Legal update: Data protection in 2021
The purpose of this legal update is to inform businesses of their existing and future data protection obligations in light of the Trade and Cooperation Agreement between the UK and EU.
Departure from the EU took four-and-a-half years and the culmination of the process is the Trade and Cooperation Agreement. Contained within the 1246-page Agreement are some details about the receipt and transfer of personal data.
Note that while the UK legislature has ratified the deal and incorporated it into English law via the European Union (Future Relationship) Act 2020, the European Parliament is yet to ratify the deal. The Agreement therefore applies provisionally until then.
Were there any changes as of 1 January 2021?
There has been no immediate impact on existing data protection laws in force in the UK, meaning personal data can continue to flow from the EU and EEA countries to the UK and vice versa. The flow from the EU and EEA can continue because, from 1 January 2021, the Trade and Cooperation Agreement allows for an interim “specified period” during which the existing data protection regime continues as the status quo.
The specified period will last for a maximum of six months. This time is needed because an “adequacy decision” has not yet been made by the European Commission. As the UK is now a third country from the EU’s perspective, an adequacy decision will determine whether or not the EU considers the UK’s data protection regime to be sufficiently similar, or equivalent, to the EU’s data protection regime. When the decision is made, the specified period will end.
What is the UK’s existing data protection legal framework?
The EU’s GDPR has been incorporated into UK law through the Data Protection Act 2018 and the EU (Withdrawal) Act 2018. There is also secondary legislation.
Section 3(10) of the Data Protection Act 2018 establishes the term “UK GDPR” to make clear that the GDPR has been retained as a UK law.
Will there be changes in the future?
If the UK’s existing regime is deemed adequate, personal data can continue to flow from the EU (and EEA countries) to the UK without additional measures being introduced. This holds for so long as neither jurisdiction substantively changes its legislation, because an adequacy decision would be regularly reviewed and could be revoked.
If the European Commission decides that the UK regime is not adequate, data will still be able to flow to the UK but the flow will be subject to new legal and administrative requirements. For example, UK businesses will have to enter into contracts, containing EU-approved Standard Contractual Clauses, with their EU contacts – entering into such a contract will establish that a UK business has adequate data protection standards.
The Trade and Cooperation Agreement contains a provision that the specified period will cease if, before the adequacy decision is determined, the UK makes amendments to the current regime without EU approval. This would be unlikely, as to do so would ruin the apparent consensus with the EU on the importance of data protection – the Agreement makes clear that the EU and UK “affirm their commitment to ensuring a high level of personal data protection”. It therefore seems unlikely that the UK would, in the long term, depart from the high standards established by the GDPR.
For all businesses and organisations, whether for profit or not for profit, it is important to continue to adhere to the existing data protection rules. Businesses should also review where their personal data comes from and how it is processed and recorded.
As the specified period progresses, regular monitoring of the guidance from the Government and Information Commissioner’s Office is strongly recommended. As and when the adequacy decision is announced, we will publish relevant updates.
If you have any questions about this article, please do not hesitate to speak to your usual contact at Hunters or to get in touch with any of the Partners in the Business Services Department.
 Trade and Cooperation Agreement between the European Union and the European Atomic Energy Community, of the one part, and the United Kingdom of Great Britain and Northern Ireland, of the other part: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/948119/EU-UK_Trade_and_Cooperation_Agreement_24.12.2020.pdf
 Data Protection Act 2018, Schedule 21, paragraphs 4 – 5
 Trade and Cooperation Agreement, Part 7, Article FINPROV.10A (1) – (2)
 See: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
 Trade and Cooperation Agreement, Part 7, Article FINPROV.10A (4)(a)
 Trade and Cooperation Agreement, Part 7, Article FINPROV.10A (5)
 Trade and Cooperation Agreement, Part 6, Article COMPROV.10 (1)