As we all know, on 31 December 2020, the Transition Period (sometimes also referred to as the “Implementation Period”) under the EU-UK Withdrawal Agreement will come to an end. And one of the areas still in the mix is data protection, so what is the status now and what changes?
Firstly, the GDPR isn't going away. It is enshrined in our local law - in this case, the Data Protection Act 2018 and the Information Commissioner's Office and the UK Government have stated that they are committed to maintaining its provisions.
What happens if there is no deal?
The UK has so far stated that nothing changes internally. And there will be no restrictions on data leaving the UK. And any changes only apply to data processed on or following the 1st January 2021 - any processing up to 31st December 2020 are unaffected and current rules apply.
The problem comes in two ways. Firstly - where is the destination of the data? And secondly - what about data coming into the UK.
Destination of the data
So leaving the EU not only affects data to and from the UK and the European Economic Area (where data can flow freely), it also affects the destinations that have an adequacy agreement or other data sharing protocols with the EU.
What does that mean? Well, just like the GDPR and DPA18 provides safeguards for an individuals data, adequacy and other tools provide equivalent safeguards in those destination countries, meaning data can flow freely. The list with adequacy probably isn't as long as you'd think:
Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay.
But when we leave, and if there is no deal and no adequacy agreement, then we have no legal protocols in place to recognize those safeguards anyway.
The big one in data protection matters is of course the US. And as with all the other countries not on the adequacy list (such as India or Australia), how can we safely transfer data?
In most cases, we use something called standard contractual clauses. These are published by the EU, to be added to a contract and builds the safeguards into the contract. In the case of the US, there have been other safeguards - originally Safe Harbor, then Privacy Shield. Both allowed the US FCC oversight of data protection in the businesses that signed up to them. But they have both been invalidated by the Court of Justice of the European Union. So the big American tech companies, now either rely on consent, or where controller-processor relationships exist, then standard contractual clauses.
We have standard contractual clauses embedded with our processor in the US. So we are OK?
The issue here is that the standard contractual clauses reference EU law. Also, the ones provided by the ICO were based on the 1995 Data Protection Directive, not the 2016 GDPR, so they are out of date anyway. And any organisation relying on them in the UK it referencing EU law and EU protections that no longer apply at the end of the transition period. We have recommended for some time that standard contractual clauses should reference UK law, not EU - the meaning of the clauses provide the safeguards, but the laws backing them up must be the law of the land.
What about data coming back into the UK?
This really is where the trouble starts. An organisation in the EEA (even a data processor) requires a lawful basis and safeguards to transfer data to the UK. Adequacy would provide that, but otherwise, they need under GDPR to have the standards contractual clauses that reference EU law. Which means that a data controller in the UK doesn't get it's data back unless it agrees on a contract that cedes control to EU jurisdiction. Seems unfair? Well, we voted to leave and if we want to continue working with organisations in the EU, then we still have to play by their rules. It makes contracts complicated as the legal context would have to reference the UK and EU laws. UK for the UK-based data controller and the EU standards contractual clauses for the EU-based processor.
What about where we have data coming back to the UK, but not from the EEA?
In these cases, the same issue applies. Your data process may agree to the standard contractual clauses and the safeguards they provide. But under what jurisdiction are they enforced? It's always been the problem with any agreement. Take the US for example, you can have a contract saying all safeguards are in place - but if the NSA wants access to your processor's data, then your contract won't mean much.
In any case, those contracts, if referencing EU law will be technically invalid on January 1st 2021.
We'll get an adequacy agreement, won't we? Didn't we implement the GDPR after all?
You would hope so, but it's tied up in the negotiation. Technically, you can't have an adequacy decision granted as a member of the EU - we've left and the transition period was supposed to sort this out. At the moment it's up in the air, both because it is a bargaining chip and a little thing called the Investigatory Powers Act 2016. That allows (following judicial approval) interception of (often bulk) communications. It's supposed to be targeted but allows bulk interception. And as it's all top secret, we don't really know what communications are being collected and analyzed. But we know it's at the very least a consideration in the evaluation of an adequacy agreement.
Data Protection rights all propagate from the European Convention on Human Rights - and the UK government hasn't exactly supported their full implementation in UK law, meaning data protection and other rights are subject to change.
What does the ICO say?
The ICO is for the time being, following the European Data Protection Board's(EDPB) lead on the revision of standard contractual clauses (it's yet to be seen if they will issue "UK" versions. The EDPB is currently evaluating the CJEU decisions and cases on Privacy Sheild and standard contractual clauses. But we aren't part of that regime from 2021. I doubt we will digress too far from any decisions - the ICO will still want to maintain as much parity as possible with the EU, for the time being at least. But in their last statement in November there is no indication about these safeguards in a post-Brexit world:
“We are reviewing the two recommendations published by the European Data Protection Board (EDPB) following the CJEU Schrems II ruling in July. The judgment confirmed how EU standards of data protection must travel with personal data when it goes overseas.
“The first recommendation updates the European Essential Guarantee for surveillance measures.
“The second has been published for public consultation and looks at the extra measures organisations may take to support the international transfer of data to meet EU standards, and is out for public consultation.
“This recommendation follows previous EDPB guidance stating that organisations must conduct a risk assessment as to whether a transfer tool, such as Standard Contractual Clauses (SCCs), provides enough protection within the legal framework of the destination country. If not, organisations must put extra measures in place to mitigate the risks.
“The Schrems II judgment said that supervisory authorities have an important role to play in the oversight of international transfers. As part of this role we are reviewing the recommendations and will consider whether we need to publish our own guidance in due course.
“We are also reviewing the European Commission’s new GDPR SCCs currently under consultation.
“We reiterate our advice that organisations should take stock of the international transfers they make, and update their practices as guidance and advice become available.
“We continue to apply a risk-based and proportionate approach to our oversight of international transfers in accordance with our Regulatory Action Policy.”
With the fall of Privacy Shield and challenges to standard contractual clauses continuing in European courts the message from the ICO is that where possible use standard contractual clauses. But as in the latest communication, there may need to be a risk assessment undertaken and additional safeguards implemented. But no-one really knows what additional safeguards that you would put in place, other than avoiding data to that location.
Which brings us on to the best way of dealing with the impact of Brexit on data protection.
Keep your data in the UK. In most cases, this is what's happening with education products. And the ICO says that complying with the GDPR is the best preparation, even if you have no international data transfers.
The notable exceptions are Microsoft and Google, which most schools use at least one of. Microsoft hosts its data in the UK, and have but earlier in 2020 stated that:
"Due to the unprecedented circumstances around the COVID-19 crisis and the need to manage online services demand in Europe, if your organization is an educational institution, we may provision your Microsoft 365 tenant in the European Union (EU), European Free Trade Association (EFTA), the United Kingdom (UK), United States (US), or Canada (CA), or transfer your data to any data centers in the EU, EFTA, UK, US, or CA..."
Whilst that doesn't seem to be the case right now, it shows that they will change the terms if it suits them.
As for Google, it's in the G Suite for Education (Online) Agreement:
"Google may transfer, store and process Customer Data in the United States or any other country in which Google or its agents maintain facilities. By using the Services, Customer consents to this transfer, processing and storage of Customer Data."
So using cloud services, there is at least a chance that data leaves the UK. Both Microsoft and Google were certified under Privacy Shield and operate standard contractual clauses - and operate secure systems. In reality, there is little risk. But the risk of transfer out of the UK doesn't matter when the company is a US entity - the Clarifying Lawful Overseas Use of Data Act (2018) or CLOUD Act is a US law that allows federal law enforcement to compel U.S.-based technology companies to provide requested data stored on servers regardless of whether the data are stored in the U.S. or on foreign soil - so your data is within reach.
This is where the ICO's advice to assess risk is important. We can't operate without accepting a certain amount of risk. In relation to Brexit, that risk is mitigated where we can use UK based companies and keep data in the UK. Where it goes to the EU, we can use standard contractual clauses. Where it goes somewhere else, we can use variations of the clauses to contractually oblige other parties to apply an appropriate level of safeguards, but still where the US is concerned to have no choice but to tolerate certain risk.
At DPE as we work through the records of processing and document more processing and suppliers we'll be ensuring that the risk levels are documented. We use this tool to document international data transfers too and assess risk levels. Life will be easier with an adequacy agreement, but it doesn't make everything easier. Schools operate in the UK with UK data subjects (unless you are an overseas school that targets staff and students abroad - contact us in that case). The most important thing we can do to prepare is to continue with the compliance journey and ensuring we follow the best practice available. The risks around international data transfers may have changed, but they have always existed.
If you have suppliers outside of the UK that you are concerned about or any questions, then get in touch and we will help with documenting on the RoP and undertaking the appropriate risk assessments.
The Data Protection Education Team
The National Cyber Security Centre, a part of GCHQ, is supporting educational establishments to keep criminals out of their networks after a spike in ransomware attacks. The rise in attacks was recorded in August as cybercriminals turn their attention to a sector focused on the return of students.
The advice has been created with the input of the sector and is the latest in a series of support packages for academia. Cybersecurity experts have stepped up support for UK schools, colleges, and universities following a spate of online attacks with the potential to de-rail their preparations for the new term.
The National Cyber Security Centre (NCSC) issued an alert to the sector containing a number of steps they can take to keep cybercriminals out of their networks, following a recent spike in ransomware attacks. The NCSC dealt with several ransomware attacks against education establishments in August, which caused varying levels of disruption, depending on the level of security establishments had in place. Ransomware attacks typically involve the encryption of an organisation’s data by cybercriminals, who then demand money in exchange for its recovery.
With institutions either welcoming pupils and students back for a new term or preparing to do so, the NCSC’s alert urges them to take immediate steps such as ensuring data is backed up and also stored on copies offline.
They are also urged to read the NCSC’s newly-updated guidance on mitigating malware and ransomware attacks, and to develop an incident response plan which they regularly test.
Paul Chichester, Director of Operations at the NCSC, said:
“This criminal targeting of the education sector, particularly at such a challenging time, is utterly reprehensible. While these have been isolated incidents, I would strongly urge all academic institutions to take heed of our alert and put in place the steps we suggest, to help ensure young people are able to return to education undisrupted.
We are absolutely committed to ensuring UK academia is as safe as possible from cyber threats, and will not hesitate to act when that threat evolves.”
The new alert, Targeted ransomware attacks on the UK education sector by cybercriminals, supplements existing support that the NCSC, which is a part of GCHQ, provides academic institutions across the UK.
Examples of this included advice on the questions governing bodies and trustees should ask school leaders to improve a school’s understanding of cybersecurity risks, and the distribution of information cards which help staff understand how they can raise their school’s resilience to attack.
Some of you may have seen in the press the long-running legal dispute of Various Claimants vs Morrisons, which after starting in the High Court in 2017 has finally seen a ruling issued by the Supreme Court.
It's an important case in data protection and employment law, where a disgruntled employee deliberately posted the payroll data of Morrison's entire workforce online in order to damage them.
The employee was prosecuted and an application for damages by a group of employees made - the question ultimately being whether Morrison's was responsible for the actions of the employee.
The ultimate decision of the Supreme Court, was that Morrison's was not vicariously liable, mainly because the activities of the employee were not within the designated scope of activities - additionally, it considered the motive of the employee highly relevant (contrary to the lower courts opinion)
There is a deep a detailed write-up of the judgement here, from the QC representing Morrisons.
So what are the lessons that we can learn? After all, e
Firstly, to breathe a sigh of relief. If the judgement came down against Morrison's, any organisation with a rogue employee may have found themselves liable for their activities, even when they had no knowledge or connection to that employee's rogue activities. Effectively, the employee wasn't acting the course of his employment and therefore acting as a data controller in their own right, meaning that the initial data controller wasn't responsible in this case. But equally, the flip side applies - should an employee be processing data directly on behalf of the employer in a careless or negligent manner, the employer would likely be liable for those activities.
Lesson: every school is an employer, and data is often mishandled by employees, either deliberately or accidentally. As a data controller, you are responsible for all data processing under your direct control.
Secondly, Morrison's spent over £2.26 million to deal with the consequences of the breach, including helping with anti-fraud online protection for staff. Their breach response processes seem to have been adequate to the task in hand and ultimately, there was little, if no evidence of harm to the employees resulting from the breach.
Lesson: make sure that your breach response is fit for purpose. If in doubt, get in touch with Data Protection Education.
Thirdly, it was key that the breach wasn't caused by a lack of security in Morrison's security measures. This means that it's important to risk access and mitigate any risks with any data security concerns...data controllers are still responsible for the secure handling of data. It also again raises the fact that data is most at risk when it is being moved. The employee, an internal auditor, was providing data to an external auditor. Was this process defined and an appropriate data privacy impact assessment in place?
Lesson: Ensure data protection is at the heart of every activity. As we work in different ways during the coronavirus outbreak and move data from our typical place of work, don't use the crisis to discard your data protection responsibilities.
Lastly (for now) it does vindicate the Information Commissioner's Office who initially found that there was no further action required in relation to the incident.
Lesson: Data breach mitigation and reporting to the ICO requires procedure and evidence. That's what we help with as DPO and one of the reasons why we ask for evidence to be logged on the Knowledge Bank.
The Data Protection Education team.
