On 12 March 2018, the European Commission published a notice on the consequences of Brexit in the field of security of network and information systems (NIS).  Subject to any transitional arrangements contained in a possible withdrawal agreement, EU rules on NIS will stop applying to the UK from the date of its withdrawal from the EU in 2019.  At that point, the UK will become a ‘third country’ in respect of the EU regulation.  This will have important consequences for online shopping centres and online market places selling goods and providing services (non-financial) across the border, as well as all other ‘online digital services’ such as search engines, Software as a Service (SaaS), and cloud computing service providers.

Rapid development

According to the European Commission, the retail sector is the biggest sector in the EU non-financial business economy in terms of number of enterprises and persons employed.  Retail is also closely linked to other sectors of the economy such as wholesale, manufacturers, farmers as well as transportation and logistics, and other business services.  With the rapid development of e-commerce, the security of the sector which brings goods and services from around the world to EU and non-EU consumers is essential.  Alongside this, the digitalisation of processes in the retail sector is not only influencing the way consumers shop, but is also modifying offline and online shopping.  This includes shopping platforms for the sale of goods (such as Amazon or Shopify), and marketplaces for suppliers of services, such as freelancers in the media, computing, and the arts (like Upwork and Guru).  It also includes tradesmen and facility services (such as Uber, Airbnb, MyBuilder, and Rated People) who advertise and sell their services digitally to ever more trusting consumers.

Safety at stake

The consequences of the withdrawal date are as follows:

1. Where a digital service provider (DSP) is established in the Union, the DSP is subject to the jurisdiction of the Member State where it has its main establishment, which in principle corresponds to the place where the provider has its head office in the Union.

2. Where a DSP is not established in the Union but offers digital services into the Union, it must designate a representative in the Union.  If the DSP is broadly in breach of the General Data Protection Regime (GDPR) or the NIS rules, the designation of a representative shall be without prejudice to legal actions which could be initiated against the digital service provider itself, across jurisdictions.

3. If the DSP's main establishment was in the UK before the withdrawal date, and:

3.1 If it maintains one or several establishments in the EU27 member states, it will be deemed to be under the jurisdiction of the EU27, resulting in a change of competent authority (for example: the CNIL in France).

3.2 If the DSP is no longer established in the EU27 but offers digital services into the EU27 member states, it will be subject to the obligation to designate a representative in an EU27 member state.

4. If a DSP is neither established in the EU27 nor in the United Kingdom but subject to the jurisdiction of the United Kingdom before the withdrawal date because it had designated a representative in the United Kingdom, that DSP will, as of the withdrawal date, be subject to the obligation to designate a representative in an EU27 Member State where services are offered by that DSP.

As retailers and suppliers of services accumulate vast amounts of valuable personal information on their customers, the risks involved in data breaches are increasing in the retail industry.  In the UK, the NIS Directive will be implemented into law on 9 May 2018 and the General Data Protection Regime (GDPR) will be implemented into law on 25 May 2018.
