Data Protection Following the End of the Brexit Transition Period - Key Issues for Schools
Data protection law has been in a state of flux over the past few years with the introduction of the GDPR, the new Data Protection Act and the additional uncertainty caused by Brexit.
Whilst things have now settled to an extent, a number of issues remain up in the air. Here we look at the current state of play and key developments for 2021 that schools should be aware of.
Transfers of Personal Data from the EEA to the UK
The UK Government has applied for an adequacy finding to ensure that personal data can continue to flow freely from the EEA (the EU member states plus Norway, Iceland and Lichtenstein) to the UK following the end of the Brexit transition period. An adequacy finding would mean confirmation from the EU that UK data protection laws offer an adequate level of protection and are up to EU data protection standards.
It had been hoped that the UK/EU trade and co-operation agreement would come with an adequacy finding. This did not happen as the EU require more time to assess the UK's data protection compliance. However, the trade agreement does include a breathing space of up to six months to allow completion of the adequacy process. This means that, for the time being at least, personal data can continue to flow from the EEA to the UK without the need for UK organisations to take additional steps.
Should the UK not be granted adequacy in the next six months, then transfers of personal data from the EEA to the UK will not be able to take place unless a GDPR safeguard is in place or one of the limited exemptions applies. For example, if a school uses a cloud storage platform based in the EU then it is likely that its agreement with the platform provider would need to be updated to incorporate standard contractual clauses (SCCs) for data transfers.
The UK has already decided that European data protection laws are adequate, so there is no issue with personal data going the other way, ie from the UK to the EEA.
Appointing a European Representative
UK organisations without an EEA presence are required to appoint a European representative if the UK organisation offers goods or services to individuals in the EEA or if the UK organisation monitors the behaviour of individuals in the EEA. However, the requirement does not apply to occasional low risk processing that does not involve the large-scale use of special category (eg health) or criminal offence data. A European representative acts as the organisation's point of contact in the EEA. For example, if someone in the EEA wanted to make a subject access request against a UK school they are entitled to do so by contacting the school's European representative.
The European representative requirement applies irrespective of whether the UK gets adequacy. Therefore, if they have not already done so, schools should be actively considering whether they need to appoint a European representative. In our view most activities would not trigger the requirement to appoint a representative, even if there is an EU connection. For example, having EU-based pupils on the roll will not by itself trigger the obligation. On the other hand, having an EU-based overseas recruitment agent may do so.
International Data Transfers Generally
There were a number of significant developments in 2020 regarding international personal data transfers unrelated to Brexit. In July, the Court of Justice of the European Union (CJEU) struck down Privacy Shield, which was one of the more well-known mechanisms used to lawfully transfer personal data from the UK/EEA to the USA.
In the absence of Privacy Shield, most organisations are turning to SCCs as an alternative means of making a transfers lawful. However, the court found that it wasn't sufficient to rely on the SCCs on their own and as a further step organisations should risk-assess the transfer and if necessary put additional safeguards in place. The additional safeguards contemplated are onerous to say the least and the practical implication is that many businesses will struggle to meet the requirements. By way of illustration, if a school wanted to use an online app that stored personal data in the USA then it will likely need to check that the correct version of the SCCs are incorporated into the contract and in addition to this, risk-assess the transfer and put further safeguards in place. Such safeguards might include ensuring that the data was encrypted whilst it was in the USA and additional contractual provisions on top of the SCCs.
In November, the European Commission published new draft SCCs, which are set to replace the existing SCCs that have been used for a number of years and which many schools will be familiar with. New SCCs are long overdue as the existing SCCs are showing their age and have not kept up to date with how personal data is used and shared.
In terms of the implications for UK schools:
- The Brexit transition period ended before the new draft SCCs were finalised. This means that the new SCCs cannot be used for compliance with UK data protection law. Nevertheless, we anticipate that the ICO will published UK specific SCCs in 2021 which are likely to be very similar to the EU draft versions. Schools should therefore switch to the new UK versions of the SCCs once they have been finalised to ensure continued compliance with data protection law. There will likely be a limited grace period, to allow organisations a bit of time to switch to the new SCCs.
- The ICO has hinted that it may take a more pragmatic line compared to the EU in terms of the additional safeguards that may be required in light of the European case. Nevertheless it is likely that UK organisations will need to carry out some degree of checks before transferring personal data outside of the UK. The ICO is expected to provide further guidance and clarity during 2021.
