Introduction
A revised version of the “Retained EU Law (Revocation and Reform) Bill” (that the UK government initially issued last year) was recently released. This news item looks in brief at this (complex) Bill and what the implications of it might be for the data protection regime in the UK.
What’s this all about?
Following Brexit the UK is no longer part of the EU. Generally-speaking, post-Brexit, EU legislation was kept in the UK as derived or retained EU law (amended as necessary) which is made up of several categories of law but essentially comprises directly applicable EU law (Regulations) and EU law that had to be implemented into national law (Directives) – EU Decisions also fall in scope. So, for example, the EU General Data Protection Regulation (EU GDPR) became “Retained Regulation (EU) 2016/679 (UK GDPR)”; PECR, the colloquial name for the UK’s implementation of EU e-Privacy rules (which deal with things like cookie regulation), was also retained. For more details and the list of retained EU law see the UK government’s “Retained EU Law Dashboard” (https://www.gov.uk/government/publications/retained-eu-law-dashboard).
The UK Government decided that it wished to amend, repeal or replace retained EU law that, in the government’s view, “is no longer fit for the UK” in order to be able “to create a new pro-growth, high standards regulatory framework that gives businesses the confidence to innovate, invest and create jobs”. The outcome to achieve this in legislative terms is the “Retained EU Law (Revocation and Reform) Bill”, which was introduced on 22 September 2022 following which a revised version was issued on 19 January 2023.
What are the highlights?
Key aspects of the “Retained EU Law (Revocation and Reform) Bill” include the following:
- EU-derived law will be revoked as of 31 December 2023 (this is the so-called sunset clause/provision) – the majority of retained EU legislation is to expire, unless it is expressly preserved (see below);
- But, this sunset date can be extended until 23 June 2026, for some, but not all, retained EU law (this date will be the 10th anniversary of the Brexit referendum);
- Government ministers (and devolved authorities) will have the power to (swiftly) either revoke, restate, replace or update retained EU law (or “assimilated law – see below) – Parliament will only have limited scrutiny;
- Any remaining retained EU law will become so-called “assimilated law”;
- The UK courts will have a new legal framework for reconciling inconsistent sources of law when they include those of EU origin – it will be easier for UK courts to depart from retained EU case-law; and,
- The principle of the supremacy of EU law and general principles of EU law will be abolished as part of UK law.
It is currently estimated that some 4,000 EU-derived laws are at stake.
What’s next?
The Bill will continue its way through the UK Parliamentary legislative pipeline, but it is not expected to be plain sailing as it has faced criticism already from many Members of Parliament in all political parties.
What are the takeaways?
It is difficult at this stage to assess the impact the “Retained EU Law (Revocation and Reform) Bill” will eventually have on the substantive law of the UK. There is the distinct possibility that vast areas of EU-derived law will disappear leaving gaps and therefore create much legal uncertainty. If however common-sense prevails, the different powers to preserve, restate, replicate, revoke, replace and update parts of retained EU law will be used extensively before the end of the sunset period.
The challenge for, UK GDPR and PECR for example, is whether there would be sufficient time to deal with them in time before the sunset clause applies, failing which they would then lapse. Although the UK Data Protection Act 2018 would remain, the consequences in data protection compliance terms would likely be significantly confusing and disruptive for businesses. This must however also be considered in the context of the UK government’s plans to reform data protection legislation in the form of the Data Protection and Digital Information Bill (which we’ve previously written about here: https://www.corderycompliance.com/ukgov-ukdpr/), which is also currently in the UK Parliamentary pipeline.
Given the potential enormity of the “Retained EU Law (Revocation and Reform) Bill” it really is a question of watch this space very closely – the disappearance of some EU-derived legislation could have very significant consequences for compliance.
More information
We report about data protection issues here: https://www.corderycompliance.com/category/data-protection-privacy/.
For more about GDPR please also see our GDPR FAQs which can be found here: http://www.corderycompliance.com/eu-data-protection-regulation-faqs-3/ and our Data Protection Glossary which can be found here: http://www.corderycompliance.com/?s=glossary.
The latest version of the Retained EU Law (Revocation and Reform) Bill can be found here: https://bills.parliament.uk/bills/3340.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
| Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH | André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH | |
| Office: +44 (0)207 075 1784 | Office: +44 (0)207 075 1785 | |
| Jonathan.armstrong@corderycompliance.com | Andre.bywater@corderycompliance.com | |
 |
 |