Fintech Market Overview

This article does not constitute legal advice.

Data protection in the UK

Fintech Software

The provisions in the General Data Protection Regulation (GDPR) relating to the processing of personal data (now renamed the EU GDPR) have been merged with the UK version of the GDPR (the Data Protection Act 2018) to become the UK GDPR. The UK is one of the most connected countries in the world, and, post Brexit, the maintenance of dataflows between the UK and the EU remains an obvious priority. On 28 June 2021, the European Commission adopted an 'adequacy' decision for the UK meaning most of the data protection rules affecting fintechs prior to Brexit will stay the same. However, this is subject to ongoing review and, in any event, renewal on a four-year basis. If the UK government decides to vary the provisions of the UK version of the GDPR to support the UK's National Data Strategy, it may potentially risk the continuance of the adequacy decision.1

If, at the end of the four-year period, the EU decides not to renew the adequacy decision, the UK will become a third country as far as EU dataflows are concerned, and companies will have to put in place more cumbersome compliance mechanisms to govern these, such as binding corporate rules, EU standard contractual clauses (SCCs) or other approved arrangements. The recent Schrems II decision will also apply to transfers from the EU to the UK and vice versa. This decision requires that entities make an assessment as to whether those SCCs provide protection that is 'essentially equivalent' to the protections in the UK data protection regime, and if necessary, put in place additional measures.1

On 2 February 2022, the UK Information Commissioner's Office laid before Parliament a new international data transfer agreement (IDTA) and addendum to the European SCCs, with the aim of supporting organisations transferring data outside the UK to countries not covered by adequacy decisions in light of and in compliance with the Schrems II decision. The addendum is to be used where there are transfers of personal data subject to both the EU GDPR and the UK GDPR while the IDTA is intended for transfers subject to the UK GDPR only. If there are no objections by Parliament, the IDTA and addendum will come into force on 21 March 2022 with the Commissioner's Office expected to issue guidance on their use. The entry into force of the IDTA and addendum will substantially simplify data sharing for multinational fintechs subject to both the EU GDPR and the UK GDPR. In the same way as for intellectual property, financial services technologies also test the existing legal framework around data protection, despite the GDPR being of relatively recent provenance.1

The Information Commissioner's technology priorities for 2022 include engaging with government on reforms to the UK GDPR, which is highly pertinent to technologies within the financial services sector that handle huge amounts of personal and pseudonymised data.1

In addition to the GDPR, PSD II includes a number of specific rules concerning the processing of personal data. For example, PSD II provides for 'explicit consent' raising the question of whether this constrained the use of the various other bases for processing set out in the GDPR. The European Data Protection Board has clarified that it did not. 'Explicit consent' referred to in PSD II is a contractual consent that is an additional requirement of a contractual nature. Payment services are always provided on a contractual basis between payment service user and payment service. There still needed to be a requisite basis for processing the data under the GDPR; for example, processing necessary for the performance of a contract to which the data subject is party.1

Cross-border payments in the UK

Fintech in the UK

Fintech in other countries

Let's introduce you

UK Fintech Lawyers

Maxim Minaev

Maxim Minaev

We provide legal and organizational services for the creation, structuring and development of fintech companies

Languages: EN LV RU

Dr Irena Dajkovic

Dr Irena Dajkovic

International law firm authorised by the UK Solicitors Regulation Authority

Languages: EN FR

Ilya Druzhinin

Ilya Druzhinin

I have over 22 years of experience in legal practice, most of which is accompanied by e-com and fintech projects

Languages: RU EN

  1. https://thelawreviews.co.uk/title/the-financial-technology-law-review/spain
Offer for startups

Fast start for $5K

You can launch your platform by paying $5000 initially and the rest after 6-12 months if your business grows