Richard Baxter and Hannah Solel provide a legal update on data protection in 2021

  • January 11, 2021
  • By and Hannah Solel, Associate

Legal update: Data protection in 2021

The purpose of this legal update is to inform businesses on their existing and future data protection obligations in light of the Trade and Cooperation Agreement between the UK and EU.

Departure from the EU took four-and-a-half years and the culmination of the process is the Trade and Cooperation Agreement.[1] Contained within the 1246-page Agreement are some details about the receipt and transfer of personal data.

Note that while the UK legislature has ratified the deal and incorporated it into English law via the European Union (Future Relationship) Act 2020, the European Parliament is yet to ratify the deal. The Agreement therefore applies provisionally until then.

Were there any changes as of 1 January 2021?

There has been no immediate impact on existing data protection laws in force in the UK, meaning personal data can continue to flow from the EU and EEA countries to the UK and vice versa.[2] The flow from the EU and EEA can continue because, from 1 January 2021, the Trade and Cooperation Agreement allows for an interim “specified period” during which the existing data protection regime continues as the status quo.[3]

The specified period will last for a maximum of six months. This time is needed because an “adequacy decision” has not yet been made by the European Commission. As the UK is now a third country from the EU’s perspective, an adequacy decision will determine whether or not the EU considers the UK’s data protection regime to be sufficiently similar, or equivalent, to the EU’s data protection regime.[4] When the decision is made, the specified period will end.[5]

What is the UK’s existing data protection legal framework?

The EU’s GDPR has been incorporated into UK law through the Data Protection Act 2018 and the EU (Withdrawal) Act 2018. There is also secondary legislation.

Section 3(10) of the Data Protection Act 2018 establishes the term “UK GDPR” to make clear that the GDPR has been retained as a UK law.

Will there be changes in the future?

If the UK’s existing regime is deemed adequate, the result will be that personal data can continue to flow from the EU (and EEA countries) to the UK without additional measures being introduced. The foregoing applies for so long as neither jurisdiction substantively changes its legislation because an adequacy decision would be regularly reviewed and could be revoked.

If the European Commission decides that the UK regime is not adequate, data will still be able to flow to the UK but the flow will be subject to new legal and administrative requirements. For example, UK businesses will have to enter into contracts, containing EU-approved Standard Contractual Clauses, with their EU contacts – entering into such a contract will establish that a UK business has adequate data protection standards.

The Trade and Cooperation Agreement contains a provision that the specified period will cease if, before the adequacy decision is determined, the UK makes amendments to the current regime without EU approval.[6] This would be unlikely, as to do so would ruin the apparent consensus with the EU on the importance of data protection – the Agreement makes clear that the EU and UK “affirm their commitment to ensuring a high level of personal data protection”.[7] It therefore seems unlikely that the UK would, in the long term, depart from the high standards established by the GDPR.

Final comments

For all businesses and organisations, whether for profit or not for profit, it is important to continue to adhere to the existing data protection rules. Businesses should also review where their personal data comes from, how it is processed and recorded.

As the specified period progresses, regular monitoring of the guidance from the Government and Information Commissioner’s Office is strongly recommended. As and when the adequacy decision is announced, we will publish relevant updates.

If you have any questions about this article, please do not hesitate to speak to your usual contact at Hunters or to get in touch with any of the Partners in the Business Services Department.

[1] Trade and Cooperation Agreement between the European Union and the European Atomic Energy Community, of the one part, and the United Kingdom of Great Britain and Northern Ireland, of the other part:

[2] Data Protection Act 2018, Schedule 21, paragraphs 4 – 5

[3] Trade and Cooperation Agreement, Part 7, Article FINPROV.10A (1) – (2)

[4] See:

[5] Trade and Cooperation Agreement, Part 7, Article FINPROV.10A (4)(a)

[6] Trade and Cooperation Agreement, Part 7, Article FINPROV.10A (5)

[7] Trade and Cooperation Agreement, Part 6, Article COMPROV.10 (1)

Related News

Mar 23, 2023
Stephen Morrall and Sophia Smout discuss firing someone for gross misconduct in People Management
Feb 20, 2023
Stephen Morrall discusses the impact of the four-day work week in TheWealthNet
Jan 30, 2023
Stephen Morrall and Sophia Smout examine the new rules on flexible working in People Management
Dec 12, 2022
Stephen Morrall comments on the new flexible working rights in Personnel Today
Oct 18, 2022
Stephen Morrall comments on gig economy rulings challenging pension enrolment in Law360
Sep 20, 2022
Stephen Morrall and Annabelle Woosnam discuss the legal rights for gig economy employees to a pension in People Management
Jul 06, 2022
Stephen Morrall and Annabelle Woosnam discuss pensions in the gig economy, in Employee Benefits
Feb 11, 2022
Stephen Morrall comments on what COVID rules means for workers and employers in Mail Online, This is Money, Mail on Sunday, Daily Mail and MSN Money
Nov 30, 2021
Stephen Morrall and Aman Khokhar explore how employers can best determine worker status in People Management
Nov 17, 2021
Richard Baxter examines whether Brexit creates uncertainty for online software sales agents in Reports Legal

© Hunters Law LLP 2023 | Privacy NoticeLegal & Regulatory | Cookies Policy | Complaints Procedure.

Hunters Law LLP is authorised and regulated by the Solicitors Regulation Authority (number 657218)