The consequences of the United Kingdom leaving the EU with no deal are severe for personal data transfers. With no deal and no adequacy decisions, the UK will be regarded as a “third country”, like China or India. Companies transferring data may not have a legal basis to do so.
Transferring personal data with no legal basis may result in fines up to 20 000 000 EUR or 4% of the total worldwide annual turnover.
In recent months, the UK government acknowledged that no substantial talks regarding data transfers to the remaining EU27 had commenced. In the last days, representatives of the UK government, ambassadors and the ICO hosted a number of meetings with representatives of the EU27, including the Polish Data Protection Authority and the Ministry of Digitalization. According to a political declaration made by the UK, its desire is to put in place a transition period, ensuring the applicability of the GDPR (among other EU laws) till the end of 2020.
As yet, no formal decisions have been made. So what do we know so far?
The most likely scenario is a hard Brexit with no deal on March 31 2019. This means that the UK will indeed become a third country and any personal data transfers must comply with Chapter V of the GDPR. The transfers should be based on one of the following:
At this stage we have no information regarding plans to adopt an adequacy decision. Given a number of mass surveillance cases brought against the UK in the European Court of Human Rights, many expect a case to be brought before the European Court of Justice. The court may decide to invalidate the decision, similarly to the decision for the US in the famous Schrems case.
The transfer may continue for those with:
For those without them, the best fast-track solution is standard contractual clauses (SCCs), although for companies transferring data to many entities, other options may be best for medium to long-term business needs, as preparing the contracts for each party may be time-consuming. Even after choosing the SCCs, a company needs time to prepare the contract and negotiate business terms, which usually takes a few months.
What do you need to do if you transfer data to the UK?
It is highly recommended to prepare an inventory of ongoing transfers and of their legal bases. If needed, adopt one of the other above-mentioned bases for transfers, at least until an adequacy decision is rendered. We are happy to help with the choice of legal basis and prepare the documentation.
Also note that you may be required to update your privacy notice and add information regarding transferring data to third countries.