Brexit and Business
In this newsletter, we consider three key areas in our Business document folder and the impact on those areas of a no-deal Brexit. In each case, the UK’s departure from the EU will mean some changes to the legal landscape; however, for many businesses, particularly small businesses, the impact of such changes is likely to be relatively minor.
It is still unclear at this point whether the UK will leave the EU with a deal, whether our departure will again be deferred as it was earlier in the year, or whether we will leave without a deal. Here at Simply-Docs we will, as always, monitor legal developments closely and update our content as and when changes are required.
Consumer Rights
Current consumer protection law in the UK is derived from EU law. In fact, in the form of the Consumer Rights Act 2015, it actually surpasses the standards of protection established in the basic EU provisions. In the event of a no-deal Brexit, therefore, UK consumer law and EU consumer law will be essentially the same, at least to begin with.
Cross-border enforcement will become more difficult. As an EU member state, the consumer protection regime in the UK is supported by a reciprocal cross-border framework. No-deal would mean the UK’s immediate departure from that framework. Consumers in the EU buying from UK-based businesses could, therefore, find enforcing their rights difficult. Similarly, access to the European Commission’s Online Dispute Resolution Platform would end.
The Government has said that it will take steps to ensure that traders can still use Alternative Dispute Resolution for UK disputes, and your ADR obligations as a business will not change. If your website makes any reference to the EU Online Dispute Resolution Platform, however, such references should be removed in the event of no-deal.
UK businesses selling to UK consumers should not expect much to change in the event of a no-deal Brexit, but those selling to EU consumers must keep in mind that, while current UK law reflects EU law, this will not necessarily be the case after 31 October and future changes in the EU must be monitored carefully.
At present, we do not expect our documents in this area to change as a result of a no-deal Brexit; however, we will continue to monitor the situation and advise you of any chances as and when they become necessary.
Data Protection
Data protection is currently governed in the UK primarily by the GDPR and the Data Protection Act 2018. Because the GDPR is an EU regulation, it will cease to apply in the UK in the event of a no-deal Brexit. The Government, therefore, will write the GDPR into UK law with certain changes to make it UK-relevant. This is known as the UK GDPR. In most cases, it will be exactly the same as the EU GDPR, albeit with certain alterations, for example, where the GDPR refers to the UK as an EU member state or refers to certain EU entities.
Cross-Border Personal Data Transfers
Restrictions on moving personal data across borders will change in the event of a no-deal departure from the EU, particularly when moving personal data from the EU or EEA to the UK.
When transferring personal data from the UK to a country outside the EEA, the same mechanisms will apply. EU Commission adequacy decisions made before exit day will be recognised in the UK (and a new UK adequacy framework is also planned), the EU/US Privacy Shield will apply subject to modifications (the US organisation in question must update its commitments to expressly refer to the UK), EU Commission-approved standard contractual clauses will continue to be recognised in the UK, and binding corporate rules authorised under the EU process before the exit date will be recognised (but those rules must be updated to refer to the UK as a third country outside the EEA). Where there is no adequacy decision or safeguards, it may be possible to rely on one of the exceptions included in the GDPR. These exceptions will be preserved in the UK GDPR.
Where personal data is transferred from the UK to the EEA, things will continue as normal and no additional measures will be needed.
The EU, however, will not treat the UK in the same way. No-deal Brexit means that the UK will become a ‘third country’, despite its data protection regime being practically identical to the EU’s. Until the EU Commission makes an adequacy decision (which will not be granted before the exit date), additional measures will be needed when transferring personal data into the UK from the EU or EEA. For most businesses, the ICO recommends that EU Commission-approved standard contractual clauses are used. Certain limited exceptions (including, but not limited to, explicit consent, the conduct of legal claims, and public interest reasons) may also be relied upon.
When receiving personal data into the UK from states that are covered an EU Commission adequacy decision, it will be important for you and the party transferring the personal data to you to consider how to comply with the legal requirements for such data transfers in that state.
European Representatives
If your business offers goods or services to individuals in the EU or EEA, or if you monitor the behaviour of individuals located in the EU or EEA, and do not have a branch, office, or other establishment in an EU or EEA state, you will need to appoint a European representative.
Representatives must be appointed in writing and can be individuals, companies, or organisations. Details of the representative must be provided to those individuals whose personal data is being processed. The representative will, in essence, be their point of contact.
In a business context, if your processing is only occasional, of low risk to the rights of individuals, and does not involve special category or criminal offence data on a large scale, you will not need to appoint a representative. However, “occasional” and “low risk” are likely to be interpreted very restrictively.
The End of the One-Stop-Shop
Under the GDPR, businesses dealing with personal data in multiple EU or EEA states only need to deal with one “lead supervisory authority” (e.g. the Information Commissioner’s Office). This will end for UK organisations in the event of a no-deal Brexit. Depending upon your use of personal data across borders, therefore, you may need to deal with the ICO and one or more other supervisory authorities in the EU or EEA.
Updating Your Privacy Notices
Given that the UK GDPR will replace the EU GDPR post-Brexit, the information required in your privacy notice or privacy policy will not change. What may change, however, is information about international data transfers as well wording and references that treat the UK as an EU member state.
What’s Next?
For many businesses, particularly those who only process the personal data of UK individuals within the UK, not much is expected to change in the event of a no-deal departure from the EU. Where personal data crosses borders, however, additional steps may be needed to ensure compliance with what will become multiple regimes. Documentation and notices should be reviewed to ensure that their wording and effect still makes sense with the UK as a third country with its own version of the GDPR and, where appropriate, measures such as Data Protection Impact Assessments and your data sharing activities should be reviewed, particularly with regard to international data transfers.
Most references to the GDPR in Simply-Docs’ templates include references to successor legislation that may be enacted in the future. We will be monitoring Brexit and the progress of data protection legislation and will amend our documents with more specific definitions as and when the situation crystallises.
Intellectual Property
Copyright protection is generally harmonised globally by international treaties. Within the EU, it is also governed by a body of EU legislation. UK copyright law is substantially derived from EU law and thus includes a number of EU references, particularly those concerning cross-border enforcement within the EU. UK law will be amended to remove or correct references to the EU and will aim to preserve the effect of UK copyright law where possible.
UK and EU copyright works will continue to be protected in both the UK and the EU thanks to international treaties (e.g. TRIPS and the Berne Convention).
EU trade marks and Community designs (both registered and unregistered) currently apply in all EU member states. The registered rights will no longer have effect in the UK in the event of a no-deal Brexit. The Government has said that it will provide EU rights holders with an equivalent right in the UK after exit, thus providing continued protection. Those with an application for an EU trademark or registered Community design in progress on exit day will have nine months from exit day to apply in the UK for the equivalent protections while retaining the priority date of the EU application.
Unregistered Community design rights will continue to be protected in the UK for the remainder of their term and the Government will also create a new equivalent UK right. Confusingly, however, this would sit alongside the existing regime for unregistered designs in the UK.
As to patents, the new Unitary Patent system is not expected until next year. In the event of a no-deal Brexit, it is currently unclear whether or not the UK would still be able to participate.
Database rights currently bestowed by EU law may also be affected by a no-deal Brexit. UK owners of UK database rights may not be able to enforce their rights in EU and EEA states.
Domain names may also be adversely impacted by no-deal. UK businesses with .eu domain names may have those domains revoked and will not be able to renew them.
We do not anticipate that our Intellectual Property templates will change considerably as a result of a no-deal Brexit. As with all areas in our portfolio, we will be monitoring legal developments associated with Brexit closely, and will advise our customers of key changes.
The contents of this Newsletter are for reference purposes only and do not constitute legal advice. Independent legal advice should be sought in relation to any specific legal matter.