What does the Brexit deal mean for compliance?

Brexit image

How the Brexit deal impacts legal and financial services and data protection

At the last minute, the UK and EU agreed to a Trade and Cooperation Agreement (TCA) governing the new relationship between Great Britain and the EU bloc, Great Britain being the correct term since Northern Ireland remains inside the customs union.

In general, the TCA establishes a trading relationship without tariffs and quotas. But non-tariff barriers such as customs checks, paperwork and regulatory processes will become the norm as they did not exist inside the single market. The services sector, in particular professional services, will be quite significantly affected by the new deal.

What does the Brexit deal mean for legal and professional services?

The TCA does not allow for the mutual recognition of professional qualifications. This means accountants, lawyers and others with recognised professional qualifications may need to seek recognition with the appropriate UK, EU or member state-level body.

But the agreement includes what the UK government described as “groundbreaking provisions” on legal services that allow UK lawyers to advise clients across the EU on UK and public international law, except where EU members place specific limits on this.

Those limits are carefully worded inside the TCA. Section 61 states: 

Where EU Member States require UK lawyers to register in order to provide advice on UK and public international law, the agreement makes clear this cannot mean re-qualification or admission to the local legal profession. 

While there will be some processes and hoop-jumping that will likely be required, wholesale re-qualification or admission to the local legal professional, and the obvious language barriers that includes, is outside the scope of the agreement.  

However, this can vary from country to country. For example, in the Czech Republic, lawyers holding UK qualifications that have not been recognised by 1 January would need to be resident in the Czech Republic in order to advise on UK law. But in Austria, they do not have to be resident and can instead deliver advice from the UK.

Even with the Agreement in place, there will no longer be automatic recognition of insolvency proceedings of an EU jurisdiction in the UK and vice versa, which means that recognition will be based on other sources of recognition, such as the Cross-Border Insolvency Regulations 2006.

If you intend to enter into a contract governed by English law, there is no material change in respect of the choice of English law as the governing law of the contract; however, enforcement of judgments will be based on private international law or other treaties that are or will come into force. 

What does the Brexit deal mean for financial services?

If you are a financial services provider, you can reclaim input VAT attributable to outbound supplies you make from the UK into the EU (or vice versa) from 1 January 2021, as you currently can in respect of outbound supplies from the UK to third countries.

To continue serving customers in the EU, UK-based institutions will have to be granted equivalence rights, under which the EU allows them to conduct certain financial activities. Equivalence rights can be withdrawn at short notice. So far the EU has granted temporary equivalence rights to British clearinghouses, which operate between buyers and sellers in trades and pledge to complete the deal even if one side reneges.

But in general, there is little in the deal for financial services to get excited about. Few observers expect Brussels will be in any hurry to ease the new restrictions on UK firms’ access to EU markets by regulatory “equivalence” decisions. So far, equivalence decisions granted by the EU can be withdrawn at short notice, as Switzerland has discovered. This is off-putting for investors who will want legal certainty regarding the status of cross-border contracts.

Electronic contracts, signatures and providing services digitally; for the vast majority of services, the TCA gives equal treatment to electronic signatures and electronic documents versus paper-based documents. The UK-EU TCA also contains clauses that mean services can be provided digitally by default without requiring prior authorisation. But there are some specific exemptions for certain kinds of legal, gambling and broadcasting services.

The full text of the Agreement states that the EU and UK:

Shall make their best endeavours to ensure that internationally agreed standards in the financial services sector for regulation and supervision, for the fight against money laundering and terrorist financing and for the fight against tax evasion and avoidance, are implemented and applied in their territory.

This means that the UK will have to keep up with the progression of internationally agreed standards such as those adopted by the G20, the Basel Committee on Banking Supervision, the FATF and the OECD. These standards are often of course less stringent than ones proposed by the EU itself, although they do tend to filter down. There’s likely to be some lag between the farthest-reaching standards the EU decides to adopt, and when the UK and the rest of the international community catch up with that.

What does the Brexit deal mean for data protection?

Section 182 of the Agreement states:

This Part also includes a provision to provide for the continued free flow of personal data from the EU and EEA EFTA States to the UK until adequacy decisions are adopted, and for no longer than 6 months. The UK has, on a transitional basis, deemed the EU and EEA EFTA States to be adequate to allow for data flows from the UK.

This means for data protection purposes, there is a further transition period of up to six months. For the time being, personal data can continue to flow across the channel without the need for any additional safeguards.

Read more: up-to-date GDPR training suite

Additionally, the full text of the Agreement binds the UK to keeping data protection standards high. This includes maintaining rules on breaches, data subject rights, level of security, lawful processing, and safeguards for appropriate transfer to third countries

As long as the UK doesn’t do something horrendous to data protection by unilaterally amending the regime, approving new binding corporate rules or contractual clauses and approving new code of conduct for safeguards or certification mechanisms, the UK will retain adequacy until a final decision is made, or for four months from 1 Jan, extendable by another two months unless one party objects.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

“In a world older and more complete than ours they move finished and complete, gifted with extensions of the senses we have lost or never attained, living by voices we shall never hear.”

Picture of James

James

VinciWorks CEO, VInciWorks

Spending time looking for your parcel around the neighbourhood is a thing of the past. That’s a promise.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.