Legal implications of Brexit for CIOs | Morrison & Foerster partner Alistair Maughan shares his top 10 tips on preparing for Brexit

The full impact of Brexit on UK businesses remains unclear, but proper planning can help minimise disruption, smooth the transition, and may provide opportunities to organisations as Britain prepares to leave the EU.

Alistair Maughan, a CIO UK columnist and leading outsourcing and technology lawyer at Morrison & Foerster, shared his advice at the CIO Summit 2016 of the 10 key areas CIOs and technology executives need to bear in mind for their organisations as the UK considers how it will negotiate the terms of Brexit. [See also: Brexit and the Law – What CIOs need to do about EU GDPR and IT contracts]

1. Be aware of what sector you’re in

Probably the key current concern is accounting for the specific circumstances within your sector. For regulated sectors this is particularly important, with sectors such as financial services where issues such as passporting are significant worthy of special attention. The current EU regulations will be replaced by a parallel UK system, but the details remain unconfirmed.

There are two categories of laws emanating from Brussels. The first is EU directives that are locally implemented, such as the EU copyright directive, which become part of UK law through an Act of Parliament or statutory instrument. These will not be affected by Brexit as they are already incorporated into domestic legislation.

The second category is the rules and regulations that stem directly from EU treaty. These will disappear as soon as the UK leaves the EU. Lawmakers will determine which of them require British replacements. The origins and replication of regulations will need to be tracked, and the process of doing that will vary across different sectors. Make sure you’re aware of any regulatory regime that affects you.

2. Check your existing contracts

Consider how Brexit will affect your current contracts. This is relevant to all types of contracts, but particularly to long-term services, base contracts and outsourcing contracts.

The Brexit vote is unlikely to provide a means to escape existing tech contracts. The suggestions that termination clauses, material adverse change clauses and force majeure clauses could be used have been overstated, as the principles for termination will likely lack the precision to be triggered by Brexit.

“A force majeure is an act of God,” explained Maughan. “Act of Boris isn’t really the same thing.”

That could be good or bad news, depending on both your position in the organisation and whether you’re on the buying or selling side of the business.

Other contract provisions are more likely to be affected, the most common being agency or distribution contracts in EU territories. The impact on third parties you have contracts with should also be checked. They may be more at risk of currency fluctuations than they were when the contract was awarded.

Revisit your contracts and prioritise by their scale, value and importance, and by who the partner is. Analyse the current implications of Brexit on the existing contract base and put in place a process to track them as we move closer to leaving the EU.

3. Understand who bears the Change-in-Law risk

Another point pertinent to large services-based outsourcing contracts is over who bears the risk when a change in law or regulation imposes new services or investment. The customer and service provider will both try to push that risk on to each other.

The outcome is often somewhere in the middle. The customer will likely bear the brunt of the risk from changes specific to them or their industry, while the provider might carry the risk of more general issues and changes, such as in health or safety. Both parties must agree on how they split the costs and risks of Brexit, whether they’re in changes to the law or in impact on long-term services contracts.

When a change in law affects a service provider’s customer base as a whole, the provider may implement that change but then share the cost among its customer base. That could be a neat compromise in theory, but ironing out the details of the application and auditing will be more difficult. Be aware of the potential impact of a change-in-law.

4. Anticipate Data Privacy issues

This is an area that will certainly change in time. The Data Protection Act, which implements European Law, will remain UK law. The General Data Privacy Regulation (GDPR), meanwhile, will come into force across the EU in May 2018. Once the UK leaves the EU, it will no longer apply. Establishing a radically different alternative will not be in British interests, so an alternatively will likely be established that is close to prevailing EU regulations.

The transfer of data outside the EU currently requires either model clauses, binding corporate rules, or certification from the EU that the external country has adequate data privacy rules. The UK will require such certification once it leaves the union. Before that is granted, a transitional regime may be installed, but there could be a gap in which other means of transferring data would be required.

Issues may arise from the method of the transfer, the location of databases and how consent was attained. This is an area where it would be wise to begin analysing data storage and consent management, and tracking the evolution of the replication of the GDPR.

5. Know your Intellectual Property position

The UK’s Intellectual Property office has issued a paper clarifying the situation, making it one of the few areas with official guidance. The area with most potential impact for CIOs will likely be trademarks.

In the EU, a single application to the EU trademark office can result in a trademark granted that covers the entire union. Continue with any ongoing EU trademark filing, but make a backup filing in the UK to ensure that protection isn’t lost when the UK leaves the EU.

The patent system is unlikely to be materially affected. European patents are usually completed by European treaty, but not specifically EU treaty. The UK will remain a part of the European Patents Conventions (EPC), and will still be eligible for single filings for European patents.

More irksome is the loss of access to the planned unitary patent system and content. This would have simplified the enforcement of patents by assigning infringement rulings in the EU to a single court. The UK was set to be the home of one of these patent courts, but will no longer benefit from the system.

Copyright is likely to have a larger impact for CIOs. The existing domestic copyright law will continue to to apply, but the UK will not benefit from the EU’s proposals for copyright modernisation under the digital single market initiative.

6. Is this the end for English law?

English law will likely remain a popular choice for international contracts, especially in the tech sector. There’s relatively little regulation that supersedes English law and it has a reputation for compatibility with the many legal systems that emerged from it and for supporting commercial common sense. The certainty and stability it provides remain attractive for many large corporations.

The enforcement of judgements currently made by European conventions may be more problematic. A convention that enables a mutual recognition of judgements appears likely to be enacted.

7. Future-proof your contracts

Think about the contracts you’re entering into now and what could need changes as a consequence of Brexit. Consider whether they will last when the UK leaves the EU, and evaluate potentially problematic areas, such as scope changes to the law-risk territory.

Your rights to specify location could have consequences for cloud businesses and data-heavy services, so try to predict the impact on existing contracts and future negotiations. The effect of variability, the foreign exchange risk, and shifts in location could all be affected.

8. Don’t consider Brexit as just a risk

There are potential opportunities that will stem from Brexit, depending on the approach of the UK government. The legal and regulatory systems are unlikely to undergo radical reformation, but some aspects of life outside the EU may be commercially beneficial.

Tax laws could be more favourable to businesses. Patent box revenues could be expanded from the current cap of 10%. Taxes on profits from other IP could also be reduced, or profits could come directly from patents. New laws and regulations that make the UK a more attractive starting point for e-commerce businesses could be devised. The freedom to make these changes is currently limited by EU rules.

9. Does Brexit create M&A technology acquisition opportunities?

The comparatively rapid recoveries from the recession in Japan and the USA triggered a big upswing in tech M&A at MoFo, as corporations collected small and mid-size tech businesses at improved values.

That has disappeared in the past 18 months, but may happen again, particularly due to the fluctuations in the dollar-pound exchange rate. The prospect of an increased vulnerability to takeovers presents both risk and opportunity, depending on your position.

10. Make sure that IT has a voice in the Brexit risk assessment

When businesses assemble their key stakeholders to assess risk, ensure that IT is involved. Urgent action may not be necessary for anything specific, but understanding the potential risks will ensure a business is well placed to act when the time becomes right.