Following our 2022 round up, as promised, we have pulled together a selection of legal developments that we anticipate will happen in 2023. As with the previous blog, this is not a comprehensive list and clearly, as with any attempt at prediction, it comes with a general caveat that things may not pan out quite in the way expected so please do sign up to our legal updates to keep up to date.
- Data Protection Reform – The UK Government introduced a Data Protection and Digital Information Bill last year but its progress through Parliament was put on hold in the autumn. The Bill sought to make a number of refinements to the current Data Protection Act 2018 and UK GDPR, but regime change within the UK Government prompted a more fundamental re-think with Government ministers now apparently favouring a simplified (bespoke) regime built from scratch to replace the UK GDPR. The main constraint on the UK Government's freedom to manoeuvre is likely to be the desirability of maintaining the UK's adequacy status under EU GDPR. Expect significant developments this year .and (possibly) the demise of GDPR.
- Data Protection and International Transfers – As discussed in the 2022 review, the Biden administration has created a beefed up regime in the US which seeks to provide binding safeguards for personal data. This is likely, in turn, to result in adequacy decisions being finalised in 2023 by both the EU Commission and the UK government, allowing free movement of personal data to organisations within the US that have signed up to the new US regime. This will be welcomed by organisations in the EU and UK still struggling with the fallout from the CJEU decision in Schrems II, however expect privacy campaigners to seek to test the validity of the new decisions.
- Proposals to improve cyber resilience –in the area of cyber and critical infrastructure, a review conducted in 2022 identified a failure by the market to improve security practices at a sufficiently rapid rate to keep pace with ever increasing international cyber threats. Following the publication of a UK government response paper, we are expecting to see legislation amending the Network and Information Systems Regulations 2018 to extend supervisory regulation to digital managed service providers and also to make it easier to futureproof the regime by amendment through regulation rather than primary legislation.
- Retained EU Law (Revocation and Reform) Bill - In September 2022, the Retained EU Law (Revocation and Reform) Bill was introduced in the House of Commons. Under the Bill, all retained EU Law (a category of EU derived law created and preserved by the European Union (Withdrawal) Act 2018) will expire on 31 December 2023 unless written into UK domestic law before then. There is a huge quantity of retained EU law and Government departments have been tasked with analysing each piece of retained EU law before the expiry date to determine whether it should be preserved by assimilation into UK law. This is extremely important because many current rights and protections stem from these laws – in areas such as employment, health and safety, environmental and consumer protection. Some commentators have expressed concern that failure to preserve (or replace) specific pieces of retained EU law could leave regulatory gaps that could have significant implications for business. Expect to hear a lot more about this during the course of the year as the Bill progresses and the deadline draws nearer.
- Agency workers - the Supreme Court is to hear an appeal against the Court of Appeal decision (Kocur-v-Angard Staffing Solutions Limited and Royal Mail Group Limited) that the fact that agency workers have the right to informed about relevant vacancies with a hirer, does not mean that they have the right to apply, and be considered, for those vacancies. The decision is expected to have significant implications in the labour market, particularly for those who use agency workers.