What impact will Brexit have on contracts, NDAs and GDPR?

The following FAQs provide practical advice and guidance about the implications of the UK leaving the EU.

Brexit FAQs | Contracts, NDAs and GDPR

What will happen to my contracts with EU customers after Brexit?

It is advisable to have your contracts reviewed by a lawyer if they cross the UK/EU border in some way (for instance, one party is EU-based, goods are sold in the EU etc.)

The key points to consider within contracts are:

  • Does your contract refer to the EU? If so, how is ‘EU’ defined? It is important that the UK isn’t accidentally included or excluded from your contract
  • Are the references to legislation correct? For instance, does the contract refer to EU legislation that is no longer applicable to the contract?
  • Is Brexit covered in force majeure scenarios? Do you want it to be if it becomes unprofitable or administratively burdensome to continue with the contract after Brexit?
  • Are there VAT changes, import tariffs etc. that should be reflected in the contract?

Will new contracts need to be drafted and signed after Brexit?

Depending on the basis on which the UK leaves the EU it’s safe to assume that in most instances entirely new agreements will not be necessary. Amendment of pre-existing agreements more than likely will require the following questions to be answered however:

  1. Will the Brexit outcome affect the rights, obligations, costs and/or fees of performance of the contract by one party or both?
  2. Would the changes best be dealt with by a pre-existing Force Majeure clause dealing with matters which are beyond the ability of a party or the parties to control and which as such may frustrate the contract or is this an over-reaction to the disruption or difficulty the parties might face?

What is important to bear in mind is the fact that parties are contractually obliged to perform a contract, even if that contract is no longer financially or otherwise viable. Unless these issues are considered and addressed and so, therefore, the scope for contract variations to be required is extensive and the sooner you realise that a contract requires variation the sooner you will repair or avoid potential injury or loss to your business.

Can I use a “Brexit” clause?

A Brexit clause will try to anticipate likely outcomes of the Brexit negotiations:

  1. Will a Brexit outcome affect the rights, obligations, costs and/or fees of performance of the contract by one party or both?
  2. Does the clause therefore need to be drafted to the benefit of one party or both parties?
  3. Does a clause need to identify specific outcomes in relation to specific obligations/costs etc?
  4. Would the changes best be dealt with by a pre-existing Force Majeure clause dealing with matters which are beyond the ability of a party or the parties to control and which as such may frustrate the contract or is this an over-reaction to the disruption or difficulty the parties might face?

What issues could arise under your existing contracts?

What is important to bear in mind is that parties are contractually obliged to perform a contract, even if that contract is no longer financially or otherwise viable, unless these issues are considered and addressed. Therefore the scope for future contract variations to be required is extensive and the sooner you realise that a contract requires variation the sooner you will repair or avoid potential injury or loss to your business.

How will Brexit affect GDPR?

If there is no Brexit deal by the end of October 2019, the UK Government intends to write GDPR into UK law. However, there will still be some issues, particularly for international data transfers, as the UK will no longer be recognised as part of the EEA (i.e. where personal data can be freely transferred). This is, of course, unless the EU formally recognises the UK as having an equivalent data protection regime in place.

If a UK business is looking to transfer data outside the EEA, the UK Government will permit these transfers, and those EEA businesses will already have GDPR-compliant processes in place. So there are unlikely to be significant issues with such transfers. 

However, a transfer from the EEA to the UK is likely to be more problematic. If the EU doesn’t recognise the UK as adequate for personal data transfers, then the EEA sender must have put in place appropriate safeguards (e.g. standard contractual clauses) to allow the personal data to be transferred to the UK.

The other alternative is that an exception applies, which allows the data to be transferred without these safeguards (e.g. an individual has consented to the transfer, or the transfer is necessary to perform your contract with an individual). It is likely that businesses will need to update their contracts to ensure that standard contractual clauses are included, where needed.

Will the UK still be regarded by the EU Commission as a ‘safe third country’ outside the EU so that personal data can continue to be transferred to the UK from the EU?

Data protection presents two very distinct challenges:

a) The European Data Protection Board (EDPB) has issued guidance to businesses to the effect that, in the event of a no-deal outcome, the UK will be considered a third country from 00.00 hrs 1 November 2019. If this occurs, then there is currently no adequacy decision in place (which is the necessary indication that the EU considers the data protection environment of a third country as meeting the standards required of a member country). If this remains the case, any transfer of data  to the UK from an EU member state will need to be made on the basis of the current and developing procedures for transfer to a non-member state (with the exception of the USA):

  1. standard contractual clauses (SCCs)
  2. binding corporate rules (BCRs)
  3. codes of conduct and certification which the EDPB is in the process of developing, or
  4. potentially one-off derogations from the standard procedures.

The EDPB has advised that businesses prepare to:

  • Identify what processes in business require data transfer from the EU to the UK.
  • Put in place the appropriate process to manage the safe transfer of data (SCCs; BCRs etc.) before 30 March 2019 at the very latest, where the impact would be most detrimental
  • Heighten awareness amongst staff involved where transfers to the UK occur
  • Update privacy policies to reflect the change in procedure and in UK status

b) Data transfers to the USA which have to date been protected under the Privacy Shield arrangement which the EU has in place with the USA (and which are still being challenged in EU courts by Austrian Max Schrems) will no longer automatically apply to UK data transferred to the USA.

The US Dept. of Commerce issued advice at the end of last year indicating that unless the US corporations involved indicate in their published materials (including privacy policies) that the Privacy Shield Framework will still apply to data transfers from the UK, the data transferred will no longer be protected. The cut off (“Applicable”) date will be 31 October 2019 in the event of no-deal and 31 December 2020 if a deal has been agreed. Either way it is incumbent upon US corporations to make the necessary changes and UK business, charities and individuals should pay heed to the actions of US corporations who host their data on servers beyond the EU and UK.

You may also be interested in:

 

Employment

Trade and the UK economy

Business regulation

Why use LawBite?

We're Brexit experts - regulated and experienced UK Lawyers

Fully regulated, qualified & insured lawyers give you the widest range of expertise and experience tailored to your needs.

Show more
  • Clive Rich LawBrief Mediator and Arbitrator
    Clive Rich
  • Adrien Herbert LawBrief Solicitor
    Adrien Herbert
  • Andrew Smith LawBrief Solicitor
    Andrew Smith
  • Laura Symons
    Laura Symons
  • Raza Naqvi LawBrief Solicitor
    Raza Naqvi
  • Barbara Jamieson LawBrief Solicitor
    Barbara Jamieson

Related services