Brexit or no Brexit – what companies still need to do
With so much political uncertainty surrounding Brexit and what it might mean for the UK, companies can be forgiven for assuming that many legal developments in the EU will now not affect them. Other than companies inserting some key contractual clauses into any existing or future agreements – as explained in our article here – companies may feel that there is little more they can (or need to) do in the current political landscape.
However, whilst the future impact of EU law is by no means certain, such an assumption would be dangerous. There is still plenty of new EU legislation that companies should take active steps to comply with and an awareness of the latest legal developments in the EU is as critical as ever. Businesses that want to operate in the EU post-Brexit will still be required to comply with EU law and there are significant changes which are due to be implemented in 2018 – whilst the UK is still an EU member and bound by EU terms. Furthermore, the European Union (Withdrawal) Bill is to convert all EU law (that is directly applicable or implanted into UK law as a result of the UK’s obligations) into UK law at the time of withdrawal from the EU. We have summarised below some of the significant pieces of EU legislation which all companies should be made aware of:
The EU’s General Data Protection Regulation (“GDPR”) will be directly applicable in all EU Member States from 25 May 2018, replacing the Data Protection Directive 95/46/EC. The UK government has confirmed that it will continue to apply post-Brexit and the Data Protection Bill, which will replace the Data Protection Act 1998, is currently making its way through Parliament.
The GDPR will result in extensive changes to data protection laws across the EU. It is designed to catch any company that processes personal data in the EU (whether a data controller or data processor), regardless of whether the processing takes place in the EU or not. It will also apply to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to the offering of goods or services to EU citizens, or monitoring of behaviour that takes place in the EU.
Other significant developments include provisions that put more onerous obligations on data processors, and the fact that processors can now be jointly and severally liable with the relevant data controller and that the penalties for non-compliance have increased dramatically. For more information about the GDPR and how businesses should prepare, visit our GDPR hub page here.
On 10 January 2017, the European Commission published a draft Regulation on Privacy and Electronic Communication (“ePrivacy Regulation”) designed to update the electronic communication sector and align e-Privacy laws with the implementation of the GDPR (as discussed above). Significantly – and despite calls from many who believe such a timeline to be unrealistic – the ePrivacy Regulation is intended to enter into force on 25 May 2018, at the same time as the GDPR.
Some of the main features of the ePrivacy Regulation include widening the scope of its ambit to include new players in electronic communications, such as Whatsapp, Facebook Messenger and Skype, and confirming that consent must be given for any unsolicited commercial communications (although the current soft opt-in for electronic mail remains). For more information about the ePrivacy Regulation and how businesses should prepare, see here.
Trade Secrets Directive
The Trade Secrets Directive (“TS Directive”) is designed to harmonise the law on the protection of trade secrets. EU Member States have until 9 June 2018 to transpose the TS Directive into their national law. Assuming that the UK complies with its obligation to implement the TS Directive, it will be implanted into UK law prior to Brexit and will remain as part of UK law as a result of the EU (Withdrawal) Bill.
The impact of the TS Directive is unlikely to be significant in the UK as there is already a relatively high degree of protection through the existing law of confidence and the protection of trade secrets has always been important. However, for UK businesses with a presence in EU, the TS Directive should provide another level of protection in those EU jurisdictions.
Under the TS Directive, the third limb of the definition of ‘trade secret’ requires ‘reasonable steps’ to have been taken to keep the information confidential. It is advisable therefore for companies to develop policies to identify their secrets and protect them as this would mean that such information would fall under the TS Directive’s ambit. For example, companies may want to protect confidential information by using encryption or passwords and/or training staff so they know what a trade secret is and the consequences of misusing it.
Cyber Security Directive
The Network and Information Security Directive ((EU) 2016/1148) (the “NIS Directive”) is designed to compel essential service operators to take the necessary action to protect their IT systems. EU Member States have until 9 May 2018 to transpose the NIS Directive into their national law.
The NIS Directive allows the UK to determine which organisations are operators of ‘essential services’ in sectors such as banking, finance, transportation, energy and healthcare. The NIS Directive also applies to digital service providers such as search engines and cloud computing service providers. It requires them to take, amongst other things, appropriate and proportionate technical and organizational measures to manage the risks to the security of their network (and notify the relevant authorities regarding serious cyber incidents).
The NIS Directive is currently subject to consultation in the UK, but the government has announced that it intends to implement the NIS Directive regardless of Brexit. The increasing cost and damage inflicted by cybercrime has made this an area of increasing priority. It is important therefore that businesses take the time to make sure that they have the necessary policies and procedures in place to protect them from cybercrime.
For more infomration please contact Freddie Law on +44 (0)20 7427 6522 or at Freddie.Law@crsblaw.com.
Fiona Edmond and Mark Smith write for Property Week on data centres as an infrastructure asset class
The complexity of operational issues is something those new to the sector may not anticipate and interest is likely to increase.
Charles Russell Speechlys advises discoverIE on its acquisition of Antenova
discoverIE is a leading international designer, manufacturer and supplier of customised electronics to industry.
Coded messages for landlords and tenants
“What does the code of practice mean for landlords and tenants? Read more here”
Gareth Mills writes for Lexology Getting The Deal Through on technology disputes in Bahrain
The most common disputes occur following perceived or actual failures to deliver required technology services an lack of clarity.
Charles Russell Speechlys advises Acora on acquisition of Westgate IT
Westgate IT specialises in providing IT support to businesses in the South West.
Jason Saiban writes for Food Manufacture on the food industry's climate change challenge
The key challenge will be how the environmental targets are actually met.
Grab the tail by the horns - Why is tail spend so critical in today’s outsourced portfolio?
It’s usually invisible, but in all likelihood, you’ve got tail spend.
Charles Russell Speechlys advises Appital Ltd on £2.5m Investment led by Frontline Ventures
Appital is an Equity Capital Marketplace which aims to bring innovation to Equity Capital Markets.
Mark Hill writes for In-House Community Magazine on solutions templating, a new priority for in-house legal teams
Removing the burden from legal teams, contract managers and administrators.
Charles Russell Speechlys advises Metier on US$39m investment into Africa Mobile Networks
AMN builds, owns, operates and maintains mobile network infrastructure in Africa.
Olivia Crane quoted by SoGlos on the increasing issue of cyber fraud being faced by businesses in Gloucestershire
Cyber fraud has cost Gloucestershire businesses around £369,800 in the last 13 months.
Tattoos, athletes and image rights
Campaigns featuring athletes often include visible tattoos and a number of recent legal cases demonstrate the issues that may arise.
Blue Sky Linking
Daniel looks at Sky's recent success in obtaining interim protection from infringement of their broadcast rights
The regulation of big tech: a changing tide?
Sonia takes a look at the two main areas where the UK is increasing the regulation of Big Tech in 2021
Don’t Gamble on Bingo Ads, Warns ASA
The ASA has issued a reminder to advertisers that bingo adverts will be treated as gambling ads for the purpose of standards regulation.
Recording Phone Calls: Don’t take Consent for Granted
What if an interviewee who is being called and interviewed “live” does not actually know he/she is on live television?
Continuing Progress in the Sphere of Inclusive and Non-Discriminatory Advertising
The latest developments from the ASA, CAP and BCAP relating to the advertising regulators’ attempts to tackle discrimination in advertising.
eCommerce and the Post-Brexit State of Play
Key UK and EU legislation governing how online platforms deal with consumers and their business users.
Top 7 Data Protection Tips for Employers
Here are our top 7 data protection tips for employers.
There has been an increase in online phising attacks over the past year - but why?