Brexit and its consequences for personal data transfer to the United Kingdom

05/02/19

The consequences of the United Kingdom leaving the EU with no deal are severe for personal data transfers. What are the risks and possible scenarios from a personal data management perspective?

Risks

The consequences of the United Kingdom leaving the EU with no deal are severe for personal data transfers. With no deal and no adequacy decision, the UK will be regarded as a “third country”, like China or India. Companies transferring data may not have a legal basis to do so.

Transferring personal data with no legal basis may result in fines up to 20 000 000 EUR or 4% of the total worldwide annual turnover.

Talk status

In recent months, the UK government acknowledged that no substantial talks regarding data transfers to the remaining EU27 had commenced. In the last few days, representatives of the UK government, ambassadors and the ICO hosted a number of meetings with representatives of the EU27, including the Polish Data Protection Authority and the Ministry of Digitalization. According to a political declaration made by the UK, their desire is to put in place a transition period, ensuring the applicability of GDPR (among other EU laws) till the end of 2020.

As yet, no formal decisions have been made. So what do we know so far?

Scenarios

The most likely scenario is a hard Brexit with no deal on March 31 2019. This means that the UK will indeed become a third country and any personal data transfers must comply with Chapter V of the GDPR. The transfers should be based on one of the following:

  • Adequacy decisions issued by the Commission
  • Binding Corporate Rules
  • Codes of conduct
  • Certification mechanism
  • Standard Contractual Clauses
  • Consent of the data subject
  • Other, based on derogations for specific situations

At this stage we have no information regarding plans to adopt an adequacy decision. Given a number of mass surveillance cases brought against the UK in the European Court of Human Rights, many expect a case to be brought before the European Court of Justice. The court may decide to invalidate the decision, similarly to the decision for the US in the famous Schrems case.

Fast way

The transfer may continue for those with:

  • approved Binding Corporate Rules, or
  • codes of conduct, or
  • when using a certification mechanism.

For those without them, the best fast-track solution is standard contractual clauses, although for companies transferring data to many entities, other options may be best for medium to long term business needs, since preparing the contracts for each party may be time-consuming. Even after choosing the SCCs, a company needs time to prepare the contract and negotiate business terms, which usually takes a few months.

To-dos and how we can help you

What do you need to do if you transfer data to the UK?

It is highly recommended to prepare an inventory of ongoing transfers and of their legal bases. If needed, adopt one of the other above-mentioned bases for transfers, at least until an adequacy decision is rendered. We are happy to help with the choice of legal basis and prepare the documentation.

Also note that you may be required to update your privacy notice and add information regarding transferring data to third countries.

 

Contact us

Gerard Karp

PwC Legal Partner, Head of TMT/IP and Data Protection, Advocate, PwC Poland

Tel: +48 502 184 707

Arwid Mednis

PwC Legal Partner, Head of TMT/IP and Data Protection, Attorney-at-law, PwC Poland

Tel: +48 510 087 786

Karolina Gałęzowska

Associate, PwC Poland

Tel: +48 519 506 842
