EU & UK – Continental drift on data protection?
A key justification for the UK’s exit from the EU was to create a more competitive regulatory regime, including through the reform of its data protection laws. Enthusiastic suggestions to scrap the GDPR and replace it with a “UK Framework of Citizen Data Rights” proved less attractive on closer examination; but the EU and UK approaches are starting to diverge, and those differences will become more pronounced over time.
Some change comes from the mostly unexciting Data Protection and Digital Information Bill, but more significant changes come from the treatment of data protection as a fundamental right, including under proposed new UK regulations. Importantly, change also comes from the EU; as much as anything, the UK will, over time, drift apart largely by simply standing still.
We consider the current state of play and the opportunities this divergence provides for the UK.
Data protection no longer a fundamental right in the UK
One largely overlooked source of divergence is the EU’s treatment of data protection as a fundamental right under Article 8 of the EU Charter of Fundamental Rights. This has been hugely significant in the interpretation of the GDPR, underpinning many of the decisions of the CJEU and acting as a “gap filler” to bridge from the text of the GDPR to the desire to protect fundamental rights.
For example, the seminal decision in Schrems II (Case C‑311/18) concluded that transfers under standard contractual clauses must be supplemented by a transfer impact assessment to assess the risk of access by third country authorities. That decision is largely based on the need to read the GDPR in light of the EU Charter.
Similarly, in Sovim (C-601/20 and C-37/20) the CJEU invalidated the provisions in the anti-money laundering directive that required beneficial ownership information to be made public. That decision rested on the finding that those disclosures interfered with the rights to privacy and data protection under Articles 7 and 8 of the EU Charter, and that the interference was not limited to what was strictly necessary or proportionate to the objectives of the directive.
In contrast, the UK European Union (Withdrawal) Act 2018 disapplies the EU Charter in the UK. Moreover, the UK Government is proposing to introduce the Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations 2023. These will amend the UK GDPR so that it no longer protects personal data as a “fundamental right” per se, but rather only as a right within the meaning of the ECHR.
Importantly, under the ECHR there is no freestanding right to data protection, only a right to privacy. In addition, while the UK courts should interpret legislation in a way that protects ECHR rights “so far as possible”, that principle is generally applied in a less interventionist manner.
The combined effect of these changes is that the Information Commissioner and the UK courts will be more tightly bound to the wording of the law, and less able to take a loose purposive or teleological interpretation of it.
New CJEU decisions are no longer binding in the UK
There is also an increasing body of divergent case law between the EU and the UK. The introduction of the GDPR led to a bow wave of CJEU cases. Since the UK left the EU, around 30 judgments have been handed down and another 55 are still pending. These judgments cover a wide range of core issues, such as compensation rights and the scope of subject access requests (and, as described above, are heavily influenced by the status of data protection as a fundamental right).
In the UK, under the EU (Withdrawal) Act 2018, decisions by the CJEU after 31 December 2020 are no longer binding in the UK (unless they arise from a UK referral). Moreover, the appellate courts in the UK have the power to depart from earlier CJEU judgments – with that discretion broadened under the Retained EU Law (Revocation and Reform) Act 2023, including the ability to depart from a pre-Brexit judgment of the CJEU where complying with it “restricts the proper development of domestic law”.
Having said that, the courts can still “take account” of CJEU judgments. The UK GDPR remains very similar to the EU GDPR, so new CJEU judgments continue to be highly persuasive in the UK. For example, in Delo, R v Information Commissioner [2023] EWCA Civ 1141 the Court of Appeal relied on the CJEU’s post-Brexit judgment in BE (C-132/21) to conclude that the Information Commissioner is not obliged to reach a definitive decision on the merits of every complaint made to it.
“Harms-based” regulation by the ICO outside the EDPB
The UK Information Commissioner is no longer part of the European Data Protection Board and no longer subject to the consistency mechanism. This is increasingly leading to a difference in approach to the enforcement of data protection laws.
The UK Information Commissioner has a long history of pragmatic regulation that is closely based on actual consumer harm. This approach comes partly from the legislative framework in the UK. For example, before serving an Enforcement Notice the Commissioner must consider whether the relevant breach “has caused or is likely to cause any person damage or distress” (section 152(2), Data Protection Act 2018).
In contrast, supervisory authorities in the EU tend to take a more technical approach to enforcement. This has manifested itself in the continuing tension between the Irish Data Protection Commissioner and the European Data Protection Board, which has, on a number of occasions, required the Data Protection Commissioner to strictly enforce some of the more formalistic aspects of the GDPR, such as the precise content of privacy notices.
No EU Digital Package
The EU is also in the process of passing and implementing a range of new instruments as part of its EU Digital Package. This includes a number of instruments that overlap with the GDPR such as:
- the Digital Services Act, which requires greater transparency over recommender and ad systems;
- the Digital Markets Act, which more tightly controls the use of data by gatekeepers, introduces new portability rights and requires an audit of profiling techniques; and
- the new security obligations under NIS2 and the Cyber Resilience Act and new rights to data under the Data Act.
The UK is making some changes through the Online Safety Act 2023 and the Digital Markets, Competition and Consumers Bill, though the data protection implications of these instruments are very different and will lead to different user experiences.
The (limited) impact of the UK Data Protection and Digital Information Bill
Finally, the UK is proposing to amend the UK GDPR and the Data Protection Act 2018. Despite some of the ambitious claims, the reforms are generally modest, with only a handful of major changes, such as loosening the rules on cookies, allowing greater use of automated decision making and replacing data protection officers with “senior responsible individuals”.
Indeed, many of the changes actually strengthen the law, such as increasing the sanctions for breach of PECR and giving new powers to the Information Commissioner (such as the power to commission a “skilled person” report). Added to that, the very latest changes row back on Government interference with the Information Commissioner, something that is reportedly necessary to preserve the EU’s adequacy finding for the UK (see Amendment Paper dated 24 November 2023).
The result is likely to be the most complex data protection law in the world based on detailed interactions between the heavily amended, and soon to be re-amended, UK GDPR and Data Protection Act 2018. The Data Protection Act 1998 was described in Campbell v MGN [2003] QB 633 at [72] as “a thicket” and “a cumbersome and inelegant piece of legislation”. In the intervening 20 years, UK data protection laws have grown to resemble a jungle.
In turn, the EU is also looking to reform its data protection laws, both through a regulation to address the enforcement of the GDPR and early proposals to amend the GDPR itself. These reforms are at a very early stage but could cause further divergence between the EU and UK.
A bright future for the UK?
Where does this leave the UK? In an ideal world, the UK approach should be based on three key principles:
- Maintaining the EU’s adequacy finding for the UK. Given the importance of UK-EU trade and the increasing challenges in transferring data from the EU to third countries without an adequacy finding, the loss of UK adequacy could cause significant economic dislocation.
- Protecting the rights of individuals. UK citizens expect their data to be protected. Given the importance of the digital economy and the potential for data misuse, it is important that citizens can trust companies with their personal information.
- Delivering a better regulatory environment for business. There is clearly room to reduce the regulatory burden on businesses without undermining the rights of the individual or affecting UK adequacy. However, this needs to be carefully considered: deregulation does not always deliver a “better” regulatory environment. For large businesses there are benefits in maintaining a degree of consistency with the GDPR and other international data protection norms, rather than having to adopt a bespoke solution for the UK.
There is evidence that this divergence is already delivering benefits within the UK. For example, some new products are being launched more quickly in the UK market (such as the Threads social media platform which is available in the UK but not in the EU) and the UK continues to attract innovative new companies (such as Palantir which has chosen to set up its European AI headquarters in the UK).
As time goes by, the data protection regimes of the EU and the UK are likely to resemble cousins more than close siblings; but they will hopefully continue to respect and learn from each other as those regimes evolve.