The UK has left the EU. EU Treaties, EU free movement rights and the general principles of EU law no longer apply in the UK. EU regulations continue to apply in UK domestic law (by virtue of the European Union (Withdrawal) Act 2018) to the extent that they are not modified or revoked by regulations under that Act.
The EU and the UK agreed a detailed Trade and Cooperation Agreement which came in to effect on 1st January 2021.
Technology and Communications businesses need to be aware of the implications for their businesses arising from the UK’s status as a “third country” outside the EU.
The following areas are outlined in this note:
- Data protection
- Trade, tax and tariffs
- Online Tech Services - Regulatory Compliance (eCommerce Directive)
- Trade marks and other IP Protection
- Software export controls
- Conformity Assessments (CE marks)
- Geo-blocking; and
This Checklist is an update to the Checklists previously issued by Bird & Bird in 2018 and 2019.
Since March 2019, the UK Government has committed to protect the rights of EU nationals and their family members who wish to stay in the UK. The EU Settlement Scheme ("Scheme"), which required EU nationals to register in order to preserve their rights under UK law (including rights to work, pensions, healthcare and other benefits) has now come to an end (except to the extent that it applies to eligible dependents of EU nationals).
Organisations with EU nationals working in the UK should be aware of the new right to work check rules and ensure their EU national employees are on-boarded correctly in order to avoid business interruption and immigration compliance issues.
Businesses with British Citizen employees residing and working in EU Member States should already have confirmed that affected individuals have complied with national requirements to protect their continued right to reside and work in that Member State after the end of the transition period. In particular, cross-border workers based in the UK (who are British Citizens) but who work in multiple EU Member States will need to carefully plan their future activities following the cessation of freedom of movement on 31 December 2020. They will most likely need to obtain multiple work permits, visas and/or residence permits in order to work at client sites in EU Member States.
The UK Government has implemented a new set of Immigration Rules which apply to all non-UK nationals. We have seen a significant rise in the uptake of employers sponsoring skilled migrants after the lifting of COVID-19 measures in the UK. There is also a strong interest from employers seeking to apply for a sponsor licence, which is a prerequisite when sponsoring non-UK nationals.
For employers, the overall message is clear. The Home Office has effectively rolled back most of the restrictions placed on work visas since April 2011 and it has become much easier to sponsor non-UK nationals as new hires from January 2021. Whilst the work visa threshold has been lowered, employers should carefully consider the disproportionate financial cost and increased compliance burden following the introduction of the new Immigration Rules.
For more information click here.
EU to UK data transfers:
The departure of the UK from the EU on 31 January 2020 did not lead to dramatic immediate changes in UK data protection law. The GDPR has been enacted into UK law as the UK GDPR and continues to sit alongside the Data Protection Act 2018. However, the EU GDPR continues to apply to UK organisations which trade in the EU to the extent any of their processing activities are caught by the extra-territorial provisions set out therein.
Transfers of personal data from the EU to the UK now constitute a transfer of personal data to a "third country". However, following on from interim data transfer arrangements under the EU-UK Trade agreement, on 28 June 2021, the European Commission adopted two adequacy decisions for the UK (one under the GDPR and the other under the Law Enforcement Directive) meaning that personal data can continue to flow freely from the EU to the UK without the need for additional safeguards such as Standard Contractual Clauses. However, these adequacy decisions include strong provisions to protect against future divergence of UK laws such as a “sunset” clause which limits the duration of the adequacy to four years.
Data transfers from the UK:
The UK continues to treat EU countries' laws as adequate for the purposes of the UK GDPR and the Data Protection Act 2018. On this basis, transfer adequacy mechanisms are not needed for UK to EU data transfers.
Personal data transfers to other jurisdictions need to comply with the UK GDPR and Data Protection Act 2018 obligations. Essentially these are as per the pre-Brexit position and the UK Government has confirmed that EU adequacy decisions, approved EU Standard Contractual Clauses and Binding Corporate Rules are recognised in the UK to legitimise data transfers to non-adequate countries. Transfers to Gibraltar are also allowed to continue.
Organisations which prior to Brexit had relied upon Binding Corporate Rules for their data transfers should also now have updated these documents so that they meet both EEA and UK requirements. New applications for UK BCRs must be submitted to the ICO using the new UK BCR application forms and referential tables available here.
Lead supervisory authority and representative issues:
The GDPR "one stop shop" no longer applies in the UK for investigations that have a multi country dimension. EU regulators will no longer be bound to act through the Information Commissioner, even when a business has its overall European headquarters in the UK. Conversely, for organisations with their "main establishment" in an EU country, the Information Commissioner will no longer be bound by the GDPR's consistency mechanism. In either case, this means that organisations could face distinct investigations and sanctions in the UK and the EU. In a large-scale data breach, for instance, both the Information Commissioner and at least one EU regulator may need to be notified with details of the breach, and each could follow up with distinct investigations and sanctions (such as fines).
The situation is more problematical for EU-active, UK-headquartered businesses unless they can position one of their other (non-UK) EU presences as their "main establishment" in the EU. For offshore (i.e. non-EU) businesses without a "main establishment" in the EU, the EU GDPR's "consistency" rules do not apply; so in a data breach scenario, the UK-headquartered business might have to notify (and then cooperate with investigations by) regulators in every relevant EU / EEA country (plus the UK, if the UK is relevant).
To avoid that worst-case outcome, many UK-headquartered multinationals are therefore looking at how best they can position a subsidiary in the EU as their "main establishment" in the EU; for efficiency, businesses might even decide to shift control of data protection matters entirely out of the UK, rather than split control between the UK and the EU.
UK businesses without an EU presence but which process the data of EU-based individuals (e.g. their online customers) need to consider the EU GDPR's requirements to appoint an EU representative, including so that the representative can deal with regulators on their behalf. The same is also true of EU businesses which process the personal data of UK-based individuals but don't have a UK presence; they need to appoint a UK representative under the UK GDPR.
It is also worth noting that whilst the European Commission adopted new Standard Contractual Clauses for data transfers subject to the EU GDPR on 7 June 2021, these Clauses don’t cover transfers of personal data to which the UK version of the GDPR applies. This is because post-Brexit UK data protection legislation only references the standard contractual clauses which were approved as at 31 December 2020 (i.e. the 2001, 2004 and 2010 versions of the EU SCCs). Click here for more detail on these new EU Standard Contractual Clauses.
However, the UK Information Commissioner has recently run a consultation on data transfers looking at whether it would be helpful for the Information Commissioner to approve an addendum allowing the EU Standard Contractual Clauses to be used for transfers of personal data from the UK. In addition, the consultation considered whether to terminate the current temporary approval of the older EU SCCs and whether to approve a new UK specific international data transfer agreement and accompanying transfer risk assessment. Changes to the existing UK guidance on data transfers also formed part of the consultation. The consultation closed on 7 October 2021 and at the time of writing, we are waiting for the final proposals. For more information on the consultation please see our recent article:UK Information Commissioner consults on data transfers – including approach to EU Standard Contractual Clauses (twobirds.com).
In addition, it is worth noting that the UK’s Department for Digital, Culture, Media & Sport has also released a consultation document (consultation now closed) about the future of data protection law in the UK. Some changes being proposed are small clarification changes intended to resolve uncertainties in the GDPR’s drafting but others are fundamental reforms to the operation of the UK’s data protection laws and the obligations and protections they bring. All organisations operating in the UK should be interested in potential changes to:
- Data subject rights (to make them less burdensome)
- Accountability (potentially burdensome)
- Data transfers (significantly more flexibility)
- E-privacy (possibly helpful, although proposals not clearly articulated)
There are also proposals of significant interest to those involved in research and AI, and reforms on the powers and governance of the Information Commissioner. For more details, please see: Changing direction? UK consults reforms to its data protection law (twobirds.com).
Trade, tax and tariffs
Multinational tech companies should review their international strategies to determine whether, and to what extent, they continue to use UK group companies as a gateway to the EU, particularly as companies within the EU are no longer able to rely on EU directives to eliminate withholding tax on dividend, interest or royalty payments to the UK.
The EU-UK Trade Agreement establishes that trade between the EU and UK and vice versa from the end of the transition period is tariff and quota free.
However, customs declarations and procedures are necessary for the import and export of goods into and out of the EU and GB. Northern Ireland has a special position. The Northern Ireland Protocol establishes that Customs declarations and procedures are not necessary for the import and export of goods between Northern Ireland and the EU.
Businesses which relied on a UK-based Mini One-Stop Shop (MOSS), enabling businesses to register and account for VAT on all relevant supplies throughout the EU via a single registration for sales to EU customers, now need to register in an EU jurisdiction. The UK is no longer part of the MOSS scheme.
UK businesses trading goods with the EU should review their supply chains and consider how they will handle the logistics of import and export declarations and procedures. In particular, UK businesses trading goods with the EU must have an Economic Operator Registration and Identification (EORI) number. This is essential in order to import into or export goods out of the EU into the UK.
From 1 July 2021 the HMRC simplified import customs clearance system – Customs Freight Simplified Procedures/Entry In Declarants Records (CFSP-EIDR) is no longer freely available for all importers but importers may formally apply to stay on the deferred customs scheme. Under CFSP-EIDR importers have six months to present the import entry, but importers must keep records of arrivals. Full Export declarations and Safety & Security declarations have been required for exports from the UK to the EU from 1 January 2021. Safety & Security declarations are now also required for imports to the UK (from 1 July 2021).
For more information on future trading arrangements click here.
The EU-UK Trade Agreement does not include any provisions relating to the enforceability of business contracts or the mutual recognition and enforcement of judgments.
Existing commercial contracts should be reviewed, particularly those involving contracting entities in the UK and the EU, in order to assess the on-going enforceability of English law contracts where there is a non-UK element to the contract – see the comments on enforceability later in this section.
On the choice of governing law in contracts, Rome I and Rome II, the EU Regulations which governed the choice of law of contractual and non-contractual obligations, have been incorporated into UK law and therefore will continue to apply. This means that the position in relation to governing law will not change.
The position on determining the jurisdiction of a court to hear a dispute and the enforceability of any resulting judgment is less straightforward. EU law will continue to apply to legal proceedings issued in the UK before the end of the transition period and to the recognition and enforcement of judgments given in legal proceedings before the end of the transition period.
For new cases, unlike with governing law, the EU rules on jurisdiction and enforceability were not replicated into UK law, as they rely on reciprocity. One partial solution is for the UK to accede to The Lugano Convention 2007 (which it officially requested to do on 8 April 2020). This would be welcome as Lugano provides a reciprocal arrangement in the areas of jurisdiction and the enforcement of judgments on a broadly similar basis to that in operation between the UK and the EU prior to the end of the Brexit transition period. However, accession to the Convention depends upon consent from the other signatories and, currently, the EU and Denmark continue to withhold their support.
In the absence of Lugano, The Hague Convention on Choice of Court Agreements is applicable from the end of the transition period. This provides a partial solution to questions of jurisdiction. The Convention provides a worldwide framework of rules in relation to exclusive choice of court (jurisdiction) clauses only and the recognition and enforcement of judgments based on these clauses in civil and commercial matters. It does not, however, apply to asymmetric jurisdiction clauses, or to enforcement of interim remedies. Under the Convention courts in EU Member States (and the other contracting states to the Hague Convention) are obliged to honour exclusive choice of court agreements designating UK courts, and to enforce the resulting judgments. However, whilst it appears that English courts will respect an exclusive choice of court provision in contracts entered into from 1 October 2015 onwards, EU member state courts may regard the Convention as applying only to contracts entered into from 1 January 2021.
As a side note, a new Hague Convention on Jurisdiction was drafted in 2019. This proposed convention has a far wider scope than the 2005 Hague Convention in that it deals not just with exclusive jurisdiction clauses and, if ratified may have the effect of harmonising this area between the UK and the EU. The EU has indicated that it maybe interested in signing and ratifying this new Convention.
Where the 2005 Hague Convention does not apply, the English courts will instead apply common law rules to determining questions of jurisdiction and enforcement, which are generally less predictable than the old Brussels/Lugano regimes.
Practically speaking, permission to serve a claim outside of the jurisdiction will almost always be required (unless the 2005 Hague Convention applies) and older conventions between the UK and the EU Member States on service abroad/taking evidence abroad will now apply once more.
If it is a priority to be able to obtain a judgment under an English law contract that can be enforced in the EU without difficulty, it is imperative to seek advice as to whether an exclusive jurisdiction clause drafted in favour of the English courts would be enforceable in the desired way under the 2005 Hague Convention. If not, other options worth considering are choosing another EU Member State to have exclusive jurisdiction or considering an arbitration clause instead.
For further information see our notes on the Cross-border dispute resolution implications of Brexit, English law and English courts can continue to be used in international contracts after Brexit and our Commercial Drafting Checklist which highlights Brexit-related issues for businesses.
Online Tech Services - Regulatory Compliance (eCommerce Directive)
The eCommerce Directive no longer applies to the UK.
For companies established in the EU, Article 3 of the eCommerce Directive provides a form of “passporting” protection for EU established online service providers (including cloud solution providers) by allowing them to operate in any EEA country while only following relevant rules in the country in which they are established. Article 4 of the eCommerce Directive states that EU service providers that provide services in a regulated field, such as financial services, only need to obtain prior authorisation to do business in the country where they are established.
As the eCommerce Directive no longer applies in the UK these protections are no longer available for UK companies that provide online services across the EU. The loss of these protections means that online service providers based in the UK and providing services to customers across the EU need to comply with the national rules applicable to their services in each EU country where their services are available. Similarly, EU service providers doing business in the UK need to consider and take steps to comply with the UK law applicable to their services.
As an alternative, online service providers should consider if they are already EU established or if they could become EU established in order to benefit from the “passporting” provisions of the eCommerce Directive.
For additional information on the implications of the end of the eCommerce Directive in the UK click here.
Trade marks and other IP Protection
Tech companies should identify which of their business' trade mark rights are likely to be affected by the UK's departure from the EU and may need further application/registration in order to achieve maximum protection over those rights; as set out below, the opportunity to make further applications or registrations in the normal way has run out so any anomalies should be addressed and rectified as soon as possible to minimise the risk of losing existing or potential rights.
EU Trade Marks (EUTMs) and Registered and Unregistered Community Designs no longer have effect in the UK. The UK Government has automatically created a comparable UK trade mark for every registered EUTM, at no charge, with effect from 1 January 2021. The same applies for Registered Community Designs (RCDs). However, this did not automatically apply to pending EUTM applications, instead there was a nine month grace period (ending on 30 September 2021) within which UK comparable rights could be applied for.
There is, therefore, technically no need for tech companies with EUTM and RCD registrations which existed as at 31 December 2020 to re-file for equivalent registrations in the UK, as comparable UK registrations have been automatically granted. For new filings, however, tech companies are advised to dual-file in the EU and UK if protection is needed both in the UK and the EU. Tech companies should also review the following:
- Whether they have any pending oppositions/cancellation actions at the EUIPO: actions which were only based on UK rights will have fallen away and parallel actions against the new comparable UK trade mark will need to be brought.
- Whether their existing EUTM legal representatives will remain entitled to represent them before the EUIPO and the UKIPO after the end of the transition period. Bird & Bird will be able to represent clients before both the UKIPO and the EUIPO.
- Their broader enforcement strategy: pan-EU injunctions no longer cover the UK and will not be available in the UK, meaning that separate EU and UK proceedings need to be brought to cover all of Europe.
- Whether they have an EU customs notice ("Application for Action") in place which was filed via UK Customs: these have fallen away at the end of the transition period and need to be renewed/re-filed via one of the remaining EU countries. A UK filing will also be needed.
- Whether they have hardware businesses affected by parallel imports between the UK and continental Europe: the ability for trade mark owners to prevent imports from one territory to the other will differ depending which way the goods are going.
- References to the EU in brand licence agreements will need to be considered to ensure that the territorial provisions continue to reflect the commercial need and understanding.
Patents will to a great extent continue as before - patents covering the UK will continue to be granted both by the UK Intellectual Property Office (UKIPO) and the European Patent Office (EPO). Applications for patents can be filed directly with the UKIPO or EPO, or can be made pursuant to an international patent application filed under the Patent Cooperation Treaty. Neither the UKIPO, nor the EPO, is an EU institution and their operation will be unaffected by Brexit.
The UK will continue to be one of the 38 contracting states to the European Patent Convention, which is the international treaty that established the EPO. Applicants will continue to be able to file their applications with the EPO and, on grant, request validation in the UK and other countries of interest.
The standing of granted patents will also be unaffected by Brexit. Following grant and validation in the UK, European patents have – and will continue to have – exactly the same legal effect in the UK as national patents granted by the UKIPO.Furthermore, the UK will remain a member of the Paris Convention, which supports IP protection around the world. Applicants who have filed for patent protection in the UK will still be able to subsequently claim the priority of that application for a patent registration in other countries and vice versa.
For additional information on what to consider in regards to IP click here.
Software export controls
Export controls apply generally to items that are specially designed or modified for military use and to items designed for civilian use which have potential military uses ("dual-use" items). Some software is subject to EU export control as dual use items, including many commonly used encryption protocols, unless the products are specifically excluded (such as smart cards and smart card reader/writers and mobile telephones for civil usage) or are excluded as being generally available to the public at retail selling points.
The EU Dual Use Regulation has been incorporated into UK law. However, the UK is now regarded by the EU as being a third country for the purposes of EU export control. The EU General Export Authorisation (GEA) for the export of all dual use items (including encryption software) has been amended to include exports from the EU to the UK. Exporters of dual use software from the EU to the GB (that is not exempted) must notify the relevant national competent authorities of the first use of the GEA and EU Member States may require registration prior to first use of the GEA.
The EU Dual Use Regulation has been revised (with effect from 9 September 2021) The revised Regulation includes a new EU GEA for the export of encryption software to a wide variety of countries outside the EU. The EU GEA does not apply to exports from the UK. The UK has introduced an Open General Export Licence for Cryptographic Developments with a similar scope and coverage.
For transfers from GB to the EU, the UK has issued an Open General Export Licence (OGEL) to cover the export of dual use items (including encryption software) from the UK to the EU. The OGEL has conditions and does not apply if the exporter is aware that the dual use item is intended to be used in certain weapons systems. Companies need to pre-register with the Department of International Trade for each product for which the OGEL is relied on and must comply with the terms of the OGEL, including a requirement to include a note on official export documentation that the items are exported under the OGEL.
Conformity Assessments (CE marks)
Conformity assessments carried out by UK conformity assessment bodies prior to 1 January 2021 are no longer valid for EU purposes. Instead, EU conformity assessments need to be carried out by EU-based bodies. Where companies hold existing certificates issued by a UK conformity assessor they need either to apply for a new certificate from an EU-based conformity assessor or to arrange for a transfer – with the EU Conformity Assessor then taking over the responsibility for that certificate.
In the UK, in most instances until 1 January 2023, it will be possible to use the EU CE mark when placing products on the UK market (if the product meets the relevant EU requirements), including where products have had a third-party assessment carried out by an EU-recognised body. The new UK Conformity Assessed (UKCA) mark will also be available for products that require third party assessment of conformity within the UK. This will need to be carried out by a UK-based Approved Body. After 1 January 2023 a UKCA marking will be required, declaring conformity with the UKCA marking regulations instead of the EU directives and regulations.
UK manufacturers exporting products to the EU must appoint an importer. Similarly, products from the EU placed on the UK market will require a UK importer.
- Mark the product with their name and address;
- Understand and check the markings, declarations and technical file;
- Satisfy themselves that the CE or UKCA marking process is complete;
- Be the primary point of contact for the EU or UK authorities; and
- Be prepared to cooperate with the authorities if there is a product recall or similar.
The EU Geo-Blocking Regulation prohibits, amongst other matters, blocking access to, or forced redirection away from, a website on the basis of an internet user's EU nationality or place of residence within the EU. The EU Geo-Blocking Regulation has been revoked in the UK with effect from the end of the transition period.
As a result, companies are not prohibited from discriminating in the UK between EU customers and UK customers in their on-line businesses. Within the EU27 the EU Regulation will continue to apply to UK businesses, meaning that UK companies will not be able to discriminate between customers in different EU Member States.
Companies operating in the UK and the EU should consider potential exposure to parallel investigations by the European Commission and UK Competition and Markets Authority (CMA) and the need to safeguard their position under both the UK and EU regimes.
They should re-assess territorial restrictions in agreements, as between the UK and the EU, under the anti-trust rules as from Brexit. More generally, companies should be aware that the Competition (Amendment etc.) (EU Exit) Regulations 2019 will adapt EU competition regulations and have become a set of domestic regulations.
If you are planning a large-scale merger or acquisition, consider whether it will be subject to merger control scrutiny by both the UK CMA and the European Commission, as the Commission will no longer be a "one stop shop" for large mergers affecting the UK, as from Brexit.
Read more on the competition law implications here.