News

Richard Baxter and Hannah Solel provide a legal update on data protection in 2021

  • January 11, 2021
  • By Richard Baxter, Partner and Hannah Solel, Trainee Solicitor

Legal update: Data protection in 2021

The purpose of this legal update is to inform businesses on their existing and future data protection obligations in light of the Trade and Cooperation Agreement between the UK and EU.

Departure from the EU took four-and-a-half years and the culmination of the process is the Trade and Cooperation Agreement.[1] Contained within the 1246-page Agreement are some details about the receipt and transfer of personal data.

Note that while the UK legislature has ratified the deal and incorporated it into English law via the European Union (Future Relationship) Act 2020, the European Parliament is yet to ratify the deal. The Agreement therefore applies provisionally until then.

Were there any changes as of 1 January 2021?

There has been no immediate impact on existing data protection laws in force in the UK, meaning personal data can continue to flow from the EU and EEA countries to the UK and vice versa.[2] The flow from the EU and EEA can continue because, from 1 January 2021, the Trade and Cooperation Agreement allows for an interim “specified period” during which the existing data protection regime continues as the status quo.[3]

The specified period will last for a maximum of six months. This time is needed because an “adequacy decision” has not yet been made by the European Commission. As the UK is now a third country from the EU’s perspective, an adequacy decision will determine whether or not the EU considers the UK’s data protection regime to be sufficiently similar, or equivalent, to the EU’s data protection regime.[4] When the decision is made, the specified period will end.[5]

What is the UK’s existing data protection legal framework?

The EU’s GDPR has been incorporated into UK law through the Data Protection Act 2018 and the EU (Withdrawal) Act 2018. There is also secondary legislation.

Section 3(10) of the Data Protection Act 2018 establishes the term “UK GDPR” to make clear that the GDPR has been retained as a UK law.

Will there be changes in the future?

If the UK’s existing regime is deemed adequate, the result will be that personal data can continue to flow from the EU (and EEA countries) to the UK without additional measures being introduced. The foregoing applies for so long as neither jurisdiction substantively changes its legislation because an adequacy decision would be regularly reviewed and could be revoked.

If the European Commission decides that the UK regime is not adequate, data will still be able to flow to the UK but the flow will be subject to new legal and administrative requirements. For example, UK businesses will have to enter into contracts, containing EU-approved Standard Contractual Clauses, with their EU contacts – entering into such a contract will establish that a UK business has adequate data protection standards.

The Trade and Cooperation Agreement contains a provision that the specified period will cease if, before the adequacy decision is determined, the UK makes amendments to the current regime without EU approval.[6] This would be unlikely, as to do so would ruin the apparent consensus with the EU on the importance of data protection – the Agreement makes clear that the EU and UK “affirm their commitment to ensuring a high level of personal data protection”.[7] It therefore seems unlikely that the UK would, in the long term, depart from the high standards established by the GDPR.

Final comments

For all businesses and organisations, whether for profit or not for profit, it is important to continue to adhere to the existing data protection rules. Businesses should also review where their personal data comes from, how it is processed and recorded.

As the specified period progresses, regular monitoring of the guidance from the Government and Information Commissioner’s Office is strongly recommended. As and when the adequacy decision is announced, we will publish relevant updates.

If you have any questions about this article, please do not hesitate to speak to your usual contact at Hunters or to get in touch with any of the Partners in the Business Services Department.

[1] Trade and Cooperation Agreement between the European Union and the European Atomic Energy Community, of the one part, and the United Kingdom of Great Britain and Northern Ireland, of the other part: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/948119/EU-UK_Trade_and_Cooperation_Agreement_24.12.2020.pdf

[2] Data Protection Act 2018, Schedule 21, paragraphs 4 – 5

[3] Trade and Cooperation Agreement, Part 7, Article FINPROV.10A (1) – (2)

[4] See: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en

[5] Trade and Cooperation Agreement, Part 7, Article FINPROV.10A (4)(a)

[6] Trade and Cooperation Agreement, Part 7, Article FINPROV.10A (5)

[7] Trade and Cooperation Agreement, Part 6, Article COMPROV.10 (1)

Related News

Mar 17, 2021
Stephen Morrall comments on Uber drivers entitled to minimum wage, holiday pay and pension following the Supreme Court decision in The Sunday Times Driving, The Times and the Daily Mail
Feb 19, 2021
Stephen Morrall comments on Uber losing a landmark Supreme Court battle in the Evening Standard and the Financial Times
Feb 12, 2021
Richard Baxter and Hannah Solel examine data protection post-Brexit in Information Security Buzz
Feb 05, 2021
Budget 2021 – Still time to prepare for any changes to Business Asset Disposal Relief
Jan 13, 2021
Stephen Morrall and Hannah Solel discuss the gig economy in 2021 in Employee Benefits
Jan 06, 2021
Stephen Morrall comments on unfair dismissal in Real Business
Dec 14, 2020
Hunters strengthens its Business team with new arrival
Jun 25, 2020
Stephen Morrall and Philippa Kum discuss witnessing a deed remotely
Jun 01, 2020
Amanda Lathia examines the legal challenges of returning to work during the post-COVID-19 lockdown in WealthBriefing
May 15, 2020
Amanda Lathia comments on returning to work during the pandemic

© Hunters Law LLP 2021 | Privacy NoticeLegal & Regulatory | Cookies Policy | Complaints Procedure.

Hunters Law LLP is authorised and regulated by the Solicitors Regulation Authority (number 657218)