The UK-EU Trade and Cooperation Agreement: Implications for technology services
The UK-EU Trade and Cooperation Agreement (the TCA) reflects the efforts made by both the UK and EU to address the results of the Brexit referendum in the UK and protect the continuation of the EU single market while avoiding the potential consequences of a “no deal” exit scenario. While the TCA is less wide-ranging than many had hoped for or promised, it does at least provide a measure of certainty for some areas – not least in relation to the avoidance of tariffs or quotas on goods passing between the UK and the EU.
The position in relation to services, and in particular technology-related services – including digital services and cloud-based offerings such as Software-as-a-Service (SaaS) solutions – is less clear and subject to further negotiation in the months to come. But the TCA does include a separate chapter relating to digital services (contained in Title III, re Digital Trade) which provides some key details relevant to both providers and customers of technology-related services. These are as follows:
- There is a commitment to not restrict cross-border data flows by:
- requiring the use of computing facilities or network elements in the applicable territory (the EU and the UK) for processing, including by imposing the use of computing facilities or network elements that are certified or approved in that territory
- requiring the localization of data in the territory for storage or processing
- prohibiting the storage or processing in the territory of the other, or
- making the cross-border transfer of data contingent upon use of computing facilities or network elements in the other territory or upon localization requirements in the other territory
- requiring the use of computing facilities or network elements in the applicable territory (the EU and the UK) for processing, including by imposing the use of computing facilities or network elements that are certified or approved in that territory
- There is to be no imposition of customs duties on electronic transmissions (eg, the provision of services via electronic means, such as via the cloud or through SaaS)
- There will be no requirements for prior authorization of service provision, based solely on the fact that the service is provided online (eg, on a “as a service” basis or as a cloud-based offering)
- There will be no default legal requirements for the transfer of (or provision of rights of access to) source code (albeit that this is left subject to commercial negotiation, as it is today).
The TCA otherwise contains some positive indications of the intentions of both the UK and EU to help promote digital trade and avoid additional barriers or requirements which might hinder it. However, it remains to be seen how these “intentions” will then be reflected in actual alignment between the UK and the EU in terms of their approaches to legislation and regulation in the coming years – for example, in relation to Fintech and Regtech, where London may seek to implement measures to maintain its current dominance when compared to other locations in mainland Europe.
On data transfers more generally, the can has been kicked down the road a bit: transfers and processing are permitted to continue as is for six months while the EU authorities conclude their “adequacy” assessment of the UK data protection regime. As this currently matches exactly the GDPR regime, the expectation is that the adequacy determination will be granted, and so will enable data transfers and processing between the UK and EU to continue pretty much as is. However, the Schrems 2 decision has shown that it is unwise to make too many assumptions about the way the EU authorities will jump when it comes to the treatment of personal data. This issue will be crucial for the technology services community to monitor in the months to come – particularly so for those cloud service providers who infrastructures in service locations in both the EU and the UK, and beyond).
In any event, the data protection burden for organizations operating across both the UK and the rest of the EU will increase. It will no longer be sufficient to have a harmonized approach dealing with the UK and the EU together. Instead, privacy compliance will need to be managed separately for each region even though, for the immediately foreseeable future, it seems likely that the regimes will remain fundamentally the same.