Whilst things have now settled to an extent, a number of issues remain up in the air. Here we look at the current state of play and key developments relating to international data transfers that schools should be aware of.
The UK Government has applied for an adequacy finding to ensure that personal data can continue to flow freely from the EEA (the EU member states plus Norway, Iceland and Liechtenstein) to the UK following the end of the Brexit transition period. An adequacy finding would mean confirmation from the EU that UK data protection laws offer an adequate level of protection and are up to EU data protection standards.
It had been hoped that the UK / EU trade and co-operation agreement would come with an adequacy finding. This did not happen as the EU require more time to assess the UK's data protection compliance. However, the trade agreement does include a breathing space of up to six months to allow completion of the adequacy process. This means that, for the time being at least, personal data can continue to flow from the EEA to the UK without the need for UK organisations to take additional steps.
Should the UK not be granted adequacy in the next six months, then transfers of personal data from the EEA to the UK will not be able to take place unless a GDPR safeguard is in place or one of the limited exemptions applies. For example, if a school uses a cloud storage platform based in the EU then it is likely that its agreement with the platform provider would need to be updated to incorporate standard contractual clauses (SCCs) for data transfers.
The UK has already decided that European data protection laws are adequate, so there is no issue with personal data going the other way, i.e. from the UK to the EEA.
There were a number of significant developments in 2020 regarding international personal data transfers unrelated to Brexit. In July, the Court of Justice of the European Union (CJEU) struck down Privacy Shield, which was one of the more well-known mechanisms used to lawfully transfer personal data from the UK / EEA to the USA.
In the absence of Privacy Shield, most organisations are turning to SCCs as a means of making transfers lawful. However, the court found that it wasn't sufficient to rely on the SCCs on their own and that, as a further step, organisations should risk-assess the transfer and, if necessary, put additional safeguards in place. The additional safeguards contemplated are onerous to say the least, and the practical implication is that many businesses will struggle to meet the requirements. By way of illustration, if a school wanted to use an online app that stored personal data in the USA, it would likely need to check that the correct version of the SCCs is incorporated into the contract and, in addition, risk-assess the transfer and put further safeguards in place. Such safeguards might include ensuring that the data is encrypted whilst it is in the USA and adding contractual provisions on top of the SCCs.
In November, the European Commission published new draft SCCs, which are set to replace the existing SCCs that have been used for a number of years and which many schools will be familiar with. New SCCs are long overdue as the existing SCCs are showing their age and have not kept up to date with how personal data is used and shared.
In terms of the implications for UK schools: