Are the UK Courts bound by decisions of the European Courts on matters related to GDPR?

The UK’s departure from the European Union (EU) has sparked speculation over whether the UK Courts will be bound by decisions of the European Court of Justice (CJEU) – particularly in matters relating to GDPR.

It is important to distinguish between the CJEU and the European Court of Human Rights (ECHR); the former’s role is to adjudicate on matters of European (EU) Law, escalated from the 27 member states,  the latter which by virtue of its status as membership of the Council of Europe and as a signatory to the Convention for the Protection of Human Rights and Fundamental Freedoms, the UK is still a member and bound by their decisions.

Matters which were raised to the CJEU before the UK left the EU, would remain binding on the UK Courts, for example, the Data Protection Commissioner v Facebook Ireland and Maximillian Schrems case.[1] This matter is outlined in Articles 86 and 89 of the Withdrawal Agreement, Treaty Series No. 3 (2020).

The question remains; are matters adjudicated by the CJEU relative to the General Data Protection Regulation[2] (GDPR), still binding for the UK now we have left the EU?

To understand whether we need to be aware of decisions on matters of Information Rights Law we need to follow the legislative trail to understand the relationship post-Brexit.

Practitioners should consider the following principle; as of the 31st December 2020, UK Courts are generally not bound by decisions made by the CJEU. This principle defined in section 6(1) European Union (Withdrawal) Act 2018[3].  Section 6(2) goes on to say that “a court or tribunal may have regard to anything done on or after exit day by the European Court, another EU  entity or the EU so far as it is relevant to any matter before the court or tribunal”.[4] This is an important principle insofar as if the UK Courts were considering a matter of UK GDPR and there was a judicial or administrative decision from an EU Court, Institution or a new EU law – similar to the matter in hand then the court could consider this when determining the case.  The word could, may change to would if the Court were inclined to agree with, say the decision of the CJEU.

The challenge for UK practitioners will be to determine what is relevant and what is not in terms of the decisions of the CJEU and other EU institutions. Luckily for the UK, our Courts are adept in dealing with matters relating to Data Protection Law – they’ve had a lot of practice since the first Data Protection Act in 1984. The Information Commissioners frequently update relevant guidance when decisions of the CJEU are likely to affect Data Controllers and Processors in the UK, so fear not!

In Summary:

My advice is to follow online posting, blogs (such as our own) and other legal practitioners. It’s always a good idea to keep up to date with the ICO newsletters, which are always very informative and more impartial than most commentators, who often have an axe to grind.

Keep attacking.  

Want to learn more about UK GDPR? Read our GDPR FAQs for any unanswered questions you may have. If you’re in need of a UK GDPR representative, then read through our page to understand how we could be of service. 

References:

[1] Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems [2020] CJEU

[2] General Data Protection Regulation [2016] OJ 2 119/33.

[3] European Union (Withdrawal) Act 2018 c.16 s.6.1

[4] European Union (Withdrawal) Act 2018 c.16 s.6.2

related posts

Jack Penaligon

How to Respond to a Data Breach: A Practical Guide

This blog provides an overview of the practical steps organisations can take to reduce the impact of a data breach once it has been identified. It focuses on the actions that should be taken during the early stages of an incident to contain the breach, protect affected individuals, and meet regulatory requirements.

The article discusses a range of mitigation measures, including contacting unintended recipients of personal data, securing the deletion or recovery of exposed information, isolating compromised systems, and maintaining clear records of actions taken. It also explores the challenges posed by both digital and physical data breaches, highlighting the importance of balancing operational needs with data protection obligations.

Finally, the blog emphasises the value of preparation, explaining how established procedures, communication templates, and predefined response plans can help organisations respond more effectively and demonstrate accountability during a regulatory investigation.

Read More »
Noah de Wild

How to Assess a Data Breach: A Practical Guide

This blog explains how to assess a data breach by identifying its cause, determining what information was exposed, and evaluating the potential impact on affected individuals and the organisation. It outlines common causes of breaches, the importance of understanding the type and scale of compromised data, and how assessing the timeline of an incident can help businesses respond effectively, meet legal obligations, and reduce long-term risks.

Read More »
Noah de Wild

Don’t Panic: A Pragmatic Guide to the June 2026 Enforcement of the Data (Use and Access) Act Changes

With the June 19, 2026 enforcement of the Data (Use and Access) Act approaching, ensuring your business is compliant doesn’t have to be complicated or expensive. In our latest guide, we break down exactly what the new data protection complaint rules mean for you. Cut through the noise and discover our simple, free six-step checklist to update your protocols, designate handlers, and keep your business confidently compliant.

Read More »

Get a Free Consultation