According to Theresa May, the UK’s recently installed prime minister, Brexit means Brexit. But what this actually means in practice is still unknown. There is still a huge amount of debate over what Brexit will look like, what process should be followed and how long it will take. Some commentators, such as Michael Dougan, Professor of European Law at the University of Liverpool, have suggested that it could take up to 10 years to make all the necessary adjustments.

In the meantime, it’s business-as-usual in the field of commercial contracts, outsourcing and technology deals. That said, there are some key areas that should be considered when putting these deals together, given what we now know (and still don’t know) about Brexit, as well as provisions that should be kept under review as the Brexit story unfolds. This is going to be an evolving area, but, based on discussions with both buyers and sellers over the past couple of weeks, here are my top ten:

1. Data Protection

The potential impact on data protection compliance and related contractual mechanisms should not be underestimated. It is made more complicated by the EU’s General Data Protection Regulation (GDPR) which will enter in force on 25 May 2018. The GDPR is a Regulation, meaning that it is “directly applicable” in all the Member States and does not require local implementation to be effective (as is the case where EU laws are enacted as a Directive). The GDPR is primarily concerned with “beefing up” protection for European consumers and will apply to businesses which handle EU data subjects’ personal data regardless of where the business is actually located.

When the UK leaves the EU, then unless it opts to join the EEA, it will become a “third country” in EU privacy parlance meaning that, until such time as it receives an adequacy finding by the European Commission, or some other mechanisms is put in place (such as a UK version of the EU-U.S. Privacy Shield), the UK will no longer be considered as an automatically safe destination for data transfers. Although, the UK’s Information Commissioner’s Office (ICO) has said that the UK’s data protection laws will be updated for this purpose, obtaining an “adequacy” designation from the Commission will take time. This means companies that move personal data from the EU to the UK (whether intra group or via a third-party processor) will need to “plug this gap” through implementing their own compliance mechanisms such as contractual clauses approved by the Commission, or Binding Corporate Rules for intra-group transfers, as well as reviewing data flows and arrangements with third parties where personal data is handled.

2. Change in Law and Regulation

In addition to the standard representations and warranties of compliance with applicable laws and regulations, outsourcing agreements often include heavily negotiated clauses which seek to apportion the cost of complying with mid-term changes in laws and regulations between a customer and its service provider.

One approach is to provide that the increased costs of compliance which flow from general changes in law and regulation are borne by the service provider, whereas costs which are sector-specific, and which result in a change to the way Services are performed are paid for by the customer. Sometimes the service provider is under an obligation to seek to share that cost with its other customers (e.g., where the service provider performs business process services via a multi-tenant platform). Another approach is to provide for a regulatory buy-out a sum of money which is paid by the customer to the service provider in return for the service provider not charging for the cost of changing its services to comply with future changes in law and regulation. A third approach, common in cloud-based deals, is for the service provider to warrant day-one compliance but all future change is implemented on a paid-for basis—where the cloud provider offers a multi-tenant platform, a customer user group (comprising representatives of all the different customers on the platform) may determine, in consultation with the provider, the pace and extent of the change which is needed.

These provisions, which are often complex, and can give rise to contrary interpretations, and sometimes disputes, will need to be considered carefully, since however Brexit is implemented there is bound to be impact at some level.

3. TUPE

The UK law governing employment rights in an outsourcing scenario derives from the EU’s Acquired Rights Directive (ARD); however, unlike GDPR, the ARD required local law implementation, hence the UK’s Transfer of Employment (Protection of Employment) Regulations, commonly referred to as TUPE. In fact, TUPE goes beyond what was strictly required under the ARD in that it applies not just to a customer’s initial outsourcing but also covers 2nd generation outsourcing (i.e., service provision change). Brexit of itself will not change this; however, some commentators have suggested that, post Brexit, the government may seek to remove some of the constraints that it imposes on businesses by making it easier to harmonise terms and conditions following a TUPE transfer.

4. Force Majeure and Termination

Unless there is an express clause in an existing agreement that treats Brexit as an event of force majeure or gives rise to a right to terminate, it is going to be difficult to argue that rights under these provisions will be triggered. If Brexit means that a once profitable contract ceases to be so, there might be scope to argue that the contract is frustrated or even illegal (such as where the continuance of a contract depends on the operation of EU legislation which, on Brexit, will likely cease to apply). Some contracts contain clauses which come into play where there is a material adverse change. Again, the specific terms need to be considered to see if they might be applicable.

Looking ahead, it is worth considering inclusion of a Brexit-review clause, for example bringing the parties back round the table in the event that Brexit’s implementation shifts the contractual balance so that the deal starts to operate to the detriment of either party.

5. VAT

Whilst the UK’s VAT regime is set out in local legislation, it is currently subject to EU Directives and Regulations and to EU case law.

Within the EU, VAT law has been undergoing harmonisation since 1977. Currently, EU member states must apply a ‘standard’ VAT rate of at least 15%—in practice there is quite a significant range between the different Member States, with Hungary’s rate the highest at 27% and Luxembourg’s rate the lowest at 17%. UK and Germany are at 20% and 19%, respectively. Whilst most commercial contracts simply allow the service provider to charge VAT at the prevailing rate, in VAT-exempt sectors such as financial services and insurance, which have given rise to a spate of decisions in the European courts, outsourcing agreements typically contain far more complex terms which may have material impact on the deal economics if exemptions and input VAT rules change; at the very least there may be a mutual cooperation clause which requires consideration.

It is too early to say how the UK’s VAT regime will change following Brexit and whether HMRC’s approach in applying the rules will alter. One possibility is that the rules are changed so that transactions with non-UK counterparties are granted a right to recovery, meaning that financial firms can significantly reduce irrecoverable VAT on IT and related spend.

6. Insurance Clauses

Historic policies that still provide cover, such as occurrence-based policies, will need to be reviewed for provisions referring to the EU which, following Brexit, will exclude the UK.

Outsourcing agreements often mandate the types and amounts of insurance cover held by a service provider during the term and as such, there may be some impact to be considered here as well.

7. Territorial References

Agreements often refer to the European Union or to the EEA. Examples of commercial arrangements which may assign certain rights across these geographies include intellectual property licences, commercial agency, distribution and franchise agreements, as well as insurance policies (mentioned above).

8. Definitions

In addition to territorial references, there are definitions commonly used in outsourcing and other commercial agreements which we take for granted and which will need to change, as will references to EU legislation to the extent it is no longer applicable. For example, pan-European outsourcing deals commonly define terms such as Data Protection Laws and TUPE Transfer Regulations by reference to the primary EU legislation (the Data Protection Directive—being replaced by the GDPR—or the Acquired Rights Directive) as well as local implementing laws in the applicable Member State. Post Brexit, this approach won’t always work, depending on the Brexit-model adopted.

9. Governing Law

Whilst there is no immediate impact, since the UK remains with EU for the time being, we can certainly expect some change here since on Brexit, the EU’s Rome I and Rome II Regulations dealing with choice of law rules applicable to contractual and non-contractual obligations, will cease to apply in the UK. This could give rise to interesting questions of interpretation. For example, how will an English governing law clause be interpreted where the UK was in the EU at time of contracting but by the time of performance it has left?

This will be important for cross-border business-to-business deals, and with the current uncertainty in terms of how this gap will be bridged following Brexit, we can also expect to see civil code lawyers in countries such as Germany and France making a concerted push for their laws to apply to commercial contracts in place of English law.

10. Intellectual Property

IP is at the heart of many outsourcing and commercial deals. There are no immediate changes but given that much of EU IP law is harmonized, there are implications depending on how the UK seeks to fill the legislative void, which will undoubtedly creep into contract negotiations and drafting of agreements in cross-border deals. One obvious impact of Brexit is that unitary, pan-European, intellectual property rights such as Community Trade Marks and Community Registered Designs, will cease to cover the UK on its exit from the EU.

The UK’s legal system is in many areas inextricably linked to and interwoven with the laws of the EU. Untangling the UK’s system is going to be a lengthy task, with the consequences of the Brexit vote for commercial contract and IT/Outsourcing lawyers and their clients, some anticipated some not, still unfolding.