The Brexit transition period ends on 31 December, which means that from then the UK will no longer be treated as part of the EU for data protection purposes. Here we look at the key data protection compliance implications for schools.
Will the UK Get an "Adequacy Finding" and Why Does It Matter?
The GDPR provides that personal data can only usually leave the EEA if:
- the destination country has been given a finding of adequacy by the EU Commission
- in the absence of an adequacy finding, the transfer is subject to one of the safeguards in the GDPR
- in the absence of an adequacy finding and a safeguard, the transfer falls under one of the limited exceptions (referred to as derogations) in the GDPR
From a UK perspective, an adequacy finding would be plainly beneficial as without this, UK organisations (including schools) will need to check that there is a safeguard or exemption in place for all transfers of personal data from the EEA to the UK.
Whilst the UK has applied for an adequacy finding and negotiations are ongoing, there is no guarantee that the UK's application will be successful. On the one hand, it may seem surprising if the UK was not granted adequacy, particularly as UK and EU data protection laws will remain aligned (at least in the short term) through the UK's adoption of the GDPR. Whilst this is the case, there are some concerns at EU level about the UK's wider data privacy practices, for example, in relation to national security and surveillance.
We suggest that schools should map out the different scenarios in which personal data they are responsible for moves from the EEA to the UK and identify the appropriate safeguard or derogation in case there is no adequacy finding. Schools should note that the requirements only relate to transfers from the EEA to the UK. Transfers from the UK to the EEA will continue to be lawful after the end of the transition period.
One way to make a transfer lawful is to incorporate the European Commission's standard contractual clauses for international data transfers (SCCs) into your agreement with the EEA-based party, and we anticipate that this will be one of the more frequently used safeguards in the absence of an adequacy finding. For example, if you use an EEA-based cloud storage provider who stores school personal data on EEA servers, then the SCCs may be an appropriate way of achieving compliance.
Many will be familiar with the recent Schrems II decision, in which the European Court found that it is not sufficient to rely on the SCCs alone and that organisations will need to put additional "safeguards" in place for compliance. It is unclear what these safeguards will look like (guidance from the regulators has been promised but is not yet forthcoming). There are also persistent rumours that the current SCCs are going to be replaced with new SCCs shortly. Notwithstanding these current uncertainties, SCCs are likely to remain a cornerstone of compliance with regard to international data transfers.
Whilst the SCCs will be helpful in a lot of cases, there will be transfers where their use would not be appropriate or practical, for example, when a school is corresponding with an EU-based parent.
Will I Need to Appoint a European Representative?
After the end of the transition period, a UK school that does not have an establishment in the EEA will need to appoint an EU representative where:
- the school offers goods or services to individuals based in the EEA (whether or not payment is required)
- the school monitors the behaviour of individuals whilst those individuals are in the EEA
The representative must act as a point of contact in the EEA. For example, if a parent based in Italy wanted to make a subject access request to the school, they would be able to do so by contacting the representative. The representative can be an individual or an organisation.
In respect of the first criterion (offering goods or services), if a school happens to have pupils with EU-based parents, this by itself is not sufficient to trigger the obligation to appoint a representative. However, if, for example, a school ran a virtual open day specifically targeting German parents and children, and placed an advert for the school in a French magazine, then this may be enough to meet the threshold.
At first glance, a school would appear to be unlikely to be caught by the second criterion (monitoring the behaviour of individuals in the EEA). However, it is possible that some school activities might constitute monitoring, e.g. some interactions with EU-based individuals via social media.
Schools should also note that even if the criteria are met, a representative is not required if the processing is occasional, low risk and does not involve the large-scale use of special category (e.g. health) or criminal offence data.
We expect that, whilst some schools will need to appoint an EU representative, most will not. Schools should nevertheless consider the criteria carefully in order to make an informed decision.
What Else Does My School Need to Think About?
Changes will also need to be made to data protection documentation; for example, a school's privacy notices and Article 30 record will likely need to be updated.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.