• Contact Us

What 'Schrems II' Means for Your University's Data Transfers

on Thursday, 03 December 2020.

In July 2020, the European Court dealt a major blow to organisations that transfer personal data to the US, with the striking down of the EU-US Privacy Shield.

The judgment also raised wider concerns for organisations relying on Standard Contractual Clauses (SCCs). In this article we consider what this actually means for UK higher education institutions (HEIs) who export personal data to the US and beyond and what the implications are for data transfers into the UK if we leave the EU without an adequacy decision.

Implications for Higher Education Institutions in the UK

Universities will need to review any specific arrangements where they rely on the Privacy Shield, or the SCCs, to permit transfers of student data outside the UK. This may include international pathway colleges and student recruitment agencies, as well as IT outsourcing and cloud storage arrangements. They should consider whether an adequacy assessment needs to be carried out and/or whether supplemental measures need to be implemented.

In particular, universities need to look out for arrangements with large corporations to store or transfer data (such as Google or Microsoft), to see if they have updated their data protection terms. Often, these will require HEIs to take some form of action to ensure that they are valid and apply to their agreement, so be aware that you may have to click a link, or request a specific agreement/set of terms in order to comply.

The Legal Background to the Schrems II Decision

Under data protection law in the UK, organisations cannot transfer personal data outside of the UK or the EEA without ensuring that the personal data is safeguarded in the same way that it would be if it remained in the EEA. There are some exceptions to this (such as where the individual has provided explicit consent to the transfer, after being made aware of the risks), but most large scale transfers rely on one of the following methods of securing equivalent protections:

  • The first of these is where the EU has issued an "adequacy decision". This means that the EU has assessed the laws of the relevant country and declared that they provide sufficient protections to allow a transfer.
  • Other options include SCCs, or Binding Corporate Rules (BCRs), both of which seek to place contractual safeguards on data being transferred which offer equivalent protections.

The US does not have an adequacy decision as such, but it did have the Privacy Shield. This was a voluntary code that US organisations could sign up to which purported to ensure information protection met EU standards.

The Decision

The Court found that the law in the US around surveillance and general privacy of citizens meant that, effectively, US organisations could not guarantee equivalent protections to personal data, even when complying with the Shield.

This means that organisations in the EEA (and the UK) can no longer rely on the Shield to transfer personal data to the US. Organisations can still rely on SCCs and BCRs in principle. However, organisations are required to carry out an assessment to ensure that safeguards are in place and put in place supplemental measures where appropriate.

What Are Your Options?

All international transfers that rely on SCCs or BCRs will need an assessment of the protections offered by the law of the recipient country, with a conclusion that the level of protection offered by the SCCs or BCRs is equivalent to that provided by the GDPR, or details of additional safeguards that have been put in place.

The European Data Protection Board (EDPB - a body which provides advice and guidance on European data protection law) has recently published guidance on what this assessment might look like and what sorts of safeguards could be put in place following the assessment (if the third country is deemed inadequate). It stresses that any assessment, or additional necessary safeguards identified, should be considered on a case-by-case basis as there is no 'one-size-fits-all' solution.

Coronavirus HE blogs

How to Carry out an Assessment

Whilst not being definitive, the guidance does set out some key requirements which should be met and also identifies some key steps in the process, for example:

  • The exporter (ideally with the help of the local importer) must identify any laws or practices in the third country that undermine the effectiveness of the specific safeguard relied upon (ie SCCs).
  • The EDPB has provided a non-exhaustive list of information sources which could be relied on when carrying out the assessment, including resolutions and reports from intergovernmental organisations and UN bodies.
  • The assessment should focus on the particular transfer in question and the specific transfer tool relied on, ie it need not become an assessment of the entire data protection landscape in the third country.
  • The assessment must be thoroughly documented to ensure that you can demonstrate the basis for the decision that was taken, when required.

What If the Assessment Deems the Third Country 'Inadequate'?

If the assessment determines that local laws undermine appropriate safeguards, then unless 'supplementary measures' can be put in place, the transfer must not go ahead, or if already being carried out, then the transfer must be suspended or terminated.

Coronavirus HE blogs

Supplementary Measures

These are measures which may be adopted to raise the protection level to the EU standard and otherwise permit the transfer (despite the third country being deemed inadequate).

The EDPB has provided a non-exhaustive list of what these measures may include, such as:

  • encrypting the data and ensuring 'encryption keys' are managed and retained solely outside of that third country by the exporter, and /or
  • adopting additional contractual safeguards requiring the recipient to resist requests from law enforcement agencies.

However, such options may not be practical in many cases. For example, encryption may work if the data is simply being stored in the US but not if it needs to be accessed or viewed there.

Whilst a helpful starting point and guide, the guidance and examples are worded cautiously to avoid amounting to definitive solutions and the EDPB reiterates that each data sharing scenario must be considered on a detailed case-by-case basis to determine what (if any) supplementary measures are appropriate in the circumstances.

Not a 'One-Off' Requirement

The guidance states that the protection afforded to data in the third country should be continuously monitored on an ongoing basis to ensure there have been no developments that may reduce the protection. What this specifically requires is not specified (for example does this require repeat assessments, or how frequently should this be re-examined?).

How to Mitigate the Impact of Schrems II

The Information Commissioner's Office (ICO) has confirmed that it will continue to regulate using a risk-based and proportionate approach and is still considering the effect of the decision.

HEIs should consider taking stock of their international transfers and reviewing any that might be high risk. Where personal data is clearly at risk, action should be taken to mitigate this where possible, such as encrypting the data and otherwise looking at where supplementary measures may be needed and what these could be.

What Will Be the Impact of Brexit?

In the event of a 'no-deal Brexit', and there being no 'adequacy decision' forthcoming from the European Commission in respect of the UK, then there will be imminent action required (which HEIs should start thinking about now). If SCCs are relied on, you should prepare to be involved in an adequacy assessment, for example, if requested by your EEA partner. Now is the time to consider how these requirements will be met, such as the practicalities of carrying out (and documenting) the adequacy assessment, whether to put in place SCCs for transfers into the UK, as well as identifying (and adopting) any necessary supplementary measures required.

We have focused on recent developments around international data transfer requirements. However, regardless of whether the UK gets an adequacy decision, there will likely be additional steps that you will need to take for data protection compliance following the end of the Brexit transition period. For example, some HEIs may need to appoint a representative in the EU and make changes to their data protection documentation.

For specialist legal advice regarding data protection and international transfers please contact a member of our Information Law team or complete the form below.

Get in Touch

First name(*)
Please enter your first name.

Last name(*)
Invalid Input

Email address(*)
Please enter a valid email address

Please insert your telephone number.

How would you like us to contact you?

Invalid Input

How can we help you?(*)
Please limit text to alphanumeric and the following special characters: £.%,'"?!£$%^&*()_-=+:;@#`

See our privacy page to find out how we use and protect your data.

Invalid Input