Fintech Market Overview

This article does not constitute legal advice.

Data protection in the UK

The provisions of the General Data Protection Regulation (GDPR), now called the EU GDPR, have been combined with the UK version of the GDPR, known as the Data Protection Act 2018, to create the UK GDPR. The UK is an incredibly connected nation, and maintaining data flows between it and the EU has become a major goal following Brexit. On 28th June 2021, the European Commission acknowledged this importance by granting an 'adequacy' decision for the UK, meaning most of the data protection rules that applied to fintechs pre-Brexit will stay in place for now. Nevertheless, this decision must be reviewed every four years and could be changed if needed. This applies especially if changes are made to fit the guidelines set out in the National Data Strategy, as such alterations may risk losing the adequacy decision completely. [1]

At the end of the four-year period, should the EU decide not to renew its adequacy decision regarding data flows, the UK will become a third country. Companies will then need to put in place specific compliance mechanisms to govern data transfers, such as binding corporate rules or EU standard contractual clauses (SCCs). The Schrems II judgment applies to both EU and UK data transfers; it requires companies to evaluate whether the SCCs provide a level of protection equivalent to that of the UK's data protection regime, and additional measures may have to be taken. [1]

On 2 February 2022, the UK Information Commissioner's Office submitted a new international data transfer agreement (IDTA) and an addendum to the European SCCs to Parliament, as part of its efforts to facilitate data transfers outside the UK in compliance with the Schrems II decision. The IDTA is intended for transfers subject only to the UK GDPR, and the addendum is to be used when both the EU GDPR and the UK GDPR apply. If no objections arise in Parliament, they will come into force on 21 March 2022, after which the Commissioner's Office plans to publish an explanatory guide on their use. This will be a significant benefit for multinational fintechs bound by both the EU GDPR and the UK GDPR, and is similar in importance to intellectual property legislation. As financial services technology develops, data protection law has to keep up with modern demands, especially given that the GDPR is relatively recent. [1]

The Information Commissioner's technology priorities for 2022 include engaging with government on reforms to the UK GDPR. This is highly relevant to technology in the financial services sector, which handles huge amounts of pseudonymous and personal data. [1]

Aside from the GDPR, PSD II contains a number of rules on personal data processing. For example, it introduces the concept of 'explicit consent', raising doubts about how this affects the other legal grounds for processing established in the GDPR. The European Data Protection Board has clarified that there is no conflict: 'explicit consent' in PSD II means an additional contractual consent required for payment services between user and provider. There must still be valid reasons for data processing under the GDPR, such as carrying out operations necessary to fulfil a contract to which the data subject is a party. [1]

Notes
  1. https://thelawreviews.co.uk/title/the-financial-technology-law-review/spain