Brexit Checklist for Technology & Communications Businesses

By Sally Shorthose, Roger Bickerstaff, Yuichi Sekine, Elizabeth Upton, Nick Aries, James Mullock, Fabian Niemann, Bryony Hurst

09-2020

17 September 2020

The UK left the EU on 31 January 2020.  As a result of the Brexit transition period, EU law continues to apply in and in relation to the UK until the end of the transition period - which will end on 31 December 2020, assuming there are no extraordinary developments, as the UK opted not to extend the transition period. 

After the end of the transition period, the EU Treaties, EU free movement rights and the general principles of EU law (such as the single market and the customs union) will cease to apply in the UK. Prior EU regulations will continue to apply in UK law until they are modified or revoked by UK regulations.    

Technology and Communications businesses need to prepare for the end of the transition period. The following areas are outlined in this note:

This Checklist is an update to the Checklists previously issued by Bird & Bird in 2018 and 2019.

People

The UK will leave the EU single market at the end of the transition period, including the free movement of people. However, the Government has committed to protect the rights of EU nationals and their family members who wish to stay in the UK. The EU Settlement Scheme ("Scheme") requires EU nationals to register in order to preserve their rights under UK law (including rights to work, pensions, healthcare and other benefits). The Scheme went live on 29 March 2019 and is mandatory for all EU nationals who wish to continue living in the UK after 31 December 2020. Home Office guidance on the Scheme is available here.

Organisations with EU nationals working in the UK should implement a communication plan to inform and support employees with Scheme registration. We encourage businesses to take proactive steps at this stage to ensure their EU national employees retain the right to work in the UK and avoid business interruption. In particular, EU citizens lawfully resident in the UK at the end of the transition period will continue to receive access to NHS-funded healthcare in England but they will need to be able to provide evidence that they are lawfully resident in the UK and that they were residing in the UK at the end of the transition period and provided they register their new status by 30 June 2021.

Businesses with British Citizen employees residing and working in EU27 Member States should also ensure that affected individuals have complied with national requirements to protect their continued right to reside and work in that Member State after the end of the transition period.  In particular, cross-border workers based in the UK (who are British Citizens) but who work in multiple EU Member States will need to carefully plan their future activities as freedom of movement will cease to apply after 31 December 2020.  They may need to obtain multiple work permits, visas and/or residence permits in order to work at client sites in EU27 Member States.

Looking beyond the end of the transition period, the UK Government is on track to implement a new set of Immigration Rules which will apply to all non-UK nationals. A new policy document issued by the Home Office in July builds on the planned changes to the Immigration Rules that were announced in February 2020. 

For employers, the overall message is clear. The Home Office has effectively rolled back most of the restrictions placed on work visas since April 2011 and it will be much easier to sponsor non-UK nationals as new hires from January 2021. 

For more information click here.

Data protection

EU to UK data transfers: The departure of the UK from the EU on 31 January 2020 has not led to dramatic immediate changes in UK data protection law.  The GDPR (taking into account the derogations introduced by the Data Protection Act 2018) continues to apply in the UK through the transition period.  Afterwards the derogated Regulation will be enacted into UK law. The GDPR will also continue to apply to UK organisations which trade in the EU to the extent any of their processing activities are caught by the extra-territorial provisions.

Even so, unless the EU Commission grants an adequacy decision in respect of the UK by the end of the transition period, there is a risk that after 31 December 2020, transfers of personal data from the EU to the UK will constitute a transfer of personal data to a "third country" requiring the exporter to put in place alternative safeguards, such as Standard Contractual Clauses (SCCs) to legitimise the data transfer or to rely on an appropriate derogation. Note that the recent CJEU Schrems II judgment which invalidated the EU-US Privacy Shield framework, concluded that the SCCs remain valid. However, the CJEU indicated that data exporters need to take additional steps to ensure that personal data transferred to a third country is afforded essentially equivalent protections to those which apply within the EU and that the data subject has effective remedies in relation to infringements. In particular the CJEU stated that this requires the exporters to take into consideration both the contractual clauses and any access by the public authorities of that third country to the personal data transferred, the relevant aspects of the legal system of that third country.

This decision raises numerous questions for data transfers outside of the EEA and has yet to be reflected in any substantial guidance from EU data protection authorities. Nor do we have any Commission findings or a CJEU decision to guide the assessment of the laws applicable to the UK. As such there is still a considerable amount of uncertainty as to what additional safeguards EU exporters to the UK may need to put in place at the end of the transition period and will likely depend on the types of data being transferred and the UK recipients of such data.  In addition, we are expecting the European Commission to provide updated versions of SCCs hopefully by the end of the year, primarily to update in line with GDPR but also to address transfer scenarios not covered by the current SCCs and possible options to enable multiple parties to easily sign the SCCs. It is also anticipated that they will address some of the points arising from the Schrems II decision.  Therefore this is an area to be kept under review in the coming weeks.

The EU Commission has started the adequacy assessment for the UK and confirmed at the start of July that it will use its best endeavours to conclude the assessment of the UK regime by the end of 2020 with a view to adopting an adequacy decision if the applicable conditions are met. However, this timeline remains highly optimistic, so businesses should still take steps to understand their data flows between the EU and the UK so that they are ready to put alternative mechanisms and safeguards in place later in the year if needed.

Data transfers from the UK: The UK Government's position to date has been that the UK will continue to treat EU countries' laws as adequate for the purposes of the UK GDPR and the Data Protection Act 2018. Assuming this remains the case, transfer adequacy mechanisms will not therefore need to be deployed for UK to EU data transfers.

Personal data transfers to other jurisdictions will need to be made compliant with the UK GDPR and Data Protection Act 2018 obligations. Essentially these are as per the pre-Brexit position and the UK Government has confirmed that EU adequacy decisions, approved EU SCCs and BCRs will all also be recognised in the UK to legitimise data transfers to non-adequate countries. Transfers to Gibraltar will also be allowed to continue. 

Organisations with UK approved BCRs need to consider transferring oversight of those BCRs to a new BCR lead authority in the EU before the end of the transition period to ensure that the EU group members can continue to rely on them (whilst in many cases maintaining a separate UK set of BCRs to deal with continued transfers from the UK).

The ICO has however recognised the challenges that UK organisations face in light of the Schrems II decision and has confirmed that it will continue to provide practical and pragmatic advice and support. 

Lead supervisory authority and representative issues: At the end of the transition period, the GDPR "one stop shop" will no longer apply in the UK, in investigations that have a multi country dimension. EU regulators will no longer be bound to act through the ICO, even when a business has its overall European headquarters in the UK. Conversely, for organisations with their "main establishment" in one of the remaining EU countries, the ICO will no longer be bound by the GDPR's consistency mechanism. In either case, this means that organisations could face distinct investigations and sanctions in the UK and the EU. In a large scale data breach, for instance, both the ICO and at least one EU regulator may need to be notified with details of the breach, and each could follow up with distinct investigations and sanctions (such as fines). 

The situation will be worse still for EU-active, UK-headquartered businesses unless they can position one of their other (non-UK) EU presences as their "main establishment" in the EU. For offshore businesses without a "main establishment" in the EU, the EU GDPR's "consistency" rules do not apply; so in the aforementioned data breach scenario, for instance, the UK-headquartered business might have to notify (and then cooperate with investigations by) regulators in every relevant EU / EEA country (plus the UK, if the UK is relevant).

To avoid that worst-case outcome, many UK-headquartered multinationals are therefore looking at how best they can position a subsidiary in the EU as their "main establishment" in the EU; for efficiency, businesses might even decide to shift control of data protection matters entirely out of the UK, rather than split control between the UK and the EU.

UK businesses without an EU presence but which process the data of EU-based individuals (e.g. their online customers) will need to consider the GDPR's requirements to appoint an EU representative, including so that the representative can deal with regulators on their behalf. The same is also true of EU businesses which process the personal data of UK-based individuals but don't have a UK presence. They will need to appoint a UK representative.

Click here for more information on how Brexit can impact Data Protection and Cyber Security.

Trade, tax and tariffs

Multinational tech companies should review their international strategies to determine whether, and to what extent, they continue to use UK group companies as a gateway to the EU, particularly as companies within the EU will no longer be able to rely on EU directives to eliminate withholding tax on dividend, interest or royalty payments to the UK.

Businesses which currently rely on a UK-based Mini One-Stop Shop (MOSS), enabling businesses to register and account for VAT on all relevant supplies throughout the EU via a single registration for sales to EU customers, will need to register in an EU jurisdiction as the UK will no longer be part of the MOSS scheme.

At the time of this update, an agreement on a free trade agreement between the EU and the UK appears increasingly unlikely.  If a free trade agreement is agreed, its details will emerge towards the end of 2020 and its implications will need to be assessed quickly. As a matter of good practice, tech companies need to consider their trading position under WTO rules in case a free trade agreement is not agreed. 

Businesses trading goods with the EU27 should review their supply chains and consider how they will handle the logistics of import and export declarations and procedures. In particular, UK businesses trading goods with the EU27 should ensure that they have an Economic Operator Registration and Identification (EORI) number.  This will be essential in order to import into or export goods out of the EU into the UK after the end of the transition period. Businesses should check that they have an EORI registration in place and take steps to obtain one if they do not.

From 1 January 2021 to 30 June 2021 HMRC will introduce a new simplified import customs clearance system – Customs Freight Simplified Procedures/Entry In Declarants Records (CFSP-EIDR).  This system will replace the Transitional Simplified Procedure (TSP) process which has been abolished. Under CFSP-EIDR importers will have six months to present the import entry, but importers must keep records of arrivals. The system will be available to all companies and importers without the need to apply for it. From 1 July 2021, full import customs clearance formalities will apply (Form C88). Full Export declarations for exports from the UK to the EU will be required from 1 January 2021.

Safety & Security declarations will not be required for imports to the UK until 1 July 2021 but will be required for exports from the UK to the EU from 1 January 2021.

In terms of potential import/export tariffs on sales of software and services between the UK and EU, WTO rules treat sales of packaged software, in general, as "products" that are covered by the 1996 WTO Information Technology Agreement. This Agreement eliminates tariffs on a broad range of high technology products including packaged software and computer hardware. Whether cloud-based or sold on physical media, international software sales between the UK and the EU should remain tariff-free.

SaaS and other IT services (e.g. consultancy) are classified by the WTO as services rather than a product. These services fall under the General Agreement on Trade in Services (GATS). GATS imposes an unconditional most favoured nation obligation.  It also imposes requirements concerning national treatment and market access, subject to the member country having made relevant concessions in its schedule of commitments. GATS specifies generally that the international sales of services between WTO members are tariff-free.

For more information on future trading arrangements click here.

Contracts

Existing commercial contracts should be reviewed, particularly those involving entities within the EU, in order to assess the effect that a "no-deal" Brexit may have on the on-going enforceability of English law contracts where there is a non-UK element to the contract. 

Following an influx of hastily drafted "Brexit clauses", disputes are likely to arise as to their enforceability or otherwise. For those who attempt to rely upon more general "force majeure" clauses in the event of considerable disruption at the end of the transition period, there is an equal chance of disputes arising concerning their interpretation. A third problematic area is where contracts include territorial definitions which have been based upon the EU territory but are intended to include the UK.

As to procedure for contractual disputes/enforcement of judgments, on the choice of governing law in contracts, Rome I and Rome II, the EU Regulations which currently govern the choice of law of contractual and non-contractual obligations will be incorporated into UK law and therefore will continue to apply. This means that the position in relation to governing law will not change.

The position on determining the jurisdiction of a court to hear a dispute and the enforceability of any resulting judgment is less straightforward. During the transition period the current framework governing this area continues as before but this may fall away at the end of the transition period. Unlike with governing law, the current rules cannot just be replicated into UK law, as they rely on reciprocity.  One partial solution to this is for the UK to accede to The Lugano Convention 2007 (which it officially requested to do on 8 April 2020). This would be welcome as Lugano provides a reciprocal arrangement in the areas of jurisdiction and the enforcement of judgments on a broadly similar basis to that currently in operation between the UK and the EU. However, accession to the Convention depends upon consent from the other signatories and, currently, the EU and Denmark have withheld their support, rendering it impossible for the UK to join the Convention prior to the end of the transition period. In any event, the UK has confirmed its intention to accede in its own right to The Hague Convention on Choice of Court Agreements from the end of the transition period. The Convention provides a worldwide framework of rules in relation to exclusive choice of court (jurisdiction) clauses only and the recognition and enforcement of judgments based on these clauses in civil and commercial matters. Unlike the Lugano Convention, accession does not require the consent of other signatories, and so the process of joining the Hague Convention should be relatively straightforward at the end of the transition period.

The effect of accession would be that courts in EU Member States (and the other contracting states to the Hague Convention) would be obliged to honour exclusive choice of court agreements designating UK courts, and to enforce the resulting judgments. In respect of contracts signed before the date of accession, there is no certainty as to what regime will apply, nor to contracts which do not contain an exclusive jurisdiction clause. 

As a side note, a new Hague Convention on jurisdiction was drafted in 2019.  This proposed convention has a far wider scope than the 2005 Hague Convention in that it deals not just with exclusive jurisdiction clauses and, if ratified (not something that is expected for some time), may have the effect of harmonising this area between the UK and the EU.

If it is a priority to be able to obtain a judgment that can be enforced in the EU without difficult, then it is worth considering a dispute resolution clause that is not based on exclusive English jurisdiction.  This leaves options open if, at the end of the transition period, it appears that English court judgments are not going to be easy to enforce (despite the measures being explored currently described above).  Such options would include non-exclusive jurisdiction clauses, choosing another EU member state court, or arbitration.

Trade marks and other IP

Tech companies should identify which of their business' trade mark rights are likely to be affected by the UK's departure from the EU and may need further application/registration in order to achieve maximum protection over those rights; time is running out to make any further applications or registrations so any anomalies should be addressed as soon as possible. 

After the end of the transition period, EU Trade Marks (EUTMs) and Registered and Unregistered Community Designs will no longer have effect in the UK. The UK Government has provided that at the end of the transition period, the UK will automatically create a comparable UK trade mark for every registered EUTM, at no charge. The same will apply for Registered Community Designs (RCDs). However, this will not apply to pending EUTM applications, so tech companies with pending applications should apply to register a comparable UK trade mark by 31 January 2020 to benefit from the same filing date as the related EUTM application. 

Therefore there is technically no need for tech companies with existing EUTM and RCD registrations to re-file for equivalent registrations in the UK, as comparable UK registrations will arise automatically. However, for new filings, tech companies are advised to dual-file in the EU and UK. This is because EUTM applications pending at the end of the transition period will need to be re-filed in the UK anyway. Tech companies should also review the following:

  • Whether they have any pending oppositions/cancellation actions at the EUIPO: actions which are only based on UK rights will fall away; parallel actions against the new comparable UK trade mark will need to be brought.
  • Whether their existing EUTM legal representatives will remain entitled to represent them before the EU IPO after Brexit. Bird & Bird will be able to represent clients before both the UK and the EU IPOs.
  • Their broader enforcement strategy: after the end of the transition period a new pan-EU injunction will not cover the UK and will not be available in the UK, meaning both EU and UK proceedings will need to be brought to cover all of Europe.
  • Whether they have an EU customs notice ("Application for Action") in place which was filed via UK Customs: these will fall away and need to be renewed/re-filed via one of the remaining EU countries. A UK filing will also be needed.
  • Whether they have hardware businesses affected by parallel imports between the UK and continental Europe: the ability for trade mark owners to prevent imports from one territory to the other will differ depending which way the goods are going.
  • References to the EU in brand licence agreements will need to be considered.

For additional information on what to consider in regards to IP click here.

eCommerce Directive

The UK Government has made clear that at the end of the Brexit transition period, the eCommerce Directive will no longer apply to the UK. 

Article 3 of the eCommerce Directive provides protection for online service providers (including cloud solution providers) by allowing them to operate in any EEA country while only following relevant rules in the country in which they are established. Article 4 of the eCommerce Directive states that service providers that provide services in a regulated field, such as financial services, only need to obtain prior authorisation to do business in the country where they are established. As the eCommerce Directive will not apply in the UK after the end of the EU transition period these protections will no longer be available.

The loss of these protections will mean that online service providers based in the UK and providing services to customers across the EEA will need to consider and take steps to comply with the national rules applicable to their services in each EEA country where their services are available.  Similarly, EEA service providers doing business in the UK will need to consider and take steps to comply with the UK law applicable to their services.

For additional information on the implications of the eCommerce Directive in the UK click here.

Software export controls

Export controls apply generally to items that are specially designed or modified for military use and to items designed for civilian use which have potential military uses ("dual-use" items). Some software is subject to EU export control as dual use items, including many commonly used encryption protocols, unless the products are specifically excluded (such as smart cards and smart card reader/writers and mobile telephones for civil usage) or are excluded as being generally available to the public at retail selling points. 

The EU Dual Use Regulation has been incorporated into UK law. However, from the end of the transition period the UK will be regarded by the EU as being a third country for the purposes of EU export control. The European Commission has made clear that it will amend the General Export Authorisation (GEA) for the export of all dual use items (including encryption software) to include exports from the EU to the UK. Exporters of dual use software from the EU to the UK (that is not exempted) must notify the relevant national competent authorities of the first use of the GEA and EU Member States may require registration prior to first use of the GEA.

For transfers from the UK to the EU, the UK has issued an Open General Export Licence (OGEL) to cover the export of dual use items (including encryption software) from the UK to the EU from the end of the transition period. The OGEL has conditions and does not apply if the exporter is aware that the dual use item is intended to be used in certain weapons systems. Companies need to pre-register with the Department of International Trade for each product for which the OGEL is relied on and must comply with the terms of the OGEL, including a requirement to include a note on official export documentation that the items are exported under the OGEL.

Conformity Assessments (CE marks)

From the end of the transition period conformity assessments currently carried out by UK conformity assessment bodies will no longer be valid for EU purposes. Instead, EU conformity assessments will need to be carried out by EU-based bodies. Where companies hold existing certificates issued by a UK conformity assessor they will need either to apply for a new certificate from an EU-based conformity assessor or to arrange for a transfer – with the EU Conformity Assessor then taking over the responsibility for that certificate.

In the UK, in most instances until 1 January 2022, it will be possible to use the CE marking when placing their products on the UK market (if their product meets the relevant EU requirements), including where products have had a third-party assessment carried out by an EU-recognised body. The new UK Conformity Assessed (UKCA) mark will also be available for products that require third party assessment of conformity within the UK. This will need to be carried out by a UK-based Approved Body. After 1 January 2022 a UKCA marking will be required, declaring conformity with the UKCA marking regulations instead of the EU directives and regulations.

From the end of the transition period UK manufacturers exporting products to the EU27 must appoint an importer. Similarly products from the EU placed on the UK market will require a UK importer.

Importers must:

  • Mark the product with their name and address;
  • Understand and check the markings, declarations and technical file;
  • Satisfy themselves that the CE or UKCA marking process is complete;
  • Be the primary point of contact for the EU or UK authorities; and 
  • Be prepared to cooperate with the authorities if there is a product recall or similar.

Geo-blocking

The Geo-Blocking Regulation came into force in the UK in December 2018. Amongst other matters, it prohibits blocking access to, or forced redirection away from, a website on the basis of an internet user's EU nationality or place of residence within the EU.  The Regulation will remain in force until the end of the transition period. 

A Statutory Instrument has been made under the EU Withdrawal Act which will revoke the EU Geo-Blocking Regulation in the UK when it is brought into force – which is envisaged to be from the end of the transition period. Companies would then not be prohibited from discriminating in the UK between EU customers and UK customers in their on-line businesses. 

Within the EU27 the EU Regulation will continue to apply to UK businesses, meaning that UK companies will not be able to discriminate between customers in different EU Member States, for example

Competition

Companies operating in the UK and the EU should consider potential exposure to parallel investigations by the European Commission and UK Competition and Markets Authority (CMA) and the need to safeguard their position under both the UK and EU regimes.
 
They should re-assess territorial restrictions in agreements, as between the UK and the EU, under the anti-trust rules as from Brexit. More generally, companies should be aware that the Competition (Amendment etc.) (EU Exit) Regulations 2019 will adapt EU competition regulations to become a set of domestic regulations as from the end of the transition period.  The regulation of state aid in the UK following the end of the transition period remains – at the time of preparation of this update – a very "hot" political issue.  

If you are planning a large-scale merger or acquisition, consider whether it will be subject to merger control scrutiny by both the UK CMA and the European Commission, as the Commission will no longer be a "one stop shop" for large mergers affecting the UK, as from Brexit.

Read more on the competition law implications here

How Bird & Bird can help

Bird & Bird has a range of tools to help businesses prepare for the commercial impact of Brexit, this includes:

  • Our Brexit Briefings that offer further information about the ramifications of Brexit on a particular sector or area of law
  • Our Brexit Jargon Buster for simple explanations that help you get to the heart of the issues in the Brexit debate.
  • Our Commercial Drafting Checklist which highlights Brexit-related issues for businesses to consider when contracting during this period

Further Alerts and Briefings will be issued by Bird & Bird on our dedicated Brexit Portal as these issues become clearer.

For further information and advice on these topics please contact one of our specialists