The UK Government has described the Trade and Co-operation Agreement (TCA) agreed between the UK and EU as containing "some of the most liberalising and modern digital trade provisions in the world". Title III of Part Two (Part Two covers Trade, Transport, Fisheries and other Arrangements) of the TCA contains a number of provisions designed to facilitate digital trade and to ensure an open, secure and trustworthy online environment for businesses and consumers. The measures also provide for EU/UK co-operation on emerging digital trends in the future. The scope of the provisions includes all trade enabled by electronic means, but audio-visual services are (as would be expected) specifically carved out.
Key points of interest for businesses trading online include:
Data protection and cross-border data flows
The TCA provides that the UK and EU commit to ensuring cross-border data flows to facilitate trade in the digital economy. Specifically, neither can adopt certain measures – such as requiring localisation of data in the relevant territory for storage or processing – to restrict such data flows.
The free flow of personal data between the EEA and the UK beyond the end of the transition period has been an issue of critical importance, and concern, for many businesses. The TCA provides for a four-month bridging period (which will extend to six months if necessary) for the EU Commission to conclude its assessment of the UK's data protection regime and whether it is adequate. During the bridging mechanism period, the UK will not be treated as a third country for the purposes of data transfers from the EEA, provided that it does not modify its data protection law (the 'UK GDPR') or exercise certain powers in relation to international transfers, unless by mutual agreement. If the EU objects to any changes or exercise of certain powers by the UK, and the UK goes ahead to make them, the bridging mechanism will come to an end. During this period, data transfers from the EEA to the UK can therefore continue without further safeguards being necessary, though it remains advisable to conduct audits of international data flows and consider appropriate transfer mechanisms to avoid any interruption to data flows at the end of the bridging period. We discuss this in more detail in our Brexit and Data Protection guide.
More generally, the TCA provides that both the UK and EU recognise that individuals have a right to the protection of personal data and privacy, and that nothing in the TCA prevents either from adopting/maintaining measures on the protection of personal data and privacy, including in relation to cross-border data transfers. The UK has retained the EU General Data Protection Regulation in its laws as 'UK GDPR' and has stated that it 'remains committed to high data protection standards'. However, the Government has also previously indicated a desire to adapt data protection laws, but this may depend upon the impact on any adequacy assessment by the EU.
No imposition of customs duties on electronic transmissions
Electronic transmissions are considered as the supply of a service, and are not subject to customs duties.
No requirement for prior authorisation of service provision based on online provision
No prior authorisation of a service by electronic means (subject to certain exceptions) can be required solely on the grounds that the service is provided online.
Concluding contracts by electronic means
The TCA provides that neither the UK nor EU will deny the legal effect and admissibility of electronic signatures or documents on the basis that they are in digital form. Further, it provides that contracts may be concluded electronically, but does contain carve outs for certain types of services and contracts which may need to be considered carefully.
Transfer of or access to source code
The TCA provides, subject to certain exceptions (and, of course, to commercial negotiations), that neither the UK nor EU can require the transfer of, or access to, the source code of software owned by a natural or legal person of the other party.
Online consumer trust
The TCA requires both the UK and EU to adopt or maintain a range of measures ensuring effective protection of consumers in e-commerce transactions. It is worth noting here that, at the EU level, a number of relevant Directives are due to be implemented by Member States this year - including the Digital Content Directive and the Sale of Goods Directive (to be transposed into Member States' laws by 1 July 2021), and the Enforcement and Modernisation Directive (to be transposed into Member States ' laws by 28 November 2021). For businesses trading online across the EU and UK, it will be necessary to navigate both regimes.
There is nothing in the TCA relating to the Electronic Commerce Directive, which contains a number of rules relating to online activities in the EEA. From 1 January 2021, the country of origin principle no longer applies to UK-based online service providers (including e.g., online retailers) and so they need to comply with the relevant rules in each EEA country in which they operate in relation to online information, advertising, shopping and contracting. The UK Government meanwhile has said that it will fully remove the country of origin principle from UK legislation, to bring EEA online service providers in scope of UK laws. It will continue to uphold the E-Commerce Directive's safe harbour from liability regime for online intermediaries, with legislation also to be introduced this year in relation to online harms. The EU has recently published its package of measures relating to regulation of internet intermediaries, including the draft Digital Services Act, with provisions relating to illegal content.
Unsolicited direct marketing communications
The TCA provides that both the UK and EU should effectively protect users against unsolicited direct marketing communications. A direct marketing communication is defined in the TCA as any form of commercial advertising by which a natural or legal person communicates marketing messages directly to a user via a public telecommunications service, covering email, SMS and MMS. This could, for example, raise implications for the ICO's position that non-commercial advertising (such as by charities and political parties) is included within the definition of "direct marketing communication".