The United Kingdom is no longer a member of the European Union and has entered into a transition period until December 31 2020, unless an extension of 1 or 2 years is agreed by July 1 2020 (the Brexit Long Stop Date).

During this transition period, the UK will continue to trade with the EU in much the same way as it did before its exit. Negotiations will take place throughout this year to determine the future permanent relationship between the UK and the EU.

The UK’s Prime Minister, Boris Johnson, has repeatedly stated that the transition period will not be extended beyond the end of this year. This is an ambitious deadline to reach a comprehensive agreement with the EU and the possibility of a “no deal” Brexit remains an event for which companies should prepare.

Against this backdrop, this update summarises the current status of the UK’s relationship with the EU and sets out some of the key legal implications associated with a “no deal” scenario for certain areas—one of which being employment, which we examine here.


Continue Reading

The General Data Protection Regulation (GDPR) was the biggest story of 2018 in the field of global privacy and data protection. The GDPR became enforceable in European Union Member States on May 25, 2018, significantly expanding the territorial reach of EU data protection law and introducing numerous changes that affected the way organizations globally process the personal data of their EU customers, employees and suppliers. These important changes required action by companies and institutions around the world. In almost six months after the GDPR’s effective date, organizations are still working on compliance—and will be for years to come.

Critical provisions

The GDPR applies to organizations inside and outside the EU. Organizations “established” inside the EU, essentially meaning a business or unit located in the EU, must comply with the GDPR if they process personal data in the context of that establishment. The GDPR also applies to organizations outside the EU that offer goods or services to, or monitor the behavior of, individuals located in the EU.

The GDPR uses other terms not familiar to US businesses but which need to be understood. Both “data controllers” and “data processors” have obligations under the GDPR, and data subjects can bring actions directly against either or both of those parties. A data controller is an organization that has control over and determines how and why to process data. A data controller is often, but not always, the organization that has the direct relationship with the data subject (the individual about whom the data pertains). A data processor is an organization that processes personal data on behalf of a data controller, typically a vendor or service provider. The GDPR defines “processing” to mean any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means (e.g., collection, recording, storage, alteration, use, disclosure and structuring).

The GDPR also broadly defines “personal data” as any information directly or indirectly relating to an identified or identifiable natural person, such as a name, identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Organizations in the US are used to a narrower definition of personal data, which typically includes information that, if breached, would put an individual at risk of identity theft or fraud and require notice (e.g., Social Security numbers, driver’s license numbers, and financial account, credit and debit card numbers).
Continue Reading

The EU General Data Protection Regulation 2016/679 (GDPR) was published in the Official Journal of the European Union on 4 May 2016 following the compromise agreed among the Council of the European Union and the European Parliament.

The GDPR will essentially affect any business coming into contact with European personal data.

Read the full article

European employers should exercise caution in the event of the dismissal of an obese employee.  The European Court of Justice (ECJ) determined that obesity may qualify as severe disability if it significantly restricts participation in working life (ECJ, judgment of December 18, 2014 in Case C-354/13).  This decision may be relevant not only for dismissals