If you’ve ever opened your inbox and seen a message from a parent asking for “all the information you hold on my child,” your first thought was probably:

“Subject Access Request!”

But hold on — not every request for pupil information automatically falls under the UK GDPR. Sometimes, it’s actually a request under education regulations, depending on what’s being asked — and the type of school you are.

Understanding the difference is key. Not only does it help you respond lawfully and efficiently, but it also helps manage expectations and avoid unnecessary workload.

There are two main legal routes parents (or pupils themselves) might use to request access to information:

  1. Subject Access Request (SAR) – under the UK GDPR / Data Protection Act 2018

This allows an individual, including a pupil depending on their age and capacity, to request their own personal data.

  2. Request for the Educational Record – under the Education (Pupil Information) (England) Regulations 2005

This allows parents to request a copy of their child’s educational record, but only if the child attends a maintained school.

Let’s look at each in a little more detail.

Subject Access Requests (SARs) – GDPR territory

This is all about personal data.

Anyone can ask for a copy of the data you hold about them, including pupils (depending on their age and maturity), staff, or parents asking for their own data.

When it comes to parents asking for their child’s data, you’ll need to check whether the child is old enough and mature enough to understand what’s being asked. If they are, they should normally be the one making the request or at least give permission for the parent to do it on their behalf.

If they’re younger or not able to understand, the parent can usually make the request.

What does a SAR cover?

Any personal data you hold about that person. That might include:

  • Behaviour notes
  • Emails mentioning the pupil
  • Health or SEN info
  • Safeguarding logs (with care!)
  • CCTV footage (if the pupil is clearly visible)

Any type of school may receive a Subject Access Request, including maintained schools, academies, free schools, and independents, and you have 1 calendar month to respond.

Request for the Educational Record – Pupil Regulations

This one is specifically for parents of children at maintained schools (i.e. those run by local authorities). It gives them the right to see their child’s educational record, which is basically anything to do with their progress, learning, and life in school.

What counts as an educational record?

Think stuff like:

  • School reports
  • Attendance records
  • SEN plans
  • Notes from parent-teacher meetings
  • Behaviour points
  • Targets or interventions

It doesn’t include:

  • Child protection files
  • Teacher’s personal notes
  • Information that could seriously harm the child or someone else

Under these regulations, you have 15 school days to respond. You can also apply a charge to cover printing or postage, though most schools just send it electronically for free these days.

For academies and free schools, the right to the educational record doesn’t apply. But many still choose to share records in a similar way, just to be helpful and consistent. It is the same deal with independent schools: there is no right to the educational record. Parents need to go down the SAR route if they want information about their child, and only if the child isn’t old enough to make the request themselves.

While SARs and education record requests are different, there’s a bit of crossover. Some information might be shared under both, and that’s OK. The key is understanding which law applies and making sure you’re not accidentally oversharing or withholding something you shouldn’t.

When in doubt, take a breath, talk to your DPO, and go from there.

Over the past 12 months, we’ve been busy behind the scenes, rolling out exciting new features, fine-tuning your favourite tools, and delivering enhancements that make your day-to-day work a little bit smoother (and a lot more efficient). Whether it’s a shiny new module or subtle improvements to existing systems, we’ve been listening to your feedback and turning it into action.

So, what’s new in our tech treasure trove?

A brand-new User Manual to guide you through every step; an incredible new Complaints module to streamline your processes; and new data fields in the reporting of SARs, Breaches, and FOIs to give you even more control and clarity. Oh, and if you’ve ever wished for a cleaner, more intuitive layout, you’ll love the updated Group Summary section.

Plus, for those “I need help right now” moments, we’ve made sure you’re covered with fully comprehensive help sections that are always just a click away.

Intrigued? Want to know more?

Existing customers can contact their dedicated Customer Success Manager for more information on all of the latest updates, or even a “show and tell”.

If you’re new to Sentry, why not book a demo of our system? It’s quick and simple: just click on “book a demo” on the homepage and choose a date and time that suits you.

It’s that time of year again.

The weather’s warming up (at least in theory), the final exam papers are piling up in the staffroom, and the Year 11s, full of nervous energy, optimism, and just a hint of mischief, are preparing to say their goodbyes. It’s the season of leavers’ assemblies, nostalgic slide shows, and of course, the all-important question: “Can we get hoodies with all our names on them?”

Cue the GDPR panic.

Every year, in schools up and down the country, a familiar scenario plays out. A well-meaning teacher or member of the PTA offers to organise personalised hoodies or put together a yearbook featuring class photos and messages. And then, someone asks the question that stops the printer in its tracks: “Wait… is this even allowed under GDPR?”

Let’s unravel this together, because despite what some may believe, GDPR isn’t the fun police. It doesn’t mean you have to cancel prom or produce an anonymised yearbook with stick figures instead of class photos.

The truth is, most of these cherished school traditions can go ahead, so long as they’re handled with care, clarity, and a bit of common sense.

Take the humble leavers’ hoodie. It’s one of those rites of passage that students will cling to years after they’ve grown out of it. Names printed on the back, sometimes nicknames, sometimes surnames, sometimes the dreaded full first-middle-last-name combo. From a data protection point of view, names are indeed personal data. But does that mean you can’t print them?

Absolutely not. You just need a lawful basis to do it—and in most cases, that’s as simple as getting consent.

Whether it’s for hoodies, a yearbook, or a slideshow featuring baby photos, if you’re collecting and sharing personal data outside of core educational purposes, it’s best practice to ask students (or their parents, depending on age) for permission. A simple form will do the trick. The key is to be clear about what data you’re using, where it will appear, and who will see it. No tricks, no fine print in size six font.

And yes, you can still include photos. There’s no secret clause in the UK GDPR that says a picture of Year 11 on the school field at lunchtime is forbidden. If it’s for a yearbook, prom night collage, or school website tribute, the same principle applies; be transparent, get the appropriate permissions, and store images securely. That’s it.

There’s a myth that GDPR somehow outlawed all joy in schools, but the reality is it just asked us to stop being sloppy with data. It’s about respect, not restriction.

Then there’s the classic: signing shirts. The ink-stained rite of passage, where uniforms are transformed into messy tributes of inside jokes and hastily scrawled farewells. A few educators have raised their eyebrows at this tradition, worrying it could constitute “uncontrolled data sharing.”

Realistically, if a student voluntarily hands their shirt to a friend and says, “write something embarrassing on my back,” this isn’t a data protection issue, it’s a social one. GDPR doesn’t govern private, student-to-student interactions unless the school is actively collecting and publishing that content. So, you don’t need to enforce a shirt-signing ban (and if you tried, good luck…).

Now, about prom. Some schools host their own; others let parents or external companies run the show. Either way, collecting names for tickets, dietary needs, or emergency contact details is fine, just make sure you’re only collecting what you actually need, and that the data isn’t floating around on someone’s USB stick or unprotected spreadsheet. The golden rule? If you wouldn’t want your own teen’s info handled that way, don’t do it to someone else’s.

So here’s the bottom line: don’t let GDPR myths steal the spotlight from your leavers’ celebrations. Data protection doesn’t mean you can’t celebrate your students. It just asks that you do it with intention.

After all, what better way to send off the next generation than by teaching them that privacy and parties can coexist?

Let them have their yearbooks. Let them wear hoodies emblazoned with names they’ll cringe at later. Let them dance the awkward final dance at prom. And let them remember that their school cared enough to protect their memories without over-policing their goodbyes.

As public bodies, UK schools are increasingly in the spotlight when it comes to transparency. Freedom of Information (FOI) requests are a key legal mechanism for parents, campaigners, and the media to access information about how schools operate, but they’re also on the rise, especially around exams, assessments, and decision-making processes.

For school administrators and data protection leads (DPLs), responding to FOI requests isn’t just a legal duty under the Freedom of Information Act 2000, it’s also an opportunity to build public trust through transparency. Therefore, it’s crucial to understand your responsibilities, and the risks, when responding to these requests, especially as scrutiny intensifies.

Why Are FOI Requests Increasing in Schools?

Since the pandemic, there’s been a noticeable uptick in FOI activity directed at schools and trusts. Some of the key drivers include:

  • Concerns about exam grading during teacher-assessed years
  • Requests for exam board correspondence and internal moderation policies
  • Transparency around assessment algorithms or standardisation approaches
  • Access to emails or records related to grade appeals
  • Inquiries about pupil exclusions during exam periods

Schools across the UK have reported a surge in FOI requests during May–July, often clustered around GCSE and A-Level periods. These are not always straightforward, and many come from organised campaigns or media investigations.

What Is Covered by FOI in Schools?

Under the Freedom of Information Act 2000, anyone can request recorded, non-personal information. This includes:

  • Curriculum and assessment policies
  • Staff guidance or marking frameworks
  • Internal minutes or email chains (if recorded)
  • Communication with exam boards or local authorities

It does not cover:

  • Personal data about students or staff (that’s handled under UK GDPR)
  • Opinions that weren’t formally recorded

The Right Way to Respond

Every request must be handled lawfully, objectively, and in good faith. The basic process:

  1. Acknowledge: Respond within 20 working days
  2. Clarify if the request is vague or excessive
  3. Assess whether you hold the data and how much effort is required
  4. Apply exemptions only where legally justified
  5. Provide the information, or explain your reasons for refusal

Maintain a full audit trail of your decisions, especially if you’re applying an exemption.

Use of Exemptions: Don’t Overreach

The FOI Act includes several exemptions, but misusing them can damage your reputation and trigger ICO scrutiny. Common (and often misapplied) exemptions in schools include:

  • Section 36 (prejudice to effective conduct of public affairs): Often used to withhold internal discussions but must be supported by recorded reasoning from a qualified person (e.g. Headteacher)
  • Section 40 (personal data): Use only where releasing the info would breach data protection law
  • Section 22 (future publication): You must have a clear intention to publish the info soon

Exemptions serve a purpose, but overusing or misapplying them risks eroding public confidence and triggering ICO complaints. As stewards of public funds and student welfare, UK schools should aim to default to openness, using the FOI framework as a tool to engage, not to evade.

Real-world caution:

A secondary school used Section 36 to refuse a request for internal marking guidance during a teacher-assessed grading period. The requester complained to the ICO, who found that the school had not sufficiently evidenced how disclosure would “prejudice the conduct of public affairs.” The school had to release the material.

Best Practices for UK Schools

  • Have a written FOI policy and publish it on your website
  • Train front-office and SLT staff on identifying and escalating FOI requests
  • Work with your DPO or local authority when applying exemptions
  • Log every request, decision, and rationale
  • Avoid redacting out of caution: Redact only what is necessary under the Act
  • Be proactive: Publishing certain information online (e.g. assessment policies, appeals processes) can reduce the volume of individual FOIs

When FOI Meets Exams: Be Prepared

To reduce stress and ensure legal compliance during exam season:

  • Review your assessment policy and have a version ready to share
  • Document all grade moderation discussions formally
  • Keep communications with exam boards organised and accessible
  • Clarify what can and cannot be disclosed under FOI vs. Subject Access Rights

Final Thought: Transparency Is a Strength, Not a Risk

It’s tempting to view FOI requests as administrative burdens or reputation threats. But when handled lawfully and openly, they demonstrate professionalism, fairness, and accountability. Use exemptions sparingly and transparently, and never to avoid embarrassment or scrutiny.

There’s a certain kind of email that arrives in a school inbox that immediately raises eyebrows. It starts with something like:

“Exciting news! We’re trialling new biometric scanners in the canteen to speed up lunch queues!”

It’s followed by promises of efficiency, reduced lunch line chaos, and fewer forgotten PINs. On the surface, it sounds brilliant. Who wouldn’t want a futuristic solution to an age-old problem?

But here’s the thing: before you ask a group of eleven-year-olds to hand over their fingerprints for a chicken nugget, you need to stop and ask a bigger question… Have we done a Data Protection Impact Assessment (DPIA)?

You may wonder why it is so important. A DPIA isn’t just some bureaucratic hoop to jump through. It’s a vital safeguard designed to help schools understand how a new system or process might affect people’s privacy, especially when you’re dealing with sensitive or high-risk data.

In schools, we hold data about children who are arguably some of the most vulnerable individuals in society. Introducing new tech that collects biometric data (like fingerprints or facial recognition) raises serious privacy concerns. Biometric data is classed as “special category data” under the UK GDPR, which means it requires extra care and justification.

A DPIA helps you figure out what data is being collected, why you need it, what risks it poses to individuals, and how to mitigate those risks. Even more crucially, it helps you decide whether the shiny new system is really necessary in the first place.

Let’s return to that canteen scanner idea. The supplier promises that fingerprinting pupils will slash queue times and reduce cash handling. Sounds efficient, right?

But have we asked:

  • Do we really need biometric data for this?
  • Could a swipe card or QR code achieve the same result with less risk?
  • What happens if a student refuses to give their fingerprint?
  • How securely will this data be stored, and who can access it?

Without a DPIA, these questions may never even surface.

Or take another example: your school is rolling out a new online safeguarding tool that uses artificial intelligence to flag potential risks based on student writing. Impressive? Maybe. Intrusive? Potentially. A DPIA would help you assess whether the tool’s benefits outweigh the privacy implications, and what safeguards should be in place.

Remember… behind every “data point” is a real child. Their birthday. Their behaviour record. Their image. Their fingerprint.

A DPIA isn’t about red tape. It’s about respecting the trust families place in us. It’s about making thoughtful, informed choices, not just because it’s the law, but because it’s the right thing to do.

And honestly, it’s also about protecting your school. If things go wrong, if a data breach happens, or parents push back, a completed DPIA shows you took privacy seriously. It shows you were proactive, not reactive.

A Culture Shift, Not a Paper Exercise

The best schools aren’t just doing DPIAs to tick a box. They’re building a culture where people ask early on:

“Could this new system affect how we handle personal data?”

“Do we need to speak to the Data Protection Officer before we go ahead?”

“Have we thought this through, not just for us, but for our students?”

That’s where real digital responsibility begins. Not in a policy document, but in everyday conversations.

So next time someone suggests a new app, platform, or process… pause. Before you roll it out, before the training sessions and the excited emails, check whether a DPIA is needed.

Because in a world where data is power, doing a DPIA is how we wield that power wisely. Not to impress with tech, not to dazzle with dashboards, but to protect, to consider, and to educate with integrity.

It’s opening night. The school hall smells faintly of paint and paper mâché. There’s a Year 5 pupil with a cardboard crown that’s just a little too large for their head, nervously adjusting their costume backstage. Parents are streaming in, phones at the ready, clinging to the best seats like it’s Glastonbury. You’ve made it to the school play and so has the annual data protection dilemma.

Because as predictable as last-minute prop malfunctions and forgotten lines, come the whispered queries: “Can I film this?” “What if someone else’s child is in the shot?” “Are we even allowed to take photos anymore?”

Ah yes, welcome to the wonderfully confusing world of data protection and school performances. Where nativity scenes meet nuanced legislation, and Mary’s not the only one cradling something precious.

Let’s start with the basics. Parents taking photos or videos for personal use? Absolutely fine. UK GDPR isn’t interested in mums and dads snapping a picture of their little star as the third shepherd from the left. That’s considered a “purely personal or household activity,” and data protection laws don’t apply. Parents can cheer, film, and Instagram away, within reason.

But let’s say a parent asks for a copy of the school’s official video of the play. Now we’ve stepped into a different category. If the school is recording or photographing the event, it’s processing personal data. That means GDPR applies. The school must be clear about what it’s capturing, why, and how that footage will be used or shared.

It’s here that things can get thorny.

For instance, imagine you’ve got a pupil in Year 4 whose parent has specifically requested their child not be photographed, perhaps due to safeguarding concerns. If that child ends up in the wide-angle shot of the final scene, and the video is later shared on the school’s website, that’s not just a mistake, it’s a potential data breach.

So schools have to tread carefully. It means thinking ahead. It means letting parents know in advance what will be filmed, how long the footage will be kept, and getting clear consent for public use, especially if the content might be shared beyond the school community.

Then there’s the grey area of social media. Suppose a proud grandparent posts a clip of the school play on Facebook, featuring multiple children in the background. No malice, no agenda, just pride. Still, if that video ends up widely circulated or accessible to people outside the immediate circle, concerns can start to surface. And suddenly, the school may get complaints from parents who hadn’t realised their child might appear in someone else’s family montage.

Educators often find themselves caught between celebrating achievements and navigating consent. You want to showcase the joy, the creativity, the culmination of weeks of rehearsal. But you also don’t want to inadvertently violate someone’s privacy or their trust.

So what can be done?

Communication, as always, is your best friend. Set expectations early. Let families know what the school’s policy is on filming and photography. Provide opportunities for opt-outs and be clear that personal recordings must not be posted publicly without consent from all those featured.

And if you’re recording the event as a school, make sure your privacy notices are up to date, your consents are meaningful, and your editing software is ready just in case someone needs to be cropped or blurred.

One school I worked with handled it beautifully: before the play, the headteacher gave a warm, informal announcement. “We know you’ll want to remember tonight,” she said. “Feel free to take photos of your own child, but please be mindful of others. Let’s celebrate the magic without forgetting that we all have different comfort levels.”

The audience appreciated the reminder. Phones were out, but respectfully so. And not a single complaint followed.

Ultimately, the aim isn’t to dampen the occasion, it’s to protect the people in it. Children deserve to shine on stage without worrying about where that footage might end up. And parents deserve clarity about how their children’s images are being used.

So as the lights dim and the narrator clears their throat, take a breath. You’ve got the play under control. And with a little forethought, you’ve got the data protection side covered too.

Break a leg, and maybe set your camera to “portrait mode.”

Picture this: You’re clearing out a dusty old cupboard in the staffroom and stumble across a stack of paper files labelled “Year 11 – 2009”. A mix of test scores, behavioural logs, and, oddly, a permission slip for a trip to Alton Towers.

Your first thought? How did this survive the last clear-out?

Your second? Should we even still have this?

If you’ve ever found yourself asking those questions, you’re not alone. But when it comes to managing personal data in schools, it’s not just about tidiness or storage space, it’s about legal responsibility, privacy, and respect for the individuals behind the information.

Let’s talk about data retention, and why getting it right is more than just best practice, it’s the law.

Data Isn’t Just Data. It’s Someone’s Life Story

In education, we collect a lot of data: names, addresses, medical notes, academic records, safeguarding files, staff performance reviews, you name it. And it all serves a purpose… for a time.

But once that purpose is fulfilled? Keeping it longer than necessary can be a breach of the UK GDPR and Data Protection Act 2018 (DPA).

The GDPR (General Data Protection Regulation), still part of UK law post-Brexit, tells us that personal data must be:

  • Accurate
  • Kept up to date
  • Not kept longer than necessary

In other words: Just because you have it, doesn’t mean you should still keep it.

“Just In Case” Isn’t a Policy

One of the most common phrases you’ll hear in schools when asking why old data still exists is: “We might need it one day.” But the law says otherwise.

Every piece of personal data must have a defined retention period based on its purpose. These periods should be recorded in your data retention policy or information asset register, which should be reviewed regularly.

Let’s look at a few examples:

  • Safeguarding records? Kept until the child is 25 (or 6 years after the last entry if the child was not looked after).
  • Recruitment records for unsuccessful applicants? Typically 6 months.
  • Staff employment files? Usually retained for 6 years after employment ends.

These timeframes aren’t arbitrary. They’re based on legal, educational, and best practice guidance (such as from the IRMS toolkit for schools).

Imagine if a former pupil, now 30, asked for all the information you still held about them. Could you confidently justify why you still have that Year 8 report from 2006?

Or worse, what if their data was part of a breach and it turned out it should have been deleted a decade ago?

This isn’t just theoretical. Schools have been fined for poor data management practices, including keeping data for far longer than necessary.

So what can schools do to stay compliant and responsible?

Have a Clear Retention Schedule

Refer to sector-specific guidance (like the IRMS Records Management Toolkit) and document retention periods in your data protection policy.

Build a Culture of Data Hygiene

Make data deletion as routine as fire drills. Annual “digital spring cleans” can be helpful for reminding staff to review and remove old files.

Use Technology Wisely

Modern MIS and HR systems often allow automated data archiving or deletion after a set period. Use these tools, but make sure they’re configured correctly.

Train Your Staff

Teachers and admin staff are on the frontlines of data processing. Make sure everyone knows why data retention matters—and what they’re responsible for.

Final Thoughts: Respecting the Past Without Hoarding It

Data retention might not be the most glamorous part of running a school, but it is one of the most important for protecting your pupils, your staff, and your reputation.

Ultimately, it comes down to this: Respect the data as you would respect the person it belongs to.

You wouldn’t keep old student essays or report cards pinned to a noticeboard for years, so why keep their digital (or paper) equivalents indefinitely?

Managing data well isn’t just about compliance, it’s about ethics, trust, and good governance.

So next time you come across a file from five headteachers ago, ask yourself: Why do we still have this? And if there’s no good answer, it might be time to let it go.

It’s a typical Tuesday morning in the staffroom. Someone’s burnt their toast, the last tea bag has mysteriously vanished, and your inbox flashes up with a reminder: “Mandatory GDPR Refresher – 20 minutes.” There’s a quiet groan. Not because anyone doubts its importance but because, for many, data protection training sits firmly in the category of necessary but dry.

And yet, in schools, the relevance of GDPR couldn’t be more real. Far from being a background compliance exercise, it’s something woven into nearly every task we undertake whether we realise it or not. It’s in the way we send emails to parents, the way we store SEN reports, or how we display pupil names on classroom walls.

The truth is, GDPR awareness isn’t a one-off event. It’s a practice. And like all good practice, it requires routine reflection, updated understanding, and yes, refreshers.

Take, for example, a school that proudly circulated a birthday list to families in a class newsletter. A small act of celebration, warmly intended. But one child on the list was under a court order that required their identity to be protected. The result wasn’t malicious, but it did amount to a serious lapse in data handling, one that could have been avoided with more regular, scenario-based reminders.

Every member of staff in a school (teachers, support staff, lunchtime supervisors, even volunteers) comes into contact with personal data. That might be in the form of a safeguarding note, an attendance register, or a photo taken during a school trip. It’s not the presence of data that’s the issue, but how thoughtfully and lawfully it is used.

Regular GDPR training and awareness sessions provide the confidence and clarity staff need to navigate this landscape. They help reinforce the day-to-day decisions, like locking screens, avoiding personal email use, or checking consent for photographs, that protect children’s rights and safeguard the school from reputational and legal risk.

Some schools are rethinking the format of these refreshers. One primary school incorporated short GDPR tips into their weekly staff briefings: “This week’s reminder is about using BCC in group emails.” It was informal, quick, and incredibly effective at keeping privacy principles front of mind without overwhelming staff.

Others have taken a more reflective approach, using anonymised real-life incidents from within the school to frame learning: “Remember when a report was accidentally emailed to the wrong parent?” These moments serve as powerful learning tools. They aren’t theoretical, they’re rooted in the real and immediate experience of the staff team.

In a world of competing priorities, it’s easy for GDPR to feel like a tick-box activity. But when an incident happens, be it a data breach, a complaint, or a safeguarding issue, it instantly becomes urgent and central. At that point, it’s not just about compliance. It’s about trust.

GDPR, at its core, is about respecting people, their privacy, their safety, their dignity. Educators are entrusted with not only children’s learning, but their stories, their vulnerabilities, and their personal details. That trust deserves care and vigilance, not just once a year, but as part of our professional mindset.

So, the next time a GDPR refresher request lands in your inbox, perhaps see it for what it is: a professional check-in that helps you protect your pupils, your school, and yourself. It’s not about ticking a box, it’s about reinforcing a culture of thoughtful, respectful data handling.

Because good data protection practice in schools isn’t about fear. It’s about professionalism, empathy, and safeguarding, both online and offline.

We’re Back!

It’s 2022, and with a new year comes new opportunities to look at the world through a data protection lens. To kick things off, news has broken that Facebook’s parent company, Meta, is threatening to cut off its main consumer services like Facebook and Instagram from customers in the EU.

Unlike last year’s piecemeal banning of news content in Australia, this would be a cataclysmic withdrawal of the services entirely. Is this realistic? Could it really happen? Are there any wider implications? These are some of the questions on our minds.

It’s not the first time that media giants have made threats, but Meta would stand to lose billions of dollars of advertising revenue if it did so. Underneath all this bluster is a real risk to the company, as well as many other companies looking to process personal data in the United States.

EU-US Data Sharing: A History

The history of data sharing with the US is complicated and has seen several upheavals.

There was once a protocol called ‘Safe Harbour’, a set of principles that governed the exchange of data between the United States of America and the European Union, but the European Court threw it out in 2015, as it didn’t offer the level of protection that the Data Protection Directive (the forerunner of GDPR) demanded.

This caused a multitude of difficulties. So in 2016, the EU-US Privacy Shield was rather hastily erected to replace Safe Harbour. However, the European Court struck this down in 2020, thanks to campaigning from Austrian activist Max Schrems.

With Safe Harbour gone, and the Privacy Shield destroyed, those of us wanting to transfer data to the US were left with the use of Standard Contractual Clauses (SCCs) to govern data flow. These clauses must be put in place by every company, take more negotiation and must be written into a legal agreement.

What’s Next for EU-US Transfers?

Moving on from Schrems’s success, there is now action brewing to invalidate SCCs. The Irish data protection regulator has already ruled that they fail to protect against snooping from US Intelligence Agencies.

Without them, it will become incredibly difficult to transfer data to the US without breaking Data Protection Regulations. Companies would need to provide specific contracts, where they can show safeguards against intelligence monitoring. Given the wide scope of homeland-security-based legislation in the US, this would be near impossible.

Let’s say the courts strike down SCCs. Firms transferring data to the US will fail to abide by the rules and could face huge fines. In the case of Meta, this could be nearly $3 billion.

What About the UK?

Facebook and Instagram users in the UK can relax a little, as any new EU ruling would not automatically affect us. In fact, the UK Government have made strong noises about loosening information transfer regulation rather than tightening it. 

However, if you use applications based in Europe that move data to the US (such as for support services or data backup) you may see disruption.

The level of outcry should these platforms go dark means Meta will probably work something out. Indeed, Facebook have since released a statement that they are not “threatening” to do anything. However, this topic does demonstrate that data protection legislation has an array of real-world implications. Real-world implications we can’t just ignore.