Brexit...what we know so far.

As we all know, on 31 December 2020, the Transition Period (sometimes also referred to as the “Implementation Period”) under the EU-UK Withdrawal Agreement will come to an end. And one of the areas still in the mix is data protection, so what is the status now and what changes?

Firstly, the GDPR isn't going away. It is enshrined in our local law - in this case, the Data Protection Act 2018 - and the Information Commissioner's Office and the UK Government have stated that they are committed to maintaining its provisions.

What happens if there is no deal?

The UK has so far stated that nothing changes internally. And there will be no restrictions on data leaving the UK. And any changes only apply to data processed on or following the 1st January 2021 - any processing up to 31st December 2020 is unaffected and current rules apply.

The problem comes in two ways. Firstly - where is the destination of the data? And secondly - what about data coming into the UK?

Destination of the data

So leaving the EU not only affects data to and from the UK and the European Economic Area (where data can flow freely), it also affects the destinations that have an adequacy agreement or other data sharing protocols with the EU.

What does that mean? Well, just like the GDPR and DPA18 provide safeguards for an individual's data, adequacy and other tools provide equivalent safeguards in those destination countries, meaning data can flow freely. The list with adequacy probably isn't as long as you'd think:

Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay.

But when we leave, and if there is no deal and no adequacy agreement, then we have no legal protocols in place to recognize those safeguards anyway.

The big one in data protection matters is of course the US. And as with all the other countries not on the adequacy list (such as India or Australia), how can we safely transfer data? 

In most cases, we use something called standard contractual clauses. These are published by the EU to be added to a contract, and they build the safeguards into the contract. In the case of the US, there have been other safeguards - originally Safe Harbor, then Privacy Shield. Both allowed the US FCC oversight of data protection in the businesses that signed up to them. But they have both been invalidated by the Court of Justice of the European Union. So the big American tech companies now rely either on consent or, where controller-processor relationships exist, on standard contractual clauses.

We have standard contractual clauses embedded with our processor in the US. So we are OK?

The issue here is that the standard contractual clauses reference EU law. Also, the ones provided by the ICO were based on the 1995 Data Protection Directive, not the 2016 GDPR, so they are out of date anyway. And any organisation relying on them in the UK is referencing EU law and EU protections that no longer apply at the end of the transition period. We have recommended for some time that standard contractual clauses should reference UK law, not EU - the meaning of the clauses provides the safeguards, but the laws backing them up must be the law of the land.

What about data coming back into the UK?

This really is where the trouble starts. An organisation in the EEA (even a data processor) requires a lawful basis and safeguards to transfer data to the UK. Adequacy would provide that, but otherwise, they need under GDPR to have the standard contractual clauses that reference EU law. Which means that a data controller in the UK doesn't get its data back unless it agrees on a contract that cedes control to EU jurisdiction. Seems unfair? Well, we voted to leave and if we want to continue working with organisations in the EU, then we still have to play by their rules. It makes contracts complicated as the legal context would have to reference the UK and EU laws: UK for the UK-based data controller and the EU standard contractual clauses for the EU-based processor.

What about where we have data coming back to the UK, but not from the EEA?

In these cases, the same issue applies. Your data processor may agree to the standard contractual clauses and the safeguards they provide. But under what jurisdiction are they enforced? It's always been the problem with any agreement. Take the US for example: you can have a contract saying all safeguards are in place - but if the NSA wants access to your processor's data, then your contract won't mean much.

In any case, those contracts, if referencing EU law, will be technically invalid on January 1st 2021.

We'll get an adequacy agreement, won't we? Didn't we implement the GDPR after all?

You would hope so, but it's tied up in the negotiation. Technically, you can't have an adequacy decision granted as a member of the EU - we've left and the transition period was supposed to sort this out. At the moment it's up in the air, both because it is a bargaining chip and a little thing called the Investigatory Powers Act 2016. That allows (following judicial approval) interception of (often bulk) communications. It's supposed to be targeted but allows bulk interception. And as it's all top secret, we don't really know what communications are being collected and analyzed. But we know it's at the very least a consideration in the evaluation of an adequacy agreement.

Data Protection rights all propagate from the European Convention on Human Rights - and the UK government hasn't exactly supported their full implementation in UK law, meaning data protection and other rights are subject to change. 

What does the ICO say?

The ICO is, for the time being, following the European Data Protection Board's (EDPB) lead on the revision of standard contractual clauses (it's yet to be seen if they will issue "UK" versions). The EDPB is currently evaluating the CJEU decisions and cases on Privacy Shield and standard contractual clauses. But we aren't part of that regime from 2021. I doubt we will digress too far from any decisions - the ICO will still want to maintain as much parity as possible with the EU, for the time being at least. But in their last statement in November there is no indication about these safeguards in a post-Brexit world:

“We are reviewing the two recommendations published by the European Data Protection Board (EDPB) following the CJEU Schrems II ruling in July. The judgment confirmed how EU standards of data protection must travel with personal data when it goes overseas.

“The first recommendation updates the European Essential Guarantee for surveillance measures.

“The second has been published for public consultation and looks at the extra measures organisations may take to support the international transfer of data to meet EU standards, and is out for public consultation.

“This recommendation follows previous EDPB guidance stating that organisations must conduct a risk assessment as to whether a transfer tool, such as Standard Contractual Clauses (SCCs), provides enough protection within the legal framework of the destination country. If not, organisations must put extra measures in place to mitigate the risks.

“The Schrems II judgment said that supervisory authorities have an important role to play in the oversight of international transfers. As part of this role we are reviewing the recommendations and will consider whether we need to publish our own guidance in due course.

“We are also reviewing the European Commission’s new GDPR SCCs currently under consultation.

“We reiterate our advice that organisations should take stock of the international transfers they make, and update their practices as guidance and advice become available.

“We continue to apply a risk-based and proportionate approach to our oversight of international transfers in accordance with our Regulatory Action Policy.”

With the fall of Privacy Shield and challenges to standard contractual clauses continuing in European courts, the message from the ICO is that where possible use standard contractual clauses. But as in the latest communication, there may need to be a risk assessment undertaken and additional safeguards implemented. But no-one really knows what additional safeguards you would put in place, other than avoiding sending data to that location.

Which brings us on to the best way of dealing with the impact of Brexit on data protection. 

Keep your data in the UK. In most cases, this is what's happening with education products. And the ICO says that complying with the GDPR is the best preparation, even if you have no international data transfers.

The notable exceptions are Microsoft and Google, at least one of which most schools use. Microsoft hosts its data in the UK, but earlier in 2020 stated that:

"Due to the unprecedented circumstances around the COVID-19 crisis and the need to manage online services demand in Europe, if your organization is an educational institution, we may provision your Microsoft 365 tenant in the European Union (EU), European Free Trade Association (EFTA), the United Kingdom (UK), United States (US), or Canada (CA), or transfer your data to any data centers in the EU, EFTA, UK, US, or CA..."

Whilst that doesn't seem to be the case right now, it shows that they will change the terms if it suits them.

As for Google, it's in the G Suite for Education (Online) Agreement:

"Google may transfer, store and process Customer Data in the United States or any other country in which Google or its agents maintain facilities. By using the Services, Customer consents to this transfer, processing and storage of Customer Data." 

So using cloud services, there is at least a chance that data leaves the UK. Both Microsoft and Google were certified under Privacy Shield and operate standard contractual clauses - and operate secure systems. In reality, there is little risk. But the risk of transfer out of the UK doesn't matter when the company is a US entity - the Clarifying Lawful Overseas Use of Data Act (2018) or CLOUD Act is a US law that allows federal law enforcement to compel U.S.-based technology companies to provide requested data stored on servers regardless of whether the data are stored in the U.S. or on foreign soil - so your data is within reach.

This is where the ICO's advice to assess risk is important. We can't operate without accepting a certain amount of risk. In relation to Brexit, that risk is mitigated where we can use UK-based companies and keep data in the UK. Where it goes to the EU, we can use standard contractual clauses. Where it goes somewhere else, we can use variations of the clauses to contractually oblige other parties to apply an appropriate level of safeguards, but where the US is concerned we still have no choice but to tolerate a certain risk.

At DPE, as we work through the records of processing and document more processing and suppliers, we'll be ensuring that the risk levels are documented. We use this tool to document international data transfers too and assess risk levels. Life will be easier with an adequacy agreement, but it doesn't make everything easier. Schools operate in the UK with UK data subjects (unless you are an overseas school that targets staff and students abroad - contact us in that case). The most important thing we can do to prepare is to continue with the compliance journey and ensure we follow the best practice available. The risks around international data transfers may have changed, but they have always existed.

If you have suppliers outside of the UK that you are concerned about or any questions, then get in touch and we will help with documenting on the RoP and undertaking the appropriate risk assessments.

The Data Protection Education Team

 

©2021 Data Protection Education Ltd.
