The UK technology sector received an estimated £30 billion in investment between 2017 and 2019 – more than in France and Germany combined over the same period – and now the boost of a Brexit trade deal with the EU should encourage further investment into the sector here in the UK.
Some of the UK-EU Trade and Cooperation Agreement’s new rules will be phased in, but the vast majority apply immediately, so the UK’s tech sector should familiarise itself with the deal right now and prepare for the extra paperwork and bureaucracy. Below, therefore, is a summary of the key aspects of the deal the UK’s tech sector needs to be aware of.
The Trade and Cooperation Agreement sets out the new terms of trade for all UK businesses in respect of the EU from 1 January 2021.
No tariffs or quotas for importing and exporting goods
Although the Agreement ensures no tariffs or quotas will apply to goods traded between the UK and EU, and no limit on quantities of goods that can be traded, there will now be non-tariff barriers (border checks, extra paperwork and regulatory procedures, etc) with which the tech sector has to comply.
(The Government provides detailed information on additional paperwork companies need at http://www.gov.uk/topic/business-tax/import-export)
In the absence of mutual recognition for certified products, hardware manufacturers will now require regulatory approval in both the UK and EU for certain products. UK manufacturers exporting goods to the EEA (European Economic Area) must appoint an importer to deal with EU authorities, and EEA manufacturers will need to do the same when exporting to the UK.
Commercial Contracts and the Supply Chain
New non-tariff barriers that apply to goods could result in border delays and longer delivery times. Therefore, any supply contract relating to goods needs to be reviewed to check:
• the allocation of risk in relation to delays;
• the interpretation of “EU” or “EEA” in relation to the UK in existing contracts;
• the effectiveness of jurisdiction clauses as the legal position on jurisdiction and enforcement of judgments in the EU is not clear now that the Brussels Regulation no longer applies.
Data Protection and the Transfer of Personal Data between the UK and EU
In parallel with the Brexit trade deal, the UK and EU have agreed to allow a further six-month period for the free flow of personal data between their territories. For now, this means that no additional rules or procedures need to be complied with.
Longer term, it’s hoped that the EU will confirm that UK data protection laws offer data adequacy (the same level of protection as EU law) . If they do, case-personal data can continue to be transferred without taking any extra steps or measures. Whether or not a finding of data adequacy is made, it is important for UK tech businesses to remember that EU GDPR will still apply to UK data controllers who:
- have an establishment in the European Economic Area (EEA); or
- are monitoring or targeting individuals in the EEA.
UK – EEA data transfers
Given that the UK Government has confirmed that it regards EU data-protection rules as being adequate, the transfer of personal data from the UK to the EEA should not cause problems.
EEA – UK Data Transfers
As EU authorities are still to decide whether UK law offers data adequacy, the position here is not yet clear. If the EU does not confirm data adequacy, UK businesses will need to take additional safeguards to ensure that personal data received from the EEA is compliant with EU GDPR. The easiest and most straightforward way of doing this is to adopt the Standard Contractual Clauses as approved by the EU Commission.
The Need for EU Representatives
Any UK businesses that do not have a branch or establishment in any other EEA state but which either (i) offer services to EEA individuals or (ii) monitor the behaviour of EEA individuals, will need to appoint an EU representative.
That business will need to appoint a representative in writing to act on its behalf in relation to the GDPR compliance, and deal with any EEA supervising authorities or individuals. The representative can be an individual, company or organisation; they must also be located one of the EEA countries that is processing the personal data of relevant individuals. Details of the representative must be given to EEA-based individuals whose data is being processed, and the representative must also be “accessible” to EEA supervising authorities – for example, by being identified on the company’s website.
If personal data processing is only occasional or is of low risk to the rights of individuals and does not involve large scale use of special category or criminal offence data, then a representative is not required.
Continuing EU Regulatory Oversight of UK Businesses
Importantly, Brexit marks the end of the “one stop shop” approach. This means that UK tech businesses involved in cross-border processing of personal data may now be subject to additional regulatory investigation by the supervisory bodies in one or more EEA states in addition to the ICO. Even worse, businesses could be open to fines from an EEA supervisory body too.
Even the simplest scenario where a UK business has two establishments, one in UK and one in the EEA, and there is a security breach affecting EEA customers, the business could find itself investigated by both the ICO and relevant EEA supervisory body, potentially being fined by both.
For a UK business that has no establishment in the EEA but has personal data processing likely to substantially affect individuals in one or more EEA state, any security breach affecting individuals will be subject to investigation by the ICO (Information Commissioner’s Office) in relation to UK GDPR. If individuals have been affected in their state, the business may also be investigated by any (or all) of the EEA supervisory authorities. Consequently, fines could be imposed by both the ICO and the supervisory authority in every EEA state where individuals have been affected. This, admittedly, is a worst-case scenario, but one worth being aware of, nonetheless.
In order to avoid the risk of investigations by several supervising bodies, UK businesses with EEA establishments should consider arranging matters so that one of the EEA establishments becomes the “main establishment” under EU GDPR rules.
Intellectual Property Rights
The general position regarding copyright and patents is that Brexit will have no great effect, as neither is governed by EU rules or institutions.
However, EU trademarks and other EU-registered rights are affected, with the result that:
- existing EU rights are no longer valid in the UK but the UK has introduced equivalent UK rights so that no practical action is needed;
- for any pending or future filings, dual applications will be needed in both the UK and EU to ensure full geographic coverage;
- businesses will need to check that their legal representatives are still able to represent them before the UK or EU IPO (Intellectual Property Office);
- pan-EU injunctions will no longer cover the UK, so additional proceedings may be necessary.
Exhaustion of IP Rights
The new trade deal states that although owners of UK IP rights will not be able to prevent parallel imports from the EEA (as the UK will no longer be an EU Member State) owners of IP rights in the EEA will be able to prevent parallel imports from the UK. Any UK parallel importers will need to review whether they require the EEA-based IP rights holder’s permission to export goods to the EEA.
More ambitious than most free-trade agreements entered into by the EU, the Brexit trade deal encourages digital trade between the UK and EU. It also encourages the provision of products and services via digital channels such as the internet, and includes:
- an obligation in favour of cross-border data flows;
- a ban on data localisation, which means that, in general, there can be no requirements for data to be stored in the UK or EU;
- a ban on any requirement to see the source code of applications being used to provide products and services;
- a general rule that electronic contracts, signatures and the provision of services digitally will receive equal treatment in both the UK and EU;
- a commitment from both the UK and EU to ensure high standards of personal data protection;
- an obligation from the UK and EU to co-operate in the development of emerging technologies such as Artificial Intelligence and quantum computing. It’s hoped that common understanding and co-operation will enable any technologies developed in the UK or EU to be marketed more easily in the other’s markets.
The ability of UK workers to deliver services in the EEA
The agreement has been largely successful in ensuring that UK businesses can continue to provide technology services throughout the EEA without significant disruption. The main points of the agreement are:
- no requirement for visas for short-term trips to the EEA (less than 90 days in any 180-day period);
- there will generally be no economic needs test to be satisfied for workers providing short-term services in the EEA, and the list of permitted activities will include meetings, sales, consultancy and post-sales services such as repair and maintenance;
- a prohibition on the EEA states or the UK discriminating against service-suppliers based in the other’s territory;
- a ban on any requirements for a local presence to provide most services.
Given that there is not yet full harmonisation of the provision of services within the EU, there are a number of exceptions at the EEA member state level in relation to employees physically travelling to deliver services. Businesses should therefore check the relevant national rules.
An open approach to the telecoms market has been followed, with both UK and EU providers having access to each other’s telecoms network. Therefore, there’s no need to wait for prior authorisation before beginning to deliver services. Such a high level of mutual access goes beyond traditional pre-trade agreements.
A framework has been created for strong UK-EU co-operation and the UK will be participating in relevant expert bodies such as the European Union Agency for Cyber Security (ENISA) and the Network and Information Systems Co-operation Group (NIS), and will co-operate with the EU’s Computer Emergency Response Team (CERT-EU).