Enter your email address:

Delivered by FeedBurner

Mills & Reeve: Technology Law Update

Full_Scale_Ahead_campaign_banner

Mills & Reeve: Full Scale Ahead

  • Our thought leadership campaign, Full Scale Ahead, explores the challenges the owners of medium sized businesses face when deciding how to grow. Find out more here.

Disclaimer

  • The information on this blog is not legal advice. You should not rely on it and we don't accept liability in connection with it. Please read our full disclaimer and let us know if you would like us to advise on any legal issue.

eCommerce

Your chance to shape new cyber-security rules

Amid the noise about the introduction of data privacy reforms under Europe’s General Data Protection Regulation, the GDPR, less attention has been paid to the Network and Information Systems Directive. The NIS Directive calls on EU member states to introduce cyber-security requirements for “Operators of Essential Services” (OESs), with a less stringent set of obligations for certain groups of "Digital Services Providers" (DSPs).

Implementation of this EU law is due in May 2018. The UK will still be part of the EU at that date and so must take steps to include it in national law. The UK Government has now issued a consultation on what the UK’s implementation will look like, and expressly stated its support for the overall aim of the new rules.

Although previously relying on market forces to spur security developments, the Government recognises that those hit by a security breach rarely incur all of the resulting losses – so “have a less than optimal incentive” to make necessary investments in the security of their networks.

Without board-level focus on, and a good understanding of, cyber-security issues, organisations tend to exhibit a poor cyber-security ethos. According to a study published in the Harvard Business Review (HBR) earlier this year, cyber-security is viewed by many company directors as a lower level risk – akin to the need to pay compensation or supply chain issues – rather than a fundamental issue potentially resulting in significant financial, reputational and other long-term damage.

The adequacy of an organisation’s processes and procedures, and its cyber-security culture, strongly depends on managers’ understanding of the issue. The IT and Telecoms industries tend to have the strongest cyber-security cultures – with specific processes for ensuring that security is discussed regularly, management information on cyber issues is both available and informative, and planning for cyber breaches is kept updated. In contrast, and despite frequent cyber-attacks, 79% of healthcare-linked respondents to the HBR survey did not consider their organisation’s processes to be robust. It seems that Government action to take the issue up the agenda is necessary.

The Government’s consultation asks for views on what organisations and businesses will be affected by the new rules, the obligations they will have to comply with and the regulators that they will have to answer to.

This is your opportunity to comment on the shape of the new legislation, including:

  • the identification of OESs (operators and providers of infrastructure and services like energy, transport, water, healthcare) and DSPs (providers of online marketplaces, online search engines, cloud services, etc.)
  • setting up a national framework, including the planned selection of competent authorities on a sector basis
  • the security requirements for OESs and DSPs
  • incident reporting for OESs and DSPs
  • the penalty regime (maximum penalties to track those in the GDPR but which are only intended to be used as a last resort).

The deadline for responses is 30 September 2017.

Claire Williams

Posted by on 16/08/2017 at 14:39 | | Comments (0)

Plans for a new Data Protection Bill

The collection and use of private information by business is a hot topic, with the tech giants frequently in the news accused of going too far. Cold-calling companies contacting us out of the blue with unwanted products or services, and indiscriminate collection and retention of information about suspects are other by-products of the information age. It is high time for individuals’ rights to be improved.

The EU’s reform programme is set for full roll-out in May 2018. While the UK remains an EU member, reforms under the centrepiece of the legislation, the EU General Data Protection Regulation or GDPR, will apply automatically as of May 2018. But the UK has scope to dial protection up or down in particular areas. It must also take steps to introduce reforms to data processing by law enforcement agencies.

After a consultation process earlier this year the UK Government has now published its plans for a Data Protection Bill.

The UK will deploy the flexibility in the GDPR in the following ways:

  • The age at which children can give consent to processing is set at 13 years.
  • It will remain permissible to process personal data on criminal convictions and offences in certain circumstances, eg employers carrying out criminal records checks, driving insurance fraud prevention, safeguarding of vulnerable individuals.
  • Automated decision making (profiling) will be allowed in some situations, such as creditworthiness checks by banks.
  • The current balance between privacy and freedom of expression for journalists will be maintained.
  • Rights of individuals to ask for deletion etc in relation to data being used for publicly beneficial purposes, like research, archiving and statistics-gathering activities, are restricted.

The following new criminal offences will carry potentially substantial fines:

  • Intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data, or knowingly handling or processing such data
  • Altering records with intent to prevent disclosure following a subject access request.

The offence of unlawfully obtaining data will be widened to include unlawfully retaining data.

And as has been widely discussed the ICO will be able to impose civil fines of up to £17m or 4% of global turnover.

The Data Protection Bill will also address:

  • implementation of the Data Protection Law Enforcement Directive. This will allow processing by UK criminal justice agencies and information sharing across borders, with appropriate safeguards; and
  • a revised data protection framework for national security purposes.

We expect the Bill itself to be laid before Parliament in early September. This will flesh out the plans in greater detail. It remains important for organisations to prepare now for implementation next year.

Paul Knight

Posted by on 08/08/2017 at 15:37 | | Comments (0)

Plans for an EU Blockchain Observatory and Forum

Is blockchain about to take over?

Blockchain is increasingly cited as the solution to many of the world’s problems, offering a low friction, tamper-resistant record of transactions or processes.

Harvard Business School’s Iansiti and Lakhani argue that although blockchain offers great promise, “True blockchain-led transformation of business and government… is still many years away.” They argue that “It would be a mistake to rush headlong into blockchain innovation without understanding how it is likely to take hold”, and recommend a step by step approach to organisations planning to implement the technology within their activities.

EU focus on blockchain and distributed ledger technologies

There is increasing focus on blockchain and distributed ledger technologies among EU legislators and institutions, within a specific FinTech context and more broadly.

A May 2016 European Parliament report focusing on virtual currencies also emphasised the potential for Distributed Ledger Technologies beyond financial transactions. The MEPs’ resulting resolution identified:

"DLT’s potential to accelerate, decentralise, automate and standardise data-driven processes at lower cost has the potential to alter fundamentally the way in which assets are transferred and records are kept, with implications for both the private and the public sector, the latter being concerned in three dimensions: as a service provider, as a supervisor and as a legislator."

Blockchain now has a place both in the parts of the EU Commission dealing with financial services and digital technology. These units have come together to establish the Financial Technology Task Force. A recently closed consultation by the FTTF called for views on distributed ledger technologies in a financial services context.

Plans for a Blockchain Observatory and Forum

Now the EU Commission’s Digital Single Market programme, is calling for proposals to set up a new organisation dealing with Blockchain and Distributed Ledger Technologies in their broadest sense, and has €500,000 to spend. The plan for the proposed Blockchain Observatory and Forum is “to identify and provide analysis of the technological and organisational trends of emerging issues in an agile way”. 

The call for tenders is open until 25 September.

 

Posted by on 03/08/2017 at 17:43 | | Comments (0)

Hidden pitfalls in T&Cs: are they enforceable?

In a recent prank, thousands of free WiFi users inadvertently agreed to 1000 hours community service by accepting public WiFi business Purple’s T&Cs without question. The possible duties ranged from “painting snail shells to brighten up their existence” to cleaning toilets and scraping up chewing gum. Only one person (0.000045% of users) flagged up the spoof clause in return for a prize.

A lot of people don’t read the small print. This raises an interesting question of whether unfair clauses in standard terms can be enforced.

There are laws which protect consumers and, to a lesser extent, businesses against unfair/unreasonable terms.

The “community service clause” here is an unexpected hidden pitfall and is unlikely to be valid against a consumer. To be enforceable, any consumer-facing terms should be drafted in a transparent way: consumers need to be able to foresee the possible consequences of the terms. However, if the clause was expressly drawn to the attention of the consumer when entering into the contract, it would be more likely to be valid.

Businesses don’t have the same rights and this unusual clause would be more likely to be valid against a business. Although there are some exceptions (eg, if a supplier unreasonably limits its liability in its standard terms of business), the courts will not routinely relieve a business from an unreasonable contract or a bad bargain.

This highlights the importance of making consumer terms accessible and easy to understand, and bringing unusual clauses prominently to the attention of a consumer. The terms should set out all rights and duties in a clear and comprehensible way in ordinary language. Short documents, short sentences and easily understood headings covering recognisably similar issues will also help.

Hannah Shaw

Posted by on 21/07/2017 at 10:08 | | Comments (0)

Reform of the ePrivacy rules – will your business be affected?

Alongside data protection law runs a set of rules relating to electronic communications – the Privacy and Electronic Communications Regulations (EC Directive) 2003, or PECR. Data protection law reform has been centre stage recently, with the General Data Protection Regulation coming into effect in May 2018. But plans to reform EU legislation underlying PECR have not been widely discussed. EU law-makers intend to introduce the changes along with the GDPR next May. The details of the changes are not hammered down yet. This presents a problem for any organisation that uses technology to communicate with the public. In this blog, we take a look at the existing rules, and the likely changes that will (or may) come in next year.

What do the current rules say?

The existing rules give individuals specific privacy rights relating to electronic communications. The scope of electronic communications is explained in guidance made available by the Information Commissioner’s Office, and includes phone calls, faxes, text messages, video messages, emails and internet messaging. The rules deal with cookie notices, cybersecurity, customer privacy and importantly consent to receiving messages or calls. Briefly:

  • Unsolicited messages require an opt-in from the customer.
  • Previous dealings with a customer can replace the need for opt-in consent in relation to similar products and services, if a suitable unsubscribe mechanism is offered.
  • Unsolicited live phone calls are not permitted where someone has registered with the Telephone Preference Service or told you they don’t want your calls.
  • Unsolicited automated calls are only allowed with specific consent.

What’s changing?

The planned rule changes in the new ePrivacy Regulation are substantial. As currently drafted the Regulation would:

  • Remove separate security obligations, which will be covered under the GDPR, but introduce customer notification of specific security risks.
  • In terms of cookies and other online tracking devices, shift focus from website cookie banners to users’ browser settings, and seek to address issues around ad-blocking and Wi-Fi location tracking.
  • Tighten the rules on marketing, with the default position being that all marketing to individuals by phone, text or email must be opt-in.
  • Incorporate the GDPR’s two-tier system of fines of up to €20 million, or 4% of worldwide turnover if greater, for breaches of some parts of the Regulation.
  • Apply to services providing so-called "over-the-top" communication channels over the internet, such as Skype, Messenger or WhatsApp. It will also apply to businesses providing customer Wi-Fi access, and machine to machine interactions (IoT), as well as the traditional telecoms and internet providers.
  • Apply to organisations based anywhere in the world if they provide services to people in the EU.

The UK government has confirmed its intention to implement the changes.

Plans to settle and implement the new rules by May 2018 seem ambitious. Only partway through the legislative process, they have already generated debate and conflicting views. Consumer organisation BEUC, for example, considers the draft to be too limited and has called for much stronger protection in areas like default privacy settings and location tracking.

And once finalised, businesses are likely to be left little time to implement the new regime. Potentially affected organisations will need to monitor progress and be ready to work towards compliance once a final position is agreed, probably at the end of 2017 or early in 2018.

Paul Knight

Posted by on 12/07/2017 at 09:44 | | Comments (0)

Morally questionable trade marks: why the US and Europe see things differently

The United States

In a landmark ruling last week, the US Supreme Court held that the rule against disparaging trademarks in the Lanham Act is unconstitutional under the First Amendment right to free speech. The case concerned an application by a rock band to register "THE SLANTS" (widely used as a slang, derogatory term for people of Asian descent) as a US Federal trademark. The band, themselves Asian American, were making a point, reclaiming a word that had been used against them as an insult. They certainly gained themselves some publicity along the way.

Why was the rule unconstitutional?

The Lanham Act forbids the registration of trademarks that may “disparage… persons, living or dead, or bring them into contempt, or disrepute”.

Initially The Slants' trademark application was rejected, but the courts at Federal Circuit level and now the Supreme Court went the other way.Their reasoning includes the following point.

“[A] fundamental principle of the First Amendment is that the government may not punish or suppress speech based on disapproval of the ideas or perspectives the speech conveys.” The Lanham Act rule wrongly “reflects the Government’s disapproval of a subset of messages it finds offensive.”

Europe

EU trade mark law has its own morality rule. It prohibits registration of signs "which are contrary to public policy or to accepted principles of morality". Trade marks should not be a tool to "assist people who wish to further their business aims by means of trade marks that offend against certain basic values of civilised society" (the SCREW YOU case, R 0495/2005-G). But this rule is not limited by the principle of freedom of expression in the European Convention on Human Rights. Why? Because ruling out registration as a trade mark does not stop the sign from being used.

EU law tries to find a middle ground between avoiding offending the exceptionally puritanical and adopting the relaxed views of those “who find even gross obscenity acceptable”. The EUIPO Guidelines give some good examples. Trade marks that refer to terrorists or terrorist groups, terms that are particularly offensive and insulting racially or sexually, and symbols of despotism (the USSR hammer and sickle) have been refused registration.

A complicating factor in Europe is its cultural diversity. A variety of languages each with their own slang terms, and different national histories and racial issues paint a complex picture. What might look perfectly innocent to an English speaker, for example, can be deeply insulting elsewhere. But the trade mark office or court will have to analyse the situation across the territory where the registration will apply.

In the UK, the 2006 decision to allow FCUK to be registered for use by the fashion brand French Connection is a well-known example. Although it could be misread as a swear word, it was not one. It could be used quite inoffensively and so was not intrinsically objectionable.  

Posted by on 27/06/2017 at 13:04 | | Comments (0)

General Data Protection Regulation (GPDR) Series, Part 2 - the importance of self-assessment

The General Data Protection Regulation (GPDR) (EU) 2016/679 of 27 April 2016 which comes into force in May 2018, will introduce major changes to the law on the processing of personal data in the European Union. Over the next ten months, several European Union and United States law firms we work very closely with will join us in providing you with more information on the GDPR. Different themes will be tackled month by month to help you prepare for the GDPR deadline. 

Part 2 of this GDPR Series is brought to you by Mills & Reeve. Other blog entries in this series will be brought to you by the law firms of FIDAL (France), Graf von Westphalen (Germany) and Van Benthem & Keulen (Netherlands) as well as Robinson & Cole (United States).

The importance of self-assessment

In any major project there is an analysis phase – involving a careful examination of your organisation’s current set-up and what needs to be done to deliver the project successfully. Preparing for the GDPR is no exception. Depending on the structures and practices of your organisation, compliance could require a significant allocation of resources to ensure that you are ready by the implementation date: 25 May 2018.

So what can be done to get started?

Perhaps the best first step is to conduct a self-assessment audit. This will help organisations map the likely impacts of the changes in data protection law on their activities.

A few key points are worth looking at in detail:

Management awareness

The development and implementation of a GDPR strategy requires strong leadership and the most effective strategies will be those that begin life as a boardroom priority, not least because fines of €20m or more may be issued under the new legislation. Organisations should be updating their risk register and organising work-flows to ensure compliance – recording any issues and allocating responsibility from senior management downwards. Depending on the scale of your activities, this might include the appointment of a Data Protection Officer under GDPR Article 37.

Accountability

‘Accountability’ is a “red thread” that runs throughout the GDPR – Article 5(2) states that controllers “shall be responsible for, and be able to demonstrate compliance with” the data protection principles, whilst Article 24 refers to controllers being able to “demonstrate that processing is performed in accordance with this Regulation”.

Organisations ought to be reviewing their framework of policies and procedures as well communicating those policies to staff and monitoring compliance. Part 1 of this series on GDPR mentioned the importance of promoting a risk-based approach and changing internal processes to comply with accountability risks. The right documentation will be key.

Know your data flows

Mapping data flows should be a priority. Work out where in your system personal data is received and where it is transferred out. Who has access to it and is that access necessary? Are there any security issues to be aware of at any point in your network? (eg ”internet of things” devices that connect to both your network and the internet and often do not have a high level of security – a prime example is CCTV).

Identify which of your data flows pose the highest risk to individuals. Some examples are already being heavily scrutinised under the current law – international transfers, large-scale marketing, profiling, behavioural analytics and fundraising activities are all typically deemed high-risk activities.

Fair processing information

Article 5 of the GDPR requires that personal data is processed lawfully, fairly and in a transparent manner in relation to the data subject. One of the best ways to comply with this will be to provide clear and full information up front to individuals about how, where and why you will be using their data.

A self-assessment exercise should focus on what fair processing information is currently given to individuals at the point of acquisition of their data. Information can be collected from various platforms – marketing lists, credit reference checks, Facebook / website sign-ups, or apps. Each platform may collect the data through different means, and require different processes. What is your condition for processing the data? Are you relying on consent and, if so, how is that consent obtained? Organisations should assess whether current consents are sufficient to meet the requirements under GDPR.

In particular, review whether any new projects are being planned and take a look at how privacy can be built into these from the start, particularly if they are likely to result in a high risk to the rights and freedoms of individuals.

Know your escape routes

There are a few ways in which the effects of the GDPR can be mitigated or disapplied. Remember that the GDPR only applies to data that falls within the definition of “personal data” – if you can effectively anonymise the data so that individuals are no longer identifiable then the principles of data protection will not apply (GDPR Recital 26).

Implementing technical and organisational security measures can also provide a safety net in the event of a data breach – Article 32 notes the importance of encryption of data and making back-ups. A strong self-assessment will look at what techniques are already being used to secure data, how these can be improved and how new techniques (eg pseudonymisation) can be harnessed.

Conclusion

Achieving GDPR compliance is a challenge and an early self-assessment is vital. Organisations wishing to know more can track the next instalment in this series, which will focus on consent and fair processing – two of the key topics that will require considerable thought to bring activities in line with GDPR compliance.

Edward Hadcock

Posted by on 15/06/2017 at 11:23 | | Comments (0)

Major cyber attack highlights need to be prepared

The recent crippling “WannaCry” cyber attack has affected businesses and public sector organisations around the world. Thousands of businesses, hospitals and government bodies have been subjected to the same ransomware attack, encrypting files and providing users with a prompt including a ransom demand, a countdown timer and a bitcoin wallet to receive the ransom. As the UK’s newly formed National Cyber Security Centre explains, while new attacks seem to have ceased, existing infections from the malware spread on 12 May may not yet have been detected and may yet come to light.

The NCSC is working with the National Crime Agency, and crucially, with international partners, to tackle the current threat, but this is a reminder for all organisations to review their policies and procedures around cyber security.

What do businesses need to do to be best prepared?

Technical measures

The NCSC has three key recommendations for all types of organisations:

  • Ensure that security patches and updates are applied in a timely way.
  • Use “proper” (ie good quality and up-to-date) antivirus software
  • Back up your important data. This is particularly important to fend off ransomware attacks. If you can access your backed up data you cannot be held to ransom.

Increasingly sophisticated counter measures are becoming available. One example is Antigena offered by cyber defence leader Darktrace. Antigena provides an automated response technology that augments human security teams by reacting autonomously to in-progress cyber threats.

Many businesses make use of penetration testing services, where skilled hackers are hired to try to get past your defences. Using a service provider authorised under the NCSC’s CHECK scheme will help to ensure that the provider is competent and secure.

Employee education and working practices

Harnessing the vigilance of your workforce is a vital component of cyber security. Areas of vulnerability include:

  • Mobile and remote working. Can a user’s device be overlooked, lost or stolen? Can security credentials be accessed? A range of measures can be taken to minimise the risk involved in working remotely. For example, organisations can keep the amount of data stored on a mobile device down to the minimum necessary to carry out the required business activity.
  • BYOD. Use by staff of their own devices for work presents its own security risks. If a device is stolen, for example, could you remotely remove any sensitive data stored on it? You’ll need a risk-assessed policy that is communicated to all relevant staff.  Remember that any personal data that is processed in this way is likely to fall within the responsibility of the employer as data controller and be subject to data protection laws.
  • Passwords. With individuals now expected to maintain numerous separate passwords, employers are re-visiting current thinking on password policies. Requiring users to regularly change their passwords is now considered to be potentially counterproductive, for example. Password rules are necessary, but they should be simple and easy to follow. 
  • Email. Training to help employees to spot increasingly sophisticated phishing and spoofing, and avoid clicking on links or attachments, can reduce the risk of malware being introduced into systems, although it can be difficult even for experienced users to identify criminal material.

Attacks like these present a serious threat to any organisation’s operations and productivity. In addition, where data relating to individuals is compromised, an organisation can become exposed to substantial regulatory penalties, the risk of compensation claims or awards, and adverse publicity through breach of data protection laws. These are soon to become tougher with the introduction of the General Data Protection Regulation from May 2018.

The UK’s approach is currently to work alongside and support industry to improve security across the network. (See for example, the National Cyber Security Strategy 2016.) However, increasing regulation and stricter penalties for failure cannot be ruled out for the future. 

David Hall

Posted by on 16/05/2017 at 12:03 | | Comments (0)

General Data Protection Regulation (GPDR) Series, Part 1 - introduction and overview

The General Data Protection Regulation (GPDR) (EU) 2016/679 of 27 April 2016 which comes into force in May 2018, will introduce major changes to the law on the processing of personal data in the European Union. Over the next ten months, several European Union and United States law firms we work very closely with will join us in providing you with more information on the GDPR. Different themes will be tackled month by month to help you prepare for the GDPR deadline. 

Part 1 of this GDPR Series is brought to you by FIDAL, a French law firm. Subsequent blog entries in this series will be brought to you by the law firms of Mills & Reeve, Graf von Westphalen (Germany) and VanBenthem & Keulen (Netherlands) as well as Robinson & Cole (United States).

GPDR Effective Date & Geographical Scope of Application

The GDPR will apply as of 25 May 2018. It provides a single set of innovative rules directly applicable in the entire European Union (EU), without the need for national implementing measures – which means that any personal data processing ongoing at this date must comply with the GDPR.  This leaves one year for companies to ensure compliance.

The GDPR provides for a scope of application wider than processing undertaken in EU countries. It will also apply to data controllers or subcontractors not established within the EU, but which process data with the aim of providing goods and services to EU residents or monitoring EU residents’ behaviour. 

Several steps should be taken by businesses in order to achieve compliance with provisions of the GDPR:

  1. Changes to internal processes to comply with the accountability rules

In order to effectively manage personal data protection within your business, an individual should be nominated to take charge of information and counsel, as well as organization of personal data activities. For many organisations, it will make sense to appoint a Data Protection Officer or "DPO" as of now in order to assess compliance as soon as possible, even outside the three mandatory legal circumstances imposed by the GDPR (public bodies, large scale monitoring and large scale processing of criminal convictions etc). In any event, an audit of personal data held and processing undertaken makes sense.

The nominated person can then map data processing within the business and build a record of all ongoing data processing. On the basis of this information, a list of necessary actions can be prepared and prioritized in the light of risks to data subjects’ rights.

In practical terms, the principle of accountability means that businesses must track and document their compliance with data protection rules and keep these records available to respond to an inspection by state authorities.

  1. Promoting a risk-based approach

If any processing is identified as carrying a high risk to data subjects’ rights, the business should then conduct a Privacy Impact Assessment (PIA).

In addition, internal processes should be developed in order to respond to events likely to trigger the controller’s liability, such as security breach, requests to access or rectify data, update of processed data, change of subcontractor, etc.

Data protection safeguards shall be built into products and services from the earliest stage of development ("Privacy by Design"), making use of techniques such as pseudonymisation and encryption.

  1. Data transfers

Data transfers outside the EU are subject to EU law for any subsequent processing and transfer. Standard Contractual Clauses, Binding Corporate Rules and the Privacy Shield scheme may still be used for transfers outside the EU. 

  1. Agreements between data controllers and their subcontractors

Data controllers’ agreements with their subcontractors agreements will have to incorporate new mandatory elements set out by the GDPR. Existing long-term agreements may need to be redrafted. Subcontractors will now have their own direct obligations in certain key areas such as record-keeping and security, separately from the obligations on data controllers. 

  1. A single data protection authority

In future, businesses will deal with one single supervisory authority in the EU country in which they are mainly based, rather than having to engage with authorities in all relevant countries. The lead authority will then work with other national data protection authorities to achieve an EU-wide approach.

  1. Negative impacts in case of a legal breach

Whereas the existing EU legislation (Directive 95/46/EC) leaves to Member States the task of determining and applying sanctions, the GDPR is more prescriptive. It provides for administrative fines to be imposed on data controllers and subcontractors. The amount of those fines can go up to the greater of 20 million Euros, and 4% of annual global turnover.

In the event of a serious data breach, companies will have to inform the relevant data protection supervisory authority within tight timescales, as well as the data subjects themselves in the event of the most serious breaches.

Isabelle Gavanon

Posted by on 08/05/2017 at 12:06 | | Comments (0)

Brexit, Article 50 and what it means for innovative businesses

The shock of last June’s referendum result, with the UK electorate opting to leave the European Union, is starting to fade. Now the hard graft begins. Tomorrow British Prime Minister Theresa May will trigger Article 50, starting the two year process of negotiations that will end with a deal, an untidy departure or (maybe) an agreement to keep talking. Since the first analysis of what Brexit will mean for businesses we have learned more about what the UK intends to keep and discard. How are things looking now?

Patents

The long-planned European Unitary Patent, and its associated Unified Patent Court, looked at serious risk after last June’s vote. Although the creature of separate agreements, the Unitary Patent is closely interlinked with the EU. But the UK has repeatedly stated that it intends to press ahead with ratification and has taken steps to get this done. The UPC’s Preparatory Committee is targeting December 2017 as the start date, so it seems that the system will commence before Britain’s departure, with the UK considering ways to remain a part of it into the future.

With one of the Central Court locations in London, and the UK as a major patent filing economy, there is a lot of enthusiasm across the European IP community to keep the UK in the system. And disentangling the UK post-Brexit would be complicated. But a major concern from a UK perspective is the role of the European courts as final arbiter of Unified Patent Court disputes. "Taking back control" was one of the key messages of the 2016 Leave campaign. As the Unified Patent Court will be a creature of an international agreement, and not a UK court, this is not the same as UK courts having to treat the Court of Justice of the EU as determining UK law. But, politically, a system where ultimate decision making remains with an EU institution will be difficult to square with the "control" objective.

Fortunately, the European Patent Convention is separate from the European Union and so businesses can rely on that tried and tested route to protection until the dust settles. Opting patents out of the Unitary Patent - patent owners should have this on their to-do list before the opening of the new court - may be the wiser course until it is clear where we will end up.

EU registered rights: trade marks, designs, and protected food and drink registrations

Trade mark protection for brands, and design protection for innovative designs, operate on parallel national and EU tracks. The national routes to registered protection in the UK will remain unaffected, but the widely used EU Trade Mark and Community Registered Design (EUTM and CRD) will no longer cover the UK. It is likely that existing EUTMs and CRDs will be given protection within the UK, discussed below.

Also, the EU’s Protected Geographical Indication system (giving registered protection to the names of foods and beverages such as Melton Mowbray pies, Stilton cheese, Scotch whisky, Parma ham and Champagne) may no longer apply to the UK. As there is no parallel UK system these names are vulnerable to loss of protection within the UK, as are the names of UK produce elsewhere in Europe, and it is not at all clear what, if any, system will be put in place to protect these names.

The UK Government promises to transpose EU law wholesale into UK law through a Great Repeal Act. We expect to see the proposed text soon. But a straightforward copy and paste of existing EU law will not work. The Government has recognised this and intends to use delegated powers to tidy up the many areas of detail where a simple replication will not make sense. But there will be a good many devils lurking in the details.

We have yet to learn what will happen to existing EUTMs and CRDs.

  • The UK could adopt a model of automatic conversion of any existing EU registrations to UK registrations. But this would crowd the UK register with a substantial number of registrations that are used only in other parts of the EU. For example, a brand that is used in Eastern European countries but not in the UK could form the basis of an opposition to future applications for UK marks that look or sound the same or similar. However, if these registrations are not renewed in the UK (which is likely if the owners have no interest in the UK market), then they will cease to have effect here.
  • The UK could actively require all owners of EUTMs and CRDs to apply to convert their registrations to corresponding UK registrations (subject to payment of a fee and within a specific time). There has also been talk that any such EUTMs will be subject to re-examination by the UK Intellectual Property Office for registrability (e.g. to check that they are sufficiently distinctive), but this would be onerous and potentially unfair to those owners, and would put a huge burden on the UK IPO.
  • Another approach might be simply to extend UK protection to existing EUTMs and CRDs, without taking these onto the UK register, and for them only to be registered as UK rights when they fall due for renewal. But this raises its own administrative and regulatory issues, with the UK then outside the EU.

Businesses may want to seek parallel national and EU protection for their key rights. Doing this for all registrations, though, may be going too far until we know more about the future arrangements, and we would suggest taking stock a year into the Article 50 negotiations.

The IPO is alive to the issues and is "exploring various options" to find solutions. Moreover, new issues will arise in relation to those EU rights in relation to protection in the EU, on areas such as trade into the EU and whether such rights remain valid in the EU.

Data protection

International data flows are a feature of modern life. If the UK is to retain its place as an leading innovator in sectors like FinTech and gaming, data protection that meets EU requirements will be vital. For the personal data of EU citizens to be processed, or for services to be targeted at them, the UK will be looking for a formal decision recognising that its law and procedures come up to scratch. And with data protection law becoming tougher in May 2018, compliance with those higher standards will also be necessary.

The UK has said that it intends to implement the General Data Protection Regulation in time for the 2018 deadline, but this implementation will not by itself be enough. The formal recognition required to acknowledge equivalence of the UK regime will have to be in place by the time of Britain's exit from the Union. And if things are getting tricky in the negotiating process, there’s no reason why the EU Commission should feel compelled to play ball. What’s more, activist individuals or groups can use legal proceedings to challenge recognition of a non-EU country’s data laws. As those following the saga of the US Safe Harbor and its successor, the EU-US Privacy Shield will be aware, it can take years to get a settled arrangement in place to permit international data flows.

That said, alternative arrangements are available for many types of data transfer. Individuals can be asked to give their informed consent to transfer, for example, or standard contractual clauses can be inserted into contracts between the sender and recipient of the data. So it should be possible to find a way to continue operating, by following alternative procedures.

Regulated industries - life sciences, transport etc

For the life sciences sector, a major threat remains the upheaval of the regulatory landscape. European approvals processes for pharmaceutical, medical device, veterinary and crop protection products are closely integrated. While it is still possible to use UK procedures for sale on the UK market (with some exceptions), for most products the efficiency of using one of the EU systems is highly desirable. Some commentators are concerned that separating the UK from the EU systems will mean delays to the clinical testing or marketing of novel products in the UK. And the current London home of the EU pharmaceuticals and veterinary products regulator, the European Medicines Agency, seems likely to change. Countries around Europe have expressed interest in taking over the role of host. 

Similar concerns arise in other heavily regulated sectors like automotive and aviation. Recent reports suggest that Britain will aim to retain access to at least some EU regulatory agencies for a transitional period to avoid the need to establish new ones within a two-year period.

Research funding

The UK has offered a short term guarantee for EU funding for research projects agreed while the UK remains a member. While this is aimed to encourage UK research businesses and institutions to continue to apply for competitive funding it offers little comfort for the longer term. In the future, research funding is more likely to come from UK projects and initiatives like those announced in the Industrial Strategy Green Paper.

Steps towards greater certainty

It is difficult at this stage for businesses to plan for the future with the legal outlook so uncertain. We have not touched on some of the wider issues for industry as a whole – immigration restrictions and trade barriers for example. What business needs is certainty, and this can only develop as the "divorce" negotiations begin in earnest, and the UK’s approach to tidying up the legal mess that Brexit involves becomes clearer.

What is certain is that parties entering into, or with existing, long term agreements which relate to activities in the EU must think carefully about the implications for those agreements. Some changes can sensibly be made now to deal with a post-Brexit reality.

Posted by on 28/03/2017 at 11:46 | | Comments (0)

Next »