On 23 June 2016, the United Kingdom voted to leave the European Union ("EU"), commonly known as 'Brexit'. The result went against the final polls which had predicted a slim 'Remain' victory. In this note we consider the possible implications in the areas of data privacy, technology and IP.
The UK does not immediately leave the EU as a result of this vote. The process for exit is triggered formally by a notice under the Lisbon Treaty which governs the EU, and such a notice provides for a two year negotiation period before the exit happens. That period can be extended, but it is unclear when the UK will give notice. The UK's Prime Minister has resigned and has indicated that he intends to leave office in October, and that it will be for his successor to decide when to give notice. It will take at least two years to unravel the complex web of legal, trade and political relationships that have been created over the 43 years that have elapsed since the UK first joined the EU's predecessor.
The Data Protection Act 1998, although implementing a European Directive, is an Act of the UK Parliament and as such will continue in force until it is amended or repealed. Consequently, the existing obligations on organisations will continue to apply. It remains to be seen the extent to which the UK Government will mirror the recently agreed General Data Protection Regulation ("GDPR"), which provides radical reforms to EU data privacy laws. The GDPR may not automatically apply to the UK if the UK exits prior to the date the GDPR comes into force on 25 May 2018. However, US companies which are not established in the EU will still have to comply with the GDPR where the personal data of EU individuals is processed in relation to the offering of goods or services to them (e.g. offering for sale goods on a French language website), or the monitoring of their behaviour in the EU (e.g. placing cookies on computers).
International data transfers
For the moment, and during the two year negotiating period, we believe it to be business as usual, and that therefore existing lawful international data flows will continue to apply.
Under existing laws the transfer of personal data outside of the EU is generally unlawful as the EU Commission has determined that most countries outside the EU do not provide adequate protection for EU citizens' personal data. Exceptions to this include the individual’s consent to the transfer, Model Clause agreement being entered into between the data exporter and importer and intra-group Binding Corporate Rules.
We believe it is likely that the Commission will find that the UK does not provide adequate protection unless the UK Government implements legislation similar to the GDPR. In this regard, the UK Government will not want question marks hanging over the ability for personal data to be transferred from the EU to the UK. Accordingly, it is possible that the UK may have to pass legislation which is at least equivalent to the GDPR so that the UK can be seen to provide the same level of protection as the EU.
As regards data transfers from the UK to the US, it remains to be seen whether, after the two year exit period, Model Clauses (and/or the proposed Privacy Shield – if and when fully approved by the EU) will continue to be available as a means of lawfully transferring data. No doubt this will be one of the many complex legal issues which will be assessed and negotiated. However, in any event, one way of circumventing any uncertainty would be for UK-based companies which wish to transfer data outside of the UK (including to the US) is to reassess whether consent from the individuals to the transfer can be gained in an efficient and business-friendly manner. The review and updating of privacy policies with a view to securing individuals’ consent should help in this regard.
The Cyber Security Directive, due to be implemented within around two years, will oblige digital service providers to take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in their operations and to notify the competent authority of significant security incidents. As a result of Brexit, this Directive is also unlikely to apply in the UK, but as with the GDPR, there may be some pressure on the UK Government to implement similar legislation.
- The Data Protection Act 1998 will continue to apply in the UK.
- The forthcoming GDPR and the Cyber Security Directive may not automatically apply in the UK.
- Existing lawful data transfer arrangements will continue to apply, but the complex inter-relationships between the UK, EU and US regarding data transfers will need to be monitored. Accordingly, organisations should consider reviewing their privacy policies to determine whether consent is a viable option.
EU trade marks and EU registered designs, act as EU-wide rights. It is possible that following the expiration of the two year negotiating period, EU trade marks and registered designs will no longer offer automatic protection in the UK. As such, it is important that protection is ensured through national registrations in the UK. Accordingly, if necessary, fresh applications should be considered. Another possible action would be to convert EU trade marks into national rights – the advantage of this course of action being that the national registrations would continue to enjoy the same priority date as the EU trade mark.
Software is protected by copyright laws which are enshrined in the UK's Copyright Designs and Patents Act 1988. This will continue in force until it is amended or repealed. However, copyright law has been harmonised across the EU to some extent by various Directives, and there are many cases from the Court of Justice of the European Union which have provided binding interpretations of many aspects of copyright law. The European Court's decisions made after exit are unlikely to bind the UK.
As regards patents, following the two year period, applicants will still be able to apply for national patent rights in all European Patent Convention countries via a single application. These national registrations will not be affected by Brexit. However, the new Unitary Patent (still to be fully ratified and implemented by participating Member States), which will be enforceable across most EU Member States, will probably not cover the UK following Brexit. Nevertheless, British patentees will still be able to apply for Unitary Patents in other Member States.
- EU trade marks may not offer protection in the UK following Brexit.
- National registrations and European conversions should be considered.
- Nationally registered IP rights will be unaffected by Brexit.
- Copyright is not registrable in the UK or Europe – protection in the UK will be largely the same.
If you would like further guidance on the implication of Brexit on data privacy, technology & IP then please contact Barry Fishley.
Barry Fishley, Editor.