How will Brexit affect the IP community? What about my privacy rights and obligations?
As you have certainly heard by now, the United Kingdom (UK) will be leaving the European Union (EU) after 43 years of membership. What action should you take in response? When? It is certainly too early to say for sure, and we will monitor the situation as it evolves. Nevertheless, it is possible to provide some observations and suggestions as to prudent steps to be considered.
However the situation may evolve, it will take a while. Formal exit terms must be negotiated between the UK and the rest of the EU, and nothing will be effective for at least two years, and probably longer. Pending situations will not be impacted at all.
Over time, we suggest consideration of the following.
Regarding patents, the United Kingdom has been and will continue to be aligned with the European Patent Office. The European Patent Office is not an institution of the European Union, but is organized under a separate treaty, and the UK continues to be a member of the European Patent Convention alongside numerous other members who are not part of the European Union. The Unitary Patent program that is currently in process will also continue to move forward. Under this program, a single patent will be granted for all of the member countries, with a single court system to enforce the patents and determine validity. The UK is currently signed up for this program and is also scheduled to host some of the institutions of the single court system. As such, the impact of Brexit on patent rights in the UK should be negligible.
As mentioned, there will be no immediate impact of Brexit on IP rights in the UK. However, since European Trade Marks and Registered Designs are specific to each EU state, there may be some future impact. It remains to be seen whether the UK will grandfather Community Trademark and Registered Design owners or provide some type of transitional provisions for existing marks and designs to continue to apply to the UK. This will be something to watch in the near future.
The demise of the Safe Harbor for personal data transfers from the EU to the US, the uncertain status of its replacement, the Privacy Shield, and the uncertain status of the Standard Contract Clauses would have created a great deal of uncertainty even if the Brexit vote had gone the other way. Now, the uncertainty is compounded as we anticipate separate tracks for regulation by the UK and the rest of the EU. While the details are beyond the scope of this Alert, companies with operations in the UK and the rest of the EU will need to follow the negotiation of separation terms to determine the extent to which the EU will recognize UK practices as “adequate” with respect to transfers between the UK and the rest of the EU.
Because the Edward Snowden revelations were leading to increasingly onerous, impractical demands by the EU privacy regulators on businesses transferring material from the EU to the US, and the Brexit vote was apparently fueled at least in part by resentment toward the demands of the EU bureaucracy in Brussels, one might expect the UK to adopt its own set of more pragmatic, flexible standards. Whether this will happen or matter in practice with respect to issues such as EU insistence on the maintenance of a US government privacy ombudsman or limitations on government ‘snooping’ is questionable.
For companies which confine their EU operations only to the UK, this bears watching. For companies with operations in both the UK and the rest of the EU, it probably makes little sense to adopt two sets of practices. Across-the-board compliance with the new EU standards, once they are known, is likely to be most efficient. Of course, the terms of the UK’s Data Protection Act of 1998 must be taken into account as well. Depending on the outcome of the pending legal controversy involving the Standard Contract Clauses – initiated by Ireland, which may or may not remain in the UK – their use may remain prudent, although for the present, there is little reason to emphasize them in contract negotiations.
Similarly, companies which were seriously considering reducing cross-border data transfers by moving data centers to the US should continue to do so and continue to use their original decisional criteria.
In contract negotiations, references to EU requirements will probably continue, although some may desire to take an exception for UK requirements to the extent they differ.
We do not suggest major investments in hardware or changes in practice governing data transfers until the EU and UK positions become clearer and the updated General Data Protection Regulation is implemented in 2018. Good operational and contract practice remains the order of the day. While Brexit may ultimately impact prospective compliance obligations, it will have no impact at all on exposure to the legal or operational consequences of a data breach. Good due diligence, contract and insurance practice remain a must, as a data breach will be quite costly irrespective of its situs.