News

Richard Baxter and Hannah Solel provide a legal update on data protection in 2021

  • January 11, 2021
  • By Richard Baxter, Partner and Hannah Solel, Trainee Solicitor

Legal update: Data protection in 2021

The purpose of this legal update is to inform businesses on their existing and future data protection obligations in light of the Trade and Cooperation Agreement between the UK and EU.

Departure from the EU took four-and-a-half years and the culmination of the process is the Trade and Cooperation Agreement.[1] Contained within the 1246-page Agreement are some details about the receipt and transfer of personal data.

Note that while the UK legislature has ratified the deal and incorporated it into English law via the European Union (Future Relationship) Act 2020, the European Parliament is yet to ratify the deal. The Agreement therefore applies provisionally until then.

Were there any changes as of 1 January 2021?

There has been no immediate impact on existing data protection laws in force in the UK, meaning personal data can continue to flow from the EU and EEA countries to the UK and vice versa.[2] The flow from the EU and EEA can continue because, from 1 January 2021, the Trade and Cooperation Agreement allows for an interim “specified period” during which the existing data protection regime continues as the status quo.[3]

The specified period will last for a maximum of six months. This time is needed because an “adequacy decision” has not yet been made by the European Commission. As the UK is now a third country from the EU’s perspective, an adequacy decision will determine whether or not the EU considers the UK’s data protection regime to be sufficiently similar, or equivalent, to the EU’s data protection regime.[4] When the decision is made, the specified period will end.[5]

What is the UK’s existing data protection legal framework?

The EU’s GDPR has been incorporated into UK law through the Data Protection Act 2018 and the EU (Withdrawal) Act 2018. There is also secondary legislation.

Section 3(10) of the Data Protection Act 2018 establishes the term “UK GDPR” to make clear that the GDPR has been retained as a UK law.

Will there be changes in the future?

If the UK’s existing regime is deemed adequate, the result will be that personal data can continue to flow from the EU (and EEA countries) to the UK without additional measures being introduced. The foregoing applies for so long as neither jurisdiction substantively changes its legislation because an adequacy decision would be regularly reviewed and could be revoked.

If the European Commission decides that the UK regime is not adequate, data will still be able to flow to the UK but the flow will be subject to new legal and administrative requirements. For example, UK businesses will have to enter into contracts, containing EU-approved Standard Contractual Clauses, with their EU contacts – entering into such a contract will establish that a UK business has adequate data protection standards.

The Trade and Cooperation Agreement contains a provision that the specified period will cease if, before the adequacy decision is determined, the UK makes amendments to the current regime without EU approval.[6] This would be unlikely, as to do so would ruin the apparent consensus with the EU on the importance of data protection – the Agreement makes clear that the EU and UK “affirm their commitment to ensuring a high level of personal data protection”.[7] It therefore seems unlikely that the UK would, in the long term, depart from the high standards established by the GDPR.

Final comments

For all businesses and organisations, whether for profit or not for profit, it is important to continue to adhere to the existing data protection rules. Businesses should also review where their personal data comes from, how it is processed and recorded.

As the specified period progresses, regular monitoring of the guidance from the Government and Information Commissioner’s Office is strongly recommended. As and when the adequacy decision is announced, we will publish relevant updates.

If you have any questions about this article, please do not hesitate to speak to your usual contact at Hunters or to get in touch with any of the Partners in the Business Services Department.

[1] Trade and Cooperation Agreement between the European Union and the European Atomic Energy Community, of the one part, and the United Kingdom of Great Britain and Northern Ireland, of the other part: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/948119/EU-UK_Trade_and_Cooperation_Agreement_24.12.2020.pdf

[2] Data Protection Act 2018, Schedule 21, paragraphs 4 – 5

[3] Trade and Cooperation Agreement, Part 7, Article FINPROV.10A (1) – (2)

[4] See: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en

[5] Trade and Cooperation Agreement, Part 7, Article FINPROV.10A (4)(a)

[6] Trade and Cooperation Agreement, Part 7, Article FINPROV.10A (5)

[7] Trade and Cooperation Agreement, Part 6, Article COMPROV.10 (1)

Related News

Oct 20, 2021
Partner Richard Baxter is attending the FT Live’s The Banking Revolution
Oct 18, 2021
Richard Baxter and Constance Tait discuss considerations for dispute resolution and M&A scenarios
Sep 29, 2021
Richard Baxter outlines lessons for business owners from an abortive company sale and purchase transaction
Sep 22, 2021
Stephen Morrall examines worker status in the gig economy in Economy Standard
Jul 22, 2021
Gregor Kleinknecht and Constance Tait examine the impact on trademark litigation and provide 10 tips on navigating the post-Brexit era in Managing IP
Jul 16, 2021
Gregor Kleinknecht and Anastassia Dimmek examine the growing threat of zombie firms in Lawyer Monthly
Jul 07, 2021
Richard Baxter and Constance Tait examine a report suggesting that firms with targeted support for ethnic minority workers see benefits
Jun 28, 2021
Richard Baxter discusses UK-EU Data Protection and how adequacy decisions avoid imminent disruption to data flows
Jun 23, 2021
Richard Baxter and Constance Tait examine the recent Burnell v Trans-Tag Ltd case in the High Court
Jun 22, 2021
Anastassia Dimmek discussed the key challenges of protecting clients’ healthy businesses from zombie firms in a webinar hosted by Advoselect

© Hunters Law LLP 2021 | Privacy NoticeLegal & Regulatory | Cookies Policy | Complaints Procedure.

Hunters Law LLP is authorised and regulated by the Solicitors Regulation Authority (number 657218)