In this newsletter, we consider three key areas in our Business document
folder and the impact on those areas of a no-deal Brexit. In each case, the
UK’s departure from the EU will mean some changes to the legal landscape;
however, for many businesses, particularly small businesses, the impact of
such changes is likely to be relatively minor.
It is still unclear at this point whether the UK will leave the EU with a
deal, whether our departure will again be deferred as it was earlier in the
year, or whether we will leave without a deal. Here at Simply-Docs we will,
as always, monitor legal developments closely and update our content as and
when changes are required.
Consumer Rights
Current consumer protection law in the UK is derived from EU law. In fact,
in the form of the Consumer Rights Act 2015, it actually surpasses the
standards of protection established in the basic EU provisions. In the
event of a no-deal Brexit, therefore, UK consumer law and EU consumer law
will be essentially the same, at least to begin with.
Cross-border enforcement will become more difficult. While the UK is an EU
member state, its consumer protection regime is supported by a reciprocal
cross-border framework. No-deal would mean the UK’s immediate departure
from that framework. Consumers in the EU buying from UK-based businesses
could, therefore, find enforcing their rights difficult. Similarly, access
to the European Commission’s Online Dispute Resolution Platform would end.
The Government has said that it will take steps to ensure that traders can
still use Alternative Dispute Resolution for UK disputes, and your ADR
obligations as a business will not change. If your website makes any
reference to the EU Online Dispute Resolution Platform, however, such
references should be removed in the event of no-deal.
UK businesses selling to UK consumers should not expect much to change in
the event of a no-deal Brexit, but those selling to EU consumers must keep
in mind that, while current UK law reflects EU law, this will not
necessarily be the case after 31 October and future changes in the EU must
be monitored carefully.
At present, we do not expect our documents in this area to change as a
result of a no-deal Brexit; however, we will continue to monitor the
situation and advise you of any changes as and when they become necessary.
Data Protection
Data protection is currently governed in the UK primarily by the GDPR and
the Data Protection Act 2018. Because the GDPR is an EU regulation, it will
cease to apply in the UK in the event of a no-deal Brexit. The Government,
therefore, will write the GDPR into UK law with certain changes to make it
UK-relevant. This is known as the UK GDPR. In most cases, it will be
exactly the same as the EU GDPR, albeit with certain alterations, for
example, where the GDPR refers to the UK as an EU member state or refers to
certain EU entities.
Cross-Border Personal Data Transfers
Restrictions on moving personal data across borders will change in the
event of a no-deal departure from the EU, particularly when moving personal
data from the EU or EEA to the UK.
When transferring personal data from the UK to a country outside the EEA,
the same mechanisms will apply. EU Commission adequacy decisions made
before exit day will be recognised in the UK (and a new UK adequacy
framework is also planned), the EU/US Privacy Shield will apply subject to
modifications (the US organisation in question must update its commitments
to expressly refer to the UK), EU Commission-approved standard contractual
clauses will continue to be recognised in the UK, and binding corporate
rules authorised under the EU process before the exit date will be
recognised (but those rules must be updated to refer to the UK as a third
country outside the EEA). Where there is no adequacy decision or
safeguards, it may be possible to rely on one of the exceptions included in
the GDPR. These exceptions will be preserved in the UK GDPR.
Where personal data is transferred from the UK to the EEA, things will
continue as normal and no additional measures will be needed.
The EU, however, will not treat the UK in the same way. No-deal Brexit
means that the UK will become a ‘third country’, despite its data
protection regime being practically identical to the EU’s. Until the EU
Commission makes an adequacy decision (which will not be granted before the
exit date), additional measures will be needed when transferring personal
data into the UK from the EU or EEA. For most businesses, the ICO
recommends that EU Commission-approved standard contractual clauses are
used. Certain limited exceptions (including, but not limited to, explicit
consent, the conduct of legal claims, and public interest reasons) may also
be relied upon.
When receiving personal data into the UK from states that are covered by an EU
Commission adequacy decision, it will be important for you and the party
transferring the personal data to you to consider how to comply with the
legal requirements for such data transfers in that state.
European Representatives
If your business offers goods or services to individuals in the EU or EEA,
or if you monitor the behaviour of individuals located in the EU or EEA,
and do not have a branch, office, or other establishment in an EU or EEA
state, you will need to appoint a European representative.
Representatives must be appointed in writing and can be individuals,
companies, or organisations. Details of the representative must be provided
to those individuals whose personal data is being processed. The
representative will, in essence, be their point of contact.
In a business context, if your processing is only occasional, of low risk
to the rights of individuals, and does not involve special category or
criminal offence data on a large scale, you will not need to appoint a
representative. However, “occasional” and “low risk” are likely to be
interpreted very restrictively.
The End of the One-Stop-Shop
Under the GDPR, businesses dealing with personal data in multiple EU or EEA
states only need to deal with one “lead supervisory authority” (e.g. the
Information Commissioner’s Office). This will end for UK organisations in
the event of a no-deal Brexit. Depending upon your use of personal data
across borders, therefore, you may need to deal with the ICO and one or
more other supervisory authorities in the EU or EEA.
Updating Your Privacy Notices
Given that the UK GDPR will replace the EU GDPR post-Brexit, the
information required in your privacy notice or privacy policy will not
change. What may change, however, is information about international data
transfers as well as wording and references that treat the UK as an EU member
state.
What’s Next?
For many businesses, particularly those who only process the personal data
of UK individuals within the UK, not much is expected to change in the
event of a no-deal departure from the EU. Where personal data crosses
borders, however, additional steps may be needed to ensure compliance with
what will become multiple regimes. Documentation and notices should be
reviewed to ensure that their wording and effect still make sense with the
UK as a third country with its own version of the GDPR and, where
appropriate, measures such as Data Protection Impact Assessments and your
data sharing activities should be reviewed, particularly with regard to
international data transfers.
Most references to the GDPR in Simply-Docs’ templates include references to
successor legislation that may be enacted in the future. We will be
monitoring Brexit and the progress of data protection legislation and will
amend our documents with more specific definitions as and when the
situation crystallises.
Intellectual Property
Copyright protection is generally harmonised globally by international
treaties. Within the EU, it is also governed by a body of EU legislation.
UK copyright law is substantially derived from EU law and thus includes a
number of EU references, particularly those concerning cross-border
enforcement within the EU. UK law will be amended to remove or correct
references to the EU and will aim to preserve the effect of UK copyright
law where possible.
UK and EU copyright works will continue to be protected in both the UK and
the EU thanks to international treaties (e.g. TRIPS and the Berne
Convention).
EU trade marks and Community designs (both registered and unregistered)
currently apply in all EU member states. The registered rights will no
longer have effect in the UK in the event of a no-deal Brexit. The
Government has said that it will provide EU rights holders with an
equivalent right in the UK after exit, thus providing continued protection.
Those with an application for an EU trade mark or registered Community
design in progress on exit day will have nine months from exit day to apply
in the UK for the equivalent protections while retaining the priority date
of the EU application.
Unregistered Community design rights will continue to be protected in the
UK for the remainder of their term and the Government will also create a
new equivalent UK right. Confusingly, however, this would sit alongside the
existing regime for unregistered designs in the UK.
As to patents, the new Unitary Patent system is not expected until next
year. In the event of a no-deal Brexit, it is currently unclear whether or
not the UK would still be able to participate.
Database rights currently bestowed by EU law may also be affected by a
no-deal Brexit. UK owners of UK database rights may not be able to enforce
their rights in EU and EEA states.
Domain names may also be adversely impacted by no-deal. UK businesses with
.eu domain names may have those domains revoked and will not be able to
renew them.
We do not anticipate that our Intellectual Property templates will change
considerably as a result of a no-deal Brexit. As with all areas in our
portfolio, we will be monitoring legal developments associated with Brexit
closely, and will advise our customers of key changes.
The contents of this Newsletter are for reference purposes only and do not constitute
legal advice. Independent legal advice should be sought in relation to any specific
legal matter.