The UK government has announced that it intends to formally commence the process to leave the EU by the end of March 2017. The start of the process should prompt businesses to take stock of their current contractual arrangements and consider how best to “future-proof” new contracts. This two-fold approach will help protect against the inevitable uncertainty while the terms of the UK’s withdrawal are negotiated.
We examine the potential impact of Brexit on three key provisions regarding IT and commercial contracts including Termination, Governing Law and Data Protection.
Certain IT and commercial contracts allow for termination in the event of, for example, a material change in the law or regulatory framework that governs the operation of the contract. Businesses should assess the likely impact of clauses like this in their existing contracts in the context of Brexit.
Given the uncertainty of the UK’s relationship with the rest of Europe, businesses may also wish to negotiate termination rights in the event of certain contingencies. If the UK is excluded from the EU single market, this could make performance of a contract much more difficult or less profitable than the parties intended. An obvious example would be the effect on cloud contracts if a basis for transfer of data to the UK from another EU Member State cannot be established. We discuss this challenge in more detail below in the context of data protection.
In the absence of more specific termination rights in the contract, the ability of a party to terminate for convenience (without cause) will be important. Businesses should keep this in mind when negotiating termination notice periods and the duration of any lock-in periods.
2. Governing Law
Most pre-Brexit IT contracts will have been drafted on the assumption of the UK’s membership of the EU. Parties that traditionally chose the laws of England and Wales, Scotland or Northern Ireland to govern their contracts may wish to re-evaluate this position. In addition, English law has traditionally been a common choice for cross-border contracts and is viewed as a commercial and predictable legal system.
Much of the UK’s current legislation, covering everything from free movement of labour, to combating climate change, is derived from EU law. Due to initiatives such as the Digital Single Market, technology businesses are increasingly likely to trade across Europe. These businesses will have benefited from the level of consistency between English law and the laws of other EU Member States. While it seems unlikely that the UK would choose to repeal its current laws, we may see future divergence as UK case law and policy develops independently of the EU.
If a business wishes to adopt a common law system subject to EU primacy, then the laws of the Republic of Ireland are an obvious choice for any future contract.
Moreover, any existing contracts that define the EU as its territorial scope should be amended to identify the UK and the EU. This will be relevant, for example, for distribution, agency and franchise contracts.
3. Data Protection
The transfer of personal data is often a major consideration in modern IT and commercial contracts. As discussed in a previous article, if the UK does not join the European Economic Area, serious issues may arise with respect to the free flow of personal data between the EU and the UK. Such issues may arise where data is stored on a server within a UK data centre. As a first step, a business should review its contracts and map out the flow of personal data to determine if data transfers to the UK are taking place.
Currently, data protection in the UK is governed by the Data Protection Act 1998. As this legislation is derived from EU law it therefore offers data subjects similar levels of protection to the other EU Member States. However, EU data protection law is changing. On 25 May 2018, the General Data Protection Regulation (“GDPR”) will come into force. The GDPR represents a significant strengthening of EU data protection rules.
If the UK opts for a “hard Brexit” and does not join the European Economic Area, the GDPR will not apply to it. The UK may still ask the EU Commission to issue a decision finding that, in the absence of adopting the GDPR, UK law is “adequate” for the purposes of international data transfers. An adequacy decision would only be forthcoming if the UK could show that its law was “essentially equivalent” to EU data protection law.
Ultimately, Brexit in any form may require businesses to rethink their basis for transferring data to the UK, and ensure that they cover off the data protection risks in all existing and future contracts.
Where to from here?
The UK and remaining Member States of the EU will soon commence a series of complex negotiations to determine the terms of the UK’s formal withdrawal. While the exact nature of the UK’s future relationship with Europe remains uncertain, now is the perfect time for businesses to audit their IT and commercial contracts. In doing so, businesses can develop a strategy for their future contracts in order to manage the inevitable disruption resulting from the UK’s intention to trigger Article 50 and leave the EU.