United Kingdom | Publication | January 2021
On 24 December 2020, the European Union (EU) and the United Kingdom (UK) reached agreement on an EU-UK Trade and Cooperation Agreement (TCA). The TCA governs the future relationship between the EU and the UK following the end of the Brexit transition period and consists of a Free Trade Agreement, a partnership for citizens’ security and a horizontal agreement on governance.
The EU has provisionally applied the TCA from 01 January while awaiting endorsement by the European Parliament and ratification. The UK Government has already ratified the TCA. In effect, the EU and UK applied the rules of the TCA from the moment the Brexit transition period expired, i.e. at 11.00 PM on 31 December 2020.
Besides trade in goods and, to some extent, services, the TCA covers a broad range of areas, such as investment, competition, state aid, tax transparency, sustainability, data protection and certain industry sectors (such as air and road transport and energy). The technology and innovation sector is not the subject of detailed, separate consideration (except in relation to telecoms) in the TCA.
The European Union (Withdrawal) Act 2018, in combination with the European Union (Withdrawal Agreement) Act 2020 and the Agreement on the Withdrawal of the United Kingdom of Great Britain and Northern Ireland from the European Union and the European Atomic Energy Community of 19 October 2019 (Withdrawal Agreement) provide some clarity in relation to certain areas of law affecting businesses operating in the technology and innovation sector. In addition, the TCA touches on a number of areas of law relevant to the sector (discussed below). In many respects it will continue to be “business as usual” for many businesses operating in the technology and innovation sector. Accordingly, in this publication, we deal only with the following aspects of the legislation, Withdrawal Agreement and the TCA which do involve notable changes:
Part Two of the TCA covers telecoms regulation. We do not cover that area (nor audio-visual regulation) in this document.
Yes, for the time being.
Under the TCA, the UK is not to be treated as a third country for an interim period of four to six months from 1 January 2021 (Interim Period). This is to allow time for the European Commission (EC) to finalise its adequacy assessment of the UK.
The purpose of the adequacy assessment is for the EC to decide whether the UK provides “essentially equivalent” protection for personal data as the EU and, therefore, whether transfers of data may be permitted without the need for organisations to take further measures (Adequacy Decision).
The Interim Period will last for a minimum of four months and will be automatically extended to six months, unless either the UK or the EU unilaterally objects. The application of the Interim Period is subject to two main conditions:
It is important to note that the Interim Period applies in respect of data transfers only. Therefore, other post-Brexit data protection obligations apply immediately.
The UK Information Commissioner’s Office (ICO) has issued a statement confirming the Interim Period, but recommending that organisations nevertheless consider putting in place data transfer mechanisms during this period, as a “sensible precaution” to safeguard against any interruption to transfer of personal data at the end of the Interim Period.
It is uncertain as to how likely it is that the UK will be granted an Adequacy Decision.
As part of the adequacy assessment process, the EC is obliged to take into account the national security and surveillance laws of the UK, which must offer guarantees ensuring an adequate level of protection for personal data that are “essentially equivalent” to EU law.
Reaching this standard could be a challenge for the UK. Over recent years, privacy campaigners have taken legal action against the UK for its national security and surveillance laws, including one that reached the European Court of Human Rights (Big Brother Watch v United Kingdom). This case found that aspects of the Regulation of Investigatory Powers Act (which has now broadly been replaced by the Investigatory Powers Act 2016) were incompatible with Articles 8 and 10 of the European Convention on Human Rights.
The UK’s national security practices have also received scrutiny from the Court of Justice of the European Union (CJEU). On 6 October 2020, the CJEU published a decision which found that UK law which enabled the UK government to require the providers of electronic communications services to carry out the general and indiscriminate transmission of traffic and location data to the security and intelligence agencies was not permissible under EU law.
In addition, the European Parliament published a resolution in February 2020 in relation to the Brexit negotiations. The Parliament directed the EC to pay particular attention to the legal framework in the UK in the fields of national security and the processing of personal data by law enforcement authorities, and stated that the UK’s mass surveillance programmes may not be adequate under EU law.
The European Parliament also commented that the UK Data Protection Act 2018 provides for a general and broad exemption from the data protection principles and data subjects’ rights for the processing of personal data for immigration purposes, and that this conflicts with the EU General Data Protection Regulation.
Where no Adequacy Decision is found following the end of the Interim Period, EU entities will need to implement data transfer mechanisms to cover the flow of personal data from the EU to the UK.
It should be noted that, for transfers of personal data from the UK to the EU, the UK Government has stated that one-way flows of personal data from the UK to EU will be considered adequate under the UK’s domestic data protection law.
The TCA seeks to ensure that the UK and EU will co-operate on digital trade issues, and a digital trade chapter sets the terms under which businesses can provide products and services to each other via digital channels, such as over the Internet.
The TCA provides that no customs duties will be imposed on electronic transmissions, and there is a positive obligation on the UK and EU to co-operate on the development of emerging technologies.
To facilitate digital trade, address unjustified barriers to trade enabled by electronic means and to ensure an open, secure and trustworthy online environment for businesses and consumers, the TCA contains certain provisions in relation to the free-flow of data. Specifically, it provides that the EU and the UK are committed to ensuring cross-border data flows to facilitate trade in the digital economy and that, to that end, cross-border data flows shall not be restricted between them by a party (that is, one or other of the EU or the UK):
The TCA provides that:
The requirements in the first three bullets above are quite generic, and are already the subject of extant English law provisions. The TCA seeks to lay down de minimis or baseline legal requirements in relation to e-commerce, without calling for actual compliance with specified EU legislation. To the extent that such TCA provisions are not already enacted in existing domestic law in all respects, section 29 of the European Union (Future Relationship) Act 2020 is the mechanism by which such provisions are implemented.
Section 29 provides for the general implementation, via a “glossing mechanism”, of provisions of the TCA that are not implemented by any other mechanism. The mechanism provides that existing domestic law has effect with such modifications as are required for the purposes of implementing the TCA so far as it is not otherwise so implemented and so far as such implementation is necessary for the purposes of complying with the international obligations of the United Kingdom under the TCA.
In other words, the modifications are to be read across to domestic law (in contrast to text amendments to the law itself). Any equivalent or other provision in legislation implementing the TCA takes precedence over section 29(1).
The TCA contains a provision on open government data. When governments choose to make non-personal or anonymised public sector data available, the TCA provides that the data will be, among other things, easily accessible, in machine-readable format, and regularly updated.
The TCA creates a framework for UK-EU cooperation in the field of cybersecurity.
As well as the UK’s participation in expert bodies (such as European Union Agency for Cybersecurity (ENISA) and the Network and Information Systems (NIS) Cooperation Group), the TCA envisages that UK and EU will co-operate in the field of cyber issues by sharing best practices and co-operative practical actions aimed at promoting and protecting an open, free, stable, peaceful and secure cyberspace.
The short answer is that the extent to which such legal requirements change is (with some exceptions) determined by the transitional and savings arrangements under the European Union (Withdrawal) Act 2018 in combination with the effect of the European Union (Withdrawal Agreement) Act 2020. As a result, a considerable body of English consumer protection law continues to be aligned with EU law under such legislation.
The TCA provides that the UK and EU agree to adopt or maintain measures to ensure the effective protection of consumers engaging in e-commerce transactions - for example, measures that:
Speaking generally, such matters are in one form or another (for the most part) already part of English consumer protection law. The TCA seeks to lay down de minimis or baseline legal requirements for the legal protection of consumers, without calling for actual compliance by the UK with specified EU legislation. To the extent that such TCA provisions are not already enacted in existing domestic law in all respects, section 29 of the European Union (Future Relationship) Act 2020 (discussed above) is the mechanism by which such provisions are implemented.
A similar de minimis approach under the TCA is taken in relation to unsolicited direct marketing campaigns.
The TCA also recognises that consumer protection bodies can co-operate and enforce breaches of UK and EU consumer rights in order to protect consumers and enhance online consumer trust.
Businesses located in the UK will still wish to sell to consumers and other businesses in the EU after Brexit. To do that, regardless of the technical position under the legislation and the TCA, such businesses will still need in practice to comply with a significant amount of EU law (not least because such requirements may be imposed on them as part of supply chain requirements from their own business customers within the EU).
The TCA includes provisions designed to avoid making access to another’s markets conditional on acquiring a business’s intellectual property rights.
For example, under the TCA (and with some exceptions) neither the UK nor the EU may impose or enforce any requirement, or enforce any commitment or undertaking, in connection with the establishment or operation of any enterprise in its territory to transfer technology, a production process or other proprietary knowledge to a natural or legal person or any other entity in its territory.
Under the TCA, the UK and EU agree not to require the transfer of, or access to, the software source code of the other’s residents or businesses. This is without limit to private parties’ ability to negotiate agreements for the transfer of source code.
For a detailed analysis of Brexit in relation to the intellectual property rights, see Impact of Brexit on Intellectual Property.
Publication
The Regulator has provided a link to its dashboard webinar held on November 26, 2024, which it urges scheme trustees to watch. The Money and Pensions Service also collaborated with the Pensions Dashboard Programme to host a “town hall” dashboard event on December 2, 2024.
Publication
The new DB scheme funding code came into force on November 12, 2024, and the Regulator has now published the final part of the new funding regime framework: updated employer covenant guidance for trustees.
Subscribe and stay up to date with the latest legal news, information and events . . .
© Norton Rose Fulbright LLP 2023