Impact of retained EU law reforms on data protection

The Retained EU Law (Revocation and Reform) Act 2023 (REUL Act) came into force on 1 January. It made changes to the 'retained EU law'established in the UK post-Brexit from the EU law that previously applied in the UK, including the UK’s data protection legislation and, in particular, the UK General Data Protection Regulation (UK GDPR) which replaced the EU General Data Protection Regulation (EU GDPR) in the UK after Brexit.

The REUL Act has removed the special features of EU law that governed the interpretation and application of this legislation. This included revoking EU fundamental rights and other general principles of EU law. It has also reversed the EU law supremacy rule of priority that was previously accorded to EU legislation over domestic legislation where there is a conflict between the two.

What is the impact on data protection law of removing the supremacy of EU law?

The removal of the principle of the supremacy of EU law means that in the event of a conflict, the UK’s Data Protection Act 2018 (DPA) takes precedence over provisions of the UK GDPR. This is the opposite of the position which the DPA and UK GDPR were both designed for, with the DPA essentially providing the “flesh to the bones” of the overarching principles outlined in the UK GDPR, as well as exemptions to those broad principles. That position applied both before Brexit and in the initial period of retained EU law up to the end of 2023.

For example, in the recent case involving the3million and Open Rights Group, the Court of Appeal ruled that the immigration exemption under Schedule 2 to the DPA was unlawful because it was overly broad and therefore incompatible with the UK GDPR. The immigration exemption provided an exemption to the UK GDPR obligation to honour data subjects’ rights, such as the right to make a data subject access request. Now, in a conflict between the UK GDPR and broader exemptions in the DPA, the DPA exemptions would take precedence over the safeguards which the UK GDPR prescribes, unless the DPA expressly cedes priority to the UK GDPR. The REUL Act itself does recognise the paramountcy of data subjects’ rights, perhaps to address such a DPA exemption diluting a data subject right in the event of a conflict between the DPA and the UK GDPR.

What is the impact on data protection law of shifting away from EU fundamental rights and other general principles of EU law?

References to EU fundamental rights in the UK GDPR are now to be read as references to rights under the European Convention of Human Rights (ECHR), following amendments made at the end of 2023 as a consequence of the retained EU law reforms.

While this might sound like a simple terminology change, EU case law has suggested that the EU fundamental rights go further and are more specific than Article 8 ECHR, which refers to privacy but contains no specific right to data protection. Whilst UK judges might seek to develop the ECHR rights in a similar way to EU case law, their established practice is not to develop ECHR rights in UK case law in ways that go beyond the ECHR case law of the European Court of Human Rights.

This leaves some uncertainty in an area of case law which has to date been a central feature of how data protection has been interpreted. Courts in the UK will now need to resolve this uncertainty created by the retained EU law reforms.

Whilst it may be years before we see this clarification, the much subtler and more immediate impact is the approach taken by the data protection authority, the Information Commissioner’s Office (ICO). It has already embraced the terminology change in the context of data transfer impact assessments when looking to transfer personal data to another jurisdiction. The ICO has also introduced a degree of proportionality to that risk assessment which is not present in equivalent guidelines at EU level. In this way, we are already seeing that the basis for assessment is slightly different now, following the reforms.

What legislative changes is the government planning for UK data protection law?

The Data Protection and Digital Information (DPDI) (No.2) Bill has been progressing on a long, slow journey through the UK parliament for the last year. It is currently at the committee stage of the House of Lords where it is expected to face rigorous scrutiny that might delay it further. It is likely to become law before an autumn 2024 general election, but it does risk being lost if it suffers further major delays.

The Bill is described by the UK government as a way of unlocking post-Brexit opportunities, intended to promote data-driven innovation and reduce some of the burdens organisations have come to associate with the EU GDPR. It makes some fundamental changes to the DPA and UK GDPR.

What are the expected outcomes in practice from the combination of retained EU law and legislative reforms taking effect?

There are already some subtle changes in ICO guidance, and more significant changes to its guidance and approach to enforcement are likely once the DPDI (No.2) Bill becomes law. New case law is likely to emerge over the next few years which may either limit or increase divergence from EU case law.

In key areas of risk where the ICO is most active, such as personal data breaches and online direct marketing, major changes are not expected. However, it is in more complex cases, such as the Experian enforcement notice, where Experian successfully appealed an ICO enforcement notice at the first-tier information rights tribunal (FTT) – a decision that the ICO has appealed – where the subtle effects of the retained EU law reforms may play a key role.

It remains to be seen if this will affect the approach taken by UK courts to balancing the data subjects’ rights against the controller’s legitimate interests, in the context of relying on the legitimate interests ground for lawful processing. In the EU, the question of whether purely commercial interests qualify as legitimate interests is being tested before the EU’s highest court.

The fact that question has been referred to the Court of Justice of the EU (CJEU) shows that – in light of the FTT’s decision in the Experian case and the retained EU law reforms – the UK and the EU are at a crossroads of potential divergence on the issue of processing based on the legitimate interests ground for lawful processing.

The retained EU law reforms have brought small changes and some uncertainty to UK data protection law, but the radical overhaul, namely of a “new system of data protection” that would ditch the “needless regulations and business-stifling elements” of the GDPR that has sometimes been talked of has not yet materialised.