The EU Withdrawal Act 2018: What does it mean for information rights practitioners?


By Susan Wolf

Amidst all the media attention about the resignation of David Davis and Boris Johnson, and what type of deal (if any) the UK will end up with, uncertainty seems to be the current default setting in British politics. However, there is one certainty that may have escaped many people’s attention, namely that the European Union (Withdrawal) Act 2018 received Royal Assent on 26 June 2018. Many would be forgiven for not noticing that after over 270 hours debate in Parliament (during which the government was forced to concede some significant amendments proposed by the House of Lords) the Bill became law on 26thJune. Many would also be forgiven for not knowing what the Act does or what it is trying to achieve. This guide is intended to briefly summarise the EU Withdrawal Act 2018. Further and more detailed information will be provided in follow up blogs on the impact of Brexit on the GDPR, EIR  and the PECR.

Why was it necessary to enact the EU (Withdrawal) Act  and what does it do?

EU law covers many areas of daily life, including employment law, environmental law and of course data protection law.  EU legislation, enacted by the EU institutions, takes the form of:

  • EU Regulations (such as the General Data Protection Regulation 2016). EU Regulations are described as ‘directly applicable’. This means that they require no national implementing legislation, because they automatically become part of domestic law when enacted by the EU institutions. EU Regulations are designed to ensure that the law is uniform throughout the EU.
  • EU Directives are quite different from EU Regulations. Directives set out the objectives that are to be achieved but leave some degree of latitude to Member states on how to achieve them. Directives require Member States to introduce national legislation in order to bring the provisions of the directive into force.
    • For example, the Environmental Information Regulations (EIR) 2004 is a piece of domestic law that implements the provisions of the EU Directive on Public Access to Environmental Information 2003/4/EC.
  • Most EU Directives are implemented into domestic law by means of statutory instruments, but the Data Protection Directive 95/46/EC was implemented into domestic law by the Data Protection Act 1998. The Law Enforcement Directive 2016/680/EU has been implemented into domestic law by Part 3 of the Data Protection Act 2018.

The European Communities Act (ECA) 1972is the statutory mechanism that enables such EU legislation to have legal effect in the UK. In particular it allowed EU regulations to take effect in domestic law and gave Ministers powers to introduce secondary legislation to implement directives.

The referendum decision on 23rd June 2016, in favour of leaving the EU meant that the European Communities Act 1972 had to be repealed. However, repealing the ECA 1972 would have resulted in large areas of EU law and regulation no longer having any legal effect in the UK. It is widely recognised that this would have created a “black hole’ in the domestic statute book and huge amount of legal uncertainty about the applicable law and the rights previously conferred by EU Law.

The EU (Withdrawal) Act 2018 repeals the European Communities Act from the date that we leave the EU, 29thMarch 2019. However, to avoid the problem described above, the Act essentially ‘converts’ EU law as it stands at the time we exit the EU into domestic law. It also ‘preserves’ all laws made in the UK to implement EU obligations (such as the Environmental Information Regulations 2004).  In a nutshell it means that all the laws and regulations made over the last 40 years, while the UK was an EU Member State, will continue to apply after Brexit. Contrary to what members of the public may have believed when they voted in favour of leaving, EU law will continue to have force in the UK after the date of exit.

This means the following will continue to have effect after the date when the UK leaves the EU:

  • The GDPR 2016
  • The Environmental Information Regulations 2004
  • The Law Enforcement Directive 2016 provisions in Part 3 of the Data Protection Act 2018
  • The Privacy and Electronic Communications (EC Directive) Regulations 2003

After the UK has exited the EU in March 2019, Parliament will be able to decide which of the ‘EU retained’ laws and regulations it wishes to keep, repeal or amend. Ministers will be given wide-ranging and somewhat controversial powers to make these changes by secondary legislation. In particular, there has been criticism about the use of secondary legislation (and the lack of parliamentary scrutiny) to potentially repeal important statutory provisions.

The extent to which these powers may be exercised and may impact on current EU law information rights and data protection law, including the GDPR, the Privacy and Electronic Communications Regulations, the Environmental Regulations and the Law Enforcement Directive will be considered in subsequent blogs and forthcoming webinars.

Judicial interpretation of retained EU Law

The courts and tribunals of the Member States have a legal obligation to interpret national law that gives effect to EU law, in a purposive manner. This means there is a duty on the courts to do what is within their jurisdiction to interpret national law in a manner that best achieves the results laid down in EU law, and offers the effective protection of any legal rights conferred by EU law.   This is known as ‘indirect effect or the duty of sympathetic interpretation’. For example, the Information rights Tribunal has frequently cited the aims of the Environmental Information Directive as an aide to the interpretation of the EIR 2004.  The Directive requires that the exceptions to disclosure are interpreted in a restrictive manner, and there is clear evidence that the First Tier and upper tribunals have taken this on board in their decision-making.

Post Brexit, the national courts will no longer be bound to do this.  However, it is unlikely that the national courts will return to the traditional ‘literal’ approach to interpretation. Increasingly the national courts have shown a willingness to interpret most legislation in a purposive fashion and this is unlikely to change as a result of Brexit.

Where the courts have been faced with the interpretation of national law that gives effect to EU law, then they have been able to refer questions to the Court of justice of the European Union, using the ‘preliminary rulings procedure’.  The preliminary rulings of the CJEU are currently binding and seek to ensure that the law throughout Europe is uniformly interpreted. As many information rights practitioners will know, the CJEU has handed down some significant rulings on the interpretation of the 1995 Data Protection Directive 1995/46/EC (such as the famous Lindqvist case in 2001 on the processing of personal data on the internet [1]) and on public authorities under the Environmental Information Directive 2003/4/EC in Fish Legal v the Information Commissioner. [2] In the interest of certainty, these previous rulings, in so far as they relate to retained EU law provisions, are still to be regarded as binding.

The continuing relevance of these decisions and the role of the Court of Justice, post Brexit, will be considered in a later Blog.

[1]Case C 101/01 Criminal proceedings against Bodil Lindqvist

[2]  Case C-279/12 Fish Legal and Emily Shirley v Information Commissioner and Others

We are running GDPR and DPA 2018 workshops throughout the UK. Head over to our website to book your place now.

There is one space remaining on our GDPR Practitioner Certificate Intensive course in London starting on 20th August. Book now.

Need to train frontline staff quickly? Try our extremely popular GDPR e-learning course.

Dont forget about our GDPR Helpline, its a great tool to use for some advice when you really need it.

About actnowtraining

Act Now Training Ltd specialise in information law. We have been providing training and consultancy services globally for over 16 years. We have an extensive GDPR and FOI course programme from live and recorded webinars, accredited foundation through to higher level certificate courses delivered throughout the country or at your premises.
This entry was posted in Article 50, Data Protection, EU DP Regulation, EU Withdrawal, GDPR. Bookmark the permalink.

2 Responses to The EU Withdrawal Act 2018: What does it mean for information rights practitioners?

  1. Pingback: The role of the Court of Justice of the European Union ( CJUE) post Brexit | Blog Now

  2. Pingback: European Parliament approves text of forthcoming EU Regulation on the Free Flow of Non-Personal Data within the European Union | Blog Now

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s