Data Protection – Brexit fall-out
19 August 2021
We have three matters to report relating to the impact of Brexit, and of a decision of the CJEU (the Court of Justice of the European Union), on data protection law.
- The EU GDPR and the UK GDPR
First, the UK left the EU on 31 January 2020, but EU law continued to apply during the transition period, which ended at 11pm (UK time) on 31 December 2020. From that point, EU Regulations - including what we now call the 'EU GDPR' - ceased to apply to the UK. Instead, data protection law in the UK is set out in the Data Protection Act 2018 (amended to take account of Brexit) and in the 'UK GDPR', which is the text of the EU GDPR incorporated directly into UK law with the amendments needed to make it work as domestic law. In practice, there is little change at present to the core data protection principles, rights and obligations, but that may change over time if UK law diverges from EU law. If it does, we will let you know.
- Adequacy decision made in favour of the UK
Second, the EU granted 'adequacy' status to the UK in June 2021, meaning that the EU regards the UK as providing a level of data protection essentially equivalent to that in the EU. In practice, this means that organisations in the EU can transfer personal data to the UK without any additional safeguards such as the EU's Standard Contractual Clauses (SCCs), and without needing to rely on an available exemption or derogation. For the first time in an adequacy decision, the UK decision contains a 'sunset clause': it expires after four years unless it is renewed, and it can be suspended or withdrawn before then if UK data protection law diverges significantly from EU law. The UK government has, for its part, treated the EU (and the other EEA states) as adequate, so that you can transfer personal data from the UK to the EU without any additional safeguards.
- The case of Schrems II
Third, in July 2020 the CJEU ruled (in Schrems II) that the EU-US Privacy Shield framework did not provide adequate protection for personal data transferred from the EEA to the United States, so transfers can no longer rely on it. The UK has not departed from that position post-Brexit, so Privacy Shield cannot be relied on for transfers from the UK either. UK organisations which regularly transfer personal data to the US would normally put in place the UK's Standard Data Protection Clauses (SDPCs) as an appropriate safeguard, but Schrems II also cast doubt on whether SDPCs/SCCs are sufficient on their own: the court held that the exporter must assess whether the law and practice of the destination country (in particular, the scope of government access to data) undermine the protection the clauses give, and must put in place supplementary measures where they do. The European Data Protection Board (whose guidance remains relevant in the UK but is not binding on UK organisations) recommends that organisations carry out and document a transfer risk assessment of that kind, and we are waiting for further ICO guidance on what is required in the UK.
- So what does this mean for schools?
You should update your privacy notices, policy documents and data sharing and processing agreements to reflect:
- the post-Brexit terminology;
- the fact that the UK is no longer part of the EU; and
- the grant of the EU adequacy decision.
Any schools which transfer personal data to the USA (including where a supplier, such as a cloud or educational software provider, stores or accesses that data in the USA) will need to:
- consider whether the transfer falls within any of the exemptions and derogations available under the UK GDPR. If not, the school should put in place SDPCs and keep a record of its assessment of the risks of the transfer. While there are question marks as to the sufficiency of SDPCs on their own, the ICO is unlikely to sanction an organisation which relies on them given the present uncertainty following Schrems II; and
- update your data protection documents to reflect the basis on which you transfer personal data to the US.
If in doubt, we are here to help.