The Retained EU Law (Revocation and Reform) Act 2023[1] (Act) came into effect on 1 January 2024, abolishing the supremacy of EU law and making changes to the interpretation and effect of EU case law in the UK.
How will this impact data protection case law in the UK? Whilst the UK has been able to form alternative GDPR case law since 1 January 2021, previous EU case law still applied until the Supreme Court or Court of Appeal decided otherwise, fundamentally on the basis of previous conflicting decisions.
New test
Whilst it remains the case that the courts retain this power to move away from EU case law, the circumstances under which these courts can exercise this power have now changed.
Going forward a new test will apply which is set out in Section 6 of the Act and consists of a non-exhaustive list of factors including:
- the fact that foreign court decisions are not usually binding;
- any change of circumstances which are relevant to the retained case law; and
- the extent to which the retained case law restricts the proper development of domestic law.
Current examples
The new test gives the UK further opportunity to change the current position from reflecting the EU decisions to forming a new UK position. Below we explore some case law where these powers have begun to be exercised by the UK courts (and indeed where they haven't). So far, divergence does not seem to be a concern:
Non-material damages
In Austrian Post[2], the European Court of Justice (ECJ) held there was no threshold of seriousness for non-material damages. In Lloyd v Google[3] the High Court of England and Wales concluded the opposite.
However, the divergence between the cases was limited, as both decisions found that GDPR infringement alone is not enough for damages.
Post-Brexit cases
However, in two of the biggest post-Brexit cases (Soriano v Forensic News and others[4], and Delo v The ICO[5]), the Court of Appeal did not contradict the ECJ’s prior decisions.
In Delo v The ICO, the Court of Appeal relied on the ECJ's judgment in BE[6] to conclude that the Information Commissioner is not obliged to reach a definitive decision on the merits of every complaint made to it.
Data breach claims
Lloyd v Google demonstrates a difference in the conditions for data breach claims between the UK and the EU. In this case, there were low data breach awards with claims being reallocated to the county court, making it more difficult for litigators to recover all their costs due to the fixed cost regime.
The current EU stance facilitates mass claims across the EU states, including for the GDPR.
This shows some divergence with narrowing conditions for UK data breach claims, but it is hard to see how this could get much narrower, showing that potential divergence in this instance may be at its limit.
Conclusion
A key consideration in respect of UK divergence from the EU position is the bearing on the UK-EU data adequacy decision, the spectre of which is likely to limit too much divergence. As we can see from the above, current examples of case law do not indicate that losing adequacy is likely to be an issue.
The cases discussed above show there has been some slight divergence already in some areas, but as this has already occurred and given the adequacy considerations, it would be reasonable to expect to see a similar approach from both the UK and EU going forward.
[1] https://www.legislation.gov.uk/ukpga/2023/28/enacted
[2] C-300/21, UI v Österreichische Post AG
[3] UKSC 2019/0213
[4] [2021] EWCA Civ 1952
[5] [2023] EWCA Civ 1141
[6] C-132/21