The Retained EU Law (Revocation and Reform) Act (REUL Act) has recently received Royal Assent. We look at the potential impact on data protection, e-commerce, tech and IP, together with the bigger picture on divergence from the EU in these areas.
1 What does the REUL Act do?
The original scheme of the REUL Act provided for a substantial proportion of EU-derived legislation to be revoked at the end of 2023 unless expressly preserved. Thankfully, this approach has now been jettisoned in favour of a list of about 600 measures which will be revoked at the end of the year; our view is that the majority of these are unlikely to cause most businesses significant concern. However, the REUL Act makes a number of other changes which could have an impact on data protection, tech, e-commerce and IP:
- It removes the principle of supremacy of EU law and provides
that domestic legislation takes precedence over retained direct EU
legislation, such as UK GDPR; and
- It provides a new route for retained EU case law (currently binding on the UK courts) to be re-examined and potentially overturned.
2 Data protection
The original draft of the REUL Act raised a question mark – at least in theory – over the future of two cornerstones of the UK's data protection law framework, the UK GDPR and the Privacy and Electronic Communications (EC Directive) Regulations 2003, SI 2003/2426 (PECR). It's now clear that they will be retained, as they are not on the list of measures to be revoked. However, it was always expected that they would have to be preserved because the Data Protection and Digital Information (No.2) Bill (DPDI Bill), which is currently before Parliament, has been drafted on the basis that they will remain in place – although the DPDI Bill will make a number of important changes to them. This is an example of an area where retained EU law is being reformed outside the framework of the Act – for further examples, see our detailed guide to the REUL Act.
Until now, the Government's scope to provide for exemptions to general rights and obligations under Schedules 1 and 2 of the Data Protection 2018 (DPA) has been governed by UK GDPR. There have, for example, been two successful challenges where the courts have ruled that the "immigration exemption" in Schedule 2 to the DPA is incompatible with Article 23 of the UK GDPR. The REUL Act's removal of the supremacy of retained EU law over domestic UK legislation means, however, that amendments to the DPA, including those made by the DPDI Bill, would by default take precedence over the provisions of the UK GDPR. This technically gives the Government more scope to restrict data subject rights through the exemptions and makes challenges like the ones to the "immigration exemption" harder to mount in future. In practice, the UK has a strong interest in not diverging too much from the EU in this area, as this would put its EU data adequacy ruling at risk (which would make it harder to exchange personal data with data controllers and processors based in the EEA).
3 Intellectual property
Bodies including the UK Intellectual Property Office, the IP Federation, the Chartered Institute of Trade Mark Attorneys and the British Copyright Council had all expressed a high level of concern over the original sunsetting provisions in the legislation - so the Government's change of heart is likely to have been greeted with a sigh of relief in the world of IP. Apart from a small number of measures which are effectively redundant, the list of EU-derived legislation to be revoked does not appear to include any material piece of legislation relating to IP.
There are, however, various areas of IP where the Government has indicated previously that it may want to diverge from the EU, such as overlapping copyright and design protection for designs, as well as the complex system of protection for designs. The IPO had told stakeholders that its work on the designs consultation was on hold while it conducted further work to ascertain the impact of the sunsetting provisions – but, now that distraction has ceased, it may be able to return to potential reform of the designs regime.
EU case law has also been important in a number of areas of IP; for example, the British Copyright Council notes that EU case law has significantly expanded the scope and availability of copyright protection. As noted above, the REUL Act creates a new route for the principles established by this case law to be reopened, which may give rise to uncertainty.
As regards trade mark law, following the hearing at the end of June 2023, we await the Supreme Court's ruling in coming months in SkyKick v Sky on the issue of what constitutes a "bad faith" trade mark registration to see whether the court takes a different view from the Court of Justice of the EU (CJEU) (the case having been referred to the CJEU by the High Court prior to Brexit taking effect). Currently trade mark law in the UK and the EU is aligned in allowing for reasonably broad specifications of goods and services at application; it is not automatically bad faith if the applicant does not intend to use the marks for all the goods/services - more is needed to demonstrate bad faith, such as an intention to undermine third party interests or to obtain exclusivity for a mark for reasons other than as an indication of the origin of the goods/services. However, it's possible that the Supreme Court could reset the rules for the UK, without recourse to principles from previous EU case law. (See here for our commentary on the Court of Appeal's earlier ruling).
4 E-commerce and tech
When the draft legislation was first published, Meta expressed its concern over the impact on the Electronic Commerce (EC Directive) Regulations 2002. Among other things, these provide that online services that transmit, store and/or make available information provided by users are not liable for such user content. This is subject to certain provisos such as not having actual knowledge of the information (and this has led to "notice and takedown" processes). These Regulations are not on the list of measures to be revoked, nor are we aware of any plans to reform them.
That said, platforms such as Meta are being confronted with legislation such as:
- the Online Safety Bill which seeks to impose more obligations
on them over policing of content; and
- the Digital Markets, Competition and Consumers Bill, which will give the UK's competition regulator, the CMA, new powers to regulate Big Tech.
These are also areas where the EU has been active, although it is taking a somewhat different path from the UK – so this is an area where we are already seeing a degree of divergence. Another area where divergence is emerging is in relation to cybersecurity – see our briefing on changes to the UK's and EU's network and information security (NIS) regimes.
Originally published 4 July 2023
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.