Brexit and the Law – What CIOs need to know about EU GDPR and IT contracts

Not even the House of Commons library knows how many laws will be affected or need to be replaced as a result of the Brexit vote. But the effect on technology estates, and the applicable regulatory and compliance regime within which CIOs operate, is likely to be considerable.

[See also: Legal implications of Brexit for CIOs – Alistair Maughan’s top 10 tips on preparing for Brexit]

At the most basic level, laws that derive from an EU directive will have already been separately implemented in the UK, so the existing UK national law will continue to apply. But laws enacted in Brussels via a regulation have direct applicability in the UK and don’t require national implementation – so when the UK leaves the UK, the law ceases to apply. One immediate issue will be whether and how to replace existing legal regimes created by an EU regulation.

Most of the UK’s law on technology product safety and regulation and online consumer rights derives from EU law. The government will have to decide which laws should be retained and which could be adapted. The government may see Brexit as an opportunity, for example relaxing product standards or consumer rights for imports. However, UK technology exporters will have little choice but to meet EU-legislated standards if they want to continue their exports into Europe.

In terms of existing tech contract relationships, for the most part the prevailing view is that the Brexit vote is unlikely to provide a way out. Parties might try to rely on material adverse change or force majeure clauses as grounds for termination. But there’s no guarantee that such clauses, provisions or principles will allow for termination and each case will come down to a question of interpretation of the particular clause having regard to the relevant facts.

One area of particular exposure to bear in mind in larger services-based contracts is the extent to which either customer or provider bears the risk on change-in-law. Outsourcing contracts issued by the public sector and many large banks typically seek to push this risk to service providers – and given the scale of legal change likely to be required, the potential change-in-law costs over a period of years could be significant.

Companies will, of course, need to factor the Brexit decision into future technology operations. There may be an impact on the length of the terms of contracts going forward, for example. And if the significant market uncertainty and volatility experienced in the immediate Brexit aftermath continues for sustained periods, companies will want more flexibility built into contracts including more flexible rights to terminate, such as termination for convenience or express rights to terminate in the event of Brexit.

In respect of intellectual property (IP), when Brexit happens the most immediate impact will likely be on unitary pan-European IP such as Community trade marks and Community registered designs, which will not cover the UK post-withdrawal. It is anticipated that the UK will provide for right-holders, who lose protection in the UK in this way, to be granted an equivalent UK national registered trade mark or design right. But in the meantime, companies that use patents or trade marks to protect their technology may need to adjust their filing strategies. There ought to be a lesser effect on copyright because that is an essentially national-based right.

While the UK remains a member of the EU, the Data Protection Directive and e-Privacy Directive as currently implemented in UK law continue to apply. The Directive will be replaced by the EU General Data Protection Regulation (GDPR) in May 2018. Given the time that will elapse before Brexit actually occurs, it may well be the case that the GDPR will come into force before the UK formally exits the EU. But the situation will change when UK leaves the EU. From that moment on, the GDPR will no longer be applicable in the UK. The national laws implementing EU directives (including the e-Privacy Directive) will, however, remain in force until they are amended or repealed. Thus, the UK will become a “third country” under the data transfer rules in the GDPR. In this case, personal data can only be exported by a business established in the EU to a third country, such as the UK, if there is an “adequate level of protection” for such data, unless certain conditions have been met. This may require businesses to put in place alternative data transfer arrangements for transfers from within the EU to the UK, at least for a period of time while adequacy status is confirmed.