UK post-Brexit risks – data protection and transfer; EEA customers

UK post-Brexit risks – data protection and transfer; EEA customers – April 2021

UK post-Brexit risks – data protection and transfer; EEA customers – April 2021


  • On 24 December 2020, the UK and EU announced that a free trade deal had been reached after many months of negotiations and delays
  • The “EU-UK Trade and Co-operation Agreement” (TCA) contains almost no clarity for any topics relevant to UK financial services
  • The UK and EU confirmed that no clarity would be available until at least the end of March 2021 after the next set of negotiations between the UK and EU

In April 2021, what do we know now?

  • This summary seeks to summarise some of the key points about what is known and what remains unknown; further changes are inevitable and needed
  • All of these risks need to be analysed for their potential impact and then suitably mitigated. Plan for the worst case and develop contingency plans.   Strengthen all aspects of resilience for your business activities.
  • Many regulatory changes impacting UK financial services activities started from 1 January 2021. Some changes are immediate; others contain transition periods.

Broad perspective for post-Brexit risk environment

With the loss of all passporting rights, all future business in the EU requires UK firms to negotiate rules and permissions in every EU state, individually or together if possible.

Under the terms of the TCA, the UK and the EU committed to agreeing a Memorandum of Understanding (MoU) relating to financial services regulation by 31 March 2021.

MoU agreement at the end of March 2021

On 26 March 2021, the UK and EU both confirmed that “technical negotiations” had been concluded for the text of the UK-EU Memorandum of Understanding (MoU).   The principles of this MoU were agreed in a Joint Declaration on Financial Services Regulatory Co-operation alongside the Trade and Cooperation Agreement (TCA).

The MoU, once signed, will create the framework for voluntary regulatory co-operation in financial services between the UK and the EU.   The MoU will establish the Joint UK-EU Financial Regulatory Forum as a platform to facilitate dialogue on financial services issues.

  • In the words of HM Treasury in a 26 March statement, “formal steps need to be undertaken on both sides before the Memorandum of Understanding (MoU) can be signed but it is expected that this can be done expeditiously”.
  • “The MoU will establish the Joint UK-EU Financial Regulatory Forum, which will serve as a platform to facilitate dialogue on financial services issues,” a spokesperson for the European Commission said. “On the EU side, the MoU will take the form of a Union non-binding instrument, which requires endorsement by the Council.”

MoU and equivalence decisions

The MoU is separate from any eventual decisions on equivalence, a series of unilateral rulings that each side can make and which will offer market access to financial services.

While the MoU process is entirely separate to equivalence, some EU officials have said that securing a common framework around certain financial services rules could help unlock some limited equivalence decisions allowing UK firms access to the wider EU market.

An earlier draft of the MoU agreement suggested that the UK Chancellor of the Exchequer and the European Commission’s top financial services official should meet twice a year to discuss regulation.   It also suggested that the forum’s activities should include:

  • Informal consultations on decisions to adopt, suspend or withdraw equivalence
  • Keeping the two sides informed on supervision and enforcement of rules
  • Sharing information and analysis about the financial industry, including on taxation and efforts to fight money laundering.

The trade agreement signed by the two sides in December 2020 largely sidelined the finance industry. The EU has said since that it is in no rush to grant “equivalence” findings to restore British firms’ trading rights because it is concerned that the UK is moving away from EU standards, taking it further away from “equivalent” status.

Continuing uncertainties remain for now

Since Brexit took effect at the beginning of 2021, London-based financial firms have been largely unable to operate in the bloc, forcing many firms to move billions of dollars in assets and thousands of staff to the continent.

Lenders are being asked by the Bank of England to secure its approval before shifting jobs and business out of Britain into the European Union.   The move signals a hardening of its stance over Brexit under Andrew Bailey, who became its governor a year ago.

Bailey has recently taken a tougher line with Brussels over its treatment of the UK financial services sector and, in February 2021, accused the EU of double standards.

Concerns for clarity, business opportunities and resilience

According to the Financial Times, the Bank is concerned about the impact on the resilience of firms’ operations that remain in London if more jobs and operations move to the EU to satisfy the demands of European regulators.

Finance chiefs have also expressed their concerns about the lack of clarity of a post-Brexit financial services deal which includes equivalence.   Nevertheless, many firms still have possibilities to invest in new services and buildings within the City of London as part of business developments as they adjust to a post-Covid and post-Brexit environment.

For now, London also dominates the world’s  £4.7 trillion-a-day foreign exchange market; it is the biggest centre for international banking and the second-largest fintech hub globally after the United States.

Data protection and data transfer

  • Data protection is very important for business activities. All firms must think about where data are processed and stored.   The UK has confirmed the acceptability of firms transferring data to the EU but there has so far been no reciprocal confirmation that the UK would be “adequate” for data transfers from the EU.
  • If the EU does not grant data adequacy to the UK, companies that want to transfer data from the EU to the UK may not have a legal basis on which to do so. This will affect many thousands of companies.
  • Until such equivalence is granted, firms need to put in place alternative arrangements to comply with GDPR and the UK Data Protection Act (DPA) to ensure a high standard of protection for individuals’ personal data.
  • The TCA states that data flows will continue as normal for (possibly) four to six months from 1 January 2021 and then the EU will make a “data adequacy” ruling. This implies that uncertainty may continue until at least June 2021, impacting all cross-border transfers and uses of electronic data.
  • Uncertainties remain until all related rulings including detailed requirements are made by the EU and the UK. The continuing absence of an adequacy decision would mean that it would become more difficult to store the data of private EU citizens on UK-based servers.
  • There is a similar concern over the handling of data. It had been hoped that the EU would take an early decision to approve the adequacy of British data protection but it has not yet done so.
  • Some important pressure groups within the EU remain dubious about Anglo-Saxon commitment to data privacy and the EU has previously criticised British and American protection of personal data.

Continued supply of UK-based financial services to EEA-resident customers

  • Since 1 January 2021, all UK firms that previously conducted retail business in the EEA countries have been unable to do so. Firms can no longer support any EU-resident customers from their UK offices and operations.
  • Retail banking services including lending, payments and deposit-taking will not be included in any equivalence decisions that may be taken by the EU.
  • The EU has for now dismissed any reciprocal temporary permissions regime with the UK for such services. Instead, the UK has become a “third country” with far greater restrictions upon all its EU-focused financial services activities.
  • UK firms need to understand all relevant EU local regulations and take legal advice.
  • There may be significant disruption to business activities and related adverse publicity if retail customers or corporate customers are disadvantaged.
  • Firms need to consider alternate operational practices and potential for revenue losses due to business activities being illegal in their previous (pre-2021) formats.

Timeline with relevant dates to be logged on regulatory calendar

  • The MoU should be signed by 31 July 2021 so there will be more clarity afterwards and more actions for all firms to take in response to detailed aspects

Next steps

All firms need to immediately continue their detailed planning and research for all impacts on their business activities, employees, stakeholders and clients.

If anyone has specific questions or needs any advice, contact our specialists.


Click here to contact our experts

Subscribe to Updates

Receive regular updates from our expert consultants as they provide clarification and guidance on issues impacting your organisation.

Subscribe >>