International Data Transfers

There were a number of significant developments in 2020 regarding international personal data transfers unrelated to Brexit. In July, the Court of Justice of the European Union (CJEU) struck down Privacy Shield, which was one of the more well-known mechanisms used to lawfully transfer personal data from the UK / EEA to the USA.

In the absence of Privacy Shield, most organisations are turning to SCCs as a means of making transfers lawful. However, the court found that it wasn't sufficient to rely on the SCCs on their own and that, as a further step, organisations should risk-assess the transfer and, if necessary, put additional safeguards in place. The additional safeguards contemplated are onerous to say the least, and the practical implication is that many businesses will struggle to meet the requirements. By way of illustration, if a school wanted to use an online app that stored personal data in the USA, then it would likely need to check that the correct version of the SCCs is incorporated into the contract and, in addition to this, risk-assess the transfer and put further safeguards in place. Such safeguards might include ensuring that the data is encrypted whilst it is in the USA and additional contractual provisions on top of the SCCs.

In November, the European Commission published new draft SCCs, which are set to replace the existing SCCs that have been used for a number of years and which many schools will be familiar with. New SCCs are long overdue as the existing SCCs are showing their age and have not kept up to date with how personal data is used and shared.

In terms of the implications for UK schools:

  • The Brexit transition period ended before the new draft SCCs were finalised. This means that the new SCCs cannot be used for compliance with UK data protection law. Nevertheless, we anticipate that the ICO will publish UK-specific SCCs in 2021 which are likely to be very similar to the EU draft versions. Schools should therefore switch to the new UK versions of the SCCs once they have been finalised to ensure continued compliance with data protection law. There will likely be a limited grace period to allow organisations a bit of time to switch to the new SCCs.
  • The ICO has hinted that it may take a more pragmatic line compared to the EU in terms of the additional safeguards that may be required in light of the European case. Nevertheless, it is likely that UK organisations will need to carry out some degree of checks before transferring personal data outside of the UK. The ICO is expected to provide further guidance and clarity during 2021.

We will provide further updates on these points during the course of the year but if you have any questions in the meantime, please contact Andrew Gallie in our Information Law team on 07467 220831, or complete the form below.
