Retained EU Law (Revocation and Reform) Bill

Supplementary written evidence submitted by Bates Wells (REULB88)

Introduction

This submission deals with two areas of the Bill:

· The effect of clause 5 – the removal of the retained general principles of EU law;

· The effect of the sunset in clause 1 in the field of intellectual property law and consumer law.

Summary

Effect of clause 5 – abolition of the retained general principles of EU law

· The abolition of the retained general principles of EU law could lower data protection standards in the UK. This could lead to the loss of data adequacy and the free flow of data from the EU to the UK, increasing red tape for UK businesses at a cost of up to £1.6bn.

· While the UK is deleting retained general principles from its statute book, the US is importing the very same principles into its law in order to facilitate EU-US trade.

Effect of clause 1 – Sunset

· The sunset would delete important legislation in the field of intellectual property law (copyright) and consumer law.

The effect of removing the retained general principles of EU law on data protection standards

Context

· Fundamental rights are general principles of EU law. [1] The right to the protection of personal data is a fundamental right in the EU legal order and a general principle of EU law. [2] The general principle of the protection of personal data was saved into UK law at the end of the transition period. [3] This was necessary in order to provide continuity and certainty: the essence of data protection law is a fundamental rights balancing test. The right of the individual to privacy has to be weighed against the interests of business, government and others in using the data. [4]

Effect of clause 5

· Clause 5 would strip out the fundamental right to the protection of personal data from the UK GDPR and the Data Protection Act 2018. This removes the central underpinning theory from the law. [5] The removal of fundamental rights also casts doubt on the continuing application of retained EU case law in the field of data protection. This is because the CJEU views data protection law through the prism of fundamental rights. [6]

· If the protection of personal data is no longer interpreted as a fundamental right in the UK legal order, then this makes our data protection frameworks more difficult to apply and could lower UK data protection standards.

· The lowering of data protection standards creates risks for the free flow of data from the EU to the UK. Currently the UK is in receipt of an EU adequacy decision in respect of its data protection standards. This means that the EU has deemed the UK framework to be essentially equivalent to its own. If UK data protection standards were to be lowered then this could threaten the UK’s adequacy decision. Losing adequacy could have the following consequences:

o UK companies would have to enter into contracts with EU counterparts in order to transfer data, as well as conducting transfer risk assessments. This could cost up to £1.6bn for UK businesses. [7]

o Under the terms of the EU-UK Withdrawal Agreement, the UK would be obliged to treat data which had come from the EU differently from UK data. Data which came from the EU during the UK’s EU membership or during the transition period would have to be protected in accordance with EU data protection standards. [8] This could create significant operational difficulties for UK businesses and other organisations.

o If the adequacy decision under the Law Enforcement Directive was lost this could lead to suspension of Part 3 of the EU-UK Trade and Cooperation Agreement which deals with Law enforcement and Judicial cooperation in criminal matters. [9] This could make citizens on both sides of the channel less safe.

The UK approach as contrasted with the US’s approach

Ÿ Whilst the UK is intending to delete fundamental rights from the statute book, the US is doing the opposite in order to restore the free flow of data from the EU to the US, enabling trade worth $7.1 trillion. [10] In 2020 the CJEU invalidated the US’ adequacy decision - the EU-US Privacy Shield framework. The CJEU’s reason for invalidating Privacy Shield was that US legislation did not confer minimum safeguards limiting US public authorities’ access to personal data to what was strictly necessary and proportionate. [11]

Ÿ On 7th October 2022 President Biden signed an Executive Order [12] to facilitate the implementation of a new EU-US data privacy framework. That Executive Order addresses the concerns of the CJEU by ensuring that any interference with data subjects’ rights is "necessary" and "proportionate". Commentators have pointed out that this is a significant shift for the US. Previously US negotiators had deleted references to necessity and proportionality from multilateral texts because they were perceived to be tied to European Fundamental Rights jurisprudence which the US could not accept. Writing these concepts into US law shows a convergence between the US and the EU in the approach to privacy. [13]

· The UK’s approach in deleting these concepts from the statute book is out of step with the positions taken by its closest international partners.

Restating the general principles

· Whilst the problems which arise from Clause 5 could be mitigated by using the powers in clauses 12 or 13 to restate the general principles and the case law that relates to them, this is a difficult exercise. It is far from certain that redrafting will in fact create the same effect as simply keeping the general principles and the relevant case law. It also means expending a lot of effort to reach an outcome that has already been achieved under the European Union (Withdrawal) Act 2018.

The Impact of Clause 1 in the fields of Intellectual Property and Consumer law

· Clause 1 of the Bill would have direct and far-reaching implications across most business sectors. Below, we have provided some examples from copyright law and consumer protection that are impacted and note that intellectual property rights, are significantly impacted by the sunset.

Copyright Law

§ The Copyright Designs and Patents Act 1988 ("CDPA") contains a number of significant additions by EU law that would fall away under the sunset. These include:

§ sections 3(1)(d), 3A, 50D CDPA [14] set out the framework for the copyright protection of databases. The Database Directive [15] confirmed that the structure of a database (i.e. selection or arrangement of the database contents) can be protected by copyright [16] ; and created a sui generis "database right", separate from copyright which protects a person’s investment in obtaining, verifying and presenting the contents of a database;

§ sections 3(b), 3(c),50A, 50B, 50BA and 50C [17] CDPA which sets out the legal framework for copyright protection of software. If these parts of the CDPA fell away, UK intellectual property law would not protect the rights of software creators and/or developers;

§ section 20 CDPA gives copyright owners an exclusive right of "communication to the public". Copyright owners tend to rely on this right where an infringer has made an unauthorised broadcast, digital communication or transmission of protected content that doesn’t involve "copying"; and

§ section 28A CDPA [18] which contains a copyright exception that users do not need a copyright licence to browse content online.

The case study of the CDPA indicates that the process of considering what amendments have been made by instruments that fall within scope of the sunset is a time intensive and susceptible for error if not undertaken meticulously. The commercial impacts of losing software copyright and database rights through the sunset would directly impact investment into the UK as these valuable assets would become unprotected under the law.

Consumer Protection

§ The Consumer Protection from Unfair Trading Regulations 2008/1277 ("Unfair Trading Regulations") are derived from the Unfair Commercial Practices Directive 2005/29/EC concerning unfair business-to-consumer commercial practices. The Unfair Trading Regulations are important consumer protection including (i) prohibiting "traders" from engaging in misleading or aggressive practices towards consumers; (ii) requiring to traders to conform to standards of professional diligence; and (iii) giving consumers rights of redress against a trader who has breached the Regulations.

§ The Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013/3134 are derived from the Consumer Rights Directive 2011/83/EU. These instruments work to ensure that consumers have proper information before entering into a contract with a trader. They place obligations on traders to provide certain pre-contract information to consumers and give consumers the right to cancel "distance" contracts (e.g. online purchases of goods, services or digital content) during a limited window, and obtain a refund.

22 November 2022


[1] See Takis Tridimas (2019). The general principles of EU law. Oxford Oxford Univ. Press, Chapter 7.

[2] See Article 8 of the Charter of Fundamental rights and the case of Stauder (Erich) v. City of Ulm – Sozialamt (Case 29/69) EU:C:1969:57). Recital 1 to the GDPR states: ‘The protection of natural persons in relation to the processing of personal data is a fundamental right’.

[3] See Duhs, E. and Rao, I. (2021). Retained EU law : a practical guide. London: The Law Society at 13.5.4.‌

[4] See for example recital 4 to the UK GDPR which states: "The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity."

[5] The changes brought about by clause 4 of the Bill of Rights Bill are also relevant here. Clause 4 would elevate the right to freedom of expression above other rights including the right to privacy. Parliament’s Joint Committee on Human Rights in its report on proposed changes to the UK’s human rights framework stated "When freedom of expression and the right to privacy are in conflict, the courts conduct a finely-tuned balancing exercise to decide which should prevail. To give stronger priority to freedom of expression would unbalance the Convention rights, undermine the principle that all rights are equal and fundamental, and prevent the courts from undertaking a balancing exercise as required by the Convention." See Human Rights Act Reform (HC 1033 HL Paper 191).

[6] See for example the case of Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Case C311/18) EU:C:2020:559, at paragraph 99-101. Note also that clause 5 removes the requirement under section 5(5) of the European Union (Withdrawal) Acct 2018 which preserves case law which references the Charter of Fundamental Rights and requires references to the Charter to be read as if they were references to any corresponding retained fundamental rights or principles.

[7] See McCann, D., Patel, O. and Ruiz, J. (n.d.). The cost of data inadequacy. [online] New Economics Foundation. Available at: https://neweconomics.org/2020/11/the-cost-of-data-inadequacy , page 2 .

[8] See Article 71(3) of the EU-UK Withdrawal Agreement. ‌

[9] See Article 693 of the EU-UK Trade and Cooperation Agreement.

[10] See House, T.W. (2022). FACT SHEET: President Biden Signs Executive Order to Implement the European Union-U.S. Data Privacy Framework. [online] The White House. Available at: https://www.whitehouse.gov/briefing-room/statements-releases/2022/10/07/fact-sheet-president-biden-signs-executive-order-to-implement-the-european-union-u-s-data-privacy-framework/

[11] See Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Case C311/18) EU:C:2020:559, at paragraph 184.

[12] Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities | The White House.

[13] See Fennessy, Caitlin .The EU-US Data Privacy Framework: A new era for data transfers?  [online] Available at: https://iapp.org/news/a/the-eu-u-s-data-privacy-framework-a-new-era-for-data-transfers/.

[13]

[13]

[14] Inserted by Copyright and Rights in Databases Regulations 1997

[15] Directive 96/9/EC on the legal protection of databases (the Database Directive)

[16] Directive 96/9/EC on the legal protection of databases (the Database Directive), recital 13

[17] Inserted by The Copyright (Computer Programmes) Regulations 1992

[18] Inserted by The Copyright and Related Rights Regulations 2003

 

Prepared 25th November 2022