The Brexit Deal Between the EU and the UK: What’s the Effect on Compliance?
What’s this all about?
The European Union (EU) and the United Kingdom (UK) finally reached a post-Brexit deal at the end of 2020 to establish a new relationship for the future. This article provides a snapshot of what this is about along with some thoughts about what this means for compliance with a particular focus on the hot topic of personal data transfers.
What’s the recent Brexit timeline?
The recent Brexit timeline is as follows:
- 31 January 2020: the UK left the EU;
- 1 February-31 December 2020: transition period, during which generally-speaking EU rules still applied to the UK;
- 1 January 2021: a new relationship between the UK and the EU starts in the form of a trade deal.
In a nutshell what’s the new EU-UK deal all about?
The deal between the EU and the UK is officially called the Trade and Cooperation Agreement (TCA). It is essentially about trade in goods, although it does address some services issues. The main upshot is tariff-free trade between the EU and the UK. Whilst this is a positive development (i.e. rather than no deal at all), now that there is a border between the EU and the UK there are customs checks, form-filling, and detailed and challenging rules of origin to work out.
The deal also agrees a level playing-field for open and fair competition, such as for controlling subsidies (State aid), and sets out a framework for cooperation and coordination on certain issues for the future, such as on law enforcement and in certain sectors such as air transport.
The TCA is not the end of the story though, as the EU and the UK are in discussions about other areas in which to do possible deals, a key one being financial services.
Does pre-Brexit EU law still apply to the UK?
Yes. The UK has “retained” EU law that existed prior to the UK leaving the EU. This means that areas of UK law, such as the so-called “UK GDPR” (see below), will be interpreted in the UK in line with the “retained” rulings of the Court of Justice of the European Union, although the UK Supreme Court can depart from these.
Is there anything in the TCA about compliance?
Apart from privacy/data protection (see below) the TCA doesn’t really address compliance directly – any impact that there may be will be more indirect. The TCA does emphasise maintaining existing standards but also makes it clear that there is scope for divergence. Compliance rules concerning anti money-laundering and sanctions were addressed at an earlier stage in the Brexit process by the UK (see below).
What about anti money-laundering, sanctions and export control?
The UK now operates its own regimes concerning anti money-laundering, sanctions and export controls. The UK put these in place a couple of years before the TCA; they mainly (but not entirely) now fall under the Sanctions and Anti-Money Laundering Act 2018.
The UK can be expected to have a showcase approach to sanctions, which may therefore differ in certain respects from both the US and EU sanctions regimes. The UK is not expected to differ from the EU in its anti money-laundering regime. The UK has in substance adopted the EU approach to export controls (such as dual-use goods), but now exports from the EU to the UK and from the UK to the EU will require licences.
What about anti-bribery and modern slavery compliance?
The UK Anti-Bribery Act 2010 will not be affected by Brexit in itself as it has nothing to do with the EU. So it will essentially be business as usual as regards anti-bribery and corruption compliance and enforcement (the latter has been on the increase) in the UK.
The UK Modern Slavery Act 2015, which has a compliance disclosure requirement (that also affects US businesses doing business in the UK), will not be affected by Brexit in itself as it has nothing to do with the EU. But modern slavery compliance will remain a prominent issue post-Brexit for the UK; this has been recently highlighted by a UK Parliamentary inquiry into supply chains in Xinjiang, China.
What’s the score on privacy/data protection?
Because the UK has left the EU, the EU’s General Data Protection Regulation is no longer part of UK law. Instead the UK has a stand-alone privacy/data protection regime, mainly consisting of the Data Protection Act 2018 and the so-called “UK General Data Protection Regulation” (UK GDPR). UK GDPR is “retained” EU law and so is very similar to EU GDPR. Therefore, core GDPR obligations, rights etc. continue in the UK, but take note that the UK privacy/data protection regime has its own particularities, including the obligation for data controllers to register with the UK’s regulator, the Information Commissioner’s Office, along with some specific criminal offences.
What’s the score on privacy in the TCA?
Because the UK is now outside the EU it is considered by the EU to be a third country in data protection terms. In order for personal data transfers to be freely made (i.e. without additional particular legal or technical safeguards) from the EU to the UK the EU must adopt a so-called “Adequacy Decision”. There is no “Adequacy Decision” in the TCA as this falls under a separate process (see below).
But, pending an “Adequacy Decision”, the TCA provides for a 4-month “bridging period” (until 11 pm UK time on 30 April 2021), extendable by another 2 months (until 11 pm UK time on 30 June 2021), during which time data transfers from the EU to the UK can continue to be freely made; this would include US businesses in the EU transferring personal data from the EU to the UK. The “bridging period” has been provided on the basis that the UK does not change its current data protection regime.
Note that currently, data transfers from the UK to the EU can continue to be made freely (i.e. without any additional particular legal or technical safeguards); watch this space for the future though as this may change.
On 19 February 2021 the European Commission announced that it was satisfied with the UK data protection regime post-Brexit and issued draft “Adequacy Decisions” for the UK. The European Commission said that it had analysed the UK’s situation over the preceding few months, including UK rules on access to data by public authorities (notably the intelligence services), and had concluded that the UK ensures an essentially equivalent level of protection to that guaranteed under both EU GDPR and EU rules on data protection and law enforcement.
The two draft decisions are now making their way through the EU legislative pipeline. Once this procedure has been completed and the two decisions have been adopted they will be valid for an initial period of four years. After that period expires, it would seem likely that the adequacy findings would be renewed if the level of protection in the UK continues to be adequate.
Comments & Thoughts
The issue of data transfers from the EU to the UK remains an open one for now. Adequacy for the UK is not a done deal and may be subject to legal challenge, such as from privacy activists. Organisations should therefore still review their data transfers and plan in case adequacy is not confirmed or as an insurance policy against any possible legal challenges once granted.
Organisations will have to adapt existing policies and processes concerning sanctions as regards the UK and also check the UK’s own sanctions list (published by the Office of Financial Sanctions Implementation).
As regards export controls, organisations will need to consider whether their current licences are still legally valid and/or whether they need to seek new licences from either the UK or an EU Member State.
Finally, watch out for expected changes to the UK’s modern slavery compliance regime (including some toughening up); an EU compliance regime concerning human rights (which may also cover modern slavery) may also be coming.
This article is by André Bywater and Jonathan Armstrong who are lawyers with Cordery in London where their focus is on compliance issues (https://www.corderycompliance.com/).
The NYSBA held a webinar on these Brexit issues on 23 February 2021 presented by Jonathan Armstrong & André Bywater of Cordery (https://www.corderycompliance.com/our-people/) and Bob Leo of Meeks, Sheppard, Leo & Pillsbury (https://www.mscustoms.com/robert-j.-leo.html), which can be accessed here: https://nysba.ce21.com/ViewerUnAutheticatedLink?x=PTd389n8GE2TvOmSFSvJNg==&ce21=true