Data protection: the legal framework
The GDPR is EU legislation with direct effect in all EU member states. It enacts a number of data protection rights and obligations and contains provision for their enforcement. Article 5 identifies six “principles relating to processing of personal data” with which data controllers must comply. Articles 24, 25 and 32 require data controllers to “implement appropriate technical and organisational measures” to ensure GDPR compliance. Article 82 confers a right to receive compensation for material or non-material damage suffered as a result of an infringement. The GDPR applied with effect from May 2018. By Part 2 of the DPA, Parliament enacted provisions supplemental to the GDPR. Those provisions also came into force in May 2018.
These are the legislative instruments that apply to the events of 2019 with which we are concerned in this case. That is because Parliament decided that the GDPR should remain part of English law until the end of the Brexit implementation period on 31 December 2020 (“IP Completion Day”) and it continues to be enforceable in respect of that period: see ss 2, 3 and 6 of the European Union (Withdrawal) Act 2018 (“EUWA 2018”). Since IP Completion Day a slightly modified domestic counterpart known as “the UK GDPR” has been in effect and Part 2 of the DPA applies in a correspondingly amended form: see the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419). We are not directly concerned with the UK GDPR, but it is relevant to note that nobody has suggested that there is any material difference.
Brexit has had this relevant legal effect: whereas in EU law decisions of the Court of Justice of the European Union (“CJEU”) on the interpretation and application of EU legislation are authoritative and prevail over domestic decisions, our approach to the GDPR is governed by section 6 of EUWA 2018. We are bound by principles laid down by the CJEU and decisions made by it before IP Completion Day. These are “assimilated EU case law”. However, we are not bound by any principles laid down, or any decisions made, by the CJEU after that date; we “may have regard” to such principles or decisions “so far as it is relevant to any matter before the court”. In deciding how to approach the latter class of CJEU decisions we are of course bound by the domestic law of precedent.
- LORD JUSTICE WARBY
CA-2024-000578 - [2025] EWCA Civ 1117