Changes to data protection law

Changes to UK data protection law could be quicker and more profound than we thought. Eleonor Duhs examines how the Brexit Freedoms Bill could make fundamental changes to retained EU law, including the UK GDPR.

Last year the government announced its new post-Brexit national data strategy and consulted on proposed changes to the UK’s data protection landscape. These changes were described as “improvements within the current framework”. But that framework could be about to undergo significant amendment. The planned “Brexit Freedoms Bill” looks set to alter how we interpret legislation that came from the EU, which has been saved into domestic law. This vast body of law is known as retained EU law. It includes the UK GDPR. Fundamental changes to retained EU law may mean that the UK’s data protection framework could diverge more profoundly from the EU GDPR than we previously thought. Specific changes to the data protection regime may be made relatively quickly, using powers conferred in the “Brexit Freedoms Bill” to amend the UK GDPR and the Data Protection Act 2018 using secondary legislation. Secondary legislation cannot be amended (MPs must take it or leave it) and is subject to minimal Parliamentary scrutiny. This is highly unsatisfactory for a policy area which is complex and where the government’s plans would benefit from thoughtful debate. Applying a “quick fix” could undermine the national data strategy and the government’s ambitions to build a “world-leading data economy whilst ensuring public trust in data use”.

Proposed changes to data protection law

The government’s national data strategy and consultation, Data: a New Direction, set the UK on a different path from the EU. The new regime was to build on the UK GDPR, but aimed to reduce regulatory burdens. Examples of areas where changes were designed to lessen the resources required for compliance included:

  • creating a list of types of processing which would automatically count as meeting the “legitimate interests” test
  • putting new limits on the right of subject access
  • reducing the need to report personal data breaches to the ICO
  • removing the requirement to conduct data protection impact assessments
  • removing the right to human review of automated decisions. 

These innovations are significant enough on their own. But the government’s plans to simultaneously reform retained EU law may mean that the changes to the UK’s data protection regime are more far-reaching than was envisaged when the national data strategy and consultation were thought up.

What is retained EU law?

When the UK left the EU it had to resolve a significant problem: what do you do with the vast body of EU law in the UK’s statute book in all areas of the economy including health and safety, financial services, employment law and equality law as well as data protection? Leaving the EU would involve repealing the legislation which gave effect to EU law in domestic law: the European Communities Act 1972. But repealing an Act of Parliament usually means that all the secondary legislation made under that Act falls. The government needed a solution to ensure that the law regulating huge swathes of the economy (including data protection) did not simply disappear on the UK’s exit from the EU Treaties. The answer was to create a mechanism to save the EU law which applied in the UK immediately before the end of the transition period on 31st December 2020 and turn it into domestic law. This was done through the European Union (Withdrawal) Act 2018 (“EUWA”). This body of law which is saved into domestic law is known as retained EU law. 

What happened to data protection law when the UK left the EU?

In terms of data protection law, the EU’s GDPR was saved into domestic law and rebadged the ‘UK GDPR’. Powers in the EUWA were used to make changes to the EU GDPR in order that it could work as domestic law. Examples include enabling the UK Secretary of State to confer data adequacy on third countries, in place of the European Commission.

How do you interpret retained EU law?

The case law of the Court of Justice of the European Union (“CJEU”) from before the end of the transition period and the domestic case law interpreting EU rights and obligations remain relevant to the interpretation of retained EU law. The retained general principles of EU law such as proportionality and respect for fundamental rights are also relevant in interpreting retained EU law. The methods of interpreting EU law still apply when considering the meaning and effect of this body of law. For example, looking at the legal basis of the measure, using a purposive interpretation where the meaning of the law is unclear or ambiguous or looking at the foreign language versions of the legislation are all ways of preserving continuity in terms of what the law means: in essence, the law means the same thing now the transition period is over as it did when the UK was subject to EU law. The continuity in interpretation creates legal certainty for individuals, commercial enterprises, the public sector and the third sector.   

What is happening with retained EU law?

On 31st January 2022 the government announced a “Brexit Freedoms Bill” which would “end the special status” of retained EU law and “ensure that it can more easily be amended or removed”. 

The detail of what this means is not yet clear. Statements made in Parliament at the end of last year, as well as the government’s paper “The Benefits of Brexit: How the UK is taking advantage of leaving the EU”, suggest that the government intends to make changes which include:

  • removing the principle of the supremacy of EU law from the body of retained EU law
  • removing rights in retained EU law where they overlap with other rights in domestic law
  • allowing all courts (not just the Court of Appeal and equivalent courts and the Supreme Court) to depart from retained case law of the CJEU (retained case law being case law dating from before the end of the transition period; post-transition period CJEU case law is not binding on UK courts, although they may have regard to it)
  • removing retained general principles of EU law as an aid to interpretation of retained EU law
  • allowing the repeal or amendment of retained EU law through secondary legislation.

What effect might these changes have?

The principle of the supremacy of EU law ensures that in a conflict, EU rights and obligations prevail over those in domestic law. Retaining this principle was key to ensuring legal certainty in terms of how to interpret the law which pre-dated the end of the transition period. So for example if there was a conflict between the UK GDPR and the Data Protection Act 2018, the UK GDPR would prevail. Removing or replacing this rule could alter how these two pieces of legislation interact in ways which may not be immediately obvious. It could also make the application of case law which references supremacy uncertain. 

Allowing all courts to depart from retained EU case law could result in attempts to re-litigate principles such as how the framework for international transfers in the UK GDPR should be interpreted (in an attempt to move away from the approach of the CJEU in Schrems II [1]) or the breadth of the household exemption, as established in the cases of Lindqvist [2] and Ryneš [3]. 

Removing the retained general principles of EU law such as respect for fundamental rights could create legal complexity. It may be arguable that the right to a private and family life under Article 8 of the European Convention on Human Rights (“ECHR”) (as implemented through the Human Rights Act 1998) is the same as the right to the protection of personal data as reflected in the EU legal order. If so, the removal of this general principle would make no difference to the interpretation of data protection rights in the UK as compared with in the EU legal order. But there is also case law which suggests that the right to privacy in EU law as currently preserved through the EUWA goes further and is more specific than the protections offered by Article 8 of the ECHR (see R (Davis & Watson) v Secretary of State for the Home Department [2015] EWHC 2029 (Admin) at [80]). That means that removing the general principle of respect for fundamental rights could have an impact on how the right to privacy is interpreted in the UK as compared with in the EU. This has the potential to create uncertainty.

How quickly could these changes be brought about?

The “Brexit Freedoms Bill” (this name will almost certainly be ditched) is likely to be announced in the Queen’s Speech in May. It will probably be introduced relatively soon thereafter. The Bill is likely to make broad changes to the body of retained EU law (such as removing the principle of the supremacy of EU law and certain general principles). The most probable outcome is that it will contain powers to amend, repeal or replace retained EU law using secondary legislation. This is significant. Sir Jonathan Jones QC, formerly head of the Government Legal Department, warned in recent evidence to the European Scrutiny Committee (at q16) that “secondary legislation typically gets minimal scrutiny by Parliament”. He stated “I am suspicious of this reference to quick special mechanisms for changing retained EU law”. He cautioned that Parliament should have “proper input into what will potentially be the biggest overhaul of our statute book that any of us can remember.” It is also worth noting that secondary legislation cannot be amended (in contrast to a Bill, which has several amending stages in both Houses). MPs must either approve secondary legislation or it falls in its entirety. Almost invariably, therefore, MPs approve the legislation. (Further detail can be found in the Constitution Blog post “Reliance on secondary legislation has resulted in significant problems: it is time to rethink how such laws are created?”.)

It is highly likely that the changes to the UK GDPR would be made using these powers in secondary legislation and at speed without the considered input which accompanied legislative change on data protection in the past. Previously we used primary legislation for new data protection frameworks. The government states that it wants to “create a bold new data regime” and “usher in a new golden age of growth and innovation”. This requires careful thought, debate and proper democratic accountability. Legislating at speed using secondary legislation risks undermining this vision.

How should my organisation plan ahead?

The most important thing to do is to keep up with developments. Once the “Brexit Freedoms Bill” is introduced the picture will become clearer – at least in terms of the changes to retained EU law. The government is also planning to respond to Data: a New Direction in the Spring. This will give a sense of which of the proposed changes to the data protection framework are likely to be implemented. It is also probable that the government will want a degree of interoperability as between the EU GDPR and the UK GDPR. In other words, if your compliance programme meets EU GDPR standards and practices, then you will be deemed to be meeting UK GDPR standards even if you do not implement the relevant changes. On the other hand, some of the proposed changes to the UK GDPR will be attractive to organisations who want to minimise the amount of resource they put into data protection compliance. Most entities will want to rely on the ability to limit the scope of subject access requests, for example. It is therefore worth budgeting in the forthcoming financial year to carry out some adjustments to your compliance programme which could save considerable resource in the future. But you should also bear in mind that changes to retained EU law may cause our legal frameworks to become unsettled and uncertain.

Eleonor Duhs is partner and Head of Data Privacy at Bates Wells.

[1] In broad terms, Schrems II was about international data transfers and the mechanisms required to send data to third countries. The requirements for sending data overseas are now onerous, following the judgment of the CJEU.

[2] The CJEU held that publishing personal data on the internet so that it is accessible to an indefinite number of people is not an activity which falls within the exemption from data protection law for personal or household processing. 

[3] In this case, the CJEU held that capturing images using a camera fixed under the eaves of a family home which recorded images of the entrance to the home, the public footpath and the entrance to the house opposite was not an activity which fell within the scope of the exemption for personal or household processing in the GDPR.