The United Kingdom exited the European Union on January 31, 2020, and the Brexit transition period ended on December 31, 2020. The EU-UK Trade and Cooperation Agreement has been in effect since January 1, 2021. U.S. technology companies need to be aware of the key implications for their businesses arising from the UK’s new status as a “third country” outside the EU.
There is no longer free movement of people between the EU and the UK. The Trade and Cooperation Agreement includes a framework for new mobility routes for business travelers but does not confer any new residence rights. EU nationals who were lawfully resident in the UK at the end of the transition period and wish to stay must register to preserve their rights under UK law.
British citizen employees residing and working in an EU member state must comply with national requirements to protect their continued right to reside and work in that state after the end of the transition period. For people moving to the UK after the end of the transition period, there are new immigration rules that will apply. Applications can now be made for the new Skilled Worker and Intra-company Transfer visa.
For technology companies in the UK, the message is clear. Whilst freedom of movement for EU nationals to the UK has ceased, most work visa restrictions have been removed. It will be much easier to sponsor non-UK nationals as new hires.
EU to UK data transfers: Transfers of personal data from the EU to the UK now constitute a transfer of personal data to a third country. As the UK does not yet have an adequacy decision, the EU-UK Trade and Cooperation Agreement includes a temporary arrangement allowing personal data transfers for four months, extendable up to six months. During this period, alternative safeguards such as standard contractual clauses are not required.
Data transfers from the UK: The UK will continue to treat EU countries’ laws as adequate. On this basis, transfer adequacy mechanisms are not needed for UK to EU data transfers.
Personal data transfers to other jurisdictions will be as per the pre-Brexit position. EU adequacy decisions and alternative safeguards are recognized for these transfers.
Lead supervisory authority and representative issues: The General Data Protection Regulation “one-stop shop” no longer applies in the UK for investigations that have a multicountry dimension. Organizations could face distinct investigations and sanctions in the UK and the EU. In a large-scale data breach, for instance, both the Information Commissioner’s Office and at least one EU regulator may need to be notified, and each could follow up with distinct investigations and sanctions.
TRADE, TAX AND TARIFFS
Trade both ways between the EU and UK is tariff and quota free, but customs declarations and procedures are necessary for the import and export of goods into and out of the EU and Great Britain. UK businesses must have an Economic Operator Registration and Identification number. For value-added tax purposes, businesses that have relied on a UK-based Mini One Stop Shop need to re-register in an EU jurisdiction.
Until June 30, 2021, there will be a simplified import customs clearance system for imports into the UK from the EU. From then on, full formalities will apply. Full export declarations for exports from the UK to the EU have been required since January 1, 2021.
The EU-UK Trade and Cooperation Agreement does not include any provisions relating to the enforceability of business contracts or the mutual recognition and enforcement of judgments. As to the choice of governing law, the Rome I and Rome II EU regulations governing the choice of law have been incorporated into UK law and continue to apply.
With regard to enforceability for cases commenced after January 2, 2021, the Hague Convention will be applicable, and the UK may accede to the Lugano Convention in due course. Hague only applies to exclusive jurisdiction clauses and the enforcement of judgments based on these clauses in civil and commercial matters. In other cases, English common law rules, which are generally less predictable, will apply.
Practically speaking, permission to serve a claim outside of the jurisdiction will almost always be required unless the Hague Convention applies.
ONLINE TECH SERVICES AND REGULATORY COMPLIANCE
The EU’s E-Commerce Directive no longer applies to the UK. Article 3 of the directive provides “passporting” protection for online service providers established in the EU, which allowed them to operate in any European Economic Area country while only following relevant rules in the country in which they are established. UK companies providing online services across the EU now need to comply with the national rules applicable to their services in each EU country where their services are available.
EU trademarks and registered and unregistered community designs no longer have effect in the UK. Comparable UK trademarks and registered community designs have been automatically created, at no charge, and have been in effect since the end of the transition period. This does not apply to pending applications. Companies with pending applications should apply to register a comparable UK trademark as soon as possible. For new filings, companies should dual-file in the EU and UK.
SOFTWARE EXPORT CONTROLS
The UK is now a third country for EU export control purposes. The EU General Export Authorization for the export of all dual-use items, including encryption software, now covers exports from the EU to the UK. For transfers from Great Britain to the EU, an open general export licence covers the export of dual-use items, and includes encryption software.
Conformity assessments carried out by UK bodies prior to the end of the transition period are no longer valid for EU purposes.
In the UK, it will be possible in most instances to use the EU CE mark until January 1, 2022. The new UK Conformity Assessed mark is also available and must be used after that date.
The EU Geo-Blocking Regulation has been revoked in the UK. As a result, companies are not prohibited from discriminating in the UK between EU customers and UK customers in their on-line businesses. Within the EU27, the EU regulation will continue to apply to UK businesses.
Companies operating in the UK and the EU should consider potential exposure to parallel investigations by the European Commission and UK Competition and Markets Authority.
By Roger Bickerstaff, Yuichi Sekine, Elizabeth Upton, Sally Shorthose, Nick Aries and Bryony Hurst
Roger Bickerstaff, Sally Shorthose, Nick Aries and Bryony Hurst are partners at Bird & Bird LLP. Elizabeth Upton is Legal Director, Privacy & Data Protection, and Yuichi Sekine is Head of Business Immigration.