As is beginning to become apparent, Brexit has wide-ranging consequences in many commercial and business areas. This is equally true in the sphere of data protection, where much of the applicable legislation has developed at an EU level. This is readily understandable, given (i) the wide-ranging technological advances that have occurred since the UK joined the European Communities in 1973 and (ii) the quintessentially cross-border nature of these developments.
We know that after Brexit the UK will cease to lie within the European Economic Area (EEA) boundary line, and will become an external territory for the purposes of the EU legislation. At this stage, as far as Brexit is concerned, there are probably more “known unknowns” than “known knowns” (to use the terminology of the then United States Secretary of State for Defence, Donald Rumsfeld, in 2002). We are going to try and turn some of those unknowns into knowns as far as Brexit, your contracts and data processing are concerned.
For those of you that deal with contracts it makes sense to consider future and existing contracts separately. There are various contractual implications but we will begin with the fundamental matter of the territory to be covered by the contract.
With existing contracts, signed before Brexit was even contemplated or became a reality, the starting point when considering the territory of a contract is that the contract should be interpreted as it would have been on the date that it came into effect. In the absence of any contrary indication (such as, for example, a reference to the EU “from time to time”), if the territory in the contract covered the EU then, despite Brexit, the UK would remain “in” as far as the contract was concerned.
One might be able to argue in relation to certain contracts that the arrangements in place relied (regardless of how the territory was defined) on the principle that the UK would have free and open access to the EU market. If that is the case in a particular contract then a party seeking to exit that contract may be able to argue that the doctrine of frustration applies. This doctrine provides that a contract is frustrated and may be terminated if something unforeseen has occurred which makes it impossible to fulfil the contract. In those circumstances, the parties are no longer obliged to perform their respective obligations under the contract. Whether or not that is the case will obviously depend on the circumstances.
For contracts not yet in existence, it should be relatively straightforward to specify whether or not the territory upon which the contract is predicated should include or exclude the UK following Brexit. Careful consideration and drafting should, quite simply, spell it out and the intention of the parties should be made clear. When the territory is carefully considered and dealt with, many other factors will fall neatly into place, and chief among those is exclusivity. Having a clear grasp of whether one can operate in a territory on an exclusive basis or whether it will need to be shared with competitors is a crucial consideration.
Most businesses are contemplating beginning relationships that will start before Brexit and are intended to continue well after it. As a result of the uncertainty that Brexit will bring it may be prudent for contracts to contemplate a short period (possibly six months or so), following Brexit, during which a party (or either party) can terminate “for convenience” if the arrangements are not proceeding as planned. An alternative would be to turn proposed long-term contracts into short-term ones terminating shortly after Brexit, so that the operational aspects of Brexit are able to be fully considered without the anxiety of long-term commitments. Another option would be to introduce flexibility into contracts relating to pricing (proposed annual price reviews could, for example, become quarterly) after Brexit.
As alluded to above, in the IT industry and, in fact, in most industries and most areas of business, information and personal data are becoming more and more important. Brexit is certainly not going to change that. In relation to personal data and the processing and protection of that personal data the key EU legislation is currently the EU Data Protection Directive, which was transposed into English law by the Data Protection Act 1998. The EU Directive created a framework of data safeguards that were intended to apply on a uniform basis throughout the EEA. As a result, both the European and the UK rules prohibit the transfer of personal data to a location outside the EEA unless that country provides an adequate level of protection for that data.
The current regime dates back to 1995 in the EU and 1998 in the UK and it will be all change for data processing from 25 May 2018 when EU Regulation 2016/679 will come into force. The regulation is commonly known as the General Data Protection Regulation (GDPR) and is intended to offer a harmonised approach to data processing across the EU.
Many of the principles of the Data Protection Act 1998 are reflected in the GDPR but there is no doubt that the GDPR is a step up and UK businesses cannot ignore the requirements of the GDPR (not least because of the increased level of sanctions – up to the greater of €20 million or 4% of global turnover). We know, for certain, that on 25 May 2018 the UK will still be an EU member and therefore on that date UK businesses will need to be compliant with the GDPR (this is a very clear “known known”).
The GDPR means that UK businesses (amongst other things):
It is clear that Brexit cannot be ignored. Contracts must be examined and personal data processes must be carefully considered to ensure that following 25 May 2018 they are consistent with the GDPR.