
Handley Gill Limited


Golden Hour Extended

The government’s decision to extend the sunset period on the majority of retained EU legislation means that the only imminent fundamental changes to the UK’s data protection legislative framework will come from the Data Protection and Digital Information (No.2) Bill, and not the Retained EU Law (Revocation and Reform) Bill.
— Handley Gill Limited

On the anniversary of the conclusion of the Brexit transition period, the then Prime Minister Boris Johnson promised that “In the year ahead, my government will go further and faster to deliver on the promise of Brexit and take advantage of the enormous potential that our new freedoms bring”.

Shortly thereafter he appointed Jacob Rees-Mogg as Minister of State (Minister for Brexit Opportunities and Government Efficiency), who was reported by The Times in May 2022 to have proposed to the Cabinet a bonfire of EU regulations by enacting a sunset clause which would automatically expire retained EU legislation. In September 2022 he subsequently introduced the Retained EU Law (Revocation and Reform) Bill, commonly referred to as the Brexit Freedoms Bill, which was intended to ensure that by the end of 2023 all retained EU law would be amended, repealed, or replaced.

We have previously highlighted the consequences such an approach would have for the UK’s framework of data protection legislation in the absence of intervention by Ministers.  

In a change of policy, however, on 10 May 2023 the Secretary of State for Business and Trade, Kemi Badenoch, published a written statement announcing that an amendment to the Bill would be introduced in the House of Lords to replace the sunset clause with a schedule detailing each of the retained EU laws that the government intended to revoke in accordance with the original timetable of 31 December 2023. The schedule confirms that the aspects of the UK’s existing data protection legislation which are derived from EU law are not to be revoked in accordance with the initial deadline, specifically the UK General Data Protection Regulation, the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003, the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2018 and sector-specific legislation such as the Commission Implementing Regulation (EU) 2017/78 implementing Regulation (EU) 2015/758 and The Criminal Justice and Data Protection (Protocol No. 36) Regulations 2014 (all identified in the Retained EU Law Dashboard).

However, the government does intend to repeal three EU Council Decisions which are no longer relevant since the UK’s exit from the EU: Council Decision (EU) 2019/682 of 9 April 2019, authorising Member States to ratify, in the interest of the European Union, the Protocol amending the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data; Council Decision (EU) 2019/2071 of the European Parliament and of the Council of 5 December 2019 appointing the European Data Protection Supervisor; and Council Decision (EU) 2018/893 of 18 June 2018 on the position to be adopted, on behalf of the European Union, within the EEA Joint Committee concerning the amendment of Annex XI (Electronic communication, audiovisual services and information society) and Protocol 37 containing the list provided for in Article 101 to the EEA Agreement (General Data Protection Regulation).

Consequently, the Data Protection and Digital Information (No.2) Bill will be the immediate focus of the government’s reform of the UK’s data protection law.