With the latest Brexit deadline now confirmed as 31 January 2020 and a no-deal Brexit remaining a possibility, both overseas and UK businesses (which may include UK subsidiaries of multinationals) should review their key cross-border contracts. Such contracts may, for example, be affected if the consequences of Brexit result in a significant increase in costs due to new tariffs, trade barriers or currency fluctuations. Contracts that depend on a regime that may no longer apply after Brexit, such as free movement of people, may also need to be amended or renegotiated.
In response to the uncertainty surrounding Brexit and the period that might follow Brexit – and, in particular, a no deal scenario - parties are increasingly seeking to include bespoke provisions dealing with Brexit. Such clauses trigger some change in the parties’ rights and obligations because of a defined Brexit event, in order to provide some protection against Brexit-related risks. Brexit clauses can take various forms and may not be appropriate in all circumstances. For example, a Brexit clause may not be needed where the parties can terminate without penalty on short notice or in short-term contracts.
Some options that could be considered for a Brexit clause include:
Alternatively, the clause could provide that the agreement will continue unless there is an urgent need to terminate for licensing or another regulatory reason following Brexit. This approach may be appropriate if the parties not only wish to include a Brexit clause but also want to limit as far as possible the circumstances in which it can be invoked.
Brexit clauses are similar to the types of clauses already often deployed by contracting parties in order to deal with unexpected adverse events. For example:
It is debatable whether or not either clause in its standard form would allow a party any respite from its obligations because of Brexit. In any event, for contracts entered into since the referendum vote in June 2016, it will be difficult to argue that the adverse effects of Brexit were unforeseen. Indeed, since the Brexit vote in 2016 some parties have been seeking to exclude Brexit expressly from the definition of a force majeure event.
Under English contract law, a contract is ‘frustrated’ if an event occurs which the parties could not have foreseen when contemplating the contract that radically alters the parties' performance of the contract such that it would be unjust for them to continue. Since the effect of frustration is to release the parties from further contractual performance, the bar for a finding of frustration is set high by the courts.
The issue of whether Brexit can constitute a frustrating event was considered by the English High Court in the recent case of Canary Wharf v European Medicines Agency . In this case the European Medicines Agency (EMA) - the EU agency responsible for the approval of medicines - argued that its 25-year lease on premises in London, granted in 2014 and worth a reported £500 million, with the Canary Wharf Group was ‘frustrated’ by Brexit.
Unfortunately for the EMA, the High Court held that, in this case, the lease had not been frustrated by Brexit. Consequently, the EMA remained liable not only to pay rent but also to perform its other contractual obligations for the remainder of the term. The EMA was given permission to appeal to the Court of Appeal, but this appeal was withdrawn following a settlement reached between the parties in July 2019.
The EMA case affirms that the English common law doctrine of frustration is unlikely to save contracting parties from contracts entered into that have since turned out to be a bad deal because of Brexit.
In addition to considering whether to include a specific Brexit clause in a contract, assess what amendments might be needed to existing contracts or included in future contracts. For example:
There are also a number of practical steps businesses should take in order to ensure that their business partners and contacts in the EU will be able to continue to share personal data with them following Brexit. This is because, once the UK has left the EU, it becomes a third country from an EU perspective. GDPR requirements for transferring data to third countries will apply and that personal data transferred to the UK from the EU must have adequate levels of protection. For example:
The UK government is planning on seeking an adequacy decision from the European Commission for the UK. This means that the UK’s data protection regime would be recognised by the European Commission as ‘essentially equivalent’ to those in the EU. As a result, data will be able to flow from the EEA without the need for businesses to adopt any other specific measures to allow the international transfer of personal data.
This arrangement will not be in force immediately post-Brexit as the European Commission’s assessment as to whether the UK’s data protection regime is ‘essentially equivalent’ will only start when the UK has left the EU and become a third country.
Until an adequacy decision in favour of the UK is in place, UK businesses that want to receive personal data from businesses established in the EU should work with their EU partners to identify a legal basis for those transfers such as the BCRs and SCCs mentioned above.
For most businesses, the most relevant alternative legal basis is likely to be the SCCs. While this mechanism would allow UK-based businesses to continue to receive personal data from the EU, it will not be sufficient to allow UK businesses to transfer EU personal data to a third country that does not have an EU adequacy decision without further measures being put in place. However, transfers of personal data from countries outside the EU to the UK are likely to remain the same.
Transfers of personal data from the UK to the EU/EEA will not be restricted. In addition, transfers of personal data from the UK to countries outside the EEA are likely to remain similar to the pre-Brexit position. This is because the UK government has confirmed that there will be transitional arrangements to recognise most existing EU adequacy decisions, the SCCs and the BCRs.
If an organisation is relying on BCRs, they will need to be updated to reflect that the UK is a third country and, if such BCRs have been authorised by the UK Information Commissioner’s Office (ICO), they will need a new Lead Supervisory Authority (LSA) within the EU/EEA.
The UK Information Commissioner is preserving the availability of the Privacy Shield for UK personal data flows to the US. However, to take advantage of this, Privacy Shield-certified companies will need to state expressly in their Privacy Shield policies their commitment to applying the Privacy Shield principles to UK personal data. They will also need to make this commitment clear in their human resources (HR) privacy policies if importing HR data from the UK.
After the UK has left the EU, businesses that do not have a presence in the EU or the UK but intend to offer goods and services and/or monitor individuals located in the UK and the EU/EEA may require both a UK representative under the UK GDPR and an EU/EEA representative under EU GDPR.
For example, a company in India, which has no EU offices currently has to have an EU representative if it intends to sell goods to individuals located in the EU. After Brexit, this Indian company would need to have both an EU and a UK representative if it wishes to continue to sell goods to individuals in the EU and the UK.
In summary, it is clear that there is no ‘one size fits all solution’ when it comes to contracts and Brexit. Businesses should review their key contracts with UK counterparties and consider how these and future contracts are likely to be affected by Brexit. Businesses should consider if any of their existing contracts need to be amended or renegotiated in light of Brexit. Businesses should also review their data flows and transfer mechanisms and take steps to ensure that they will be able to maintain the free flow of personal data from the EU/EEA to the UK following Brexit.