• Contact Us

Data Protection Update - UK Regulator Publishes its Response to the European Court of Justice's Ruling on Safe Harbour

on Wednesday, 16 December 2015.

In October, the European Court of Justice found that Safe Harbour, the route used by many organisations to lawfully transfer personal data to the USA, was invalid.

This decision will likely have an impact on any school which relies on cloud based storage where personal data is stored on US based servers (such as Google Apps). It may also be relevant to other online activity (for example, emails, parent portals, etc) if personal data is stored in the US. Even if a school's service provider is based in the UK, often they will have servers located in the US and therefore transfer school personal data to the USA as part of their services or back-up procedures.

The ECJ's decision is wide ranging in scope. It means that any school which uses cloud based storage or similar web based services may be in breach of the Data Protection Act.

The good news is that the ICO has no plans to take immediate enforcement action which gives schools a degree of breathing space.

The UK data protection regulator, the Information Commissioner's Office (ICO) has issued a statement.

The bad news is that, as the ICO identifies, the ECJ decision goes beyond Safe Harbour and calls into question any data transfer outside of the European Economic Area (EEA). This means that the alternatives to Safe Harbour (such as those listed below) might also be found to be inadequate if challenged.

Organisations are being encouraged to consider the alternative measures for US transfers in the absence of Safe Harbour. Such measures include:

  • Using the model contractual clauses for international data transfers which have been approved by the European Commission;    
  • Obtaining consent from data subjects; and
  • Carrying out an assessment of adequacy on the destination country.

It will be interesting to see how this area of law develops as none of these measures represent a perfect solution. For example, cloud providers might not be prepared to agree to the use of the model contractual clauses. Asking staff, pupils and parents to consent to their data being transferred outside of the European Economic Area (EEA) is clearly impracticable and there are risks that this option may not be enforceable. Carrying out an assessment of adequacy can be a mammoth task as it often involves carrying out detailed due diligence on both the contractor's and the destination country's data protection practices.

One option for schools is to adopt a 'wait and see' approach. As the ICO identifies, there is push to introduce what the ICO calls 'Safe Harbour 2.0', which would hopefully contain sufficient guarantees to satisfy the courts and the regulators.

However, there is no clear timescale on this and accordingly we recommend that schools should be doing what they can now to identify the risks and be ready to take remedial action. Such action might involve:

  • identifying which contracts are affected (ie, those where the contract allows for transfers of school data outside of the EEA)
  • using an alternative to Safe Harbour (albeit that, in light of the ECJ decision, there are no guarantees that any such alternative would protect the school in all cases)

Of the Safe Harbour alternatives, the use of the model wording has its attractions because it should just be a question of the contractor agreeing to adopt the wording. However, we recommend that any use of the model wording should be 'topped up' by including practical obligations on the contractor around information security which are specific to the data transfer (for example, requiring the contractor to use encryption or to adhere to a relevant recognised information security standard).

For further advice on all aspects of data protection in schools, please contact our Academies specialists Andrew Gallie on 0117 314 5279 or Claire Hall on 0117 314 5623.