Now that the UK Parliament has rejected the withdrawal agreement which was prepared by the UK Government and the EU institutions, questions are mounting about what to expect now and which preparations may be in order. In this article, we will take out our crystal ball and outline how your organisation may be impacted if it is involved in any cross-border IT activities between the EU and the UK. We will conclude by suggesting what, if anything, you may consider doing in preparation.
A third country in terms of privacy?
In a ‘no-deal’ Brexit scenario, the UK would become a ‘third country’ in the parlance of the GDPR as soon as it is no longer part of the EU. This would mean that organisations established in the EU would have to take additional measures (‘appropriate safeguards’) if they wish to use, or continue using, any IT services delivered from the UK involving the processing of personal data. As it is fair to say that nowadays almost all IT services involve the processing of personal data in some way or another, this would have a substantial impact on the IT sector.
Appropriate safeguards; model clauses until adequacy decision for the UK?
If you didn’t know already, ‘appropriate safeguards’ are required under the GDPR when personal data is transferred from the EU to a country where privacy protection does not meet EU standards. When a country’s privacy protection is deemed adequate, as indicated in an ‘adequacy decision’ by the EU Commission, such additional measures are not necessary. Appropriate safeguards as intended in the GDPR include standard contractual clauses (‘SCCs’, also called ‘model clauses’) created by the EU Commission or supervisory authorities, which must be included in the contract between the supplier of the IT service (data importer) and the customer (data exporter).
Besides such model clauses, there are several other measures qualifying as appropriate safeguards, such as binding corporate rules or specific certifications, but in most provider-customer IT relationships, model clauses are still the easiest and most practical to implement. It should be noted, however, that the adequacy of model clauses has come under fire in a court case between Facebook and privacy advocate Max Schrems, which is still pending.
As the UK has already adopted its Data Protection Act 2018 in order to further implement the GDPR, it seems somewhat absurd to think that the privacy protection in the UK would no longer be considered ‘adequate’ as soon as the UK has left the EU. However, in the event of Brexit without a supporting (withdrawal) agreement, it appears this would legally be the case until the EU makes an adequacy decision, a process which usually takes a year to several years. In a no-deal scenario, it seems imaginable that the EU may not be inclined to make a fast-track decision for the UK, even if UK privacy law is highly similar to and compatible with EU privacy law.
A no-deal Brexit could also have significant effects on intellectual property (IP) and therefore the IT sector as a whole, which is heavily reliant on IP. For example, if your organisation has an EU-wide trademark, your mark will only remain valid in the UK if you request this explicitly from the UK IP Office (UKIPO). Another consequence is that IP infringements spanning the EU and UK would have to be litigated separately in both the UK and the EU, and any injunctions covering the entire EU would no longer apply in the UK.
Copyright, which is the most important intellectual property right for software, would also be affected. The effects are limited by the fact that EU Directives on copyright have been implemented into UK national law already and that the UK already is a party to the most important international treaties on copyrights. Moreover, the UK Government has declared that “The EU Directives and Regulations on copyright and related rights will be preserved in UK law as retained EU law under the powers in the EU Withdrawal Act 2018. The government will make adjustments under the powers of the Act to ensure the retained law can operate effectively.”
From the EU side it has been suggested, however, that, for example, the cross-border portability of online content services as guaranteed under Regulation (EU) 2017/1128 may no longer apply in the UK after a no-deal Brexit. Another consequence would be that companies in the UK could no longer have or exercise ‘sui generis’ database rights within the EU. These are rights to databases which have been created as a result of substantial investments, e.g. websites containing large selections of real estate or cars for sale.
Assessing the risks
Readers familiar with risk assessment will know that risk is generally defined as the product of (1) the negative consequences associated with an uncertain event and (2) the likelihood that the event and associated negative consequences materialise. Assessing risk is by definition an inexact exercise due to the uncertainties in play. Of course, the words ‘Brexit’ and ‘uncertainty’ go together like a wink and a smile, which is precisely why you are reading this article and also why I mentioned a crystal ball, which you would need to make a precise assessment. Adding to the uncertainty of Brexit is the uncertainty around legal developments in the field of privacy, such as whether model clauses will remain valid as ‘appropriate safeguards’ for transfers of personal data to third countries. So, with the largest of disclaimers, you may consider the following thoughts.
- Although it appears legally true that the UK would become a third country as soon as it is no longer in the EU, it could potentially be argued that adequacy should reasonably be assumed even in the absence of a decision by the EU Commission, as UK privacy law incorporates and is based on the GDPR. For the same reason, it may also be expected that EU supervisory authorities will not suddenly make it a priority to start issuing fines for data transfers to the UK.
- Whereas the necessity to implement appropriate safeguards for EU-UK data transfers would be a nuisance, this obstacle would be far from insurmountable. The same conclusion appears applicable to the consequences in the field of IP.
- A no-deal Brexit would have such broad negative consequences for the UK and EU as a whole that delay seems far more likely than a no-deal exit on 29 March 2019.
- Tough talk on either side indicating a willingness to let a no-deal Brexit happen if the other side does not agree to their position should probably be taken as negotiation strategy rather than literal truth.
Conclusion: should you take action to prepare for the worst?
Consequences of a no-deal Brexit specific to the IT sector, such as those described above, can be categorised as a substantial nuisance rather than catastrophic and appear less grave than the general consequences which would affect all citizens and organisations in the UK and EU. Although a no-deal Brexit on 29 March technically still is a possibility, the likelihood of such a doomsday scenario currently appears limited.
Therefore, at this moment it seems generally advisable to keep a very close eye on the developments, without doing anything drastic. If you are providing IT services from the UK and have many clients in the EU, or if you are established in the EU and depend on IT services delivered from the UK, you may wish to prepare yourself in order to be able to implement appropriate safeguards very quickly in the event that the worst-case scenario suddenly materialises.