The Retained EU Law Revocation and Reform Bill and its impact on UK data regulation

The question

What impact will the Retained EU Law (Revocation and Reform) Bill 2022 (REUL Bill) have on EU-derived data protection law in the UK?

The key takeaway

The UK GDPR and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) are at risk of lapsing if ministers do not take action before 31 December 2023. If the legislation is allowed to lapse, this would have significant repercussions for the UK. If the legislation is saved, changes will have to be pushed through with relative speed and should therefore be closely monitored. 

The background

Retained EU law (REUL) is a category of UK law which was created at the end of the Brexit transition period. It mainly comprises: (i) directly applicable EU legislation pre-Brexit (ie Regulations); and (ii) EU legislation that had been implemented in local law (ie Directives). These laws currently apply on a provisional basis to help smooth the transition post-Brexit. There is a useful list of these laws on the http://www.gov.uk website – see “Retained EU law dashboard”. In September 2021, the UK Government began reviewing the substance and status of REUL with a view to repealing or replacing laws which are no longer appropriate for the UK.

On 22 September 2022, the Retained EU Law (Revocation and Reform) Bill (REUL Bill) was introduced to Parliament. The REUL Bill sunsets the majority of REUL automatically on 31 December 2023, unless otherwise preserved. Government ministers can take steps to preserve laws by exempting them from the sunset clause, or they can extend the sunset clause up to 23 June 2026.

The development

The REUL Bill will have a significant impact on UK data protection law – the key parts of which are derived from EU law. The UK GDPR and the Privacy and Electronic Communications (EC Directive) Regulations 2003, SI 2003/2426 (PECR) for example are derived from EU law and fall within the scope of the sunset provisions.

If the UK GDPR ceases to apply as a result of the REUL Bill and is not restated, this would have the following effects:

• the UK would be in breach of international law as its data processing regulation would not meet the standards set by the Council of Europe Convention 108
• the UK may no longer be considered “adequate” by the EU under the EU GDPR, and would therefore no longer benefit from a free flow of personal data from the EU to the UK
• the Information Commissioner’s Office framework would lack coherence as much of its functions are set out in the UK GDPR.

Additionally, if PECR ceases to apply, a number of rules in areas of digital commerce such as direct marketing and cookie consent would cease to apply. This would remove protections that the UK public currently has against intrusive marketing practices.

Why is this important?

If the UK GDPR and PECR were to lapse without adequate replacement, the effect would be extremely disruptive on the data protection landscape in the UK. However, it is unlikely that the government will allow this to happen. A more likely scenario involves this legislation being “assimilated” and becoming domestic law. 

The reality of the 31 December 2023 deadline imposed by the REUL Bill is that it does not leave much time to create the desired bespoke British data protection system which would still meet EU requirements on adequacy. Assimilating the legislation would require changes pushed through at speed. The massive impact of the REUL Bill on a multitude of areas also means that Government resources may be stretched. 

Any practical tips?

Businesses should keep up to date with the progress of the REUL Bill and any indications from the Government as to its plans for the UK GDPR and PECR. This must also be considered in the context of the progress of the Data Protection and Digital Information Bill, which is currently subject to a second round of comments. The Bill makes far-reaching amendments to the UK GDPR, the DPA and PECR.

Winter 2022