After a long period of negotiation, the United Kingdom (UK) and the European Union (EU) have reached a deal on the sharing of personal data, only a few days before the end of the Brexit transition period.

The agreed trade deal allows for the continued free flow of personal data from the EU to the UK for a maximum of six months after the transition period expires. During that time, the UK hopes that the European Commission will issue an adequacy decision in relation to the UK, thus allowing the free flow of personal data to continue beyond the six months. In relation to transfers of personal data outside the UK, the UK has already deemed adequate the 30 EU/European Economic Area countries and the 12 countries that have received EU adequacy decisions, as mentioned in our previous blog post (available here).Continue Reading EU-UK data flows following the Brexit transition period

With the end of the Brexit transition period quickly approaching on 31 December 2020, the future of international data transfers between the UK and the European Union (EU) and European Economic Area (EEA) remains somewhat unclear.

As background, Article 44 of the General Data Protection Regulation (GDPR) prohibits the transfer of personal data from the EU/EEA to recipients in jurisdictions outside the EU/EEA, unless specific conditions are met. One such condition under the GDPR is an “adequacy decision” granted by the European Commission. If a third country is deemed adequate by the European Commission, the personal data can be transferred to that country without any additional safeguards being required.Continue Reading The UK is preparing its adequacy decisions post Brexit

On 18 March, the Task Force for Relations with the United Kingdom (UKTF) of the European Commission published its Draft Text of the Agreement on the New Partnership with the United Kingdom (Draft Agreement). It translates the negotiating directives, approved by Member States, into a legal text, in line with the Political Declaration agreed between the EU and the UK. The Draft Agreement was sent to the UK following consultation with the European Parliament and the Council of the European Union, and aims to provide a tool to support the negotiations and enable progress with the UK’s relationship with the EU.

The Draft Agreement covers all areas of the negotiations. Most importantly for us, the Draft Agreement includes provisions around the digital economy and data protection. These draft provisions ensure that the parties commit to a high level of data protection and recognise the importance of promoting and protecting the fundamental rights of privacy and data protection. The parties also agree to cooperate (as much as national laws permit) at bilateral and multilateral levels, which may include dialogue, exchange of expertise, and cooperation on enforcement with respect to personal data protection.
Continue Reading No, we haven’t forgotten about Brexit: UKTF publishes a draft agreement for the future EU-UK partnership

Following the UK Conservatives Party’s landslide victory in December 2019, there were immediate implications for the UK’s Withdrawal from the European Union, which resulted in the UK withdrawing from the EU on 31 January 2020. With the European Parliament’s approval of the Withdrawal Agreement, the UK is now in a transition period until 31 December

The UK’s new prime minister, Boris Johnson, has vowed that the UK will leave the EU on October 31, 2019. A unilateral (or “hard”) Brexit poses many privacy and data protection challenges for companies that operate in the UK.  Post-Brexit privacy and data protection issues that you need to consider include:

  • how to maintain uninterrupted

25 May 2019 was GDPR’s first birthday. Since its introduction, privacy and data protection issues have continued to dominate public debate and regulators have signalled that large fines for non-compliance are imminent. Now is an opportune time to review your privacy and data protection regimes. We have more regulatory guidance and case law than we

On 12 February 2019, the European Data Protection Board (EDPB) met for its seventh plenary session. You can see our blog on the full session here.

At this session, the EDPB adopted two information notes. The information notes offer guidance on data protection issues in the event of a no-deal Brexit, namely: data transfers generally and binding corporate rules lead supervisory authorities (BCR lead).

Data transfers in the event of a no-deal Brexit

The guidance is separated into three distinct sections.

Preparation for transfers of data from the EEA to the UK

The EDPB sets out five steps for businesses to take in advance of Brexit. Businesses who transfer data from the European Economic Area (EEA) to the United Kingdom (UK) should start preparing now. To prepare, the EDPB suggests the following:

I. Identify the processing activities that require the transfer of personal data

II. Determine the data transfer mechanism that is most appropriate on the facts

III. Prepare the relevant transfer mechanism in advance of 30 March 2019

IV. Indicate in internal documents that you will be transferring data to the UK

V. Update your privacy notices accordingly.Continue Reading No-deal Brexit: EU regulators issue data transfer guidance

The Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 have been laid before the UK Parliament.

The regulations are introduced under the European Union (Withdrawal) Act 2018. The Withdrawal Act grants powers to correct deficiencies in UK legislation that will arise as a result of Brexit.

The regulations introduce a large number of technical amendments to UK law. The main amendments are made to:

  1. the General Data Protection Regulation 2016/679 (GDPR) as retained by UK law;
  2. the Data Protection Act 2018 (DPA 2018); and
  3. The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).

When the United Kingdom (UK) leaves the European Union (EU), the UK will no longer be subject to obligations under GDPR (except for processing still caught by the GDPR’s extra-territorial scope). However, the Withdrawal Act provides that the text of the GDPR will form part of UK domestic law after Brexit (UK GDPR). As a result, the text of UK GDPR must be amended to remedy potential deficiencies for when the UK is no longer part of the EU. The text of the DPA 2018 must also be amended to implement UK GDPR.Continue Reading Brexit countdown: UK government to amend domestic data protection legislation

Mark Carney’s extension as the governor of the Bank of England to January 2020 was put in place to ensure a smooth Brexit.

Mr Carney has become increasingly vocal in his attempts to maintain financial stability during that period. This has resulted in ‘Brexiteers’ hurling accusations of fuelling “Project Hysteria” after the bank published its economic analysis of Brexit at the end of November. To help mitigate such gloomy predictions, what else could Mr Carney do to support an orderly exit (and possibly create a lasting legacy for himself)?

Back in June, Mr Carney spoke about modernising the UK bank payment system by rebuilding the Bank of England’s real time gross settlement (RTGS) service “so that new private payment systems, including those using distributed ledgers, can simply plug into our system”, which includes those running off blockchain technology.[1]Continue Reading The fintech Carney-val

London has historically been considered the centre of European financial services. Now it is also viewed as the capital of financial technology (FinTech). However, with the likelihood of a no-deal Brexit becoming ever more real, and increasing attempts to lure FinTech firms to the continent, London’s title is under threat.

London provides a haven where