The UK’s departure from the European Union (EU) has sparked speculation over whether the UK Courts will be bound by decisions of the European Court of Justice (CJEU) – particularly in matters relating to GDPR.
It is important to distinguish between the CJEU and the European Court of Human Rights (ECHR); the former’s role is to adjudicate on matters of European (EU) Law, escalated from the 27 member states, the latter which by virtue of its status as membership of the Council of Europe and as a signatory to the Convention for the Protection of Human Rights and Fundamental Freedoms, the UK is still a member and bound by their decisions.
Matters which were raised to the CJEU before the UK left the EU, would remain binding on the UK Courts, for example, the Data Protection Commissioner v Facebook Ireland and Maximillian Schrems case.[1] This matter is outlined in Articles 86 and 89 of the Withdrawal Agreement, Treaty Series No. 3 (2020).
The question remains; are matters adjudicated by the CJEU relative to the General Data Protection Regulation[2] (GDPR), still binding for the UK now we have left the EU?
To understand whether we need to be aware of decisions on matters of Information Rights Law we need to follow the legislative trail to understand the relationship post-Brexit.
Practitioners should consider the following principle; as of the 31st December 2020, UK Courts are generally not bound by decisions made by the CJEU. This principle defined in section 6(1) European Union (Withdrawal) Act 2018[3]. Section 6(2) goes on to say that “a court or tribunal may have regard to anything done on or after exit day by the European Court, another EU entity or the EU so far as it is relevant to any matter before the court or tribunal”.[4] This is an important principle insofar as if the UK Courts were considering a matter of UK GDPR and there was a judicial or administrative decision from an EU Court, Institution or a new EU law – similar to the matter in hand then the court could consider this when determining the case. The word could, may change to would if the Court were inclined to agree with, say the decision of the CJEU.
The challenge for UK practitioners will be to determine what is relevant and what is not in terms of the decisions of the CJEU and other EU institutions. Luckily for the UK, our Courts are adept in dealing with matters relating to Data Protection Law – they’ve had a lot of practice since the first Data Protection Act in 1984. The Information Commissioners frequently update relevant guidance when decisions of the CJEU are likely to affect Data Controllers and Processors in the UK, so fear not!
In Summary:
My advice is to follow online posting, blogs (such as our own) and other legal practitioners. It’s always a good idea to keep up to date with the ICO newsletters, which are always very informative and more impartial than most commentators, who often have an axe to grind.
Keep attacking.
Want to learn more about UK GDPR? Read our GDPR FAQs for any unanswered questions you may have. If you’re in need of a UK GDPR representative, then read through our page to understand how we could be of service.
References:
[1] Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems [2020] CJEU
[2] General Data Protection Regulation [2016] OJ 2 119/33.
[3] European Union (Withdrawal) Act 2018 c.16 s.6.1
[4] European Union (Withdrawal) Act 2018 c.16 s.6.2