HANSARDLords12 Dec 202335 contributions

Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations 2023

View on hansard.parliament.uk ↗

Considered in Grand Committee
3:45 pm
Moved by
Baroness Swinburne
ConservativeLife peer
That the Grand Committee do consider the Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations 2023.
Relevant document: 3rd Report from the Secondary Legislation Scrutiny Committee
Baroness Swinburne (Con)
ConservativeLife peer
My Lords, these regulations, which were laid before the House on 7 November 2023, will be made under the powers provided by the Retained EU Law (Revocation and Reform) Act 2023, known as the retained EU law Act. They are concerned with the definition of “fundamental rights and freedoms” in the data protection legislation and making sure we continue to have a meaningful definition beyond the end of the year, when the retained EU law Act takes effect.
In several areas, the data protection legislation—specifically the Data Protection Act 2018 and the UK general data protection regulation, which I will refer to as the UK GDPR from now on—requires the Government, the Information Commissioner and organisations using personal data to consider people’s “fundamental rights and freedoms” in certain situations. For example, Ministers must consider such rights and freedoms when creating new exemptions or permissions for the use of people’s special category data, and data controllers must consider them when relying on the “legitimate interests” lawful ground for processing under Article 6(1)(f) of the UK GDPR. It is vital that, in circumstances such as this, the rights of individuals continue to be carefully considered and protected.
Prior to EU exit, references to fundamental rights and freedoms in the data protection legislation were taken to mean rights described in the EU Charter of Fundamental Rights—which I will refer to as the charter. Following the European Union (Withdrawal) Act 2018, some of these rights were retained by Section 4 of that Act. Given that Section 4 of the European Union (Withdrawal) Act will be repealed at the end of 2023 by the retained EU law Act 2023, action is needed now via this statutory instrument to replace the definition of “fundamental rights and freedoms”. Without action, there would be a lack of clarity about what these references mean. This could cause significant difficulties for organisations trying to apply the data protection legislation, risking inconsistent approaches, legal uncertainty and insufficient protection of data subjects’ rights.
That is why, through the draft regulations, the Government are clarifying that references to fundamental rights and freedoms in the data protection legislation mean rights under the European Convention on Human Rights, known as the ECHR, as defined by the Human Rights Act 1998. By doing this, the Government are ensuring that there is a clear, legally meaningful definition to rely on. This will provide consistency and certainty for organisations which are subject to data protection legislation, as well as continued protection for people’s rights. It is important to note that these regulations themselves do not remove any EU law rights; it is the European Union (Withdrawal) Act and the retained EU law Act that do that. These regulations are simply designed to replace references to EU law that would become meaningless at the end of this year.
Lord Clement-Jones (LD)
Liberal DemocratLife peer
My Lords, I welcome the Minister to this crowded box-office occasion—over the years it has been for aficionados, by and large.
I thank her for setting out the purpose of these regulations. Originally, they were to be approved by the negative procedure. It is to the great credit of the Secondary Legislation Scrutiny Committee that, in its 53rd report, it recommended an upgrade of the instrument to the affirmative procedure because of concerns about a potential reduction in rights protection. I heard what the Minister said in her introduction.
In its report, the committee quoted the Department for Science, Innovation and Technology, which stated that
“the impact on organisations and individuals as a result of the proposed changes was expected ‘to be minimal’”,
and that the changes
“replicate the current position ‘as far as possible’, but it was unable to rule out entirely potential differences in the rights and freedoms”.
In those circumstances, I need to thank the Minister and the Government for bringing back these draft regulations for affirmative approval—in other words, for listening to the committee.
However, our conclusion is that the regulations fail to contain damaging uncertainty and inconsistency in this area, which is exactly what concerned the SLSC. I am afraid it will be clear from our debate next week on the Data Protection and Digital Information Bill, as it was when we recently debated the Digital Government (Disclosure of Information) (Identity Verification Services) Regulations 2023, that data is a really weak spot for this Government—as if they needed any more.
I am afraid that it is clear that these regulations by themselves are insufficient to stabilise the UK’s data protection frameworks once what has been called the tsunami of legal uncertainty unleashed by the retained EU law Act—REULA—engulfs us on 31 December 2023. The Minister lightly skipped over that. When the UK stopped being subject to the EU treaties at the end of 2020, the European Union (Withdrawal) Act 2018—EUWA—saved the rights and obligations which applied in domestic law as a result of the UK’s EU membership. This meant, in essence, that the EU GDPR became the UK GDPR. The Data Protection Act 2018 remained on the statute book. The rights and obligations became part of retained EU law—the vast body of law saved from the EU legal framework on the UK’s departure. Retained EU law was to be interpreted as it had been while the UK was an EU member state. This created continuity and certainty as to what the law meant.
4:00 pm
Another area of significant uncertainty will be how, if and to what extent CJEU case law still applies when interpreting the UK GDPR and the DPA 2018. Much of the CJEU case law on data protection references EU fundamental rights, as set out in the charter. If EU fundamental rights have been deleted, it is not clear that the case law still applies. Again, we will have to wait for cases to reach the courts to understand whether and to what extent the case law is still applicable. The Explanatory Memorandum and Explanatory Note make no attempt to answer whether the Government consider that they do, other than stating that
“no, or no significant, impact”
is foreseen by the implementation of the regulations.
Given what I have said so far, this looks a rather complacent and even misleading statement, especially when Sir John Whittingdale in the Commons said of these regulations that
“they simply tidy up the existing statute book as a result of the UK’s withdrawal from the European Union”.—[Official Report, Commons, Second Delegated Legislation Committee, 4/12/23; col. 8.]
In fact, looking closely at the wording of the Explanatory Memorandum, we see that there is no unequivocal statement to the effect that there is “no, or no significant, impact” on individual human rights as such. I think that the Minister, when she introduced those regulations, actually used those words—that there is no significant impact on human rights as such—but I hope that she will reassure us by repeating those and that she anticipates that there will be no significant impact.
The deletion of supremacy also turns the relationship between the UK GDPR and the DPA 2018 on its head. If there is a conflict between the UK GDPR and the DPA 2018, the DPA 2018 will take precedence. That is the opposite of the intention of the legislation when it was drafted and may have unforeseen consequences. There is a limited exception to the general rule that REULA introduces, that domestic law will trump retained direct EU legislation. This exception operates in the context of data protection rights. Data subject rights under the UK GDPR will generally take precedence over rights or obligations in other domestic law. However, the rights and obligations in chapter 3 of the UK GDPR, relating to the rights of the data subject, are subject to the exceptions in Schedule 2 to the DPA 2018.
It appears that there is no scope under REULA to disapply the Schedule 2 exceptions on the basis that they are overly broad, as happened in the Open Rights Group case; instead, the courts would need to make an incompatibility order under Section 8 of REULA, which may delay, explain, remove or constrain the consequence of the Schedule 2 condition trumping data subject rights, but this is a less certain remedy than would have existed before. Under EUWA or when EU law still applied, it would have been clear that the UK GDPR had precedence and that overly broad exceptions in Schedule 2 to the DPA 2018 were unlawful. In practice, this means that data subject rights in the UK will be less certain and potentially less protected than before.
The significant uncertainty caused by the changes that REULA makes to the statute book could have been remedied by the Government using powers in REULA. The powers in Section 11 of REULA could have been used to turn the effect of EU fundamental rights and supremacy back on. Alternatively, the current relationship between the UK GDPR and the DPA 2018 could have been restored by using the power in Section 7. For instance, the Government could have clarified that established case law still applies, but they have chosen not to do so. The regulations seek only to cure the problem of deleting EU fundamental rights by replacing those references to fundamental rights under the ECHR, using the powers in Section 14, but this creates new uncertainties as outlined above.
I think noble Lords would agree that all this potentially makes the head spin, but I have not even got to the point where we might need to talk about the consequences if the UK withdraws from the ECHR or repeals the Human Rights Act, as so many Conservative MPs seem to want to do. Lowering the standard of data protection rights in the UK creates obvious risks to the continuing UK data adequacy decision, which rests on data protection rights being essentially equivalent to those rights in the EU. If the Conservative Party campaigns to leave the ECHR or repeal the Human Rights Act at the next election, then this will simply magnify the uncertainties. The substitution that the regulations make of ECHR human rights for EU fundamental rights may be short-lived. Lowering the standard of protection of personal data in the UK also risks failure in delivering the trusted data regime, which purports to be one of the underpinning foundations of the UK’s ambition to become a technology superpower by 2030.
There are clearly major questions to answer, which the Explanatory Memorandum and the Minister’s introduction come nowhere near answering. Perhaps she will now make a bit of a stab at this—although I would be perfectly happy for her to write with a response. We should be very grateful to Eleonor Duhs for her SOAS ICOP policy briefing and to Professor David Erdos for raising these issues in the first place.
In addition to all the foregoing, Professor Erdos also raises the question of ultra vires. I hesitate to raise this at this stage, having said quite a lot already, but he raises the fundamental issue concerning what appears to be a problem with the draft regulations’ legal basis— I expect that the Minister has been briefed on this. This is stated to be issues relating to Section 14 of the Retained EU Law (Revocation and Reform) Act 2023.

20 of 35 shown