With so much political uncertainty surrounding Brexit and what it might mean for the UK, companies can be forgiven for assuming that many legal developments in the EU will now not affect them. Other than companies inserting some key contractual clauses into any existing or future agreements – as explained in our article here – companies may feel that there is little more they can (or need to) do in the current political landscape.
However, whilst the future impact of EU law is by no means certain, such an assumption would be dangerous. There is still plenty of new EU legislation that companies should take active steps to comply with and an awareness of the latest legal developments in the EU is as critical as ever. Businesses that want to operate in the EU post-Brexit will still be required to comply with EU law and there are significant changes which are due to be implemented in 2018 – whilst the UK is still an EU member and bound by EU terms. Furthermore, the European Union (Withdrawal) Bill is to convert all EU law (that is directly applicable or implanted into UK law as a result of the UK’s obligations) into UK law at the time of withdrawal from the EU. We have summarised below some of the significant pieces of EU legislation which all companies should be made aware of:
The EU’s General Data Protection Regulation (“GDPR”) will be directly applicable in all EU Member States from 25 May 2018, replacing the Data Protection Directive 95/46/EC. The UK government has confirmed that it will continue to apply post-Brexit and the Data Protection Bill, which will replace the Data Protection Act 1998, is currently making its way through Parliament. The GDPR will result in extensive changes to data protection laws across the EU. It is designed to catch any company that processes personal data in the EU (whether a data controller or data processor), regardless of whether the processing takes place in the EU or not. It will also apply to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to the offering of goods or services to EU citizens, or monitoring of behaviour that takes place in the EU. Other significant developments include provisions that put more onerous obligations on data processors, and the fact that processors can now be jointly and severally liable with the relevant data controller and that the penalties for non-compliance have increased dramatically. For more information about the GDPR and how businesses should prepare, visit our GDPR hub page here.
On 10 January 2017, the European Commission published a draft Regulation on Privacy and Electronic Communication (“ePrivacy Regulation”) designed to update the electronic communication sector and align e-Privacy laws with the implementation of the GDPR (as discussed above). Significantly – and despite calls from many who believe such a timeline to be unrealistic – the ePrivacy Regulation is intended to enter into force on 25 May 2018, at the same time as the GDPR. Some of the main features of the ePrivacy Regulation include widening the scope of its ambit to include new players in electronic communications, such as Whatsapp, Facebook Messenger and Skype, and confirming that consent must be given for any unsolicited commercial communications (although the current soft opt-in for electronic mail remains). For more information about the ePrivacy Regulation and how businesses should prepare, see here.
Trade Secrets Directive
The Trade Secrets Directive (“TS Directive”) is designed to harmonise the law on the protection of trade secrets. EU Member States have until 9 June 2018 to transpose the TS Directive into their national law. Assuming that the UK complies with its obligation to implement the TS Directive, it will be implanted into UK law prior to Brexit and will remain as part of UK law as a result of the EU (Withdrawal) Bill. The impact of the TS Directive is unlikely to be significant in the UK as there is already a relatively high degree of protection through the existing law of confidence and the protection of trade secrets has always been important. However, for UK businesses with a presence in EU, the TS Directive should provide another level of protection in those EU jurisdictions. Under the TS Directive, the third limb of the definition of ‘trade secret’ requires ‘reasonable steps’ to have been taken to keep the information confidential. It is advisable therefore for companies to develop policies to identify their secrets and protect them as this would mean that such information would fall under the TS Directive’s ambit. For example, companies may want to protect confidential information by using encryption or passwords and/or training staff so they know what a trade secret is and the consequences of misusing it.
Cyber Security Directive
The Network and Information Security Directive ((EU) 2016/1148) (the “NIS Directive”) is designed to compel essential service operators to take the necessary action to protect their IT systems. EU Member States have until 9 May 2018 to transpose the NIS Directive into their national law. The NIS Directive allows the UK to determine which organisations are operators of ‘essential services’ in sectors such as banking, finance, transportation, energy and healthcare. The NIS Directive also applies to digital service providers such as search engines and cloud computing service providers. It requires them to take, amongst other things, appropriate and proportionate technical and organizational measures to manage the risks to the security of their network (and notify the relevant authorities regarding serious cyber incidents). The NIS Directive is currently subject to consultation in the UK, but the government has announced that it intends to implement the NIS Directive regardless of Brexit. The increasing cost and damage inflicted by cybercrime has made this an area of increasing priority. It is important therefore that businesses take the time to make sure that they have the necessary policies and procedures in place to protect them from cybercrime.