New legislation in the form of the Retained EU Law (Revocation and Reform) Act 2023 (REULA) brings with it the potential for interpretation of the provisions of the UK GDPR to shift in unexpected ways. Data protection managers and others involved in data governance should be aware that the changes are likely to open up opportunities for data subjects to test boundaries and raise complaints.
REULA took effect at the end of 2023 and made a few seemingly administrative, but important, changes with potential to impact your role as a data controller. In addition to renaming ‘retained EU Law’ to ‘assimilated law’, REULA took away the requirement to interpret that assimilated law in line with EU general principles (including the EU charter of fundamental rights (Charter)).
Recognising that the Charter is repeatedly referenced in the UK GDPR and Data Protection Act 2018 (DPA), the Government introduced the Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations 2023 (the Regulations), which provide that references to fundamental rights and freedoms must now be read as references to those rights and freedoms set out in the European Convention on Human Rights (ECHR). The ECHR is, of course, implemented in the UK via the Human Rights Act 1998.
The problem is that the Charter and the ECHR are different. The rights they provide are not identical: for example, the right to protection of personal data is present in the Charter, but not in the ECHR. The Charter is much more specific.
So, what does this mean for you? Whether a given right is protected will necessarily be a matter for the courts to decide, involving time-consuming debate by the parties to the relevant dispute. Complainants may have increased opportunity to draw data controllers into potentially expensive disputes, and to develop arguments that require expenditure on professional legal advice.
Even in more ‘normal’ situations where advice is needed, much of the Court of Justice of the European Union (CJEU) case law that is currently used to interpret the UK GDPR and DPA makes reference to the Charter, not the ECHR. It is not clear how, and to what extent, that case law will continue to apply and that creates a lack of certainty for those seeking to meet their obligations under the UK GDPR. It is notable that the Regulations could have confirmed such case law remains applicable, but they do not.
Given a dearth of domestic consideration of many of the UK GDPR’s provisions, data controllers are heavily reliant on insights gleaned from CJEU cases. Such cases cover a myriad of situations, including employee surveillance, the approach to be taken to data subject rights, marketing and communications, and the right to compensation.
Finally, REULA removed the principle of the supremacy of EU law. This means that if there is a conflict between the provisions of the UK GDPR and the DPA, the provisions of the DPA prevail. The most immediate issue arising from this will be the application of exemptions when processing data subject rights requests. Whereas previously an overly broad exemption in Schedule 2 to the DPA could simply be disapplied, it will now apply until such time as a court has made a relevant ‘incompatibility order’. Subtle shifts in the scope and application of exemptions, potentially leading to more long-term movement as domestic cases are heard and decided, can be expected.