How might the technology and innovation sector be affected by Brexit?
On 24 December 2020, the European Union (EU) and the United Kingdom (UK) reached agreement on an EU-UK Trade and Cooperation Agreement (TCA). The TCA governs the future relationship between the EU and the UK following the end of the Brexit transition period and consists of a Free Trade Agreement, a partnership for citizens’ security and a horizontal agreement on governance.
The EU has provisionally applied the TCA from 01 January while awaiting endorsement by the European Parliament and ratification. The UK Government has already ratified the TCA. In effect, the EU and UK applied the rules of the TCA from the moment the Brexit transition period expired, i.e. at 11.00 PM on 31 December 2020.
Besides trade in goods and, to some extent, services, the TCA covers a broad range of areas, such as investment, competition, state aid, tax transparency, sustainability, data protection and certain industry sectors (such as air and road transport and energy). The technology and innovation sector is not the subject of detailed, separate consideration (except in relation to telecoms) in the TCA.
The European Union (Withdrawal) Act 2018, in combination with the European Union (Withdrawal Agreement) Act 2020 and the Agreement on the Withdrawal of the United Kingdom of Great Britain and Northern Ireland from the European Union and the European Atomic Energy Community of 19 October 2019 (Withdrawal Agreement) provide some clarity in relation to certain areas of law affecting businesses operating in the technology and innovation sector. In addition, the TCA touches on a number of areas of law relevant to the sector (discussed below). In many respects it will continue to be “business as usual” for many businesses operating in the technology and innovation sector. Accordingly, in this publication, we deal only with the following aspects of the legislation, Withdrawal Agreement and the TCA which do involve notable changes:
- Data privacy;
- Digital services, e-commerce, and cybersecurity;
- Consumer protection;
- Acquisition of intellectual property assets, including source code; and
- Intellectual property rights.
Part Two of the TCA covers telecoms regulation. We do not cover that area (nor audio-visual regulation) in this document.
Can personal data continue to be transferred to the UK from the EU?
Yes, for the time being.
Under the TCA, the UK is not to be treated as a third country for an interim period of four to six months from 1 January 2021 (Interim Period). This is to allow time for the European Commission (EC) to finalise its adequacy assessment of the UK.
The purpose of the adequacy assessment is for the EC to decide whether the UK provides “essentially equivalent” protection for personal data as the EU and, therefore, whether transfers of data may be permitted without the need for organisations to take further measures (Adequacy Decision).
The Interim Period will last for a minimum of four months and will be automatically extended to six months, unless either the UK or the EU unilaterally objects. The application of the Interim Period is subject to two main conditions:
- the UK must not make any changes to its data protection law; and
- the UK data protection regulator must not approve new transfer mechanisms or Codes of Conduct, without the consent of the EU-UK Partnership Council (the Partnership Council will oversee the TCA and make recommendations as to its functioning).
It is important to note that the Interim Period applies in respect of data transfers only. Therefore, other post-Brexit data protection obligations apply immediately.
The UK Information Commissioner’s Office (ICO) has issued a statement confirming the Interim Period, but recommending that organisations nevertheless consider putting in place data transfer mechanisms during this period, as a “sensible precaution” to safeguard against any interruption to transfer of personal data at the end of the Interim Period.
How likely is it that the UK will be given an Adequacy Decision by the EC?
It is uncertain as to how likely it is that the UK will be granted an Adequacy Decision.
As part of the adequacy assessment process, the EC is obliged to take into account the national security and surveillance laws of the UK, which must offer guarantees ensuring an adequate level of protection for personal data that are “essentially equivalent” to EU law.
Reaching this standard could be a challenge for the UK. Over recent years, privacy campaigners have taken legal action against the UK for its national security and surveillance laws, including one that reached the European Court of Human Rights (Big Brother Watch v United Kingdom). This case found that aspects of the Regulation of Investigatory Powers Act (which has now broadly been replaced by the Investigatory Powers Act 2016) were incompatible with Articles 8 and 10 of the European Convention on Human Rights.
The UK’s national security practices have also received scrutiny from the Court of Justice of the European Union (CJEU). On 6 October 2020, the CJEU published a decision which found that UK law which enabled the UK government to require the providers of electronic communications services to carry out the general and indiscriminate transmission of traffic and location data to the security and intelligence agencies was not permissible under EU law.
In addition, the European Parliament published a resolution in February 2020 in relation to the Brexit negotiations. The Parliament directed the EC to pay particular attention to the legal framework in the UK in the fields of national security and the processing of personal data by law enforcement authorities, and stated that the UK’s mass surveillance programmes may not be adequate under EU law.
The European Parliament also commented that the UK Data Protection Act 2018 provides for a general and broad exemption from the data protection principles and data subjects’ rights for the processing of personal data for immigration purposes, and that this conflicts with the EU General Data Protection Regulation.
Where no Adequacy Decision is found following the end of the Interim Period, EU entities will need to implement data transfer mechanisms to cover the flow of personal data from the EU to the UK.
It should be noted that, for transfers of personal data from the UK to the EU, the UK Government has stated that one-way flows of personal data from the UK to EU will be considered adequate under the UK’s domestic data protection law.
Digital services, e-commerce and cybersecurity
What does the TCA provide for in relation to digital services?
The TCA seeks to ensure that the UK and EU will co-operate on digital trade issues, and a digital trade chapter sets the terms under which businesses can provide products and services to each other via digital channels, such as over the Internet.
The TCA provides that no customs duties will be imposed on electronic transmissions, and there is a positive obligation on the UK and EU to co-operate on the development of emerging technologies.
Will data flows have to be localised?
To facilitate digital trade, address unjustified barriers to trade enabled by electronic means and to ensure an open, secure and trustworthy online environment for businesses and consumers, the TCA contains certain provisions in relation to the free-flow of data. Specifically, it provides that the EU and the UK are committed to ensuring cross-border data flows to facilitate trade in the digital economy and that, to that end, cross-border data flows shall not be restricted between them by a party (that is, one or other of the EU or the UK):
- requiring the use of computing facilities or network elements in the party's territory for processing, including by imposing the use of computing facilities or network elements that are certified or approved in the territory of a party;
- requiring the localisation of data in the party's territory for storage or processing;
- prohibiting the storage or processing in the territory of the other party; or
- making the cross-border transfer of data contingent upon use of computing facilities or network elements in the parties' territory or upon localisation requirements in the parties' territory.
Such provisions are subject to any countervailing provisions for the protection of personal data in the TCA and elsewhere.
How will e-commerce be affected?
The TCA provides that:
- equal treatment must be given to electronic signatures and electronic documents against paper documents;
- services can be provided digitally by default without requiring any prior authorisation. There are a few exceptions to this, notably, legal services, gambling services and broadcasting services;
- the UK and EU agree to adopt or maintain measures to ensure the effective protection of consumers engaging in e-commerce transactions; and
- both parties will co-operate on regulatory issues with regard to digital trade: the recognition and facilitation of interoperable electronic trust and authentication services; the treatment of direct marketing communications; the protection of consumers; and any other matter relevant for the development of digital trade, including emerging technologies.
The requirements in the first three bullets above are quite generic, and are already the subject of extant English law provisions. The TCA seeks to lay down de minimis or baseline legal requirements in relation to e-commerce, without calling for actual compliance with specified EU legislation. To the extent that such TCA provisions are not already enacted in existing domestic law in all respects, section 29 of the European Union (Future Relationship) Act 2020 is the mechanism by which such provisions are implemented.
Section 29 provides for the general implementation, via a “glossing mechanism”, of provisions of the TCA that are not implemented by any other mechanism. The mechanism provides that existing domestic law has effect with such modifications as are required for the purposes of implementing the TCA so far as it is not otherwise so implemented and so far as such implementation is necessary for the purposes of complying with the international obligations of the United Kingdom under the TCA.
In other words, the modifications are to be read across to domestic law (in contrast to text amendments to the law itself). Any equivalent or other provision in legislation implementing the TCA takes precedence over section 29(1).
Is sharing of public sector data provided for?
The TCA contains a provision on open government data. When governments choose to make non-personal or anonymised public sector data available, the TCA provides that the data will be, among other things, easily accessible, in machine-readable format, and regularly updated.
What is the EU and UK approach in relation to cybersecurity?
The TCA creates a framework for UK-EU cooperation in the field of cybersecurity.
As well as the UK’s participation in expert bodies (such as European Union Agency for Cybersecurity (ENISA) and the Network and Information Systems (NIS) Cooperation Group), the TCA envisages that UK and EU will co-operate in the field of cyber issues by sharing best practices and co-operative practical actions aimed at promoting and protecting an open, free, stable, peaceful and secure cyberspace.
In the area of consumer protection law and commercial law more generally, many EU laws have been carried over into English law. In addition, the UK has itself implemented into English law a number of EU requirements. What is the effect of Brexit in this area of law?
The short answer is that the extent to which such legal requirements change is (with some exceptions) determined by the transitional and savings arrangements under the European Union (Withdrawal) Act 2018 in combination with the effect of the European Union (Withdrawal Agreement) Act 2020. As a result, a considerable body of English consumer protection law continues to be aligned with EU law under such legislation.
How does the TCA impact this position?
The TCA provides that the UK and EU agree to adopt or maintain measures to ensure the effective protection of consumers engaging in e-commerce transactions - for example, measures that:
- proscribe fraudulent and deceptive commercial practices;
- require suppliers of goods and services to act in good faith and to abide by fair commercial practices, including through the prohibition of charging consumers for unsolicited goods and services;
- require suppliers of goods or services to provide consumers with clear and thorough information, including when they act through intermediary service suppliers, regarding their identity and contact details, the transaction concerned, including the main characteristics of the goods or services and the full price inclusive of all applicable charges, and the applicable consumer rights (in the case of intermediary service suppliers, this includes enabling the provision of such information by the supplier of goods or services); and
- grant consumers access to redress for breaches of their rights, including a right to remedies if goods or services are paid for and are not delivered or provided as agreed.
Speaking generally, such matters are in one form or another (for the most part) already part of English consumer protection law. The TCA seeks to lay down de minimis or baseline legal requirements for the legal protection of consumers, without calling for actual compliance by the UK with specified EU legislation. To the extent that such TCA provisions are not already enacted in existing domestic law in all respects, section 29 of the European Union (Future Relationship) Act 2020 (discussed above) is the mechanism by which such provisions are implemented.
A similar de minimis approach under the TCA is taken in relation to unsolicited direct marketing campaigns.
The TCA also recognises that consumer protection bodies can co-operate and enforce breaches of UK and EU consumer rights in order to protect consumers and enhance online consumer trust.
Businesses located in the UK will still wish to sell to consumers and other businesses in the EU after Brexit. To do that, regardless of the technical position under the legislation and the TCA, such businesses will still need in practice to comply with a significant amount of EU law (not least because such requirements may be imposed on them as part of supply chain requirements from their own business customers within the EU).
Acquisition of intellectual property assets
Can a business’s intellectual property assets be compulsorily acquired as a condition of it having access to the other’s markets?
The TCA includes provisions designed to avoid making access to another’s markets conditional on acquiring a business’s intellectual property rights.
For example, under the TCA (and with some exceptions) neither the UK nor the EU may impose or enforce any requirement, or enforce any commitment or undertaking, in connection with the establishment or operation of any enterprise in its territory to transfer technology, a production process or other proprietary knowledge to a natural or legal person or any other entity in its territory.
Under the TCA, the UK and EU agree not to require the transfer of, or access to, the software source code of the other’s residents or businesses. This is without limit to private parties’ ability to negotiate agreements for the transfer of source code.
Intellectual property rights
What is the impact of Brexit on intellectual property rights?
For a detailed analysis of Brexit in relation to the intellectual property rights, see Impact of Brexit on Intellectual Property.