Revocation and Reform offers no R & R
On 22 September 2022, Jacob Rees-Mogg, the former Minister for Brexit Opportunities and Government Efficiency and current Secretary of State at the Department for Business, Energy and Industrial Strategy, introduced the Retained EU Law (Revocation and Reform) Bill in the House of Commons.
While the Bill itself is mercifully short, its implications are significant, including for the UK’s data protection legal framework.
The Retained EU Law (Revocation and Reform) Bill
When enacted, the Bill would revoke all retained EU direct legislation and EU-derived subordinate legislation at the end of 2023, except for instruments specified in regulations made by a relevant national authority (clause 1).
Ministers would be entitled to make regulations to delay the effect of the revocation in respect of a specific piece or type of legislation until a date no later than 23 June 2026.
Retained EU law by virtue of Section 4 of the European Union (Withdrawal) Act 2018 immediately before the end of 2023 will no longer be recognised in English law, as that section will also be repealed at the end of 2023 (clause 3).
The Bill would also remove the supremacy of EU law from the end of 2023, requiring it to be read and given effect to compatibly with domestic law, with any incompatibility resolved in favour of domestic law (clause 4).
General principles of EU law will similarly no longer apply from the end of 2023 (clause 5), and courts will have greater rights to depart from EU case law and from domestic case law influenced by EU law (clause 7). Lower courts and tribunals will be entitled to make references for guidance (clause 7), and law officers will be entitled to make ex-post-facto references in cases where no referral was made by lower courts and tribunals (clause 7) and to intervene in proceedings on retained law.
Secondary retained EU law, i.e. retained EU law that is not primary legislation or is only primary legislation as a consequence of being inserted by secondary legislation, may be re-stated in regulations made by a relevant national authority before the end of 2023 (clause 12). The same applies to secondary assimilated law, i.e. any assimilated law that is not primary legislation or is only in primary legislation as a consequence of being inserted by secondary legislation, with an extended deadline of 23 June 2026.
Alternatively, secondary retained EU law may be revoked or replaced by regulations until 23 June 2026 (clause 15).
What does this mean for the UK’s data protection legal framework?
The UK’s data protection legal framework comprises the UK GDPR, the Data Protection Act 1998, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations.
While the Government has introduced the Data Protection and Digital Information Bill in the House of Commons with a view to achieving data protection reform post-Brexit, the Bill would not serve to consolidate the relevant provisions into one piece of legislation, and would be an addition to - rather than a replacement for - the existing legislation.
The UK GDPR
The UK GDPR, as defined by s.3(10) Data Protection Act 2018, means “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4))”. S.205(4) provides that “the reference to Regulation (EU) 2016/679 as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 is to be treated as a reference to that Regulation as modified by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (“the 2019 Regulations”)”.
Section 3 of the European Union (Withdrawal) Act 2018 provides that “Direct EU legislation, so far as operative immediately before exit day, forms part of domestic law on and after exit day”.
As such, unless excluded, delayed or restated by regulations, the UK GDPR will no longer form part of UK domestic law as of the end of 2023.
PECR
The Privacy and Electronic Communications (EC Directive) Regulations 2003 will be similarly revoked at the end of 2023 unless action is taken to exclude them from the effect of clause 1 of the Bill, to delay its impact or to re-state or otherwise replace their provisions.
Since the Data Protection and Digital Information Bill, at least as introduced in Parliament, does not consolidate existing legislation, the Government will either have to issue regulations to retain or effectively re-introduce the UK GDPR and PECR or introduce significant amendments to the Bill.
We must therefore await an indication from the Department for Digital, Culture, Media & Sport as to how they intend to proceed.
Just when you thought you were getting to grips with the UK’s seemingly constantly evolving data protection law…